I don’t think that anyone actually got in via FTP… it’s almost like they figured out some vulnerability in one of our PHP apps and did some kind of insertions
There were ten other directories in /public_html/ and each had the same thing: a new .htaccess file with a DirectoryIndex index.php, and the index.php was a copy of index.shtml with the include at the top which pointed to the “*.php” file with all the Viagra sales redirect attempt stuff.
So, I am removing those files and things are back to normal, but I don’t know how to close the hole or even what it was. Fortunately the attack seems to have failed; at least our users did not end up at “getfastpills.com” but instead they just got a 404.
Presumably the attacker realized this and abandoned his work; otherwise he probably would have continued on until all top directories on the site were infected.
You may want to take a look at your error logs in $HOME/logs/error_log, to see if anything unusual shows up there.
One idea would be to look at the timestamp on the .htaccess files that were added – use that timestamp to give you an idea of where to look in the logs.
If that doesn’t help – my best suggestion is to review all the web apps on that account, and make sure they’re all running at the most recent version.
Like you said, they most likely got in from a PHP script. Check the Apache log for repeated POSTs from the same IP and see which script was involved. You can check the timestamps from when those files were modified against the timestamps in the Apache log to identify the IP of the remote server and the vulnerable script. You can use find -mtime to check and see which files were recently modified, since usually people (or scripts they write) are too lazy to reset modification times.
After you identify the problem, it’s best to restore from a backup and then upgrade the vulnerable scripts. If you don’t have a backup, try to write some scripts that use find, sed, awk, etc. to remove the newly added lines from PHP files. Also check for newly created files that might be a backdoor or some sort of remote access shell. Sometimes a clamscan can find malware, but it rarely does. The best method is to compare against backups. If you see anything that looks obfuscated and you didn’t create it, it’s probably a backdoor.
Also do the other stuff to make sure you weren’t compromised in other ways: check the crontabs, lastlogs, check for strange running processes, look to see if there are gaps in time in system logs. If you back up the whole server, file by file, daily, it’s pretty easy to see which files were tampered with. A root level compromise is pretty rare if you keep your software up to date; usually people just munge HTML documents and PHP scripts for “black hat” SEO (with links to sites like getfastpills.com) or install backdoors (like c99 shell).
Under PLESK I was able to request a daily email list of all SSH logins as well as all FTP and SFTP logins. How can I get that from Virtualmin, or at least view these logins, dates, times and IPs? Ideally I could see i) just FTP logins and ii) just SSH logins, separately.
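Putting the two replies above into runnable form (this is an added example, not code from the thread): the access log lines, addresses, paths and files it works on are constructed sample data, and the awk field numbers assume Apache's Combined Log Format.

```sh
#!/bin/sh
# Added example, not from the thread: correlate recently modified files with
# the Apache access log. The log lines and the files under $WORK are
# constructed sample data; the IPs, paths and times are made up.

LOG=$(mktemp)
WORK=$(mktemp -d)
trap 'rm -rf "$LOG" "$WORK"' EXIT

# Constructed Combined Log Format sample: a burst of POSTs to one script
# from one address, then ordinary browsing traffic.
cat >"$LOG" <<'EOF'
203.0.113.7 - - [11/Feb/2012:01:58:12 -0500] "POST /menu.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Feb/2012:01:58:40 -0500] "POST /menu.php HTTP/1.1" 200 498 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Feb/2012:02:03:05 -0500] "POST /menu.php HTTP/1.1" 200 3011 "-" "Mozilla/4.0"
198.51.100.2 - - [11/Feb/2012:02:04:10 -0500] "GET /index.shtml HTTP/1.1" 200 7810 "-" "Mozilla/5.0"
198.51.100.2 - - [11/Feb/2012:02:04:11 -0500] "GET /images/logo.gif HTTP/1.1" 200 2300 "http://example.com/" "Mozilla/5.0"
192.0.2.9 - - [11/Feb/2012:02:09:44 -0500] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Constructed web directory: an .htaccess stamped at the time of the
# incident and a file touched just now.
touch -t 201202110203 "$WORK/.htaccess"
touch "$WORK/index.php"

# Files under DIR modified fewer than N days ago. The leading '-' matters:
# '-mtime 4' means exactly four days ago, '-mtime -4' means less than four.
recent_files() {
    find "$1" -type f -mtime "-$2"
}

# Files under DIR modified after REF (e.g. the planted .htaccess); the
# earliest tampered file pins the time window to search in the log.
modified_since() {
    find "$2" -type f -newer "$1"
}

# Requests whose timestamp starts with PREFIX, e.g. "11/Feb/2012:02:0"
# for the ten minutes around the .htaccess mtime.
hits_around() {
    grep -F "[$2" "$1"
}

# POST requests per client IP and script, busiest first. In Combined Log
# Format field 1 is the client address, field 6 the quoted method and
# field 7 the request path.
posts_by_ip() {
    awk '$6 == "\"POST" { n[$1 " " $7]++ }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# The single heaviest POST source as "count ip script".
top_poster() {
    posts_by_ip "$1" | head -n 1
}

echo "Modified after .htaccess:"; modified_since "$WORK/.htaccess" "$WORK"
echo "Requests around 02:0x:";    hits_around "$LOG" 11/Feb/2012:02:0
echo "POST sources:";             posts_by_ip "$LOG"
echo "Top POST source:";          top_poster "$LOG"
```

On a real host you would point modified_since at the planted .htaccess and the document root, read the time off the first tampered file, and run hits_around and posts_by_ip over the rotated log for that hour; the script that keeps showing up with POSTs from one address is the one to upgrade or remove.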
You can view recent logins either by running the command “last” on the command line, or by going into Webmin -> System -> User and Groups, and clicking “Display Logins by”.
On that same screen, you can also search for users with a login shell – /bin/sh, /bin/bash, and /bin/false are commonly used.
Vulnerability: Port/Service Issue regarding Port 64.151.103.90 general/tcp Security hole found
Hrm, that doesn’t list a service you can disable, that’s just the IP address of your server. You’ll need a more specific problem description if you’d like to disable something that’s running on your server.
I’m not seeing any unusual logins via SSH shell or FTP traffic on or near the time of the “Viagra Marketing Monster” exploit… and yes, another more knowledgeable person on my team says they were just trying to get more “hits” registered for their site… you were right: “Black Hat SEO”.
find /home/mydomain -mtime 4 did not result in a list that made any sense because it did not show files I know for sure were modified within the last 4 days. So I must have my find command wrong there…
The access file that covers Feb 11 was closed and zipped yesterday (the 13th). I downloaded that and now I have to figure out what good tools to use to read and analyze a 245MB file. I downloaded Splunk but the thing is way over my head…
OK, so I reloaded the access log file and filtered for “menu.php”, and then I got some very interesting results from the day before, when the hacker must have started cracking his knuckles and going to work around 8 PM; only after about 2 AM on the 11th did he succeed. Sheesh, don’t these guys in Russia have anything better to do? I guess if you are snowed in and it’s 20 below outside, maybe not…
At any rate, I don’t understand how a GET call for an image can return an absolute URL for a PHP script in another directory… what does that mean and how did he do it?!
Harrumph, my log entries and the PHP code were cleaned up on submit above… let me try again. Here is the PHP (I changed “php” to “hph” to get it accepted here…
Find files that have been modified within the past 4 days in your web directory. Use a - in front of the number of days:
find /home/mydomain/public_html -mtime -4
The PHP scripts can be created by other vulnerable PHP scripts, since the web directory is all owned by the same user account running PHP via FastCGI and people usually don’t lock down permissions by setting most everything to read-only or immutable.
You may want to grep for all those backdoors with eval(base64_decode(…)) and just mass-remove them after inspection:
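A sweep along the lines the reply suggests, as an added example rather than the poster's own command: it looks for eval() wrapped around a decoder in PHP and template files, and separately for PHP open tags planted in .html/.shtml pages (the insertion described earlier in the thread). The web tree it scans is constructed sample data; the only real thing it touches is the directory you pass it.

```sh
#!/bin/sh
# Added example, not from the thread: find the obfuscation pattern the reply
# above mentions, plus PHP tags inside static pages. The files created below
# are constructed samples for the demonstration.

WEB=$(mktemp -d)
trap 'rm -rf "$WEB"' EXIT
mkdir -p "$WEB/blog" "$WEB/site-map-generator" "$WEB/images"

# Legitimate front controller: should not be flagged.
cat >"$WEB/blog/index.php" <<'EOF'
<?php
// ordinary WordPress loader, nothing to see here
require dirname(__FILE__) . '/wp-blog-header.php';
EOF

# Constructed "proprietary" encoded file; the blob decodes to phpinfo();
cat >"$WEB/site-map-generator/config.php" <<'EOF'
<?php /* Proprietary, do not reverse engineer */
eval(base64_decode('cGhwaW5mbygpOw=='));
EOF

# Constructed static page with a PHP include planted at the top.
cat >"$WEB/images/index.html" <<'EOF'
<?php include('../menu.php'); ?>
<html><body>gallery</body></html>
EOF

# eval()/assert() feeding directly on a decoder is almost never legitimate
# site code; whitespace inside the call is tolerated by the pattern.
SUSPECT='(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'

# List PHP, include and template files under DIR containing the pattern.
scan_backdoors() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.html' -o -name '*.shtml' \) \
        -exec grep -lE "$SUSPECT" {} + 2>/dev/null | sort
}

# PHP open tags do not belong in static pages; list any .html/.shtml that has one.
php_in_static() {
    find "$1" -type f \( -name '*.html' -o -name '*.shtml' \) \
        -exec grep -lF '<?php' {} + 2>/dev/null | sort
}

# Number of distinct files either check flags.
suspect_count() {
    { scan_backdoors "$1"; php_in_static "$1"; } | sort -u | wc -l | tr -d ' '
}

echo "Obfuscated eval:"; scan_backdoors "$WEB"
echo "PHP in static pages:"; php_in_static "$WEB"
echo "Total suspect files: $(suspect_count "$WEB")"
```

Review each hit before deleting anything (some commercial scripts really are shipped encoded, as the poster later found), and once the tree is clean consider making the static parts read-only so the next insertion fails rather than succeeding silently.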
OK, thanks for that tip. I’m documenting all your guidance! I will sweep this domain for “eval” and the others as well. I searched on the web to find out how the exploit might have occurred in the first place, but I still don’t see a clear path to determining exactly how the menu.php was inserted.
We are not letting users upload images of any kind, so it cannot be the known GIF infected file exploit.
I would like to learn how to configure the server to prevent execution of PHP from any directory except the one and only place we use PHP: the /public_html/blog/ directory (WordPress, latest version).
We will be redoing the whole site soon, using LiveCode Server and the RevIgniter framework and no PHP, and the WordPress installation is present only in this single location… so I don’t need to have PHP execute from anywhere else. (Umm, wait, no: one other location, the /public_html/slideshows/SlideshowPro directory, also uses PHP.)
So I may as well simply block execution of PHP from any other location except these two directories. This was one recommendation: to block execution from all “/images/” directories, for example… But I would rather do it the other way: configure exactly where they can be executed. How can I do that?
I am also finally going to block SSH login as root. Can I do that from inside Webmin? I’m also accessing Virtualmin as root; I probably should not do that either. How do I set myself up as a user with the full scope of admin privileges in Virtualmin/Webmin as I would have if I were root?
If you use SSH keys to login, you can disable password authentication, but DON’T disable it until you are sure you have SSH keys setup. See PasswordAuthentication in /etc/ssh/sshd_config.
Another option I like for preventing SSH brute force attacks is to install the fail2ban package. If you install it on a Debian/Ubuntu system, it will be set up to protect against SSH attacks by default, but if you install on an RHEL/CentOS system, you’ll need to configure it in /etc/fail2ban*.
Lastly, if you are the only one using SSH, update your firewall to only allow SSH connections from your preferred networks. You should be able to do this in Webmin under the Linux Firewall module. Edit the rule accepting traffic on port 22, or manually edit the iptables rules file (possibly /etc/iptables.up.rules on your system) to change:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
to
-A INPUT -s (your IP or network) -p tcp -m tcp --dport 22 -j ACCEPT
Repeat that line for as many IPs or networks as needed, then restart the firewall:
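The checks behind this reply, as an added example (not the poster's commands): it reads the two sshd_config keywords that matter here and prints the source-restricted ACCEPT line once per trusted network. The sshd_config texts are constructed samples; nothing is applied to the live system.

```sh
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the settings the
# reply points at and generate the restricted iptables rules. Both config
# files below are constructed samples.

CFG=$(mktemp)
WEAK=$(mktemp)
trap 'rm -f "$CFG" "$WEAK"' EXIT

# Hardened sample: keys only, no root.
cat >"$CFG" <<'EOF'
# constructed sample of /etc/ssh/sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

# Stock-looking sample: both keywords still commented out, so sshd falls
# back to its built-in defaults (passwords on, root allowed on old releases).
cat >"$WEAK" <<'EOF'
# constructed sample of an untouched sshd_config
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
EOF

# Effective value of a keyword. sshd honours the FIRST uncommented
# occurrence and matches keywords case-insensitively; prints "unset"
# when the keyword is absent, which means the compiled-in default applies.
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Exit 0 when password logins are off and root cannot log in with a
# password; otherwise print what is wrong and exit 1.
audit_sshd() {
    audit_ok=0
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no' (sshd defaults to yes)"; audit_ok=1; }
    case "$(sshd_setting "$1" PermitRootLogin)" in
        # 'no' locks root out; the other two allow root with a key only,
        # as a later reply in the thread suggests
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin still allows root password logins"; audit_ok=1 ;;
    esac
    return $audit_ok
}

# One ACCEPT rule per trusted IP or network, replacing the wide-open
# "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT" line quoted above.
ssh_rules() {
    for net in "$@"; do
        printf '%s\n' "-A INPUT -s $net -p tcp -m tcp --dport 22 -j ACCEPT"
    done
}

echo "hardened sample:"; audit_sshd "$CFG" && echo "  ok"
echo "stock sample:";    audit_sshd "$WEAK" || echo "  needs work"
echo "rules for two trusted networks (addresses are documentation ranges):"
ssh_rules 192.0.2.0/24 198.51.100.7
```

Run audit_sshd against the real /etc/ssh/sshd_config after enabling key logins (and before restarting sshd, keep a second session open). The ssh_rules part only helps for fixed addresses; for helpers on dynamic IPs, as the poster describes next, fail2ban plus keys is the practical option.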
I don’t use SSH keys to log in … just straight user/pswd method.
I need to allow my “wizard” in Brazil and another in California to get on… these are highly trusted. They usually come in with a dynamic IP, so I’m not sure I will always know what network they are logging in through; I will check. It is only those 2, no one else outside the LAN and our own firewall.
I know that I should block root login via SSH and force everyone to log in as a user and then su… I know how to do that, I just want to know: if I do, does that mean I can’t log into Virtualmin as root either?
BTW… this grep -rl eval.base64_decode /home/mydomain/public_html is taking several hours!
But it did find some files in an old “site-map-generator” directory which I had disabled… but it was still accessible. All the encoded files have a disclaimer “Proprietary, do not reverse engineer”. I deleted that whole folder as there is no way to know if a trojan is in there or not… but the dig on the two directories running WordPress and SlideshowPro (the only two PHP CMS apps on this domain) turned up empty, so they are clean (apparently it is possible for an entire WordPress installation to get infected!)
Allowing SSH root access with key only instead of password should be secure as well. Brute force attackers will only try passwords and surely not keys.
Disallowing root to login via SSH will have no effect on Webmin. In principle SSH does not even need to be running for Webmin to function.
They are at it again! I’m getting some PHP insertion into some directory. Hackers are inserting a line of PHP into the top of .html and .shtml files now, trying to call ImageMagick with a PHP string.
I posted this on Experts Exchange and they are telling me I should turn off the execution of PHP in .html and .shtml files, in httpd.conf, if I do not need it. But I don’t see anything in httpd.conf that matches what they talk about.
In Webmin, how do I block PHP execution in all pages except .php pages, for all domains?
We don’t need to execute PHP in .html or .shtml pages.
I did examine the logs again and all files that were modified in the last four days, but see nothing suspicious. Now I am worried I have a trojan buried deep inside the WordPress database that runs “headless”, as this thing keeps infecting the same files, as if there is no human behind it… so I’m not going to see any POST in a log file.
Anyway, I have changed the admin password again, set the permissions on those files to 444, changed the WordPress admin login password and upgraded WordPress to 3.3… now we just have to turn off execution of PHP in .html and .shtml files as the next step, then wait and watch. I don’t know how to scan a WordPress installation for trojans… but I’m asking that over there on the WP site.
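One way to get the whitelist the poster asked for twice (PHP only in the WordPress and SlideshowPro directories, and never from .html/.shtml), as an added example config rather than anything from the thread or from Virtualmin. It assumes /home/mydomain/public_html is the document root (from the find command earlier), that the virtual host maps .php to the fcgid-script handler (Virtualmin's usual FastCGI setup; adjust if yours differs), and Apache 2.4 access-control syntax; on 2.2 replace the Require lines with Order allow,deny plus Deny/Allow from all.

```apache
# Added example config, not from the thread: execute PHP only in the two
# directories named in the thread and nowhere else under the document root.
# Place it in the domain's <VirtualHost> or an httpd.conf include.

# 1. Default for the whole site: no PHP, whatever the file is called.
<Directory /home/mydomain/public_html>
    # mod_php: switch the engine off; php_admin_flag cannot be overridden
    # from a planted .htaccess.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    # FastCGI setups: unmap the extensions that reach the PHP wrapper.
    # .shtml is left alone so server-parsed (SSI) keeps serving index.shtml.
    RemoveHandler .php .html
    RemoveType .php .html
    # Do not hand out the source of a stray .php file either.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# 2. Re-enable PHP only where the site actually uses it.
<Directory /home/mydomain/public_html/blog>
    <IfModule mod_php5.c>
        php_admin_flag engine on
    </IfModule>
    AddHandler fcgid-script .php      # assumed: the vhost's normal handler
    <FilesMatch "\.php$">
        Require all granted
    </FilesMatch>
</Directory>

<Directory /home/mydomain/public_html/slideshows/SlideshowPro>
    <IfModule mod_php5.c>
        php_admin_flag engine on
    </IfModule>
    AddHandler fcgid-script .php      # assumed: the vhost's normal handler
    <FilesMatch "\.php$">
        Require all granted
    </FilesMatch>
</Directory>
```

Test with apachectl configtest, then request a .php file dropped in /images/: it should come back 403, while the blog and slideshow pages still run. Because the outer block removes the .html mapping, a PHP line inserted at the top of an .html page is served as literal text instead of being executed, which is the effect the Experts Exchange advice was after.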