How to clean hacked server and add more security?

Support for security such as Firewalls and securing linux
agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/03 17:20:05

Accepted password for user from xx.xx.xx.xx port xxxxx ssh2
Accepted password for user from xx.xx.xx.xx port yyyyy ssh2

I have set the SSH port as abcd,
but why is it showing a different port every time?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to clean hacked server and add more security?

Post by TrevorH » 2013/10/03 17:30:38

Because that's the port on the client side of the connection.
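TrevorH's point shown on constructed sshd log lines (an added example, not from the thread or its server): the port in each `Accepted` line is the client's ephemeral source port, so it changes on every connection, and the useful review of /var/log/secure is grouping successful logins by user and source address and flagging sources you do not recognise. The known-address set passed to `summarize` is an assumption you would fill in yourself.

```python
import re
from collections import Counter, defaultdict

# Matches the "Accepted" lines sshd writes to /var/log/secure. The port
# captured here is the client's ephemeral source port, not the port sshd
# listens on, which is why it differs on every login.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2"
)

# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Oct  3 17:01:12 host sshd[2201]: Accepted password for user from 203.0.113.5 port 51822 ssh2
Oct  3 17:05:40 host sshd[2210]: Accepted password for user from 203.0.113.5 port 51901 ssh2
Oct  3 17:09:03 host sshd[2230]: Failed password for root from 198.51.100.7 port 40022 ssh2
Oct  3 17:11:55 host sshd[2241]: Accepted publickey for deploy from 192.0.2.9 port 60110 ssh2
Oct  3 17:20:05 host sshd[2259]: Accepted password for user from 198.51.100.7 port 40310 ssh2
"""

def parse_accepted(log_text):
    """Return one dict per successful login: auth method, user, source
    address and the client's source port. Failed attempts are skipped."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            logins.append(rec)
    return logins

def summarize(logins, known_sources):
    """Group logins by (user, source) with the set of client ports seen,
    count auth methods, and list sources not in the known-address set."""
    ports = defaultdict(set)
    methods = Counter()
    for rec in logins:
        ports[(rec["user"], rec["src"])].add(rec["port"])
        methods[rec["method"]] += 1
    unknown = sorted({r["src"] for r in logins if r["src"] not in known_sources})
    return {"ports_by_user_src": dict(ports),
            "methods": methods,
            "unknown_sources": unknown}

if __name__ == "__main__":
    # Assumed known addresses; replace with the ones you actually log in from.
    print(summarize(parse_accepted(SAMPLE_LOG), {"203.0.113.5", "192.0.2.9"}))
```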

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: How to clean hacked server and add more security?

Post by AlanBartlett » 2013/10/03 18:14:48

[quote]
agriz wrote:
I am installing only packages (even though they are old) which are available in yum.
[/quote]
By just looking at the packages' version numbers those packages may [i]seem[/i] to be 'old'. However after reading the [b]Upstream Vendor[/b]'s [url=https://access.redhat.com/security/updates/backporting]policy on backporting security fixes[/url] you will understand that those packages are quite secure.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/04 03:43:30

ClamAV has flagged a gif file as a virus. It reports it as "PHP.Hide-2".
I downloaded that image and checked the content in Notepad. I found nothing in Notepad.

My virus scanner didn't warn me about the virus.
But I searched the internet and found a few files with a similar virus.
Don't open this link -> (//myhanbando com/xe/m layouts/topi jpg)

When I try to open/save the image, my virus scanner warns me and automatically deletes that file.
What else could be a problem on the server?

//
( Someone advised me that I should manage the system only once I have gained the knowledge.
But I can't agree with that. Known is a drop. In that case, I can never manage a system.
I have heard Twitter has been hacked by someone once! )

vonskippy
Posts: 839
Joined: 2006/12/30 03:00:04
Location: Western Slope Colorado

Re: How to clean hacked server and add more security?

Post by vonskippy » 2013/10/04 04:24:57

[quote]
agriz wrote:
What else could be a problem on the server?[/quote]
You may NEVER know.

Which is why the only way (THE ONLY WAY) to be sure a compromised server is no longer compromised is to do a low level format on the hard drive(s) and start completely fresh.

Otherwise you can never be 100% sure that you have a clean server.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: How to clean hacked server and add more security?

Post by agriz » 2013/10/04 04:38:11

I am honestly going to start the site on a new server.
I am only using the scripts which I need.

I think I installed webmin without yum.
I installed all other software with yum.

How did the malware reach my server?
What kind of malware is it?

Is it through any package?
Is it through my scripts?
Is it through any other way?

I allow users to upload the scripts.
I check for the image type. If it is not an image, it will not be uploaded.
If it is an image, it will be sent to a folder where I have a .htaccess file which blocks all execution of scripts.
I also use php createimagefrom(gif|jpeg|png) before uploading. So, the file will never get executed.

I have blocked root login in SSH.
I connect to FTP with SSH.

Execution in tmp has been stopped.
I haven't changed the file location from /var/www/.
PHP secure installation.
I have done a few more things to secure it with the knowledge I have.
I am using the EPEL and RPMForge repos.

They might be enough or they might not be enough.

If I haven't found the problem, I am going to repeat the same security and scripts on my server, which will be welcoming malware with the same security hole.
That is why I would like to find the problem before I change the server.
I just need a clue for the problem.

(I was using JustHost shared hosting. Someone hacked the server, which slowly spread and attacked my site too. But that problem was soon fixed.)
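One caveat on the upload filter described in the post above, as an added example that is not the poster's code: loading a file with imagecreatefrom* (or checking its type) only validates the image header, so a file with a valid GIF/JPEG/PNG header can still carry PHP code in a comment or after the image data, which is the pattern a ClamAV "PHP.Hide" hit on a gif usually means. This stdlib-only scanner reports such files in an upload directory (the directory path is an assumption), so the .htaccess no-execute rule is not the only line of defence.

```python
import os

# Magic bytes for the image types the upload filter accepts.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Byte sequences that have no business inside an image file. A file can
# pass the header check and still contain these in a comment block or
# appended after the image data.
SUSPICIOUS = [b"<?php", b"<?=", b"eval(", b"base64_decode(", b"system("]

def image_type(data):
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def scan_bytes(data):
    """Return (image_type, markers_found). A clean image gives (kind, []);
    a non-image or a polyglot gives a non-empty marker list."""
    found = [p.decode() for p in SUSPICIOUS if p in data]
    return image_type(data), found

def scan_directory(root):
    """Walk an upload directory and report files that are not images at
    all or that are images with PHP markers embedded in them."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind, found = scan_bytes(data)
            if kind is None or found:
                report.append((path, kind, found))
    return report

# Constructed samples: a minimal GIF, and the same bytes with a harmless
# PHP tag appended, which is enough to be reported while still "being" a GIF.
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
POLYGLOT_GIF = CLEAN_GIF + b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    print(scan_directory("/var/www/uploads"))  # assumed upload directory
```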

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: How to clean hacked server and add more security?

Post by unspawn » 2013/10/04 06:42:19

It appears information has been fed into this thread in such a way that it leaves an incomplete and unclear picture of what the state of the "victim" server (or shared hosting account?) actually was or is and what applies to the new server. Next to that it seems issues are not prioritized in a way that seems logical to me (for example SSH root access should not ever have been an issue as it should have been disabled from the start. [i]It's not a security best practice[/i]) and there's been some reading problems (for example I never suggested to install just ClamAV but use the LMD databases). All of this makes it difficult to assess things.

Now if the Spamhaus RBL lists a site then you have been or may still be sending spam. "PHP.Hide-2" points to a C99(-like) PHP shell. Apart from admin problems with lax access controls / (mis)configuration / lax security or (subverted or malicious) local user accounts / badly coded homebrewed scripts it's commonly vulnerable software in the web stack that enables an attacker to upload a shell.

Mitigate the situation by disabling web and mail services (in short just stop hosting), make backups, ensure the new system only contains up-to-date system software, then harden the system and set up appropriate auditing, take care to strengthen the web stack with the recommendations from the CentOS, SANS and OWASP documentation. Migrate (or better: have your clients if any migrate) hosting accounts and slap them hard when you find homebrewed, illegal or outdated CMS, forum, web log, photo gallery, statistics, or other software including themes, extensions, plugins and whatnot. Scan the account before allowing it to go live. Ensure regular system auditing, reporting and update checks are in place and remember that [i]it is your responsibility towards the rest of the 'net[/i] to keep things safe.

Nanook
Posts: 14
Joined: 2007/08/27 09:48:39
Location: Shoreline, WA

Re: How to clean hacked server and add more security?

Post by Nanook » 2021/06/26 19:32:51

rkhunter will find things on a perfectly clean site until you whitelist various things that normally use deleted files, etc. This is normal and you should not consider your site hacked just because rkhunter returns a positive result until you've investigated the rkhunter.log and determined the cause.

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How to clean hacked server and add more security?

Post by lightman47 » 2021/07/01 21:30:57

My observation is that rkhunter tends to report changes to files, whether by you or by updates, etc. A 'please check the machine' (I used to get them often) does not necessarily indicate a hack. As mentioned, you need to read the log to find out why you are getting the notification.

In my case, it turned out to be normal file changes related to running update. As my backups and updates are scripted, I solved my issue by adding rkhunter --propupd at the end of my script, which refreshes the file 'signature' list after each update.
