Koozali.org: home of the SME Server

Site Hacked

calisun
Site Hacked
« on: December 04, 2018, 06:35:16 PM »
I had some issues for a while with PHP, as can be seen in my post here: https://forums.contribs.org/index.php/topic,53598.0.html
Recently I found out that I had similar issues when trying to export an SQL table using PHPMyAdmin (I would also get a blank screen).
I started to dig around to see what was going on, and I discovered that a site I had on my server (which I had forgotten about and neglected) was based on PHP software from 2008. Since I had forgotten about that site, it was not updated and it got hacked. The site is offline now.

I am able to use Horde by setting the PHP Software Collections contrib to PHP71.
Also, after uninstalling and re-installing PHPMyAdmin, it seems to work fine.

My question is, how do I find out what they got into and what was changed on the server, so I can fix it and get the default PHP to function properly?
« Last Edit: December 04, 2018, 09:01:11 PM by calisun »
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

ReetP
Re: Site Hacked
« Reply #1 on: December 05, 2018, 03:27:19 AM »
Others will give you better advice than me, but logs are the place to look.

However, I think the suggestions will be to first take it offline to check the damage.

It may be hard to detect exactly what has been done, and whether you are still exposed, so a reinstall/restore may be required.

You can search the interwebs for general advice on dealing with a compromised server.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
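ReetP's pointer to the logs can be made concrete. The shell functions below are an added example, not code from the thread or from SME Server: they pull out of an Apache combined-format access log the requests that typically mark a compromised PHP site, which is where the entry point into a forgotten 2008-era application would show up. The log lines at the bottom are constructed for the example (RFC 5737 documentation addresses, a made-up /oldsite path); the real log on SME Server is assumed to be /var/log/httpd/access_log, and the directory names treated as "should never serve PHP" are an assumption to adjust for the application in question.

```sh
#!/bin/sh
# Triage of an Apache access log in combined format for the traces a PHP site
# compromise usually leaves.  Field layout per line:
#   $1 client, $4 "[timestamp", $6 "\"METHOD", $7 request path, $9 HTTP status.

# POSTs to .php URLs that were answered 2xx, counted per client and path
# (query string stripped), most frequent first.  Legitimate forms show up
# too; what matters is a path you do not recognise, or one client hammering
# it.  $1 = access log (assumed /var/log/httpd/access_log on SME Server).
php_posts() {
    awk '$6 == "\"POST" && $9 ~ /^2/ {
             split($7, p, "?")
             if (p[1] ~ /\.php$/) c[$1 " " p[1]]++
         }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Requests for .php under directories that should only hold static or
# uploaded content.  The directory names are an assumption for the example;
# adjust them for the application.  Each path is printed once, with the
# first time and client that requested it.  $1 = access log.
php_outside_app() {
    awk '{ split($7, p, "?")
           if (p[1] ~ /\/(images|uploads|cache|tmp|files)\/.*\.php$/ && !(p[1] in seen)) {
               seen[p[1]] = 1
               print p[1], substr($4, 2), $1
           }
         }' "$1"
}

# Everything one client did, in order: "time method path status".
# $1 = client address, $2 = access log.
client_timeline() {
    awk -v ip="$1" '$1 == ip { print substr($4, 2), substr($6, 2), $7, $9 }' "$2"
}

# --- constructed sample log: documentation addresses, made-up /oldsite path ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [01/Dec/2018:02:14:07 +0000] "GET /oldsite/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2018:02:14:31 +0000] "POST /oldsite/images/cache/x.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2018:02:15:02 +0000] "POST /oldsite/images/cache/x.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Dec/2018:08:00:10 +0000] "GET /oldsite/index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.23 - - [01/Dec/2018:08:00:11 +0000] "GET /oldsite/style.css HTTP/1.1" 200 880 "-" "Googlebot/2.1"
192.0.2.9 - - [01/Dec/2018:09:30:00 +0000] "POST /oldsite/contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2018:03:01:44 +0000] "POST /oldsite/images/cache/x.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
EOF

echo "== POSTs to PHP answered 2xx";             php_posts "$LOG"
echo "== PHP requested from static directories"; php_outside_app "$LOG"
echo "== timeline for 203.0.113.7";              client_timeline 203.0.113.7 "$LOG"
```

Run it against the real log with the functions' file argument pointed at /var/log/httpd/access_log (and the rotated copies next to it); the second function is the quickest way to find a dropped file, the third tells you what that client did before and after it appeared. Rotated logs may already have lost the first contact, which is one reason the thread's advice to reinstall rather than reconstruct is sound.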

mmccarn
Re: Site Hacked
« Reply #2 on: December 05, 2018, 02:25:02 PM »
If an attacker has been able to actually compromise files on your system, you probably need to reinstall from scratch and then transfer only your data from the existing system.

However, it could be that you simply installed an rpm related to the default php from a non-standard repository, or have a non-standard config somewhere.

In case this helps, here is info related to the default php and the default php rpms on my up-to-date SME 9.2 server:

php cli location and version
Code:
# which php
/usr/bin/php

# php -v
PHP 5.3.3 (cli) (built: Mar 22 2017 12:27:09)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

default php rpms, versions, sizes, and source repositories
Code:
# for f in $(rpm -qa php-*); do pkgs="$pkgs $f"; done; yum info $pkgs |egrep "^$|Name|Arch|Version|Release|Size|From repo"
Name        : php-cli
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 6.2 M
From repo   : base

Name        : php-common
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 2.9 M
From repo   : base

Name        : php-gd
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 324 k
From repo   : base

Name        : php-imap
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 100 k
From repo   : base

Name        : php-ldap
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 52 k
From repo   : base

Name        : php-mbstring
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 2.1 M
From repo   : base

Name        : php-mysql
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 216 k
From repo   : base

Name        : php-pdo
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 168 k
From repo   : base

Name        : php-pear
Arch        : noarch
Version     : 1.9.4
Release     : 5.el6
Size        : 2.2 M
From repo   : base

Name        : php-pear-Auth-SASL
Arch        : noarch
Version     : 1.0.6
Release     : 1.el6
Size        : 51 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Cache
Arch        : noarch
Version     : 1.5.6
Release     : 1.el6
Size        : 160 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-DB
Arch        : noarch
Version     : 1.7.13
Release     : 3.el6
Size        : 688 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Date
Arch        : noarch
Version     : 1.4.7
Release     : 5.el6
Size        : 402 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-File
Arch        : noarch
Version     : 1.4.0
Release     : 1.el6
Size        : 35 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-File-CSV
Arch        : noarch
Version     : 1.0.0
Release     : 2.el6
Size        : 86 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-File-Util
Arch        : noarch
Version     : 1.0.0
Release     : 2.el6
Size        : 26 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-HTTP
Arch        : noarch
Version     : 1.4.1
Release     : 5.el6
Size        : 38 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-HTTP-Request
Arch        : noarch
Version     : 1.4.4
Release     : 2.el6
Size        : 73 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Log
Arch        : noarch
Version     : 1.12.7
Release     : 1.el6
Size        : 246 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-MDB2
Arch        : noarch
Version     : 2.5.0
Release     : 0.9.b5.el6
Size        : 804 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Mail
Arch        : noarch
Version     : 1.2.0
Release     : 1.el6
Size        : 106 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Mail-Mime
Arch        : noarch
Version     : 1.8.4
Release     : 1.el6
Size        : 157 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Net-DIME
Arch        : noarch
Version     : 1.0.2
Release     : 1.el6
Size        : 55 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Net-FTP
Arch        : noarch
Version     : 1.3.7
Release     : 4.el6
Size        : 150 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Net-SMTP
Arch        : noarch
Version     : 1.6.1
Release     : 1.el6
Size        : 58 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Net-Socket
Arch        : noarch
Version     : 1.0.10
Release     : 1.el6
Size        : 21 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Net-URL
Arch        : noarch
Version     : 1.0.15
Release     : 4.el6
Size        : 26 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-SOAP
Arch        : noarch
Version     : 0.12.0
Release     : 4.el6
Size        : 358 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-Services-Weather
Arch        : noarch
Version     : 1.4.5
Release     : 2.el6
Size        : 284 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-XML-Parser
Arch        : noarch
Version     : 1.3.4
Release     : 1.el6
Size        : 75 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-pear-XML-Serializer
Arch        : noarch
Version     : 0.20.2
Release     : 1.el6
Size        : 223 k
From repo   : anaconda-base-201512091034.x86_64

Name        : php-xml
Arch        : x86_64
Version     : 5.3.3
Release     : 49.el6
Size        : 307 k
From repo   : base

Selected entries from httpd.conf (ignore the entries related to my ibays, of course)
Code:
# egrep "Directory|AddHandler|php" /etc/httpd/conf/httpd.conf |grep -v "^\w*#"
LoadModule php5_module modules/libphp5.so
DirectoryIndex index.htm index.html index.shtml index.cgi
DirectoryIndex index.htm index.html index.shtml index.cgi index.php index.php3 index.phtml
<IfModule mod_php4.c>
    AddIcon /icons/php4.gif .php3 .php4 .php .phtml
    AddIcon /icons/phps.gif .phps
AddHandler cgi-script .cgi
AddHandler server-parsed .shtml
AddHandler imap-file map
ScriptAlias /phpscl-cgi /usr/bin/phpscl
<Directory /usr/bin/phpscl>
</Directory>
<Directory />
</Directory>
<Directory /home/httpd/html/horde>
    <FilesMatch "test.php$">
    AddType application/x-httpd-php .php .php3
    php_value include_path           '/usr/share/pear-addons:/usr/share/pear'
    php_flag  magic_quotes_gpc       off
    php_flag  track_vars             on
    php_flag  session.use_trans_sid  off
    php_admin_flag  allow_url_fopen  on
</Directory>
<Directory /home/httpd/html/horde/config>
</Directory>
<Directory /home/httpd/html/horde/lib>
</Directory>
<Directory /home/httpd/html/horde/locale>
</Directory>
<Directory /home/httpd/html/horde/templates>
</Directory>
<Directory /home/httpd/html/horde/scripts>
</Directory>
<Directory /home/httpd/html/horde/imp/config>
</Directory>
<Directory /home/httpd/html/horde/imp/lib>
</Directory>
<Directory /home/httpd/html/horde/imp/locale>
</Directory>
<Directory /home/httpd/html/horde/imp/templates>
</Directory>
<Directory /home/httpd/html/horde/ingo/config>
</Directory>
<Directory /home/httpd/html/horde/ingo/lib>
</Directory>
<Directory /home/httpd/html/horde/ingo/locale>
</Directory>
<Directory /home/httpd/html/horde/ingo/templates>
</Directory>
<Directory "/usr/lib64/GNUstep/SOGo/">
</Directory>
<Directory /home/e-smith/files/server-resources>
</Directory>
<Directory /home/httpd/html/horde/turba/config>
</Directory>
<Directory /home/httpd/html/horde/turba/lib>
</Directory>
<Directory /home/httpd/html/horde/turba/locale>
</Directory>
<Directory /home/httpd/html/horde/turba/templates>
</Directory>
<Directory /var/www/icons>
</Directory>
    <Directory /var/www/sarg>
    </Directory>
<Directory /home/e-smith/files/ibays/Primary/html>
</Directory>
<Directory /home/e-smith/files/ibays/Primary/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/Primary/files>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/html>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/files>
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/html>
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/files>
</Directory>
<Directory /home/e-smith/files/ibays/tasks/html>
</Directory>
<Directory /home/e-smith/files/ibays/tasks/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/tasks/files>
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/html>
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/cgi-bin>
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/files>
</Directory>
<Directory /home/e-smith/files/ibays/bugs/html>
    AddHandler phpscl-cgi .php
    Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/html>
    AddHandler phpscl-cgi .php
    Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/tasks/html>
    AddHandler phpscl-cgi .php
    Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/html>
    AddHandler phpscl-cgi .php
    Action phpscl-cgi /phpscl-cgi/php71_REMI
</Directory>
<Directory /home/e-smith/files/ibays/Primary/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/Primary/
</Directory>
<Directory /home/e-smith/files/ibays/bugs/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/bugs/
</Directory>
<Directory /home/e-smith/files/ibays/smokeping/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/smokeping/
</Directory>
<Directory /home/e-smith/files/ibays/tasks/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/tasks/
</Directory>
<Directory /home/e-smith/files/ibays/wordpress/html>
    AddType application/x-httpd-php .php .php3 .phtml
    AddType application/x-httpd-php-source .phps
    php_admin_value open_basedir /home/e-smith/files/ibays/wordpress/
</Directory>

Checksums for apache "modules"
Code:
# shasum /usr/lib64/httpd/modules/*
8bdd401d88ea89bf055c209925f620c6439a2e65  /usr/lib64/httpd/modules/libphp54-php5.so
fc6b444854531d0bec063ed5df9ef0f785980c93  /usr/lib64/httpd/modules/libphp55-php5.so
3d07766ee31fcc4fb9335d4db4bc168cec3321c1  /usr/lib64/httpd/modules/libphp56-php5.so
3e0284d3cc8db9052116348b7bd512676703cfb9  /usr/lib64/httpd/modules/libphp5.so
f79ef722a9190505f4cc2a329c2ee5067086c6a7  /usr/lib64/httpd/modules/libphp70.so
edb1db58295bae7f83d5317f192d1ee30fed1558  /usr/lib64/httpd/modules/libphp71.so
e9a282120c284452f5540c8c2d199efdcc181814  /usr/lib64/httpd/modules/mod_actions.so
30634176434de65926b6c8f4257ca3d9967a51b2  /usr/lib64/httpd/modules/mod_alias.so
36537b2029981c0e169397344d7d19bd48a69920  /usr/lib64/httpd/modules/mod_asis.so
d8d3d3f205b4047cef5fd1a83289d59e74019d74  /usr/lib64/httpd/modules/mod_auth_basic.so
23b1c19be41a75eeb8acc8d64b9685bfbcc78261  /usr/lib64/httpd/modules/mod_auth_digest.so
39e3a86c5c7e701b31a735709fe5a85aab72c546  /usr/lib64/httpd/modules/mod_authn_alias.so
ce62fa54f18a600c132a586a8b8532fe5f86d03a  /usr/lib64/httpd/modules/mod_authn_anon.so
e43a340196b61528b1cbc39efe801077dbda6c15  /usr/lib64/httpd/modules/mod_authn_dbd.so
404e9a8fc23c970bfd6dc389982221a66ab9445d  /usr/lib64/httpd/modules/mod_authn_dbm.so
ff2a15240126478af771842ad517a8d47ae112ba  /usr/lib64/httpd/modules/mod_authn_default.so
40c97c528c01a42b73ea20815d46cec0d311e592  /usr/lib64/httpd/modules/mod_authn_file.so
249f16e76410df5cd710582ff63f077c719da5bb  /usr/lib64/httpd/modules/mod_authnz_external.so
268aef351a42feedf874aefd9fd2e156fbd4cd0f  /usr/lib64/httpd/modules/mod_authnz_ldap.so
24df1ec092e9443b36cdb91615aa908a5acaef67  /usr/lib64/httpd/modules/mod_auth_tkt.so
a0fece1ee0ef75dd69e8c4364bea15406631b202  /usr/lib64/httpd/modules/mod_authz_dbm.so
17ed8fda236174f1b582f28fe7a82757fd2aa968  /usr/lib64/httpd/modules/mod_authz_default.so
a07f678461075da7a820df46ed10e714e6f67e38  /usr/lib64/httpd/modules/mod_authz_groupfile.so
4466d3ec4780e1a08467a353c33b417575f484e3  /usr/lib64/httpd/modules/mod_authz_host.so
9cf20ddc1bec004e2fb854cb7f006421566f86f1  /usr/lib64/httpd/modules/mod_authz_owner.so
738c8f4764de1fadebde9b30fcf1bb7ccbe4464e  /usr/lib64/httpd/modules/mod_authz_user.so
e817a6886d4f731da585c5ae168fb679aaedb0eb  /usr/lib64/httpd/modules/mod_autoindex.so
af977fdcecb60fb44393dec28446ae4ef19fa04b  /usr/lib64/httpd/modules/mod_cache.so
7dc7278d639cf45b62307f96f73ed4633945cce5  /usr/lib64/httpd/modules/mod_cern_meta.so
67c0749d1c8cc27f2c949f6f8b0d6c5d00263086  /usr/lib64/httpd/modules/mod_cgid.so
113fb6bd07724881d7f9e37cc01196349429fb8c  /usr/lib64/httpd/modules/mod_cgi.so
d8980ade3bae0a14e57b67696642be907c3cb8f6  /usr/lib64/httpd/modules/mod_dav_fs.so
d75ffcbe9ced3b51bbef7ad8ea008962238d386a  /usr/lib64/httpd/modules/mod_dav.so
ba0df52c659e96b3e7d0b3048d6383f1665d55cf  /usr/lib64/httpd/modules/mod_dbd.so
403aa542cd2a3cf4935c4e6b552f4c596443acff  /usr/lib64/httpd/modules/mod_deflate.so
eb8e20547a43cfdcd74db6b40ee61cd1a2ad73f3  /usr/lib64/httpd/modules/mod_dir.so
f1a4bb73b25f0985886e5cb0715b8c2f48333a80  /usr/lib64/httpd/modules/mod_disk_cache.so
0936522ffca5699e5a2445adda50f405653b3626  /usr/lib64/httpd/modules/mod_dumpio.so
78ab2aaa6379a505cc24cb3a7497507348550572  /usr/lib64/httpd/modules/mod_env.so
097dd3a9dd07f5b6a06d832efa01654026fe4f03  /usr/lib64/httpd/modules/mod_expires.so
0cfe6944495fa3148d189c4a80d0326f4266c6b3  /usr/lib64/httpd/modules/mod_ext_filter.so
0ad8e437d2f5b85c6a0e51cb52a86420308b50b8  /usr/lib64/httpd/modules/mod_filter.so
df639783ea644d351ef59d0e515ecdaac7d70ddb  /usr/lib64/httpd/modules/mod_headers.so
8272018733ae7105db1233ed25a2ca5d07e09f0b  /usr/lib64/httpd/modules/mod_ident.so
dce850575d57c2d35140938d1d0940cce2d21300  /usr/lib64/httpd/modules/mod_include.so
b7f303cd4c7a144c33c8bc917d0df6c6be82da40  /usr/lib64/httpd/modules/mod_info.so
f0838b6126f740788d84642950b4a252c2dc2dac  /usr/lib64/httpd/modules/mod_ldap.so
be3a2dc06c34a237e9b086946886bf4d9574b10b  /usr/lib64/httpd/modules/mod_log_config.so
bdf96b7b337a46efae9d3c706016b811ece6c7d1  /usr/lib64/httpd/modules/mod_log_forensic.so
4fba00551e09cbbd1d34e66af8de6fa94d2dc2d7  /usr/lib64/httpd/modules/mod_logio.so
2cd663c9fc3ca613435f3651d14693749278d87b  /usr/lib64/httpd/modules/mod_mime_magic.so
389ac407e5fb26ab6d8b2446d8e5c2c04503bae5  /usr/lib64/httpd/modules/mod_mime.so
ac45360aa88c6a96987eb34d3fb833ae7ca278a2  /usr/lib64/httpd/modules/mod_negotiation.so
e02d06587e7fd4669b7ffbc062982fcf0a2a6b68  /usr/lib64/httpd/modules/mod_perl.so
4d197f401fbdf0e666bb56814772f3ba9f1abcae  /usr/lib64/httpd/modules/mod_proxy_ajp.so
a5694effd1545d343938becf5da886b40bf6e266  /usr/lib64/httpd/modules/mod_proxy_balancer.so
cd460892e580ef9c4786aaf6d58e6552a50b4488  /usr/lib64/httpd/modules/mod_proxy_connect.so
bb18221ff7d59506d921b20042d359a3491fc6f7  /usr/lib64/httpd/modules/mod_proxy_ftp.so
6ed8f606d3514048374d209f4c556abedfcbc60a  /usr/lib64/httpd/modules/mod_proxy_http.so
a9fb9b21b6208c9891674d294cbb6992af859e2a  /usr/lib64/httpd/modules/mod_proxy_scgi.so
dd2196e1a67640597de1207322b648a2eaf73c5e  /usr/lib64/httpd/modules/mod_proxy.so
d80a0971c5c3a7680459359a055217dd2bfd7051  /usr/lib64/httpd/modules/mod_reqtimeout.so
f6573271b822057a1c3aa546195f750ffa1a3441  /usr/lib64/httpd/modules/mod_rewrite.so
f5f0c35f0d2e96d44effae2f0ae75869f20087f6  /usr/lib64/httpd/modules/mod_setenvif.so
1585e4525643d07a4ea034aeaae39fa377089cdc  /usr/lib64/httpd/modules/mod_speling.so
2d868d1dcade8cdecd975a42ff2fc6262736c9d6  /usr/lib64/httpd/modules/mod_ssl.so
988f72bfc2aa1a83ba5db1c6ab52c2b3221d5556  /usr/lib64/httpd/modules/mod_status.so
dc143ba0503329e6d5d96e78d3c040f1a203299d  /usr/lib64/httpd/modules/mod_substitute.so
8094e2b57c1c52bf5a006697d7f4c781102c3b28  /usr/lib64/httpd/modules/mod_suexec.so
e7242702208c52686f0146ebe7247ff2c58e73d7  /usr/lib64/httpd/modules/mod_unique_id.so
ebc4615518434c3d444424fd18293795738cc31c  /usr/lib64/httpd/modules/mod_userdir.so
b213e1ff036bd57d392af3fb42b21ab892c12a82  /usr/lib64/httpd/modules/mod_usertrack.so
0917bdaba68640ef387e3ea31ed4fecb49eed80d  /usr/lib64/httpd/modules/mod_version.so
0ae2dac28f2468b202e491eef4629e7beba996c8  /usr/lib64/httpd/modules/mod_vhost_alias.so

yum activity related to php
Code:
# grep -i ": php-" /var/log/yum/yum.log
Feb 19 13:53:49 Updated: php-common-5.3.3-48.el6_8.x86_64
Feb 19 13:53:51 Updated: php-cli-5.3.3-48.el6_8.x86_64
Feb 19 13:53:56 Updated: php-pdo-5.3.3-48.el6_8.x86_64
Feb 19 13:56:36 Updated: php-gd-5.3.3-48.el6_8.x86_64
Feb 19 13:57:05 Updated: php-5.3.3-48.el6_8.x86_64
Feb 19 13:57:19 Updated: php-mysql-5.3.3-48.el6_8.x86_64
Feb 19 13:57:21 Updated: php-imap-5.3.3-48.el6_8.x86_64
Feb 19 13:57:23 Updated: php-ldap-5.3.3-48.el6_8.x86_64
Feb 19 13:57:24 Updated: php-mbstring-5.3.3-48.el6_8.x86_64
Feb 19 13:57:25 Updated: php-xml-5.3.3-48.el6_8.x86_64
Apr 07 07:44:27 Updated: php-common-5.3.3-49.el6.x86_64
Apr 07 07:44:31 Updated: php-pdo-5.3.3-49.el6.x86_64
Apr 07 07:44:33 Updated: php-cli-5.3.3-49.el6.x86_64
Apr 07 07:45:37 Updated: php-gd-5.3.3-49.el6.x86_64
Apr 07 07:45:54 Updated: php-5.3.3-49.el6.x86_64
Apr 07 07:45:55 Updated: php-mysql-5.3.3-49.el6.x86_64
Apr 07 07:45:57 Updated: php-imap-5.3.3-49.el6.x86_64
Apr 07 07:45:57 Updated: php-ldap-5.3.3-49.el6.x86_64
Apr 07 07:45:58 Updated: php-mbstring-5.3.3-49.el6.x86_64
Apr 07 07:45:59 Updated: php-xml-5.3.3-49.el6.x86_64

httpd, php checksums
Code:
# shasum /usr/sbin/httpd /usr/bin/php
4025414508ba153691a7de8fca3ae07ea55cfa84  /usr/sbin/httpd
be15b567e4ae28f8b27bb1f13c0e2a4fcf7d4e68  /usr/bin/php

mmccarn
Re: Site Hacked
« Reply #3 on: December 05, 2018, 02:45:56 PM »
If you have the time and the spare hardware around, you could install a fresh/blank SME server, do all the updates, then start comparing the two systems.

Another item to check is all running processes listening on ports (then research each item and compare the executable to a known-good system):
Code:
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:3128              0.0.0.0:*                   LISTEN      2755/squid         
tcp        0      0 192.168.200.2:3128          0.0.0.0:*                   LISTEN      2755/squid         
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2460/perl           
tcp        0      0 0.0.0.0:2202                0.0.0.0:*                   LISTEN      2626/sshd           
tcp        0      0 127.0.0.1:26                0.0.0.0:*                   LISTEN      1054/perl           
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      1597/httpd         
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      1991/slapd         
tcp        0      0 127.0.0.1:4190              0.0.0.0:*                   LISTEN      2318/dovecot       
tcp        0      0 127.0.0.1:20000             0.0.0.0:*                   LISTEN      14599/sogod         
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      2318/dovecot       
tcp        0      0 0.0.0.0:515                 0.0.0.0:*                   LISTEN      2253/lpd           
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      2215/tcpsvd         
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1991/slapd         
tcp        0      0 0.0.0.0:9001                0.0.0.0:*                   LISTEN      3164/node           
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3171/mysqld         
tcp        0      0 127.0.0.1:139               0.0.0.0:*                   LISTEN      2784/smbd           
tcp        0      0 192.168.200.2:139           0.0.0.0:*                   LISTEN      2784/smbd           
tcp        0      0 0.0.0.0:8843                0.0.0.0:*                   LISTEN      1597/httpd         
tcp        0      0 127.0.0.1:11211             0.0.0.0:*                   LISTEN      2172/memcached     
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      2201/tcpsvd         
tcp        0      0 127.0.0.1:783               0.0.0.0:*                   LISTEN      2736/perl           
tcp        0      0 127.0.0.1:143               0.0.0.0:*                   LISTEN      2318/dovecot       
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1597/httpd         
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      2606/perl           
tcp        0      0 127.0.0.1:980               0.0.0.0:*                   LISTEN      2645/httpd-admin   
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2441/tcpsvd         
tcp        0      0 127.0.0.2:53                0.0.0.0:*                   LISTEN      2168/dnscache       
tcp        0      0 192.168.200.2:53            0.0.0.0:*                   LISTEN      2151/dnscache       
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               3416/dhcpd         
udp        0      0 127.0.0.1:11211             0.0.0.0:*                               2172/memcached     
udp        0      0 0.0.0.0:59895               0.0.0.0:*                               2755/squid         
udp        0      0 192.168.200.2:123           0.0.0.0:*                               2387/ntpd           
udp        0      0 127.0.0.1:123               0.0.0.0:*                               2387/ntpd           
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               2387/ntpd           
udp        0      0 192.168.200.255:137         0.0.0.0:*                               2774/nmbd           
udp        0      0 192.168.200.2:137           0.0.0.0:*                               2774/nmbd           
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               2774/nmbd           
udp        0      0 192.168.200.255:138         0.0.0.0:*                               2774/nmbd           
udp        0      0 192.168.200.2:138           0.0.0.0:*                               2774/nmbd           
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               2774/nmbd           
udp        0      0 0.0.0.0:1812                0.0.0.0:*                               2704/radiusd       
udp        0      0 0.0.0.0:1813                0.0.0.0:*                               2704/radiusd       
udp        0      0 127.0.0.1:53                0.0.0.0:*                               2298/tinydns       
udp        0      0 127.0.0.2:53                0.0.0.0:*                               2168/dnscache       
udp        0      0 192.168.200.2:53            0.0.0.0:*                               2151/dnscache       
udp        0      0 :::123                      :::*                                    2387/ntpd

If you've truly been compromised, you also need to locate and examine anything that might run a program on a schedule -- cron, startup scripts, service definitions, php code for all web apps (owncloud has a scheduler option described as 'run when pages are reloaded', IIRC).

Any services accessible from offsite must be thoroughly researched and vetted.

For example:
If ssh is accessible from offsite, is there now an unexplained entry in <user>/.ssh/authorized_keys for any user (bearing in mind that it is possible to have ssh use a different filename for authorized_keys)? 

Are there any unexplained user accounts in /etc/passwd or in your ldap?

The original linux hack (from a book I read in the early 90's) was to replace the login executable with either a wrapper or compromised version that saved usernames and passwords for every login for later recovery.

Every executable that is able to communicate over a network - inbound or outbound - might be compromised either in the file itself or in its configuration in a way that could give the attacker renewed/future access to your server...

And, to really light up your day -- if your server has truly been hacked, the attacker may have compromised one or more other systems or devices on your LAN, which would then let them use that system to regain access to the server. If the SME server is your router and DNS, they could also have snooped credentials out of your browser sessions with offsite servers and services...
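The account, authorized_keys and listening-port checks mmccarn describes, as an added example that is not part of the thread or of SME Server. Every function takes file paths, so the same checks can be run on a clean machine over copies of /etc/passwd, /etc/ssh/sshd_config and a saved `netstat -tulpn` capture from the suspect host. The data at the bottom is constructed: the passwd entries, the second uid-0 account named sysupd, the non-default AuthorizedKeysFile location, the key strings and the extra listener on port 1337 are all made up for the demonstration; the baseline listener lines are trimmed from mmccarn's netstat output above.

```sh
#!/bin/sh
# Footholds to check after a compromise: login-capable or uid-0 accounts, every
# SSH authorized_keys file sshd would honour for them, and listeners that were
# not present on a known-good capture.

# "user uid home shell" for accounts with uid 0 or a real login shell.
# $1 = passwd file.
login_accounts() {
    awk -F: '$3 == 0 || $7 !~ /\/(nologin|false|sync|halt|shutdown)$/ { print $1, $3, $6, $7 }' "$1"
}

# uid-0 accounts other than root: a classic leftover.  $1 = passwd file.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# AuthorizedKeysFile patterns from sshd_config ($1); OpenSSH's defaults if
# unset.  A planted key file is only hidden if you look in the default place.
authorized_key_patterns() {
    p=$(awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^ +/, ""); print }' "$1" | tail -n 1)
    [ -n "$p" ] || p=".ssh/authorized_keys .ssh/authorized_keys2"
    printf '%s\n' "$p"
}

# Every existing key file per login account, with its key count.
# $1 = passwd file, $2 = sshd_config.  Output: "user uid=N path keys=N".
find_authorized_keys() {
    pats=$(authorized_key_patterns "$2")
    login_accounts "$1" | while read -r user uid home shell; do
        for pat in $pats; do
            f=$(printf '%s\n' "$pat" | sed "s|%h|$home|g; s|%u|$user|g; s|%%|%|g")
            case "$f" in /*) ;; *) f="$home/$f" ;; esac   # relative = under $HOME
            if [ -f "$f" ]; then
                printf '%s uid=%s %s keys=%s\n' "$user" "$uid" "$f" "$(grep -c '^[^#[:space:]]' "$f")"
            fi
        done
    done
}

# Normalise a `netstat -tulpn` capture to "proto local-address program",
# dropping PIDs, which change on every restart.  $1 = capture file.
norm_listeners() {
    awk '$1 ~ /^(tcp|udp)/ { prog = $NF; sub(/^[0-9]+\//, "", prog); print $1, $4, prog }' "$1" | sort -u
}

# NEW/GONE listeners between a baseline capture ($1) and a current one ($2).
listener_diff() {
    a=$(mktemp); b=$(mktemp)
    norm_listeners "$1" > "$a"; norm_listeners "$2" > "$b"
    comm -13 "$a" "$b" | sed 's/^/NEW  /'
    comm -23 "$a" "$b" | sed 's/^/GONE /'
    rm -f "$a" "$b"
}

# --- constructed sample data ---------------------------------------------------
T=$(mktemp -d)
mkdir -p "$T/root/.ssh" "$T/home/alice" "$T/home/sysupd" "$T/keys"
PASSWD="$T/passwd"; SSHD="$T/sshd_config"; BASE="$T/netstat.base"; NOW="$T/netstat.now"
printf '%s\n' \
    "root:x:0:0:root:$T/root:/bin/bash" \
    "bin:x:1:1:bin:/bin:/sbin/nologin" \
    "apache:x:48:48:Apache:/var/www:/sbin/nologin" \
    "alice:x:5000:5000:a user:$T/home/alice:/bin/bash" \
    "sysupd:x:0:0:second uid-0 account:$T/home/sysupd:/bin/bash" > "$PASSWD"
printf 'Port 2202\nAuthorizedKeysFile .ssh/authorized_keys %s/keys/%%u\n' "$T" > "$SSHD"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheExample000 admin@laptop' > "$T/root/.ssh/authorized_keys"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheExample001 nobody@nowhere' > "$T/keys/sysupd"
cat > "$BASE" <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State   PID/Program name
tcp   0      0      0.0.0.0:443     0.0.0.0:*         LISTEN  1597/httpd
tcp   0      0      0.0.0.0:2202    0.0.0.0:*         LISTEN  2626/sshd
tcp   0      0      0.0.0.0:80      0.0.0.0:*         LISTEN  1597/httpd
udp   0      0      0.0.0.0:123     0.0.0.0:*                 2387/ntpd
EOF
cat > "$NOW" <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State   PID/Program name
tcp   0      0      0.0.0.0:443     0.0.0.0:*         LISTEN  1603/httpd
tcp   0      0      0.0.0.0:2202    0.0.0.0:*         LISTEN  2626/sshd
tcp   0      0      0.0.0.0:80      0.0.0.0:*         LISTEN  1603/httpd
tcp   0      0      0.0.0.0:1337    0.0.0.0:*         LISTEN  4242/sh
udp   0      0      0.0.0.0:123     0.0.0.0:*                 2387/ntpd
EOF

echo "== login-capable or uid-0 accounts"; login_accounts "$PASSWD"
echo "== uid-0 accounts other than root";  extra_root_accounts "$PASSWD"
echo "== authorized_keys files in use";    find_authorized_keys "$PASSWD" "$SSHD"
echo "== listener changes vs baseline";    listener_diff "$BASE" "$NOW"
```

On the real box the calls are `login_accounts /etc/passwd`, `find_authorized_keys /etc/passwd /etc/ssh/sshd_config` and, with a capture saved from a clean install as the baseline, `listener_diff baseline.txt <(netstat -tulpn)` or its temp-file equivalent. SME keeps users in LDAP as well as in the passwd file, so repeat the account check against the LDAP directory mmccarn mentions; and because a compromised netstat or sshd can lie, a listener capture taken from another host with a port scan is the stronger baseline.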

TerryF
Re: Site Hacked
« Reply #4 on: December 05, 2018, 10:18:15 PM »
Nicely summarised...
--
qui scribit bis legit