Atomic Secure Linux


All times are UTC - 5 hours [ DST ]




 Post subject: Cannot delete files :: Permission Denied
Posted: Fri Mar 06, 2015 1:18 pm
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
Well, it looks like I've had a server hacked. The hacker made access through a Wordpress site (what else!), downloaded a script, etc. He left behind a script that shows part of his actions. He grabbed the RSA key and somehow has locked known_hosts and authorized_keys. I have tried everything that I can think of to delete the files and cannot. I was able to edit them and save them as zero byte files.

Code:
-rw-r--r-- 1 root root    0 Mar  6 07:27 authorized_keys
-rw-r--r-- 1 root root    0 Mar  6 07:26 known_hosts


Suggestions?


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Fri Mar 06, 2015 6:56 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Could be a basic immutable flag setting. Check with:

lsattr

If it is immutable, you can strip that with chattr -i <filename>


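As an added illustration of the lsattr check suggested above (this is not code from the thread or from Atomicorp), the Python below parses lsattr output and reports the flags that make a file undeletable even for root. The sample output is constructed, modelled on the line KrazyBob posted later in the thread.

```python
import re

# Attribute letters as printed by lsattr (e2fsprogs); '-' marks an unset flag.
ATTR_NAMES = {
    "i": "immutable",      # no write, rename, unlink or hard link, even for root
    "a": "append-only",    # open for append only; unlink is still refused
    "u": "undeletable",
    "e": "extents",
    "A": "no-atime",
    "d": "no-dump",
    "S": "synchronous",
}
# The two flags that make rm fail with "Operation not permitted" for root.
BLOCKING = {"i", "a"}

# Constructed sample: the first line mirrors the thread's real lsattr result
# (no flags set), the second is what an immutable file would look like.
SAMPLE_LSATTR = """\
------------- authorized_key
----i-------- /root/.ssh/known_hosts
lsattr: Operation not supported While reading flags on /proc/1
"""

def parse_lsattr(output):
    """Map each file named in lsattr output to the set of flag letters it has."""
    result = {}
    for line in output.splitlines():
        m = re.match(r"^([-A-Za-z]+)\s+(.+)$", line.strip())
        if not m:
            continue  # error lines such as "lsattr: Operation not supported ..."
        flags, name = m.groups()
        result[name] = {c for c in flags if c != "-"}
    return result

def deletion_blockers(output):
    """Files whose flags would block rm, with readable names for chattr -i / -a."""
    return {name: sorted(ATTR_NAMES.get(c, c) for c in flags & BLOCKING)
            for name, flags in parse_lsattr(output).items() if flags & BLOCKING}

if __name__ == "__main__":
    for name, why in deletion_blockers(SAMPLE_LSATTR).items():
        print("%s: blocked by %s flag" % (name, ", ".join(why)))
    # A file with no blocking flags (the thread's case) needs another explanation,
    # for example an OpenVZ container file that has to be removed from the host side.
```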
 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Fri Mar 06, 2015 10:53 pm
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
Thank you for your reply. I appreciate you.

I've tried that. lsattr gives me:

------------- authorized_key


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sat Mar 07, 2015 7:49 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Not immutable then, could be a bad drive or something rootkit related


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sat Mar 07, 2015 8:01 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Is this within a VZ Container? If so, delete them from /vz/private/[ctid]/fs/root/root (or wherever).

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sat Mar 07, 2015 8:07 pm
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
EXCELLENT!!! It worked fine. Thank you.


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sat Mar 07, 2015 8:15 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Great.

This also, at least to my understanding, makes the possibility of a rootkit quite low. Run rkhunter and clamdscan to see what you can find. Be prepared for false positives on rkhunter due to it being a Container, and when running clamdscan make sure you exclude web log files or you'll see some false positives there too.



 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sat Mar 07, 2015 8:22 pm
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
I am running maldetect to see what site was compromised. But now I am researching how I can lock down SSH to only two IPs. I don't know how the container was compromised since it is behind a hardware firewall. Only Parallels and my client are supposed to have access.


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sat Mar 07, 2015 10:48 pm
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
You know, over the years I have been steadily learning and I appreciate each of you. But I am confused.

We have a Watchguard X8000 firewall and SSH is enabled only for stated IPs. How then could a hacker get into the server? Only me and specified clients plus Parallels have IPs stated.


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sun Mar 08, 2015 11:00 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
It won't have happened via ssh. It would most probably have been via the wordpress site you mentioned, since you saw things happening there.

PHP (and Perl) allows you to do all sorts of things, including running shell commands, unless they are locked down. A total guess would be that they ran some sort of shell script (which automates gaining of an effective shell) or other nasty script. Typically it would only have allowed access to whatever apache (or whatever user it might be if the site was running in php_fastcgi mode) would be able to access. But one mistake somewhere, or one vulnerable program, or a vulnerable kernel, could potentially allow them to gain root access.

There's bound to be some details on Google with a blow-by-blow account of how these things work.

Getting copies of your current authorized_keys is of no consequence. These are your (and potentially parallels') public keys and having access to them has no (that I know of) security consequences. But since the bad guy changed them to HIS (I assume this is what happened from what you said?), then it may have been part of what his exploit kit automatically did. But since there was no SSH access to the Container (blocked by the firewall) then it would not have benefited him.

This is probably a script kiddy or an automated bot, doing everything it can to take control. In theory it should do so in a way that you would not notice, so replacing your keys, as opposed to adding his, seems odd.

So, I'd say the key thing is to disinfect the Container, ideally change all system and Plesk/FTP/Email passwords because you have to assume if they got root access (IF they did) then they copied the databases.

If you can figure out what they actually did then that's great, and will allow you to narrow down what you have to do or at least what you have to worry about. But with only your partial log of what he did, most of it will be guess-work.

rkhunter running daily would be a good thing if it isn't doing so already (but you need to tell it when YOU change or update binaries as otherwise it can give you false positives), as it would alert you to changes in important system files and configurations. ASL 4 does something similar but mostly configuration files. Actually ASL does so many things that I've lost track so you may be able to find some interesting things about this compromise through ASL. I really must look into everything it does in more detail.

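Since the post above concludes that the intruder replaced authorized_keys with his own key, a defender wants a check that compares that file against an allowlist of known public-key fingerprints. The Python below is an added example, not code from the thread or from Atomicorp; the keys and file contents are constructed, and the fingerprint is the SHA256 form that ssh-keygen -lf prints.

```python
import base64
import hashlib
import struct

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def ed25519_key_line(raw32, comment):
    """Build an 'ssh-ed25519 <base64 blob> comment' line from a constructed 32-byte key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

def fingerprint(line):
    """SHA256 fingerprint of an authorized_keys entry, as ssh-keygen -lf prints it."""
    fields = line.split()
    for i, f in enumerate(fields):      # skip any options prefix (assumed to have no spaces)
        if f.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key in line: %r" % line)

def audit_authorized_keys(text, allowed):
    """Return (unexpected, missing): entries not in the allowlist, and allowlisted keys gone."""
    seen, unexpected = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fp = fingerprint(s)
        seen.add(fp)
        if fp not in allowed:
            unexpected.append((lineno, fp, s.split()[-1]))   # last field: the comment, when present
    return unexpected, sorted(allowed - seen)

# Constructed keys: the admin's legitimate key and a foreign one.
ADMIN_KEY = ed25519_key_line(bytes(range(32)), "admin@workstation")
FOREIGN_KEY = ed25519_key_line(bytes([0x42] * 32), "unknown@nowhere")
ALLOWED = {fingerprint(ADMIN_KEY)}

# Constructed file reproducing the thread's finding: the admin's key was
# replaced by a foreign one rather than joined by it.
COMPROMISED_FILE = "# managed keys\n" + FOREIGN_KEY + "\n"

if __name__ == "__main__":
    unexpected, missing = audit_authorized_keys(COMPROMISED_FILE, ALLOWED)
    for lineno, fp, comment in unexpected:
        print("line %d: unexpected key %s (%s)" % (lineno, fp, comment))
    for fp in missing:
        print("allowlisted key missing: %s" % fp)
```

Run the same audit daily from cron against a fingerprint list kept off the host, and any "unexpected" or "missing" line is worth an alert.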


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Sun Mar 08, 2015 6:16 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4088
Location: Chantilly, VA
Don't disregard a compromised desktop or a stolen password either. That's definitely the easiest way to compromise a system.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Thu Mar 19, 2015 8:03 am
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 674
KrazyBob wrote:
We have a Watchguard X8000 firewall and SSH is enabled only for stated IPs. How then could a hacker get into the server? Only me and specified clients plus Parallels have IPs stated.


Many years ago we had a box get compromised because we had an intern code an image upload that never bothered to validate if actual images were uploaded. In fact it did no validation at all, so you could upload anything. Even a PHP script. Some guy in Turkey found that and, through the compromised PHP he uploaded, nearly rooted the box (ASL kernel stopped him). So you can be easily rooted without any SSH exposure at all.

Wordpress' #1 vulnerability is that not only is it poorly written, but it has an entire ecosystem of even more poorly written plugins (where anyone with even a poor coding background can write a plugin). I mean stories like this are now a weekly occurrence. Wordpress has tried to mitigate this with automatic updating but that requires some configuring to make it work. So all you need is one unpatched site and you could have a bad PHP script uploaded and you're hacked.

_________________
"Its not a mac. I run linux... I'm actually cool." - scott


 Post subject: Re: Cannot delete files :: Permission Denied
Posted: Tue Mar 31, 2015 4:21 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
You guys are great. I appreciate how you each foster a learning environment. You have businesses of your own yet you make time for me. I appreciate each one of you. When my daughter was diagnosed with cancer over 8 years ago my business -- and time for learning -- took a back seat. Now in remission I have a chance to rebuild my failing business. This means learning and playing catch-up. But that's OK.

