Cannot delete files :: Permission Denied

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Cannot delete files :: Permission Denied

Unread post by KrazyBob »

Well, it looks like I've had a server hacked. The hacker made access through a Wordpress site (what else!), downloaded a script, etc. He left behind a script that shows part of his actions. He grabbed the RSA key and somehow has locked known_hosts and authorized_keys. I have tried everything that I can think of to delete the files and cannot. I was able to edit them and save them as zero byte files.

Code:

-rw-r--r-- 1 root root    0 Mar  6 07:27 authorized_keys
-rw-r--r-- 1 root root    0 Mar  6 07:26 known_hosts

Suggestions?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Cannot delete files :: Permission Denied

Unread post by scott »

Could be a basic immutable flag setting. Check with:

lsattr

If it is immutable, you can strip that with chattr -i <filename>
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Cannot delete files :: Permission Denied

Unread post by KrazyBob »

Thank you for your reply. I appreciate you.

I've tried that. lsattr gives me:

------------- authorized_key
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Cannot delete files :: Permission Denied

Unread post by scott »

Not immutable then; could be a bad drive or something rootkit related.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Cannot delete files :: Permission Denied

Unread post by faris »

Is this within a VZ Container? If so, delete them from /vz/private/[ctid]/fs/root/root (or wherever).
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
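The two checks the replies above lead to, as an added example (not code from the thread or from Atomicorp): parse lsattr output for the flags that make unlink() fail even for root, which covers the append-only flag 'a' as well as the immutable flag 'i' scott mentioned, and map a container path to the host-side path faris deleted from. The /vz/private/[ctid]/fs/root layout, the CTID 101 and the /root/.ssh paths are assumptions taken from the thread, not verified facts about this host.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers:
#  (1) undeletable_flags: read one line of `lsattr` output and report the
#      ext2/3/4 flags that forbid unlink() even for root: 'i' (immutable)
#      and 'a' (append-only, which also blocks rm and mv, so a bare
#      "chattr -i" would not be enough).
#  (2) vz_host_path: the hardware-node path for a file inside an OpenVZ
#      container; /vz/private/[ctid]/fs/root is the layout quoted in the
#      thread and is an assumption about that particular host.

# Print the deletion-blocking flags in one lsattr line ("" if neither is
# set, i.e. the flags are not the reason rm fails).
undeletable_flags() {
    attrs=${1%% *}                      # first field is the attribute string
    found=""
    case $attrs in *i*) found="${found}i" ;; esac
    case $attrs in *a*) found="${found}a" ;; esac
    printf '%s' "$found"
}

# Strip only the flags actually set, then remove the file. Needs root on the
# real filesystem; DRYRUN=1 only reports what would be done.
clear_and_remove() {
    f=$1
    flags=$(undeletable_flags "$(lsattr -d "$f" 2>/dev/null)")
    if [ -n "$flags" ]; then
        echo "chattr -$flags $f"
        [ "${DRYRUN:-0}" = 1 ] || chattr "-$flags" "$f"
    fi
    echo "rm -f $f"
    [ "${DRYRUN:-0}" = 1 ] || rm -f "$f"
}

# Host-node path for container-internal path $2 in container $1 (assumed layout).
vz_host_path() {
    printf '%s' "/vz/private/$1/fs/root$2"
}

# Usage (paths are assumptions):
#   DRYRUN=1 clear_and_remove /root/.ssh/authorized_keys
#   vz_host_path 101 /root/.ssh/authorized_keys
#     -> /vz/private/101/fs/root/root/.ssh/authorized_keys
```

If undeletable_flags prints nothing and the file still cannot be removed from inside the container, that matches the thread's outcome: the fix is to remove it from the host node, not to keep fighting chattr.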
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Cannot delete files :: Permission Denied

Unread post by KrazyBob »

EXCELLENT!!! It worked fine. Thank you.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Cannot delete files :: Permission Denied

Unread post by faris »

Great.

This also, at least to my understanding, makes the possibility of a rootkit quite low. Run rkhunter and clamdscan to see what you can find. Be prepared for false positives on rkhunter due to it being a Container, and when running clamdscan make sure you exclude web log files or you'll see some false positives there too.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Cannot delete files :: Permission Denied

Unread post by KrazyBob »

I am running maldetect to see what site was compromised. But now I am researching how I can lock down SSH to only two IPs. I don't know how the container was compromised since it is behind a hardware firewall. Only Parallels and my client are supposed to have access.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Cannot delete files :: Permission Denied

Unread post by KrazyBob »

You know, over the years I have been steadily learning and I appreciate each of you. But I am confused.

We have a Watchguard X8000 firewall and SSH is enabled only for stated IPs. How then could a hacker get into the server? Only me and specified clients plus Parallels have IPs stated.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Cannot delete files :: Permission Denied

Unread post by faris »

It won't have happened via ssh. It would most probably have been via the wordpress site you mentioned, since you saw things happening there.

PHP (and Perl) allows you to do all sorts of things, including running shell commands, unless they are locked down. A total guess would be that they ran some sort of shell script (which automates gaining an effective shell) or other nasty script. Typically it would only have allowed access to whatever apache (or whatever user it might be if the site was running in php_fastcgi mode) would be able to access. But one mistake somewhere, or one vulnerable program, or a vulnerable kernel, could potentially allow them to gain root access.

There's bound to be some details on Google with a blow-by-blow account of how these things work.

Getting copies of your current authorized_keys is of no consequence. These are your (and potentially parallels') public keys and having access to them has no (that I know of) security consequences. But since the bad guy changed them to HIS (I assume this is what happened from what you said?), then it may have been part of what his exploit kit automatically did. But since there was no SSH access to the Container (blocked by the firewall) then it would not have benefited him.

This is probably a script kiddy or an automated bot, doing everything it can to take control. In theory it should do so in a way that you would not notice, so replacing your keys, as opposed to adding his, seems odd.

So, I'd say the key thing is to disinfect the Container, ideally change all system and Plesk/FTP/Email passwords because you have to assume if they got root access (IF they did) then they copied the databases.

If you can figure out what they actually did then that's great, and will allow you to narrow down what you have to do or at least what you have to worry about. But with only your partial log of what he did, most of it will be guess-work.

rkhunter running daily would be a good thing if it isn't doing so already (but you need to tell it when YOU change or update binaries as otherwise it can give you false positives), as it would alert you to changes in important system files and configurations. ASL 4 does something similar but mostly configuration files. Actually ASL does so many things that I've lost track so you may be able to find some interesting things about this compromise through ASL. I really must look into everything it does in more detail.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Cannot delete files :: Permission Denied

Unread post by mikeshinn »

Don't disregard a compromised desktop or a stolen password either. That's definitely the easiest way to compromise a system.
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: Cannot delete files :: Permission Denied

Unread post by Highland »

KrazyBob wrote: "We have a Watchguard X8000 firewall and SSH is enabled only for stated IPs. How then could a hacker get into the server? Only me and specified clients plus Parallels have IPs stated."

Many years ago we had a box get compromised because we had an intern code an image upload that never bothered to validate if actual images were uploaded. In fact it did no validation at all, so you could upload anything. Even a PHP script. Some guy in Turkey found that and, through the compromised PHP he uploaded, nearly rooted the box (ASL kernel stopped him). So you can be easily rooted without any SSH exposure at all.

Wordpress' #1 vulnerability is that not only is it poorly written, but it has an entire ecosystem of even more poorly written plugins (where anyone with even a poor coding background can write a plugin). I mean stories like this are now a weekly occurrence. Wordpress has tried to mitigate this with automatic updating but that requires some configuring to make it work. So all you need is one unpatched site and you could have a bad PHP script uploaded and you're hacked.
"Its not a mac. I run linux... I'm actually cool." - scott
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Cannot delete files :: Permission Denied

Unread post by KrazyBob »

You guys are great. I appreciate how you each foster a learning environment. You have businesses of your own yet you make time for me. I appreciate each one of you. When my daughter was diagnosed with cancer over 8 years ago my business -- and time for learning -- took a back seat. Now in remission I have a chance to rebuild my failing business. This means learning and playing catch-up. But that's OK.