*** HACKED ***

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

*** HACKED ***

Post by octet

Hi guys,

Woke up this morning to find out that one of our business websites was hacked and all admin users had their emails changed. Started investigating and found that some random kid had used this scanner to check for vulnerabilities on our domain: http://01.com/esop.php

We had a small module for testimonials which had this code in it:

http://seology.com/alb-hack/blocktestimonial.txt

httpdocs/modules/blocktestimonial/blocktestimonial.php

Code:

public function uploadImage()
{
    // Destination directory, relative to the PrestaShop root
    $uploadpath = "upload";

    // Move the uploaded file into place. The destination file name is taken
    // verbatim from the client-supplied $_FILES[...]["name"], with no check on
    // type or extension, so any file (including a .php script) is accepted.
    move_uploaded_file($_FILES["testimonial_img"]["tmp_name"],
        _PS_ROOT_DIR_.DIRECTORY_SEPARATOR.$uploadpath.DIRECTORY_SEPARATOR.$_FILES["testimonial_img"]["name"]);

    // Store the path for displaying the image (again built from the client name)
    $testimonial_img = $uploadpath."/".$_FILES["testimonial_img"]["name"];
    $testimonial_img = addslashes($testimonial_img);

    return $testimonial_img; // return image path
}
So, through this, they managed to upload the shell.

Error logs here:

http://seology.com/alb-hack/199err.txt

Access logs here:

http://seology.com/alb-hack/199acc.txt

Uploaded files here:

http://seology.com/alb-hack/uploaded.tar.gz

Should ASL not pick this up and block it?

Only found this in ASL:

[attached screenshots]
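For comparison, here is an added example (not the poster's module code and not part of Atomic Protector) of how the same upload handler can be written so that a web shell cannot be dropped through it, even before any WAF or malware scanner gets a chance to look at the file. It assumes the same PrestaShop-style _PS_ROOT_DIR_ constant and the same $_FILES["testimonial_img"] input; the function name safe_upload_image(), the constants UPLOAD_MAX_BYTES and ALLOWED_IMAGE_TYPES, and the size limit are hypothetical choices for the example. The key differences from the original are that the file type is decided from the file's bytes rather than from the client-supplied name, and the name written to disk is generated by the server, so the attacker never controls the extension.

```php
<?php
// Added example: hardened replacement for the module's uploadImage().
// Assumes _PS_ROOT_DIR_ is defined by the application (as in the original).
// UPLOAD_MAX_BYTES and ALLOWED_IMAGE_TYPES are constructed values for this example.

const UPLOAD_MAX_BYTES = 2 * 1024 * 1024; // 2 MiB cap (hypothetical limit)

// Allowed content-sniffed MIME types mapped to the extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Store an uploaded image safely and return the server-chosen file name,
 * or null if the upload is rejected for any reason.
 */
function safe_upload_image(array $file, string $uploadDir): ?string
{
    // 1. Reject anything PHP itself flagged (no file, partial upload, ini size limits).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }

    // 2. Only accept a temp file that really arrived via this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 3. Enforce a size cap independent of php.ini.
    if ($file['size'] > UPLOAD_MAX_BYTES) {
        return null;
    }

    // 4. Determine the type from the bytes, never from $file['name'] or $file['type']
    //    (both are attacker-controlled).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // 5. Belt and braces: the file must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // 6. Server-generated name with a server-chosen extension; the original
    //    client file name is never used on the filesystem or in a path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }

    // 7. Stored files are data, not executables.
    chmod($dest, 0644);

    return $name;
}

// Hypothetical call site inside the module (mirrors the original's layout):
// $uploadDir = _PS_ROOT_DIR_ . DIRECTORY_SEPARATOR . 'upload';
// $stored    = safe_upload_image($_FILES['testimonial_img'] ?? [], $uploadDir);
// if ($stored === null) { /* reject the request */ }
```

Two things the code cannot do for you and that belong in the deployment: the upload directory should be configured so the web server never executes scripts from it (or, better, sit outside the document root and be served through a read-only handler), and the returned name should be written to the database with a prepared statement rather than addslashes(), which the original relied on.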
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: *** HACKED ***

Post by mikeshinn

What do you have the real-time malware system set up to protect?
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: *** HACKED ***

Post by prupert

If it is known malware it should be automatically picked up by the modsec upload malware scanner, right?
Lemonbit Internet Dedicated Server Management
octet
Forum User
Posts: 64
Joined: Fri Dec 14, 2007 11:35 am

Re: *** HACKED ***

Post by octet

mikeshinn wrote: What do you have the real-time malware system set up to protect?
Here:

[attached screenshot]
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: *** HACKED ***

Post by mikeshinn

You'll want to follow these directions to configure the real-time malware system:

https://www.atomicorp.com/wiki/index.ph ... irus#ASL_4
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: *** HACKED ***

Post by mikeshinn

prupert wrote: If it is known malware it should be automatically picked up by the modsec upload malware scanner, right?

Only if it was uploaded via HTTP or FTP. For example, if it was uploaded via a control panel (that the user didn't configure ASL to protect), SSH, or any other service that's not behind the WAF, then no, the WAF won't see it. You want to enable the system-wide real-time malware protection system to protect against any upload vectors. The WAF is just HTTP, and only where it's been configured.