
hdparm and rkhunter

Posted: Tue Feb 09, 2010 9:57 am
by Highland
So I found someone hacked a site on the server (older site running unpatched Zen Cart). Looks like ASL contained them pretty well but I did see they tried to load some Perl bots on the server. Wanted to make sure nothing else got compromised so I turned to rkhunter. Rkhunter is reporting something odd:
Warning: Checking for possible rootkit strings [ Warning ]
Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
I looked it up and I did see hdparm but it looked like what was in there was supposed to be in there. Is this anything to be concerned about?

Re: hdparm and rkhunter

Posted: Tue Feb 09, 2010 11:54 am
by scott
Hdparm is definitely not in there by default, I'd say it could be the real thing. I'd be happy to take a look at the script for you (send to support@atomicorp.com). Also you can check the File Integrity window in ASL to browse through the files that have changed on the system.
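One way to settle the question for a hit like the one above is to look at the flagged string in context and ask the package manager whether the file still matches what the distribution shipped. The script below is an added example, not code from this thread, from rkhunter or from ASL. It assumes an RPM-based host (the CentOS systems ASL runs on), where /etc/rc.d/rc.sysinit is owned by the initscripts package; the sample file it scans is constructed for illustration and is not a copy of the real rc.sysinit.

```shell
#!/bin/sh
# Triage helper for an rkhunter "Checking for possible rootkit strings" hit.
# Added example, not from the thread, rkhunter or ASL. Assumes an RPM host;
# the SAMPLE file at the bottom is constructed, not the real rc.sysinit.

# Print every line of FILE ($1) containing STRING ($2), numbered, with two
# lines of context on each side, so the hit can be read in place.
show_hits() {
    grep -n -B2 -A2 -- "$2" "$1" || echo "(no occurrences of '$2' in $1)"
}

# Number of lines in FILE ($1) containing STRING ($2); 0 means the hit is stale.
count_hits() {
    n=$(grep -c -- "$2" "$1") || true
    echo "${n:-0}"
}

# Classify FILE by package ownership and integrity:
#   owned-clean     a package owns the file and its checksum still matches
#   owned-modified  a package owns the file but it differs from what shipped
#   unowned         no package claims the file (a dropped script looks like this)
#   no-rpm          not an RPM host; compare against a known-good copy instead
verify_owner() {
    file=$1
    command -v rpm >/dev/null 2>&1 || { echo no-rpm; return 0; }
    rpm -qf "$file" >/dev/null 2>&1 || { echo unowned; return 0; }
    # rpm -Vf prints one line per changed file ("S.5....T.  /path") and
    # nothing for a file that still matches the package database.
    if rpm -Vf "$file" 2>/dev/null | awk -v f="$file" '$NF == f' | grep -q .; then
        echo owned-modified
    else
        echo owned-clean
    fi
}

# Full triage for one rkhunter hit: occurrence count, context, package verdict.
triage() {
    file=$1; string=$2
    echo "== $file: $(count_hits "$file" "$string") line(s) mention '$string'"
    show_hits "$file" "$string"
    echo "== package verdict: $(verify_owner "$file")"
}

# Constructed stand-in for /etc/rc.d/rc.sysinit. The real file has a block
# that calls hdparm for /etc/sysconfig/harddisks; this text only imitates it.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# Set up IDE disk tuning from /etc/sysconfig/harddisks
if [ -x /sbin/hdparm ]; then
    for i in /etc/sysconfig/harddisk*; do
        [ -f "$i" ] && . "$i"
    done
fi
EOF

# On a real box: triage /etc/rc.d/rc.sysinit hdparm
triage "$SAMPLE" hdparm
```

On a live system the verdict line is the one that matters: "owned-clean" for rc.sysinit means the hdparm reference came from the initscripts package and the rkhunter warning is a false positive; "owned-modified" or "unowned" means the file should be diffed against a fresh copy of the package before anyone trusts it. The constructed sample is never owned by a package, so it reports "unowned" (or "no-rpm" on a non-RPM host).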

Re: hdparm and rkhunter

Posted: Tue Feb 09, 2010 2:03 pm
by faris
It's OK. It will be a false positive. I get it on all the servers we have with rkhunter installed.

Faris.

Re: hdparm and rkhunter

Posted: Tue Feb 09, 2010 5:40 pm
by mikeshinn
Highland,

Can you send me the access logs for the attack? I'd like to see how they got in. mike AT atomicorp.com DOT com

Re: hdparm and rkhunter

Posted: Wed Feb 10, 2010 6:09 pm
by Highland
I'll be honest in that the attacks happened so long ago they're gone from the log rotation. I only noticed when the client noticed spam links embedded in the text of her site.

I'm 99% sure that they got in through this vulnerability
http://www.zen-cart.com/forum/showthread.php?t=130161

It appears, given the lack of any real messes created in the admin section and the repetitive hack files, that it's probably a bot attack from Russia or Romania. I'll email you the hack files they put on the server. ASL had shut off all the bad PHP functions they were trying to use (exec(), system(), etc.) so they didn't get very far. At best they got her meager customer database of 50ish people. There's no CC data or anything stored (payments through Paypal and all) and they didn't even appear to realize they could grab her API key (stored as plain text in the database) and snag her Paypal balance.

I migrated her off to Magento and most is back to normal now. I'm done with Zen for good.

faris wrote: It's OK. It will be a false positive. I get it on all the servers we have with rkhunter installed.

I think that was the last concern I had with the server so everything else checks out. Thanks for the info!

Re: hdparm and rkhunter

Posted: Wed Feb 10, 2010 7:29 pm
by breun
faris wrote: It's OK. It will be a false positive. I get it on all the servers we have with rkhunter installed.
Yes, I've also seen that message on a lot of servers. I believe it's gone with the latest release of rkhunter, though I'd have to check. I'm pretty sure it's a false positive.