Site Got Hacked. Want to know how. Ideas?
3 points by gaoshan on Jan 19, 2010 | hide | past | favorite | 10 comments
A site I work on got hacked this morning. A small snippet of code (HTML, CSS, JavaScript) was appended to a number of pages of an ad system (PHP) we use.

How does this happen? How do they get write access to these pages (which have permissions of 755 as does the containing dir). They are not pages that are editable through the ad system so as near as I can tell you need to have admin access via ssh to edit these. Is that correct?

Any info is appreciated as I want to get a handle on how this happened.




If you have not already done so, you might want to try installing rkhunter (Rootkit Hunter). It scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files and suspicious strings in kernel modules.

Maybe installing Jailkit to chroot SSH users might plug a hole for you too. This is a set of utilities to limit user accounts to specific files using chroot() and/or specific commands. It is used to secure cvs, sftp, shell or daemon processes. You can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

As a future potential preventative, you might want to think about installing fail2ban. It is an intrusion prevention framework. It blocks selected IP addresses for hosts that are trying to breach the system's security by monitoring log files and will ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

These are for Linux, and I’m not an expert with them, so I can’t really walk you through installing or using them, but you might want to look into them and see if they might help you.

If this "Security" stuff is not your cup of tea, these guys might be able to help: http://www.serverwizards.com/ I have never used them, but have come across a few of their happy "Security" customers in tech forums in the past. I keep them in my contact list just in case.
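The hash-comparison idea behind rkhunter also works at the level of a web root: record a baseline of every file's SHA-256, then diff it against the current state to find exactly which pages were altered or dropped. The script below is an added example, not from this thread or from the rkhunter project; it builds a throwaway directory with constructed files, simulates a snippet being appended to one page plus a new file appearing, and reports the difference. It assumes GNU coreutils (`sha256sum`) and `awk`.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for a web directory.
set -eu

make_baseline() {
    # $1 = directory to hash, $2 = output file. One "hash  ./path" line per file,
    # sorted so two baselines of the same tree are directly comparable.
    ( cd "$1" && find . -type f -print | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

compare_baseline() {
    # $1 = old baseline, $2 = new baseline.
    # Prints "CHANGED path" (hash differs), "NEW path" (not in old baseline)
    # and "MISSING path" (in old baseline but gone now).
    awk '
        NR == FNR { old[$2] = $1; next }
        {
            if (!($2 in old))       print "NEW " $2
            else if (old[$2] != $1) print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2"
}

demo() {
    # Constructed sample tree; nothing here is a real site.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/ads"
    printf '<html>ad page</html>\n' > "$tmp/site/ads/page1.php"
    printf '<html>other page</html>\n' > "$tmp/site/ads/page2.php"
    make_baseline "$tmp/site" "$tmp/baseline.txt"

    # Simulate the incident from the thread: a snippet appended to one page,
    # plus an unexpected new file in the same directory.
    printf '<!-- constructed injected snippet -->\n' >> "$tmp/site/ads/page1.php"
    printf 'x\n' > "$tmp/site/ads/new.php"

    make_baseline "$tmp/site" "$tmp/current.txt"
    compare_baseline "$tmp/baseline.txt" "$tmp/current.txt" | LC_ALL=C sort
    rm -rf "$tmp"
}

demo
```

In practice the baseline file must live somewhere the web server's user cannot write (or off the box entirely), otherwise whoever modified the pages can update the baseline too.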


There are many ways a site can be hacked. This could range from a silly error in one of your PHP scripts, to some other software on the server being vulnerable.

Often sites are hacked by automated bots rather than an actual person, which means you are using some popular piece of code with a vulnerability. Whatever you run, you need to keep track of security announcements for that product. Especially if it is popular, like Drupal for example. I'm not saying Drupal is bad, it's just that lots of people look for vulnerabilities in it.

Look at your server logs (assuming they are still there). This should give you a clue as to how they got access. Also, you say permissions are 755. And the owner is...?


My username is displayed as the owner. I've looked at the access, error and secure logs and the only thing I see that looks odd is a GET request that contains a short (40 or 50 characters total) string of hex like \xc3\x83\etc, etc. But that request indicates it comes from msnbot. Could that be the culprit and they faked the user agent?


What's the GET request contain? And what's the variable? Search the source for the variable and see what it does.


  /somecategory/apage.php?id=34\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\x9d&listing=989
Thing is, removing that hex and just putting in

  /somecategory/apage.php?id=34&listing=989
does the same thing. I get the same output to the browser regardless of which is used.


It is probably not the culprit, but did you take a look at the code in apage.php that processes id just in case? It could be something.


I have looked at the code and the GET request is sanitized before being passed on.
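As an added example (not written by anyone in this thread): a small Python scanner that walks combined-format access-log lines and flags requests like the one quoted above, so the check is not limited to the one line that happened to catch the eye. It assumes the web server writes non-printable request bytes into the log as `\xHH` escapes, which is how the poster's log shows them, and that `id` and `listing` are meant to be plain integers; the sample lines are constructed. A non-numeric value is not proof of anything when the script sanitizes its input, but it tells you which requests deserve a second look. The crawler flag only records that the User-Agent string claims to be a crawler; confirming that requires a reverse-DNS check against the search engine's published hostnames, which this script does not do.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real
# traffic). The first request copies the query string quoted in the thread;
# the backslash-x sequences are literal characters in the log file.
SAMPLE_LOG = r"""
203.0.113.10 - - [19/Jan/2010:03:12:44 -0500] "GET /somecategory/apage.php?id=34\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\x9d&listing=989 HTTP/1.1" 200 5120 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"
203.0.113.11 - - [19/Jan/2010:03:13:02 -0500] "GET /somecategory/apage.php?id=34&listing=989 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [19/Jan/2010:03:14:10 -0500] "GET /somecategory/apage.php?id=abc&listing=989 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
RAW_BYTE_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')        # \xHH written by the server
HIGH_PCT_ENCODED = re.compile(r'%[89a-fA-F][0-9a-fA-F]')  # %80..%FF: non-ASCII bytes
CRAWLER_UA = re.compile(r'bot|crawl|spider', re.IGNORECASE)

# Query parameters this application expects to be plain integers (assumption).
NUMERIC_PARAMS = ("id", "listing")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_request(target, user_agent):
    """Return a list of findings for one request target; an empty list means nothing odd."""
    findings = []
    if RAW_BYTE_ESCAPE.search(target):
        findings.append("raw-high-bytes")
    if HIGH_PCT_ENCODED.search(target):
        findings.append("percent-encoded-high-bytes")
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in NUMERIC_PARAMS:
        for value in params.get(name, []):
            if not value.isdigit():
                findings.append(f"non-numeric:{name}")
    # The User-Agent is client-supplied; a crawler name on an odd request is
    # noted, not trusted. Verifying it needs a reverse-DNS check (not done here).
    if findings and CRAWLER_UA.search(user_agent):
        findings.append("crawler-ua-claim")
    return findings


def scan_log(text):
    """Return (ip, target, findings) for every parseable line with at least one finding."""
    hits = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = analyse_request(rec["target"], rec["ua"])
        if findings:
            hits.append((rec["ip"], rec["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target[:60], ", ".join(findings))
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file contents; the hits are a starting list of requests to cross-check against the modification times of the altered pages, not a verdict.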


I ask again, then: are you using something like Filezilla, and/or do you log in as root without a sudo?


No I am not using Filezilla and root cannot be logged into without sudo.


Could be an FTP hack. You using Filezilla?

Otherwise, if you're using a downloaded software package, upgrade it and report the problem.




