Friday, February 10, 2006

Hacked this AM - ServerBeach Forums

Today I came across the following discussion where one of my tutorials was mentioned:

Hacked this AM - ServerBeach Forums: "Someone used a PHP exploit to take down several of our sites this morning.

Replaced the homepages with their hacker page ~DESTROYER~. We had backups but they actually took the time to delete one of our databases, leaving the rest untouched.

We traced it to the hosting company, www.e3sarcom.org. Not sure what exploit they used as we had the latest version of PHPBB with all updates to the OS and many services disabled. Jerry"


I replied with:

GLJones, Sorry to hear about your site getting hacked.

I have a question, how are you so sure that it was a PHP exploit? Just curious. The reason I ask is a few friends of mine had thought the same but the problem ended up being totally different (Brute force FTP attacks).

Quote:
Originally Posted by Kevin Smith
Actually this guy had a good little tutorial and some .conf files to keep out a lot of things..

http://frankmash.blogspot.com/2005_1...h_archive.html

Thank you Kevin for mentioning my tutorial.

I wanted to point out that depending on what your site is about, you may need to tweak some mod_security settings to not let legitimate traffic get blocked (happened to one of my clients).

If on a dedicated server, I would also recommend blocking your root login attempts altogether and creating an alternative account with root's power.

Also, install brute force detection (if not already installed).

I look forward to answering any questions you may have. You can post a comment on my blog or e-mail me at softwareengineer99 at yahoo in case you need assistance.

Thanks
Frank


And this:


Quote:
Originally Posted by Kevin Smith
I only have one issue and luckily it's only for ONE client that just can't get off the pacifier....FRONT PAGE...just can't seem to get it to allow connections.


Is there a way to test BFD, I just want to make sure its running....

BFD runs as a cron job every 8 minutes or so. The cron job is placed in /etc/cron.d/bfd

You can verify BFD is running by tailing
Code:

/var/log/bfd.log


You can also try the following command to see the list of IPs that have attacked your server (if BFD is installed):
Code:

bfd -a


Are you having difficulties in letting the client connect using Front Page? Do you have APF/iptables installed?

GLJones, I also wanted to point out that once you are hacked, and assuming that the hacker got access to your file system, there is no guarantee that your system is clean. I highly recommend you run a rootkit scan on your server to make sure the hacker didn't leave any rootkit on your server. This can be done using tools like rkhunter/chkrootkit etc. Also, make sure your important system binaries haven't been compromised.

Just a few pointers I thought may help.

Thanks
Frank
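
Frank's advice above to make sure the system binaries were not swapped out, carried through as an added example that is not from the original thread: a POSIX shell baseline-and-verify script. It assumes a directory of binaries and a baseline file path that you choose (both hypothetical), and the demo uses constructed files in a temporary directory in place of /bin. The baseline only means something if it is taken on a known-good system and kept off the box.

```shell
#!/bin/sh
# Added example (not from the forum thread): record SHA-256 hashes of the
# files under a directory, then re-check them later to catch binaries a
# rootkit has replaced or removed. Paths are whatever you pass in.

hash_file() {
    # Prefer GNU sha256sum; fall back to shasum where only that exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# make_baseline DIR OUT: write "hash  path" for every regular file under DIR
make_baseline() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# verify_baseline BASELINE: print CHANGED/MISSING lines, return 1 if any
verify_baseline() {
    base=$1; bad=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$path"; bad=1
        fi
    done < "$base"
    return $bad
}

# Constructed demonstration: fake "binaries" in a temp dir stand in for /bin.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'original ls\n'      > "$tmp/bin/ls"
    printf 'original ps\n'      > "$tmp/bin/ps"
    printf 'original netstat\n' > "$tmp/bin/netstat"
    make_baseline "$tmp/bin" "$tmp/baseline.sha256"
    verify_baseline "$tmp/baseline.sha256" && echo "clean: baseline verified"
    # Simulate a rootkit trojaning ps and deleting netstat.
    printf 'trojaned ps\n' > "$tmp/bin/ps"
    rm "$tmp/bin/netstat"
    verify_baseline "$tmp/baseline.sha256" || echo "ALERT: integrity check failed"
    rm -rf "$tmp"
}

demo
```

On RPM-based systems `rpm -Va` and on Debian `debsums` do a similar comparison against package metadata, but that metadata sits on the same disk the intruder had write access to; a hash list made beforehand and stored elsewhere is what the script above is for. Tools like rkhunter and chkrootkit look for known rootkit signatures on top of this and are worth running as well.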


And then:


Quote:
Originally Posted by Kevin Smith
If I run bfd I get this..
.....
but if I do a killall bfd...no processes killed....my bfd logs are empty..

Since BFD runs as a cron job, no process will be killed. Can you verify if the cron job for BFD is present?

If not, try putting something like this (modify for your environment)
Code:

MAILTO=
SHELL=/bin/sh
*/10 * * * * root /usr/local/sbin/bfd -q >> /var/log/bfd.log




Hope this helps
Frank
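
The two BFD checks Frank describes above (is the cron job in /etc/cron.d present, is /var/log/bfd.log being written) put into a script, as an added shell example that is not from the original thread. The parsing rule it enforces is cron's own: a fragment in /etc/cron.d needs six fields before the command, the five schedule fields plus the user, so a line pasted from `crontab -e` without the user field is silently never run. The file paths and the 30-minute freshness window are assumptions, and the sample fragments in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread). Checks that a BFD-style job is
# really installed in an /etc/cron.d fragment and that its log is still being
# written. Paths are passed in; on a real server use /etc/cron.d/bfd and
# /var/log/bfd.log.

# cron_d_has_job FILE COMMAND_PATTERN
# 0 if FILE has an active line whose first five fields look like a schedule,
# whose sixth field is a user, and whose command matches COMMAND_PATTERN
# (awk ERE). 1 if not, 2 if FILE is unreadable. Named months/days and
# @reboot-style shorthands are deliberately not accepted here.
cron_d_has_job() {
    file=$1; pattern=$2
    [ -r "$file" ] || return 2
    awk -v pat="$pattern" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }    # MAILTO=, SHELL=, PATH=
        NF >= 7 {
            ok = 1
            for (i = 1; i <= 5; i++)                 # minute hour dom month dow
                if ($i !~ /^[0-9*,\/-]+$/) ok = 0
            if ($6 !~ /^[A-Za-z_][A-Za-z0-9_-]*$/) ok = 0   # user field (cron.d only)
            cmd = $7
            for (i = 8; i <= NF; i++) cmd = cmd " " $i
            if (ok && cmd ~ pat) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# log_is_fresh FILE MINUTES: 0 if FILE was modified within the last MINUTES
log_is_fresh() {
    file=$1; minutes=$2
    [ -f "$file" ] || return 1
    [ -n "$(find "$file" -mmin "-$minutes" 2>/dev/null)" ]
}

# Constructed demonstration with three sample fragments in a temp dir.
demo() {
    tmp=$(mktemp -d)
    # 1: correct /etc/cron.d fragment, user field present
    printf 'MAILTO=\nSHELL=/bin/sh\n*/10 * * * * root /usr/local/sbin/bfd -q >> /var/log/bfd.log\n' > "$tmp/bfd.good"
    # 2: crontab(5)-style line with no user field; cron.d never runs it
    printf '*/10 * * * * /usr/local/sbin/bfd -q >> /var/log/bfd.log\n' > "$tmp/bfd.bad"
    # 3: job present but commented out
    printf '#*/10 * * * * root /usr/local/sbin/bfd -q\n' > "$tmp/bfd.off"
    for f in good bad off; do
        if cron_d_has_job "$tmp/bfd.$f" '/bfd( |$)'; then
            echo "$f: BFD cron job installed"
        else
            echo "$f: NO valid BFD cron job"
        fi
    done
    : > "$tmp/bfd.log"
    log_is_fresh "$tmp/bfd.log" 30 && echo "log written within the last 30 minutes"
    rm -rf "$tmp"
}

demo
```

Because BFD is not a daemon, `killall bfd` finding nothing is expected; an empty or stale log together with a failing cron check is what actually indicates the job is not running. Note that the one-line form "MAILTO= SHELL=/bin/sh */10 * * * * root ..." is rejected by the check too, since cron reads it as a single variable assignment rather than a job.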
