Problem With My Server With UKFAST

Started by glennk, April 24, 2012, 12:29:42 PM


glennk

I recently noticed that my sites and forums were running slow. I contacted my hosts who said they were unable to replicate the problem. However they did tell me that my server is compromised. I'm at a loss for what to do as I do not understand servers.

Any help would be appreciated. This is the email they have sent me :

A support ticket: 2501522 has been created in response to your query

Please login to your online account at https://my.ukfast.co.uk/pss/view.php?id=2501522 to respond to your support ticket.

Hello Glenn,

Ticket reference 2501522

Thank you for contacting technical support.

Great to speak to you today. As discussed, the websites appear to be loading successfully and at some speed. I cannot replicate the issues you are experiencing.

With regards to the potential server compromise, I found the following line, located in the file /etc/passwd:

Marwanz666:x:0:0::/home/Marwanz666:/bin/bash

I have used the command, 'userdel' to remove/delete the user. It is not immediately clear how they have managed to access the server, however, I recommend that you investigate this accordingly. I suggest a further investigation, because it appears that the server remains compromised even after my deletion of the user. I see this because when I type the command, 'w', it shows that no users are connected to the server:

[root@94 ~]# w
16:04:08 up 4 days,  5:27,  0 users,  load average: 1.84, 2.37, 2.17
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT

This is strange because it should say at least 1 user is connected to the server since I am currently logged into the server via SSH.

I would recommend that you check the /var/log/messages and also other files within /var/log/.

As always, if you have any further questions or concerns regarding this, please don't hesitate to contact me. Have an awesome week!

For future issues you may wish to visit our comprehensive online frequently asked questions (FAQ) at https://my.ukfast.co.uk/faq/index.php

Best regards,

Dan Howard
Linux Engineer
+44 800 542 2702
http://www.cloudhosts.co.uk
View FAQs here https://my.ukfast.co.uk/faq/index.php
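As an added example (not part of the thread, and not UKFast's or Simple Machines' tooling), here is a small shell script covering the two findings in the ticket: the extra UID-0 account in /etc/passwd, and the `w` output that lists no sessions while the engineer is logged in over SSH. Both checks read from files so they can be run over saved output; the passwd, `who` and `ps` samples below are constructed to mirror the ticket, and the assumed real-host inputs are /etc/passwd, `who` and `ps -eo user:32,args`.

```shell
#!/bin/sh
# Added example, not from the thread. find_extra_uid0 lists every account
# other than root whose UID is 0 (the Marwanz666 line in the ticket).
# hidden_ssh_logins lists users that own an OpenSSH session process
# ("sshd: NAME@pts/N") but have no entry in `who`, which is the
# "w shows 0 users while I am logged in via SSH" symptom: utmp or the
# tools that read it have been tampered with, or sessions were scrubbed.

# Print every account in a passwd-format file ($1, default /etc/passwd)
# that has UID 0 but is not named root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# $1: saved output of `who` (login name is the first column; may be empty).
# $2: saved output of `ps -eo user:32,args`.
# The utmp file is matched by name rather than with NR == FNR, because an
# empty `who` file (exactly the case in the ticket) would otherwise make awk
# treat the ps lines as utmp lines and report nothing.
hidden_ssh_logins() {
    awk -v utmp="$1" '
        FILENAME == utmp { logged_in[$1] = 1; next }
        $2 == "sshd:" && $3 ~ /@/ {
            split($3, parts, "@")
            u = parts[1]
            if (!(u in logged_in) && !reported[u]) { reported[u] = 1; print u }
        }' "$1" "$2"
}

# Constructed sample data mirroring the thread: a planted UID-0 account and
# a root SSH session that utmp no longer records. Prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
glenn:x:1000:1000::/home/glenn:/bin/bash
Marwanz666:x:0:0::/home/Marwanz666:/bin/bash
EOF
    # `who` output: only glenn's session is still recorded in utmp.
    printf 'glenn    pts/1        2012-04-24 16:03 (10.0.0.5)\n' > "$dir/who.txt"
    # `ps -eo user:32,args` output: listener, privsep parent, two sessions.
    cat > "$dir/ps.txt" <<'EOF'
USER                             COMMAND
root                             /usr/sbin/sshd -D
root                             sshd: root [priv]
root                             sshd: root@pts/0
glenn                            sshd: glenn@pts/1
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run over the constructed sample. On a real host use
# /etc/passwd, `who > who.txt` and `ps -eo user:32,args > ps.txt` instead.
samples=$(make_samples)
printf 'Extra UID-0 accounts: %s\n' "$(find_extra_uid0 "$samples/passwd")"
printf 'SSH sessions hidden from who: %s\n' \
    "$(hidden_ssh_logins "$samples/who.txt" "$samples/ps.txt")"
rm -rf "$samples"
```

Either hit is a reason to treat the host as untrusted rather than to keep cleaning it: a second UID-0 account means root was already held, and a session that the session-accounting tools cannot see means the tools, utmp, or both are no longer believable on that box.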

LiroyvH

#1
If that command comes up blank, it may be that your filesystem is borked or system files were modified.
Do you not have a firewall and server monitoring software installed that checks md5 on crucial system files?

It looks like your server was never hardened?

Do a full OS restore. Backup your files, nuke your server and rebuild it from scratch. Then restore your site.
This is no longer safe as clearly neither you nor your host has a single clue about what's going on and what has happened...

Oh and hire someone to protect your setup...
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
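An added example (not the poster's code and not a Simple Machines tool) of the file-checksum monitoring asked about above: build a baseline of digests for a list of crucial system files, then re-check it and name anything changed or missing. It assumes GNU coreutils `sha256sum` (used here instead of md5); the throwaway files in the demonstration stand in for binaries such as /bin/ls, /bin/ps and /usr/bin/w.

```shell
#!/bin/sh
# Added example, not from the thread. A minimal integrity baseline of the
# kind AIDE or Tripwire keep in a proper database. The baseline belongs
# off the host, and on a box suspected of a root compromise the check only
# means something when run with a sha256sum binary from trusted media:
# a root-level intruder can replace the checker as easily as the files
# it checks.

# Record the SHA-256 digest of every path listed in $1 (one per line) into
# the baseline file $2. Run this once, right after a clean install.
build_baseline() {
    while IFS= read -r path; do
        [ -n "$path" ] && sha256sum -- "$path"
    done < "$1" > "$2"
}

# Re-check the files in baseline $1. Prints each path whose digest differs
# or that can no longer be read ("FAILED open or read"); returns 0 only
# when every file still matches.
verify_baseline() {
    changed=$(sha256sum -c --quiet -- "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -n "$changed" ] && printf '%s\n' "$changed"
    [ -z "$changed" ]
}

# Constructed demonstration: three throwaway files standing in for system
# binaries, a baseline, then a replaced "w" and a deleted "ps". Prints the
# names flagged on re-check (temp directory prefix stripped for readability).
demo_integrity() {
    dir=$(mktemp -d)
    printf 'original ls\n' > "$dir/ls"
    printf 'original ps\n' > "$dir/ps"
    printf 'original w\n'  > "$dir/w"
    printf '%s\n' "$dir/ls" "$dir/ps" "$dir/w" > "$dir/watchlist"
    build_baseline "$dir/watchlist" "$dir/baseline.sha256"
    printf 'replaced w\n' > "$dir/w"   # simulated trojaned binary
    rm -f "$dir/ps"                     # simulated removed binary
    verify_baseline "$dir/baseline.sha256" | sed "s|^$dir/||"
    rm -rf "$dir"
}

# Stand-alone run. For real use: put the paths of the binaries you care
# about in a watchlist, build the baseline, copy it off the host, and
# re-check from cron or from a rescue environment.
printf 'Files that changed or vanished since the baseline:\n'
demo_integrity
```

A baseline taken after the intrusion proves nothing, which is why this is a hardening step for the rebuilt server rather than a way to rescue the current one; on the current host its only honest use is to support the "wipe and reinstall" decision the hosts already made.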

青山 素子

I totally agree with CoreISP.

Unless you're experienced in forensic work on servers, it's better to get a backup of just the data, wipe the server, and rebuild from scratch. Sometimes, even if you are experienced in handling recovery of these types of things, it's just easier to wipe.

Before you restore the data backups you took, make sure to analyze them. You don't want to be restoring a backdoor an intruder hid among the good data.

Also agreed that you should have someone experienced review your configuration to make sure it's as secure as is practical for your needs.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


glennk

Cheers guys, I've had a further email from the hosts and it basically confirms what you say. Could you advise on where I can hire someone to secure the server and how much I should be paying them?

RE: Ticket reference 2501522

After further investigation from our night engineers, I'm afraid that more evidence has been found that suggests this server has been compromised.

The contents of this directory: /etc/xdg/menus/applications-merged/cache, show the files used in this compromise.

As they are owned by root, not by a specific user, this compromise is a rather serious one. As the attacker has gained root privileges, there's not really any limit on what could have been done to the server.

As such, I'd strongly recommend a reinstall of this server, as this is the only way to be sure that the compromise has been removed. It is possible that the current signs of compromise could be cleared up, but there wouldn't really be a way to guarantee that it had been fully resolved.

If you could please give this a think over and then let us know how you'd like to proceed, then we can discuss what else needs to be done here.

Kind regards,

Sam Norbury
Linux Engineer
+44 800 542 2702
http://www.cloudhosts.co.uk
View FAQs here https://my.ukfast.co.uk/faq/index.php
