Server compromised!

Having trouble with the website? Have a suggestion for it? Post it here!
Webmaster
The website guy
Posts: 303
Joined: Sat Mar 15, 2008 9:56 pm
Name: Ben McQueen
Car: Xray T2 09
Location: Portsmouth

Post by Webmaster »

Hi all,

Over the weekend, I discovered several websites on my server were compromised and used to send out spam e-mails. Scripts were uploaded to many website directories that allowed attackers to execute code on the server. From what I can gather, the main intention was to distribute spam emails. Please at least read the next paragraph, the rest is more technical and optional.

What you need to know/do
This would've, in theory, given them the means to access the database for the forum where all of your e-mail addresses and passwords are stored. Your passwords are encrypted but I would still highly recommend you change your password. A forum account isn't particularly important so I will not enforce this automatically but if you use the same password and e-mail address to log in to another important site, please at least change this. I personally would encourage you to use different passwords for sites and services to the degree of writing them down somewhere if you have to.

When did they gain access?
The oldest script has a modified date of towards the beginning of September so I assume this date is correct and was when it was compromised. I first noticed odd behaviour (erratic server load) about 10 days ago but was investigating the wrong place (I thought it was a virtual machine issue). On Saturday, the old server fell over as it filled its hard disk (wasn't much space left and the combination of deferred spam and crazy log file sizes filled the rest up). On inspecting the log file, I realised it was sending 1000s of emails per hour and had been for at least 2 weeks. It does appear that the server was not used for "evil" until fairly recently (the initial scripts and backdoors were probably handled by an automatic script and not used in anger for a while).

How did this happen?
A recent security exploit was discovered in Invision Power Board which was running on two other websites on the same server (websites not actually owned by me). This was eventually exploited as the software was never updated. This gave the attackers the ability to write to certain directories on all the websites hosted on the server (around 5). The scripts allowed them to execute PHP code remotely. These appear to have been used to create new files and add code to existing files, giving the attackers "backdoors" to access the server more easily and make it difficult to clean up.

What's been done to try and prevent this?
The website was moved to another server around 3 weeks ago (along with the backdoor scripts!!!). This server is running a newer distro of Linux, and is running software more geared to multiple people having access to multiple websites in the way that websites can't affect each other easily. In other words, if one website gets hacked, the rest will be safe. phpBB and WordPress were all deleted and downloaded new and fresh (apart from the databases and user-uploaded images) so any sneaky backdoors that may have been added were removed. I dumped the old website files rather than going through them all with a fine-tooth comb as their days were numbered anyway. I am obviously closely monitoring things currently to ensure it doesn't happen again and that every backdoor was removed. I am also in the process of writing my own scripts to monitor the website files so it can alert me if there are any changes. I've learnt a lot from the clean up operation and I know what to look for as well. Where I couldn't simply download fresh files, I've opened up and inspected the files for hinckleyrccc.co.uk and every other website. I've spent easily more than 12 hours on this since Saturday night.

Currently
A successful clean up as far as I can tell. Other remote servers are still trying to call the backdoor scripts several days later without success.

Unfortunately, this is just the way of the internet. Servers are constantly under attack. If you have any questions about this, general password stuff or keeping your internet kit safe at home, let me know.
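The file-change monitoring mentioned in the post, as an added example that is not the author's own script: it baselines SHA-256 hashes of a web root, reports added, removed and modified files, and flags new or altered server-side code, which matches the two backdoor patterns described (uploaded scripts and code appended to existing files). The extension list and the JSON baseline file are assumptions.

```python
# Added example, not the post author's scripts: a minimal change monitor for a
# web root. CODE_EXTS and the JSON baseline file name are assumptions.
import hashlib
import json
import sys
from pathlib import Path, PurePosixPath

CODE_EXTS = {".php", ".phtml", ".php5", ".phar"}  # assumed: executed by the web server

def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hash_file(p)
            for p in base.rglob("*") if p.is_file()}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Paths added, removed or changed in content between two snapshots."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def suspicious(changes: dict) -> list:
    """New or altered server-side code files: the shape of an uploaded web shell
    or of backdoor code appended to an existing file, as described in the post."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if PurePosixPath(p).suffix.lower() in CODE_EXTS)

if __name__ == "__main__":
    # usage: monitor.py <webroot> <baseline.json>; the first run writes the baseline,
    # later runs report changes against it (replace the file once changes are reviewed)
    root, store = sys.argv[1], Path(sys.argv[2])
    now = snapshot(root)
    if not store.exists():
        store.write_text(json.dumps(now, indent=1))
        print(f"baseline written: {len(now)} files")
    else:
        changes = diff_snapshots(json.loads(store.read_text()), now)
        print(json.dumps({**changes, "suspicious": suspicious(changes)}, indent=2))
```

Run it from cron against each site's document root; a web shell dropped into an upload directory shows up under "added" and "suspicious" on the next run.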