  #1, Just Joined! (Join Date: Nov 2010; Posts: 8)

    Unauthorised root logins?


    Hi,

    I am experiencing a strange behavior on one of my servers. The server is running CentOS 5.5 (Final) and Parallels Plesk Panel 9.5.4. I am the only one with access to the server and the server is only used for my own websites.

    In the root folder I have found some PHP files which I have not uploaded myself. The files look like they have been used to send out emails (see attached files below). When I run "last" I see there has been a root login from an IP which is located in Italy (where I have never been). When I discovered this I changed my root password ASAP. I also added the following line in .bashrc:

    echo "ALERT - Root access on:" `date` `who` | mail -s "ALERT: Root access on server 7" *my email here*

    So every time root logs in to the server, I get an email alert which contains the IP of the remote host. Now, I just received such an alert and I have not logged into the server myself. Also the IP is located in another country than mine.

    So I log in to the server, change the password again and reboot the server. When the server comes back up I do "last root". But there I cannot find the unauthorised login that I just received an email alert about. Why do I not see this in the wtmp or wtmp.1 log?

    After I added the command to .bashrc, I have experienced three unauthorised logins. All with different root passwords. I always use a very strong password (min 10 chars/numbers/signs), so a brute-force attack is eliminated. My question here is, how do they manage to keep logging in?

    One thought was that I had some spyware on my computer, but I have scanned my computer with AVG and several other antivirus programs and they did not find any.

    Files:
    fileconvoy.c*m/dfl.php?id=g1d6df11d33165719999471378e8943538a8a73 529
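An added example, not the original poster's code, that rebuilds the .bashrc alert around the variables sshd exports for every session instead of around `who`. `who`, utmp and wtmp only record sessions that were given a pty, while the Red Hat build of bash (SSH_SOURCE_BASHRC) sources ~/.bashrc even for a non-interactive `ssh root@host 'cmd'`, so an alert that fires with no matching `last` entry is consistent with that kind of session. SSH_CONNECTION carries the client IP directly. The recipient address is a placeholder and `mail` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the original poster's code. Build the root-login alert from
# the variables sshd exports rather than from `who`. sshd sets SSH_CONNECTION
# ("client_ip client_port server_ip server_port") for every session, whereas
# `who`, utmp and wtmp only see sessions that got a pty; a non-interactive
# `ssh root@host 'cmd'` still sources ~/.bashrc on a Red Hat-built bash
# (SSH_SOURCE_BASHRC) but leaves no `last` entry.
# The recipient address is a placeholder; `mail` is assumed to be installed.

# Pure formatter, kept separate from the mailing so it can be tested offline.
#   $1: SSH_CONNECTION value (empty for a console login)
#   $2: "tty" if the session has a terminal, anything else otherwise
#   $3: timestamp text
alert_line() {
    conn="$1"; ttyflag="$2"; stamp="$3"
    if [ -n "$conn" ]; then
        set -- $conn            # word-split; field 1 is the client IP
        src="$1"
    else
        src="console/local"
    fi
    if [ "$ttyflag" = "tty" ]; then
        kind="interactive"
    else
        kind="NON-INTERACTIVE (not recorded in who/last)"
    fi
    printf 'ALERT - root session from %s, %s, at %s\n' "$src" "$kind" "$stamp"
}

# Hook for /root/.bashrc. Anyone who is already root can delete this line, so
# treat it as a tripwire, not a control; sshd's own log (/var/log/secure on
# CentOS) and an off-box syslog are the records that matter.
send_root_alert() {
    recipient="${ROOT_ALERT_TO:-you@example.com}"      # placeholder address
    if [ -t 0 ]; then ttyflag=tty; else ttyflag=notty; fi
    alert_line "${SSH_CONNECTION:-}" "$ttyflag" "$(date -u '+%Y-%m-%d %H:%M:%SZ')" \
        | mail -s "ALERT: root access on server 7 from ${SSH_CONNECTION%% *}" "$recipient"
}

# In /root/.bashrc:
# [ "$(id -u)" = 0 ] && send_root_alert
```

Whether a given session was written to wtmp, or whether wtmp was edited afterwards, cannot be told from .bashrc; compare against /var/log/secure, which sshd writes for every accepted login regardless of pty, and ideally against a copy shipped off the box.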

  #2, docbop, Linux Engineer (Join Date: Nov 2009; Location: Woodshed, CA; Posts: 949)
    Turn off allowing root to log in. Force yourself and anyone else who might log in to use an account and su to root.

    With all you've said I don't know if I'd trust that server anymore; might be time to rebuild so you know exactly what state it's in.
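docbop's advice from #2 as a script, an added example that is not from the thread. sshd honours the first occurrence of a keyword, so appending "PermitRootLogin no" below an earlier "PermitRootLogin yes" changes nothing; this removes every existing copy (active or commented out) before writing one line. File paths are parameters; run it against /etc/ssh/sshd_config as root and restart sshd afterwards. The sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: apply "disable root login" to sshd_config
# so that no stray duplicate line silently wins. sshd uses the FIRST occurrence
# of a keyword, so we delete every old setting before appending ours.

# Print the effective value of a keyword (first non-comment occurrence).
effective_value() {   # $1 = config file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Replace every existing setting of a keyword, active or commented out, with one line.
set_sshd_option() {   # $1 = config file, $2 = keyword, $3 = value
    tmp="$1.tmp.$$"
    awk -v k="$2" '{ f = $1; sub(/^#+/, "", f); if (tolower(f) == tolower(k)) next; print }' "$1" > "$tmp"
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

harden_sshd_config() {   # $1 = config file
    set_sshd_option "$1" PermitRootLogin no   # log in as a user, then su/sudo
    set_sshd_option "$1" Protocol 2           # SSH-1 was still selectable on CentOS 5
    set_sshd_option "$1" MaxAuthTries 3
    # Only once key-based login for your unprivileged account is verified to
    # work, otherwise you lock yourself out:
    # set_sshd_option "$1" PasswordAuthentication no
}

# Syntax-check before restarting: a broken sshd_config means no SSH at all.
check_sshd_config() {   # $1 = config file; needs sshd on PATH and root for host keys
    sshd -t -f "$1"
}

# Constructed sample resembling a CentOS 5 default, for the demo only.
write_sample_config() {   # $1 = path
    printf '%s\n' \
        '#PermitRootLogin yes' \
        'PermitRootLogin yes' \
        'Protocol 2,1' \
        'X11Forwarding no' > "$1"
}

# Usage on the real box (as root):
#   harden_sshd_config /etc/ssh/sshd_config && check_sshd_config /etc/ssh/sshd_config && service sshd restart
```

As #3 points out, on a box where someone already has root this is hardening for the rebuilt machine, not a fix for the compromised one.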

  #3, Irithori, Trusted Penguin (Join Date: May 2009; Location: Munich; Posts: 3,439)
    Turning off root login via sshd_config might not be enough, nor is changing the root password.
    This guy already has root, so there is no telling what was installed or changed on the machine.
    Think: Root kits, trojans, etc.
    Imho you need to install a second machine with an up-to-date operating system and recreate your service there.
    You must always face the curtain with a bow.

  #4, Just Joined! (Join Date: Nov 2010; Posts: 8)
    I agree. I plan to rebuild the server, but I am curious how they keep getting into the server. Any ideas/theories?

    Also, I wonder how the "hacker" would execute the PHP files I discovered? I cannot find any commands in crontab. Any ideas?

  #5, Linux Guru (Join Date: Dec 2013; Location: Victoria, B.C. Canada; Posts: 1,650)
    If they installed a trojan or worse on your machine, who knows. A web search turns up some hits on that file. It's being spread somehow and executed by browser, I would say.

    An example of compromise:
    Linux under attack: Compromised SSH keys lead to rootkit | ZDNet

  #6, elija, Penguin of trust (Join Date: Jul 2004; Location: Either at home or at work or down the pub; Posts: 3,649)
    Quote Originally Posted by clinton4:
        I agree. I plan to rebuild the server, but I am curious how they keep getting into the server. Any ideas/theories?

        Also, I wonder how the "hacker" would execute the PHP files I discovered? I cannot find any commands in crontab. Any ideas?
    Usually an insecure upload script is exploited to get these things onto the server, as it's probably the easiest attack vector. Get yourself this and have a thorough read through. It is both scary and educational (especially if you are a web coder/admin).
    "I used to be with it, then they changed what it was.
    Now what was it isn't it, and what is it is weird and scary to me.
    It'll happen to you too."

    Grandpa Simpson



    The Fifth Continent
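The question in #4 (how do they keep getting back in, and how does the PHP run with nothing in crontab) and the answers in #5 and #6 point at the places worth sweeping before the box is wiped. An added example, not anyone's posted code: a read-only sweep over a root prefix, so it can be pointed at a mounted copy of the compromised disk rather than at a live system whose rootkit may lie. Note that `crontab -l` shows one user's spool only, and a PHP mailer dropped under the web root needs no cron at all; Apache runs it whenever someone requests it. Prefix and web root are parameters; the sample tree the demo builds is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sweep the usual re-entry and persistence
# spots under a root prefix (use "/" on the live box, or the mount point of an
# evidence image). Paths are CentOS 5 defaults; nothing is modified.

hunt_persistence() {   # $1 = root prefix (e.g. / or /mnt/evidence), $2 = web root (e.g. /var/www)
    r="${1%/}"; w="${2#/}"
    # 1. SSH keys survive every password change. Report key type and comment.
    for f in "$r"/root/.ssh/authorized_keys "$r"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] && awk -v f="$f" 'NF { print "AUTHKEY: " f ": " $1 " " $NF }' "$f"
    done
    # 2. Every user's cron spool plus the system-wide cron files, not just root's crontab -l.
    for f in "$r"/var/spool/cron/* "$r"/etc/crontab "$r"/etc/cron.d/* \
             "$r"/etc/cron.hourly/* "$r"/etc/cron.daily/* "$r"/etc/cron.weekly/* "$r"/etc/cron.monthly/*; do
        [ -f "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|CRON: $f: |"
    done
    # 3. Boot-time scripts an intruder may have appended to.
    for f in "$r"/etc/rc.local "$r"/etc/rc.d/rc.local; do
        [ -f "$f" ] && grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' | sed "s|^|RCLOCAL: $f: |"
    done
    # 4. PHP under the web root that sends mail or hides/executes a payload.
    #    These run on an HTTP request, so "nothing in crontab" is expected.
    if [ -d "$r/$w" ]; then
        find "$r/$w" -type f \( -name '*.php' -o -name '*.phtml' \) -print | while IFS= read -r f; do
            if grep -qE 'mail\(|base64_decode\(|eval\(|system\(|passthru\(' "$f"; then
                echo "WEBSHELL?: $f"
            fi
        done
    fi
    return 0
}

# Constructed sample tree for the demo; not real evidence from the thread.
build_sample_tree() {   # $1 = empty directory
    d="$1"
    mkdir -p "$d/root/.ssh" "$d/etc/cron.d" "$d/var/www/html/images"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsample unknown-key-comment' > "$d/root/.ssh/authorized_keys"
    printf '# keep\n*/5 * * * * root /tmp/.x/run.sh\n' > "$d/etc/cron.d/update"
    printf '<?php mail($_GET["to"], $_GET["s"], $_GET["b"]); ?>\n' > "$d/var/www/html/images/dfl.php"
    printf '<?php echo "hello"; ?>\n' > "$d/var/www/html/index.php"
}

# Usage on a mounted image:  hunt_persistence /mnt/evidence /var/www
```

Treat every hit as a lead, not a verdict: an unknown authorized_keys entry or a cron job pointing into /tmp explains "keeps logging in with new passwords" without any password ever being guessed, and a mailer script under the web root matches the files found in #1.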

  #7, docbop, Linux Engineer (Join Date: Nov 2009; Location: Woodshed, CA; Posts: 949)
    Quote Originally Posted by clinton4:
        I agree. I plan to rebuild the server, but I am curious how they keep getting into the server. Any ideas/theories?

        Also, I wonder how the "hacker" would execute the PHP files I discovered? I cannot find any commands in crontab. Any ideas?
    The ways are endless. Attend some meetings of web security pros and you'd be shocked at all the holes in the common web tools to do practically anything. Some even have white papers available on locking down websites and defensive programming.

  #8, Rubberman, Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away; Posts: 11,737)
    There are well-known security holes in php, most of which have been fixed, but a lot of sites are still using vulnerable versions. As said by others, install an entirely new system with latest patched code, disable root logins, make all your web pages and directories read-only, and keep your system patched on a daily basis (or at least a weekly basis). Once updated/patched, restart all of your services so they will incorporate the fixes you installed. Do note that unless you restart a service, it will still be using the old (buggy) software, such as shared libraries, executables, etc.

    FYI, Linux.com and LWN.net both publish daily lists of security patches that have been issued by all the major Linux distributions. I read them daily... it is the first thing I do in the morning, and again in the afternoon. None of my systems have ever been pwnd, and I am at least partially responsible for several thousand web servers... When I see a vulnerability that may impact our network, I email the details to our operations and netops groups. Usually they are already familiar with the issue, but sometimes not. As the old saying goes, it is better to be safe, than sorry! Especially since we have to serve over 100 million users!
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
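Rubberman's point about restarting services after patching, as an added example that is not from the post: on Linux a daemon that still maps a library the package manager has since replaced shows that mapping with a "(deleted)" suffix in /proc/<pid>/maps, because the old file was unlinked when the new one was installed. This lists such processes so you know which services are still running the buggy code. The maps and cmdline contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. After `yum update`, a running daemon keeps
# the OLD library mapped until it is restarted; /proc/<pid>/maps marks such
# mappings "(deleted)" because the file on disk was replaced. Walk /proc and
# report them. Linux-specific; the proc root is a parameter so it can be tested.

# Print the distinct deleted file-backed mappings in one maps file.
# maps fields: address perms offset dev inode pathname [ (deleted) ]
# Skip pseudo-files (/dev/zero, memfd, SysV shm) that are always "(deleted)".
stale_libs_in_maps() {   # $1 = path to a maps file
    awk '$NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(dev|memfd|SYSV)/ { print $6 }' "$1" | sort -u
}

# For every process, print "pid (command): lib lib ..." when stale mappings exist.
report_stale_processes() {   # $1 = proc root, default /proc
    p="${1:-/proc}"
    for m in "$p"/[0-9]*/maps; do
        [ -r "$m" ] || continue            # other users' processes need root
        pid="${m%/maps}"; pid="${pid##*/}"
        libs="$(stale_libs_in_maps "$m")"
        [ -n "$libs" ] || continue
        cmd="$(tr '\0' ' ' < "$p/$pid/cmdline" 2>/dev/null | cut -c1-60)"
        printf '%s (%s): %s\n' "$pid" "$cmd" "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
    return 0
}

# Constructed /proc stand-in for the demo: pid 100 (httpd) still maps replaced
# libc and libssl; pid 200 (sshd) is clean.
build_fake_proc() {   # $1 = empty directory
    mkdir -p "$1/100" "$1/200"
    printf '%s\n' \
        '7f00 r-xp 00000000 08:01 111 /lib64/libc-2.5.so (deleted)' \
        '7f01 r--p 00000000 08:01 112 /usr/lib64/libssl.so.0.9.8e (deleted)' \
        '7f02 rw-p 00000000 00:00 0' \
        '7f03 rw-s 00000000 00:04 5 /dev/zero (deleted)' > "$1/100/maps"
    printf 'httpd\0-k\0start\0' > "$1/100/cmdline"
    printf '%s\n' '7f00 r-xp 00000000 08:01 113 /lib64/libc-2.5.so' > "$1/200/maps"
    printf 'sshd\0' > "$1/200/cmdline"
}

# Usage on the real box (as root, after patching):  report_stale_processes /proc
```

A hit on libc means practically every long-running daemon needs a restart, which is why a reboot after a glibc or kernel update is the simplest honest answer; a hit on a single library (libssl, libxml2, mod_php) tells you which service to bounce.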
