[BlueOnyx:17533] Re: Hacking and Spamming..
Steve Davis
thezio at gmail.com
Thu May 7 10:07:18 -05 2015
Wayne,
You should be able to do
/usr/sbin/lsof if your running as normal user.
To install On CentOS or Scientific Linux Blue Onyx Server
yum install lsof
As for finding the bad compromised files on your server, here is what i have done.
You must do the next steps as root
First, stop sendmail
service sendmail stop
Then as root inspect your /var/log/maillog file for sendmail-wrapper.php
This will show you the user and compromized files on your server that are allowing the exploits.
remove them, obviously. But read all the way down in case you want to install a HoneyPot like i did
Then go to /var/spool/mqueue and remove all the files there, I had hundreds of thousands after just 24 hours of exposure.
Then go to /var/spool/clientmqueue and remove those as well. These are bounces.
If you have a very large admin mbox file, i recommend removing it as well. I had 23,000 mail messages and could never open
rm mbox
> mbox will create another
Next you need to update your out of date Joomla or WordPress installations. These were my problem.
But most importantly, you need to purchase the PHP 5.4 and PHP 5.5 packages and install them, also immediately,
Joomla and PHP 5.3 is where all my exploits came from.
Next, go to http://www.rfxn.com/ and install the maldet CLI package, configure the settings by the instructions, and run.
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvzf maldetect-current.tar.gz
configure the conf.maldet
vi /usr/local/maldet/conf.maldet
This package will help detect most compromises, but not all. Inspect what it has to say and clean the files it does not.
Next, run this grep command
grep -r ‘base64_decode($_POST’ /home/.sites/
Notice the ticks to separate the two arguments.
This command helped me find dozens of small exploits hidden on top of modified .php files that seems to gang together to open other Joomla exploits.
Finally, for me, i designed a simple honeyPot that blocked IP addresses when the hackers attempted to get back into my server. So, when they called the compromised file, it blocked their IP. Immediately.
1. From the exploited files you find in maillog
I renamed the exploited file (for example db.php) and added the content of this file.
### db.php
<?php
$file = 'people.txt';
// The new person to add to the file
header("Content-type: application/json");
$person = json_encode($_SERVER['REMOTE_ADDR']);
$newline = "\n";
// Write the contents to the file,
// using the FILE_APPEND flag to append the content to the end of the file
// and the LOCK_EX flag to prevent anyone else writing to the file at the same time
file_put_contents($file, $person, FILE_APPEND | LOCK_EX);
file_put_contents($file, $newline, FILE_APPEND | LOCK_EX);
$mystring = "./blockip.sh " . $person ;
//echo ($mystring);
// Then block the IP
shell_exec($mystring);
?>
End of File db.php
You will need to make the next file executable, by the WebOwner of the domain your in.
You may also need to add the WebOwner to the sudo config file
visudo
go to the bottom and add that user.
And, comment out Defaults requiretty
Then exit out of visudo
make blockip.sh executable
chmod +x blockip.sh
The next file is the one the db.php file calls.
## blockip.sh
#! /bin/bash
/usr/bin/sudo /sbin/iptables -A INPUT -s $1 -j DROP
// If you want a text message sent to you every time the script is executed, for fun perhaps.
echo "$1" | mail -s "Exploit” YOUR TXT ENABLED DEVICE ADDRESS HERE
End of File blockip.sh
I know this was a lot, and not quite what you asked, but after a week working on the best solution, this was it for me.
Hope it helps and is not too confusing, if i had more time i would have formatted this response much better.
Best of luck , Steve
On May 7, 2015, at 9:01 AM, Wayne Michael <wrmichael at hotmail.com> wrote:
>
> is there is BlueOnyx equivalent to do the iptables commands below?
>
> They also mention lsof. Where can I get that from for blueOnyx?
>
>
> From the CBL:
>
> {http://cbl.abuseat.org/lookup.cgi?ip=x.x.x.x}
> Finding the problem by network activity: Linux/FreeBSD etc
>
> One way of finding the user that is infected and spewing spam is to use the "lsof" (list open files) utility. "lsof" is available for most versions of UNIX-like systems such as Linux as part of the official distribution, but may not be installed by default. So first, make sure you have it installed. On many systems such as Ubuntu, you can install it by:
> sudo apt-get install lsof
>
> Once lsof is installed, you can issue the following command
> sudo lsof -i | grep smtp
>
>
>
> Preventing it Happening Again
>
> • Make absolutely certain that ALL CMS software (Joomla, Cpanel, Wordpress, Plesk etc) is kept up to date at all times. Do not let your users make any excuses for not doing so.
> • Make it impossible for such infections (and they will happen again) to spam the world by implementing the blocking of email sent direct from the machine without going through your mail server. Some of your customers may believe that they need to be allowed to do this. The best answer for them is to configure their software to relay it through the mail server software on the machine or to an external smart-host.
> For blocking: With Cpanel you can use ConfigServer Security Firewall (CSF). It's free. CSF has the "SMTP_BLOCK" configuration option - turn it on.
> Basic Cpanel, there's also "WHM SMTP Tweak" would should also help.
> The following is an equivalent for non-Cpanel installations - it permits local mail submission and blocks external mail submission:
> iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mailman -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
>
> The above permits users to send mail via a local mail server, permits local mail server software (running under userid root, or gid mail or mailman) to send email to the Internet, but prevents any ordinary user making direct SMTP connections to the Internet. You may have to adjust this for Qmail or Exim. Check which userids are used. Note that the iptables settings will probably be lost next time you reboot.
> Many versions of Linux (Debian, Ubuntu etc) have a package called "iptables-persistent". You can install this package ("sudo apt-get install iptables-persistent") and manage your boot-time iptables entries using it.
> If you're using cPanel and APF, APF by default will wipe out iptables rules you enter manually leaving the server vulnerable. If you are using APF, you should make the above change via APF and that will take care of reissuing the commands upon reboot or reset.
> • Do you really need PHP script support? CGI support? PHP mail functions? Turn off the ones you don't need. Some people, for example, turn off CGIs, and PHP "fsocketopen" or "exec" functions in the PHP ini files (either for the whole site, or individual environments), and manage to inhibit many infections.
> • Some of these scripts get installed into /tmp. If /tmp is a separate file system, you can stop it being used by malicious scripts by adjusting the /etc/fstab file to mount /tmp with the "noexec" and "nosuid" flags. This means that the O/S will not run programs that are in the /tmp directory nor treat them as setuid.
> • Turn off customer FTP if you don't need it. Note that some CMS packages install FTP with anonymous FTP turned on by default. This is ALWAYS a bad idea, so make sure "anonymous login" is turned off.
> • It is necessary to force password changes on those users whose web sites have been compromised. If you can't tell exactly which users have been compromised, it's strongly recommended you change all passwords.
>
>
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
More information about the Blueonyx
mailing list