WHMCS Breach - Some 3.5.1 Downloads Were Compromised
Jan 8, 2008
I just received a fairly scary WHMCS notice, you can view the details here:
<<please don't paste the file names, there are accounts that may have these on them>>
What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end.
I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored.
Are their own billing systems & servers hosted in the same environment, were our billing details also released? etc. I want to know the scale of the attack.
We have found (thanks to CSF warning us) in /tmp 4 suspicious files. One is a perl script (probably a backdoor) and the other 3 files are binaries. They were probably uploaded by some vulnerability a customer's website (now suspended) because they are under his ownership.
The server seems ok, nothing out of the ordinary (the root logins are disabled, we su - from another account).
We have run rkhuner and chkrootkit (fresh installs) and found nothing.
One of the binaries contained this (retrieved with strings): chown root:root /tmp/suid; chmod +s /tmp/suid (suid being one of the other binaries). This /tmp/suid has no suid set and is not under root ownership:
-rw-r--r-- 1 user user 759 Jan 25 2008 dc.pl -rwxr-xr-x 1 user user 2404 Nov 4 22:10 libno_ex.so.1.0* -rwxr-xr-x 1 user user 4945 Nov 4 22:10 suid* -rwxr-xr-x 1 user user 6209 Nov 4 22:10 udev*
dc.pl seems to be from January but it's apparently fake:
somewhere on my cpanel server a script has been able to be used by a spammer and im now getting tonnes of returned mails from aol etc. 1000's are coming in every hour.
I think i have found the culprit, but i can't be sure. how can i find out for sure which script this was? the email headers dont even show the user from what i can see!
I got an email saying that there was a security breach at steadfast. At the same time I got an email saying that my account was suspended because I am sending spam from one of my domains. I NEVER SEND SPAM. I opened a support ticket and they apologized saying it's not my fault and they restored my account. Apparently spam was sent by a php script but they don't want to give me details. The next day they suspended my account again on the same reason.
I found a random proxy site running out of /var/www/temp. It seems to have been created yesterday, and I found about it via a DMCA notice from the planet. Is this apache's temporary directory? There was even an entry for it in the apache configuration and was running as a perl script out of its own cgi bin. I killed it and chmod'd it to 0. In the future, would setting permissions on this directory to non executable prove to be effective? Any idea if this type of breach is serious enough to warrant an OS reinstall?
I dont know how but the passwords keeps getting changed on the emails on my cpanel. Its no one who has acess and no files are being delted to the problem is only with the email.
we have a server that was breeched and is being used to send ddos attacks to another website and we need to stop it permanently and secure our server to avoid it from happening again.
My tech has already been able to track down the bot/script that was sending it and seemed to stop it for about a week, but they have gained access to the server again.
He is not an expert at security issues so I'm looking to hire someone for a one time job to correct this issue.
Can someone offer me some referrals of someone to take care of this. Please do not recommend Rack911 as I waited nearly a week for their assistance and had no luck.
I got this email earlier today, surprised to see there isn't already a 10-page thread about it. Did anyone else get this from The Planet?
In the course of the last two days, our Computer Security Incident Response Center team has identified suspicious activity in our customer management portal. Through their vigorous investigation, we have identified what appears to be a security breach that may have affected your customer portal account and server passwords. We have identified the methods by which the systems were compromised and have closed those holes. In addition to those actions, we will be implementing additional security measures to further strengthen the infrastructure and systems.
We are taking this action to alert you to this potential malicious activity. At this juncture, we are aware of only two incidents whereby log-in and server passwords were accessed. Based upon our security review of access logs, we do not believe any credit card information was compromised. We have contacted the authorities and are working with them to identify the perpetrator and to pursue appropriate legal action.
We are taking a proactive approach by contacting you directly, which we believe is the best course of action. We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:
1) Change your Orbit log-in passwords immediately and do so again every 60 days.
2) Change your server passwords and do so again every 60 days.
3) Be alert to any suspicious activity on your account.
4) If you suspect any unusual activity, please retain your access logs along with
I sent a server I have with a provider to have a RAM upgrade yesterday at 15:33 UTC, and ever since then I have had no access to my server.
SSH has been changed back to port 22, from a random high port. root password has changed RSA key has changed too.
I can see 3 possable reasons for this:
1) It's a different server plugged into the rack/router or a stolen IP
2) My provider "kindly" formatted and reinstalled my OS.
3) I have a compromised server, I very much doubt this as the server was offline.
I informed my provider about 18 hours ago that I had a "possable compromised server" and since then I have been given the run around as to what is happening.
For the last couple hours or so I have been trying to get them on live chat, which shows as online, but no-one answers. Thats another pet hate of mine.
I also have a couple tickets open asking for an update as they are not answering my origional ticket with updates.
Am I just being impaitent wanting a resolution to this in less than 18 hours or am I correct to complain?
I am trying to determine if i am hacked, here is details:
I just got a message from softlayer support: ABUSE - 66.228.xxx,xxx - HACKING/MALICIOUS ACTIVITY - IMMEDIATE ACTION REQUIRED. with some log like this: Quote:
cat /var/log/rkhunter.log | grep Warning [18:26:29] /usr/bin/GET [ Warning ] [18:26:29] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable [18:26:29] /usr/bin/groups [ Warning ] [18:26:29] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable [18:26:30] /usr/bin/ldd [ Warning ] [18:26:30] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable [18:26:35] /usr/bin/whatis [ Warning ] [18:26:35] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable [18:26:36] /sbin/ifdown [ Warning ] [18:26:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable [18:26:36] /sbin/ifup [ Warning ] [18:26:36] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[18:27:43] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ] [18:27:44] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ] [18:27:44] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ] [18:27:44] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ] [18:27:44] Checking for enabled xinetd services [ Warning ] [18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa [18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa [18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa [18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[18:27:59] Checking for hidden files and directories [ Warning ] [18:27:59] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
I have a few shred hosting servers I run. One of them keeps getting listed on CBL. It is very frustrating. Does anyone have an tools, tips, or tricks on finding the compromised?
So far I have confirmed that a script is using PHP to send mail out bypassing the MTA. It is faking the HELO and impersonating a well known ISP.
I used a combination of tshark and netstat. tshark can show me the HELO and EHLO. When I see the wrong entry I cross check that with netstat to see what. So Netstat only shows that it was PHP not the script path.
nohup tshark -f "port 25 and src host XX.XX.XX.XX" > /var/log/monitor/tshark-smtp.log & Then I grep for what I'm looking for:
grep -i "HELO" /var/log/monitor/tshark-smtp.log
Is there a way to get Netstat to show the script path or complete command that is establishing the connection? Currently these scripts are eating up memory to a point that other process or getting killed off.
I also tried to force all mail through the MTA, but When I enable SMTP_BLOCK in my firewall config I get and error:
*WARNING* Cannot use SMTP_BLOCK on this VPS as the Monolithic kernel does not support the iptables module ipt_owner - SMTP_BLOCK disabled.
If there is a better way I'm game. Maybe some IDS that can tell me more of what is going on with the server?
I have read many helpful feedbacks regarding choosing a reliable web host. Most of the concerns are centered around costs. However, I am more particular about the relative security of my website in addition to other perks such as space, speed and bandwidth. I rate my concerns on a 1-10 scale:
Security 9/10 Bandwidth 7.5/10 Disk space 6/10 E-mails, backups, etc: 8/10 Cost: 7/10
I just got a letter from my dedicated host stating we had just been compromised. These servers just were set up last week! And there is nothing on them yet. The only thing I have done is modified the /etc/hosts file via SSH.
My servers are not even public yet. Can SSH'ing in from an unsecured wireless network make me vulnerable?
What do you guys think? Best way not to let this happen again?
Oh this is great :-| He's still logged in!
[root@server~]# who root pts/0 2007-06-06 07:12 (xxx) test pts/2 2007-06-06 03:08 (81.89.10.92)
Ok...posting this here to hopefully get someone's attention at gnax.net.
I've written their abuse@gnax.net and engineer@gnax.net multiple times and even called into their support line and spoke with Stephen (or Steven). No one there seems to care.
They have a group of Vietnamese hackers on their network that are launching attacks from several of their servers. They also have a google phising site on one of the servers.
Spoke with Stephen at Gnax support and his answer was that it wasn't his job and I needed to send a e-mail to abuse. After telling him that I'd done that multiple times he basically said oh well that he didn't know what to do.
Seems like the admins of gnax.net are either very irresponsible, stupid or just ignorant.
Here are the URL's.
[url]
[url]
Just replace the 1's with t's and you can see for yourself. The fwooshnet.com attempts to download a trojan to your system so if you don't know what your doing don't visit either URL.
I receive reports from my DC that my server is launching some hacking / malicious activity. This is the log that they provide:
Quote:
> > Aug 20 12:34:35 ensim sshd[30628]: Did not receive identification > string from MY.SERVER.IP > > Aug 20 12:44:23 ensim sshd[444]: Failed password for admin from > MY.SERVER.IP port 57896 ssh2 > > Aug 20 12:44:23 ensim sshd[444]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:26 ensim sshd[445]: Failed password for root from > MY.SERVER.IP port 58029 ssh2 > > Aug 20 12:44:26 ensim sshd[445]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:28 ensim sshd[446]: Failed password for root from > MY.SERVER.IP port 58141 ssh2 > > Aug 20 12:44:28 ensim sshd[446]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:31 ensim sshd[449]: Failed password for root from > MY.SERVER.IP port 58276 ssh2 > > Aug 20 12:44:31 ensim sshd[449]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:33 ensim sshd[450]: Failed password for root from > MY.SERVER.IP port 58421 ssh2 > > Aug 20 12:44:33 ensim sshd[450]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:36 ensim sshd[453]: Failed password for root from > MY.SERVER.IP port 58565 ssh2 > > Aug 20 12:44:36 ensim sshd[453]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:38 ensim sshd[455]: Failed password for root from > MY.SERVER.IP port 58672 ssh2 > > Aug 20 12:44:38 ensim sshd[455]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:41 ensim sshd[456]: Failed password for root from > MY.SERVER.IP port 58787 ssh2 > > Aug 20 12:44:41 ensim sshd[456]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:43 ensim sshd[457]: Failed password for root from > MY.SERVER.IP port 58961 ssh2 > > Aug 20 12:44:43 ensim sshd[457]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:46 ensim sshd[458]: Failed password for root from > MY.SERVER.IP port 59132 ssh2 > > Aug 20 12:44:46 ensim sshd[458]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:48 ensim sshd[459]: Failed password for root from > MY.SERVER.IP port 59348 ssh2 > > Aug 20 12:44:48 ensim sshd[459]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:51 ensim sshd[465]: Failed password for root from > MY.SERVER.IP port 59495 ssh2 > > Aug 20 12:44:51 ensim sshd[465]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:53 ensim sshd[466]: Failed password for admin from > MY.SERVER.IP port 59622 ssh2 > > Aug 20 12:44:53 ensim sshd[466]: Received disconnect from > MY.SERVER.IP: 11: Bye Bye > > Aug 20 12:44:56 ensim sshd[467]: Failed password for admin from > MY.SERVER.IP port 59803 ssh2 > > Aug 20 12:44:56 ensim sshd[467]: Received disconnect from > MY.SERVER.IP: 11:
one of the worst things (in hosting) has happened. I received a notice this morning from lfd (configserver) that someone had logged into my server as root and it wasn’t me.
Unfortunately I didn’t notice it until eight hours later so I have no idea (yet) what happened during that period. Thankfully I don’t have any really critical data on the system that could have been stolen.
I’m in the process of restoring from a full system backup right now. After that’s done I’m going to look to see what the differences are between the files from the backup and that on the comprised drive. I’m not sure if I’ll get anything useful from the diff but hopefully I’ll find a clue as to how they got root access.
Then of course I need to get my server back up. However, I don’t want to do this until I’ve taken some steps to identify how the individual got in and take some additional preventative steps.
Here’s what I am planning on doing:
1) Check to make sure all exposed services are patched and look at some security sites to see if there are any known vulnerabilities for these services. Anyone know which sites are good to look at?
2) Change firewall to only allow ssh access from a couple specific IP addresses.
3) Disable root ssh access so I have to login via a different account and perform sudos, etc.
4)?
I’ll also look for a good server-hardening guide to see if there are some obvious things I forgot to secure.
Do any of you find folks have any other suggestions or resources that I should check out?
So one of the sites on our box was compromised earlier today.
We've shut it down for now and contacted our sysadmin to help research the problem. Not sure if he will be able to really help much as he's only done updates and such in the past.
Any idea of quality sysadmins who might be able to investigate the box and the site?
I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no lead way. The following are the steps they take to breach the server.
“They” are able to create an account. Some used usernames they have created are: sysadmin, adm, mssqladm.
It is very odd, looking in the event viewer, they just appear to create accounts out of the blue, they don’t even login or attempt to login or anything, all the sudden it says, New Account Created.
“They” then change the password of the account they just created.
Then “They” assign themselves the following group permissions, ‘Users’, and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?
Then the do a few different actions depending, often times they disabled the windows firewall, and change open ports, other times they simply just logoff, other times, they have placed Trojans horses and other malware in their temporary internet folder under their use folderr.
This has been a cat and mouse game for weeks, I catch the new account, and immediately delete it, and check the firewall and enable if needed, then run a full system scan with AVG and Prevx. Sometmies AVG finds Trojans and malware, other times its clears.
I have racked my brain, checked all running processes with google, and they are seem legit. I have updated everything in windows via windows update, we are running windows 2003 server SP2. I have looked at the users and groups and everything seems secure.
Do you have guys have any idea what is going on? I have feeling something is running internally, which is allowing them to create the accounts.
Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?
My server (using plesk 8.1 on windows 2003 server) has been compromised with some sort of rootkit and I'm investigating vulnerabilities. This server hosts some of my asp.net applications and I have to grant Modify Permission to IIS WP (iwam_plesk) user on Some subfolders (under Httpdocs folder for each domain). Is it a security problem? if yes, how else can I allow asp.net applications to write to, say, an Access db?
I've come across something that has stumped me. A client who has pdf files download fine when using firefox but using IE 6 or 7 prompt to save a tar file which does not open properly.
My clients in LA - those on AT&T and Time Warner in paticular - are having bad download speeds from my server with Softlayer. Anyone else having similar trouble? Clients who normally get 500-700kb/s down are getting < 50 kb/s down, even early in the morning when the total traffic on my 100mbps port is under 1.5mbps.
Basically, east coast is fine, and anyone with a T1 in LA is fine as well - it's just DSL and Cable modems in LA that are screwed up. In fact, one of our are clients is using Apple Remote Desktop to connect to a remote client with a T1; it's faster to through Time Warner, then VPN to Verizon, and then connect Softlayer and back again than to go directly from Time Warner to Softlayer, which is really weird.
I own the website [url]and it's hosted at Host Excellence. Recently there have been some downtime periods, and most importantly, I have noticed that downloads are very slow. For instance, when I download a file such as [url]I get an approximative transfer rate of 100-150 KB/sec (whereas most other sites download at 500 KB/sec or more). First of all I'd like to know if you guys get similar results, and what do you recommend? I have contacted my host about it, they seem to deny the problem. Should I switch? What to? I need something reliable and fast.
My site is hosted on siteground, and i offer a few mp3s for download on my site. But, when my visitors download the songs, only a part of the song is downloaded, not completely. Siteground says this problem is about the apache server limitations on the http protocol downloads.
Can any user defined apache handler be defined to increase the http timeout value? I am on shared hosting.
I ordered a new server from iWeb a few days and after I transfered everything and was stating to set everything up I noticed that I as only getting about 1/2 of my download speed from both of my iWeb servers.
Is anyone else experiencing slower then normal downloads from iWeb?
Normally I could max my connection out at 2.1 MB/s now I can only get about 800 KB/s - 1.0 MB/s
I'm selling downloads of music files. The zip files are quite large. I've had several people complain that they get a message that the server resets their connection before the download finishes.
