Strange Server Hack


Openg

11:31 pm on Aug 20, 2009 (gmt 0)

10+ Year Member



Hi,
I have a client that has had his Virtual Server hacked - there have been hidden links such as this:

<!-- [73ef2dbab4182cfd5b0813178e93bbf2 --><!-- 8568250521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://example./com/l">.</a></li></ul></div><!-- 73ef2dbab4182cfd5b0813178e93bbf2] -->

With similar links on other sites of his using PHP's register_shutdown_function (linked again to http://example.com/l, which isn't even a registered domain).

There were some random links left on another site linked to a folder called 'priv' on some random bloke's site that had a replica of his front page in it. I called him up and he says he knows nothing about it.

I'm trying to get to the bottom of this, so I thought I'd start at this font of wisdom. If you have any ideas, pass them by me, because I'm stumped.

Cheers,

Dom

[edited by: tedster at 3:32 am (utc) on Aug. 21, 2009]
[edit reason] hide the real domain name [/edit]
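As an added, defender-side illustration (not code from any poster in this thread): a small Python scanner for the two indicators described above, the hidden 1px div wrapped in paired hex-id comment markers and PHP's register_shutdown_function hook. The sample inputs are constructed here to mirror the quoted payload; the regexes and file suffixes are assumptions, not something the thread specifies.

```python
import re
from pathlib import Path

# Injected block as quoted in the first post: a 32-hex-digit id wrapped in HTML
# comments around a 1px, visibility:hidden div, closed by the same id plus ']'.
BLOCK_RE = re.compile(
    r"<!--\s*\[(?P<id>[0-9a-f]{32})\s*-->.*?<!--\s*(?P=id)\]\s*-->",
    re.DOTALL | re.IGNORECASE,
)
# A hidden or 1px-high div on its own, in case the comment markers were stripped.
HIDDEN_DIV_RE = re.compile(
    r"<div[^>]*style\s*=\s*\"[^\"]*(?:visibility\s*:\s*hidden|height\s*:\s*1px)",
    re.IGNORECASE,
)
# register_shutdown_function is legitimate PHP; it is reported for review only.
SHUTDOWN_RE = re.compile(r"register_shutdown_function\s*\(")

def scan_text(text):
    """Return (kind, detail, offset) tuples for every indicator found in text."""
    blocks = list(BLOCK_RE.finditer(text))
    hits = [("injected-block", m.group("id"), m.start()) for m in blocks]
    covered = [(m.start(), m.end()) for m in blocks]
    for m in HIDDEN_DIV_RE.finditer(text):
        if not any(s <= m.start() < e for s, e in covered):  # avoid double reporting
            hits.append(("hidden-div", m.group(0)[:40], m.start()))
    for m in SHUTDOWN_RE.finditer(text):
        hits.append(("shutdown-hook", "review callback body", m.start()))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".tpl")):
    """Walk a docroot (assumed suffix list) and map each flagged file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed samples: the payload shape quoted in the thread, and a PHP shutdown hook.
SAMPLE_HTML = (
    '<html><body><p>Welcome</p>'
    '<!-- [73ef2dbab4182cfd5b0813178e93bbf2 --><!-- 8568250521 -->'
    '<div style="overflow:auto; visibility:hidden; height: 1px; ">'
    '<ul><li><a href="http://example.com/l">.</a></li></ul></div>'
    '<!-- 73ef2dbab4182cfd5b0813178e93bbf2] --></body></html>'
)
SAMPLE_PHP = "<?php\nregister_shutdown_function('emit_links');\n?>"

if __name__ == "__main__":
    for kind, detail, off in scan_text(SAMPLE_HTML) + scan_text(SAMPLE_PHP):
        print(f"{kind:15} @{off:5} {detail}")
```

Run scan_tree() against a copy of the docroot taken for inspection, not the live server, so the findings can be compared against the clean backup before anything is restored.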

tedster

3:36 am on Aug 21, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, this is just the evidence that security was breached - it's the "payload" that the hacker inserted on those pages. The hacker, now that they have access, can easily switch those particulars around on a moment's whim.

What matters most is the fix - not what particular URLs were inserted. This particular payload looks like a further evolution of the old iframe insertion, but it is using a 1px-height div instead of an iframe to carry the code.

What you need to nail down is how the server's security was breached, and then plug up that security hole. This usually means patching/updating key software that's running that may have been allowed to slide. The most common software is usually what hackers target, because they want MASSES of zombie pages delivering their payload. So check out old versions of cPanel, WordPress, vBulletin, and even PHP and MySQL installs.

And once you patch the security, then upload clean versions of the pages from a local backup. If you don't do that, you may leave a trapdoor behind and the server will be hacked again.

Openg

7:27 am on Aug 21, 2009 (gmt 0)

10+ Year Member



Thanks Tedster,
It seems that all four sites on a VPS were affected; would I be right in assuming that it is more likely to be an issue with the shared server than a security issue on one of the four sites?

janharders

8:09 am on Aug 21, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No, you cannot deduce that from it.
With PHP often running as mod_php, one breached site can infect others on the same machine, possibly even more easily than a potential local attacker (one that does not gain superuser access) could.
Did you check the error logs for suspicious entries? Attackers often use scripts that try multiple exploits, and those attempts leave traces before one succeeds. Also check the FTP logs.
Like tedster said, you should backup the system for further inspection and install a clean system and restore a backup, not just upload "clean" versions of the sites, because there might still be an infection on the system, outside the htdocs.

Openg

8:22 am on Aug 21, 2009 (gmt 0)

10+ Year Member



Thanks for your time answering fellas,
I know it sounds naive, but it's a shame there isn't a version of something like AVG that runs on servers and checks for rogue code. Anyhow, I guess I'm learning something :0)

janharders

10:25 am on Aug 21, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, in general: if your server is heavily secured with the right access limitations etc., you won't have to worry about code injections that much, because they'll only infect one site. Also, there's mod_security, which tries to intercept attacks and block them, but nothing can let coders write their code and stop them from building security risks. Sadly, searching for *.php usually finds quite a few holes.