downtime September 24

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

downtime September 24

Post by bad_brain »

ahhh... almost 2 pm and finally a cup of tea. :lol:

so yeah, as you most likely have noticed, the site was down for a while today, and no: we were not hacked. :P
the reason was another website on the same host which WAS hacked; the site belongs to a customer who manages it himself and seems to have used flawed WP plugins. So loads of spam was sent (the mail server activity was what actually caused the downtime; when I first checked there were about 50k bounces in the queue). It took a bit to identify which site was actually causing the trouble because the bounce headers gave no clue about the sender... long story short: website removed until I have analyzed and (if possible) secured it, all back to normal (except for a temporary presence on some DNSBLs, I guess).

P.S. thanks Mr. Cats...;)
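One way to do the triage described above (which site is feeding the mail queue when the bounces themselves do not say), added here as an example and not part of the original post or of the host's own tooling: PHP's mail() hands each message to the local sendmail binary, and Postfix's pickup daemon logs the submitting uid for every such message. Because each site on this host runs under its own user, counting pickup lines per uid points at the vhost to look at first. The log lines below are constructed for the example; the host name and the log path are assumptions.

```shell
# Added example (not from the post): find which local uid is feeding the
# Postfix queue. PHP's mail() pipes into /usr/sbin/sendmail, and the
# postfix/pickup daemon logs "uid=<n> from=<user>" for every such submission.
# Because each vhost on the host described above runs under its own user,
# the busiest uid is the site to look at first.
#
# The log lines are CONSTRUCTED for this example; a real run would read
# /var/log/mail.log (path assumed, it varies by distribution) instead.
SAMPLE_LOG='Sep 24 10:01:02 serve3 postfix/pickup[2211]: 1A2B3C4D5E: uid=1003 from=<web7>
Sep 24 10:01:02 serve3 postfix/cleanup[2219]: 1A2B3C4D5E: message-id=<20130924100102.1A2B3C4D5E@serve3>
Sep 24 10:01:03 serve3 postfix/pickup[2211]: 2B3C4D5E6F: uid=1003 from=<web7>
Sep 24 10:01:05 serve3 postfix/pickup[2211]: 3C4D5E6F70: uid=1001 from=<web2>
Sep 24 10:01:07 serve3 postfix/pickup[2211]: 4D5E6F7081: uid=1003 from=<web7>
Sep 24 10:01:09 serve3 postfix/smtp[2230]: 4D5E6F7081: to=<someone@example.net>, relay=none, status=bounced (address rejected)'

# pickup_counts: read a mail log on stdin and print one "count uid user" line
# per submitting uid, busiest first. Only pickup lines carry the uid; the
# cleanup/smtp lines for the same queue id are ignored.
pickup_counts() {
    grep 'postfix/pickup' \
    | sed -n 's/.* uid=\([0-9][0-9]*\) from=<\([^>]*\)>.*/\1 \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# top_sender_uid: the uid with the most submissions, or nothing if the log
# holds no pickup lines at all.
top_sender_uid() {
    pickup_counts | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run on the constructed log:
printf '%s\n' "$SAMPLE_LOG" | pickup_counts
```

`getent passwd 1003` then maps the uid back to the vhost user. The header-side fix for "the bounce headers gave no clue about the sender" is PHP's `mail.add_x_header = On` (php.ini, PHP 5.3 and later), which stamps every mail() message with an `X-PHP-Originating-Script` header naming the uid and the script, so the bounces identify the sender on their own. `postqueue -p` lists the queue (that is where a figure like the 48,838 in this thread comes from) before `postsuper -d ALL deferred` drops it.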

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: downtime September 24

Post by ayu »

So they managed to upload a PHP shell then, or other scripts?
Check the logs to make sure they didn't go further in and leave something else behind :-k
"The best place to hide a tree, is in a forest"

Re: downtime September 24

Post by bad_brain »

Yeup, PHP shell. I deleted the whole account; they had no chance to get out of the vhost container because each website runs under its own user, for this they would have needed root privileges, which can't be obtained through a site... :wink:

Re: downtime September 24

Post by bad_brain »

gah...now the security settings were triggered by my last post....what a day... ](*,) :lol:

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00

Re: downtime September 24

Post by ph0bYx »

Funny thing that happened to me is that I was trying to contact you on suck-o to tell you that suck-o is down. Took me a while to understand the fallacy there. I need to sleep more.

G'night!

Re: downtime September 24

Post by bad_brain »

me too! :lol:
thanks for trying though buddy... gonna PM you my phone number; you can also use the business address in such cases. ;)

P.S. good night! ^^

Re: downtime September 24

Post by bad_brain »

serve3:~# postsuper -d ALL deferred
serve3:~#
SO much better now than the 48,838 before... :lol:

Re: downtime September 24

Post by ayu »

bad_brain wrote:Yeup, PHP shell. I deleted the whole account; they had no chance to get out of the vhost container because each website runs under its own user, for this they would have needed root privileges, which can't be obtained through a site... :wink:
hmm, why would they not be able to obtain root via a site?
Wouldn't they just need to upload a shell and find any vulnerable service in the system that runs as root, and then escalate it?

At least that's what I would have done, but I'm not sure how your system is setup so maybe I'm missing something :o
Do elaborate when you feel like it buddy, I live for this shit xD

Re: downtime September 24

Post by bad_brain »

nope, because each site runs under its own service instance owned by its own user... pretty much a chroot environment. So all they can do is move around inside the vhost container without any access to higher directories or services, because for that they would already need root privileges.
so: not just the users are chrooted, each apache process is, because it runs under the corresponding user. There is not one big apache2 process like in the Prefork MPM.

of course I also did a full system scan.

Re: downtime September 24

Post by ayu »

bad_brain wrote:nope, because each site runs under its own service instance owned by its own user... pretty much a chroot environment. So all they can do is move around inside the vhost container without any access to higher directories or services, because for that they would already need root privileges.
so: not just the users are chrooted, each apache process is, because it runs under the corresponding user.

of course I also did a full system scan.

ah ok, yeah then it becomes less likely that they broke further in x)
Especially since their target was probably random.

Re: downtime September 24

Post by bad_brain »

[screenshot]

no command exec for skiddo....a shell pretty much turns into a web file client that way... :wink:

trying to get out of chroot: [screenshots]
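What "no command exec" amounts to in practice, added here as an example that is not from the post and not the host's real configuration: with PHP's process-execution functions disabled, an uploaded shell cannot spawn anything and degrades to a file browser and editor inside whatever open_basedir allows, which is what the screenshot above shows. The check below reads a php.ini from stdin and reports which of those functions its disable_functions line still leaves enabled. Both ini fragments are constructed, and the open_basedir path is an assumption about the vhost layout.

```shell
# Added example (not from the post, and not the host's real configuration):
# audit a php.ini for the "no command exec" state the screenshot shows. With
# these functions disabled a PHP shell cannot spawn processes and degrades to
# a file browser/editor inside whatever open_basedir allows.
#
# PHP's process-execution functions (real PHP names; pcntl_exec only exists
# when the pcntl extension is built, listing it anyway is harmless):
NEEDED='exec passthru shell_exec system proc_open popen pcntl_exec'

# Two CONSTRUCTED php.ini fragments: a typical weak one and a hardened one.
# The open_basedir path is an assumption about the vhost layout.
WEAK_INI='; php.ini fragment (constructed)
disable_functions = exec,system
open_basedir ='

HARDENED_INI='; php.ini fragment (constructed)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
open_basedir = /var/www/vhosts/web7/:/tmp/'

# missing_exec_functions: read a php.ini on stdin and print, space-separated,
# the functions from NEEDED that disable_functions does NOT cover. Empty
# output means every one of them is disabled.
missing_exec_functions() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' \
               | tr -d ' ' | tr ',' '\n')
    missing=''
    for f in $NEEDED; do
        # -x: whole-line match, so "exec" does not satisfy "shell_exec"
        if ! printf '%s\n' "$disabled" | grep -qx "$f"; then
            missing="$missing $f"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Stand-alone run on the two fragments:
echo "weak:     $(printf '%s\n' "$WEAK_INI" | missing_exec_functions)"
echo "hardened: $(printf '%s\n' "$HARDENED_INI" | missing_exec_functions)"
```

`disable_functions` is a system-level ini directive, so a script cannot undo it with `ini_set()`. Two caveats a practitioner should keep in mind: it says nothing about what the shell can still do with plain file access inside open_basedir (rewrite other PHP files, drop an .htaccess) or through the site's database credentials, and `mail()` is not on the list, so a site locked down this way can still send spam, which is exactly how the incident in this thread showed up.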

Re: downtime September 24

Post by ayu »

hmm, then it all comes down to what they can execute with pure PHP and through the MySQL server.
I think I'll play with this a bit, it's turning into an interesting scenario ^^

Re: downtime September 24

Post by bad_brain »

gonna PM you some PHP info...^^

Re: downtime September 24

Post by ayu »

bad_brain wrote:gonna PM you some PHP info...^^
Sweet : D

I'll check it in a minute or sixty xD
Customer's oh-so-user-friendly C#.Net site just fucked up beyond all recognition, so I have to fix that first *cries*

Re: downtime September 24

Post by ph0bYx »

bad_brain wrote:me too! :lol:
thanks for trying though buddy... gonna PM you my phone number; you can also use the business address in such cases. ;)

P.S. good night! ^^
Nice, although I doubt there will be need for emergency contacts in the future :)
