downtime September 24
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 18
- Location: In your eye floaters.
- Contact:
downtime September 24
ahhh....almost 2 pm and finally a cup of tea.
so yeah, as you most likely have noticed the site was down for a while today, and no: we were not hacked.
the reason was another website on the same host which WAS hacked, the site belongs to a customer who manages the site himself and seems to have used flawed WP plugins. so loads of spam was sent (the mail server activity was what actually caused the downtime, when I first checked there were about 50k bounces in the queue). took a bit to identify which site actually caused the trouble because the bounce headers gave no clue about the sender...long story short: website removed until I have analyzed and (if possible) secured it, all back to normal (except for a temporary presence on some DNSBLs I guess).
P.S. thanks Mr. Cats...
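The hard part of the incident above was attribution: the bounces said nothing useful about which site was sending. When a PHP script hands mail to the local sendmail binary, Postfix's pickup daemon logs the submitting uid, and with one Unix user per vhost (the setup bad_brain describes later in the thread) that uid names the site regardless of how the From address is forged. The script below is an added example, not code from the thread or from anyone in it; the log lines, the passwd-style excerpt and the uid-to-site mapping are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): attribute locally submitted mail to the
# vhost account that submitted it, using postfix/pickup log lines. The log
# excerpt and the passwd-style excerpt are constructed sample data.

# Constructed mail.log excerpt: pickup logs "uid=<n>" for each local submission.
# Note the forged, varying sender addresses; counting by sender would not help.
SAMPLE_LOG='Sep 24 12:00:01 serve3 postfix/pickup[2101]: 1A2B3C4D5E: uid=1002 from=<noreply@site2.example>
Sep 24 12:00:01 serve3 postfix/pickup[2101]: 2B3C4D5E6F: uid=1002 from=<noreply@site2.example>
Sep 24 12:00:02 serve3 postfix/pickup[2101]: 3C4D5E6F7A: uid=1001 from=<info@site1.example>
Sep 24 12:00:02 serve3 postfix/pickup[2101]: 4D5E6F7A8B: uid=1002 from=<alice@example.org>
Sep 24 12:00:03 serve3 postfix/smtpd[2150]: connect from mx.example.net[192.0.2.10]
Sep 24 12:00:03 serve3 postfix/pickup[2101]: 5E6F7A8B9C: uid=1002 from=<bob@example.org>'

# Constructed /etc/passwd-style excerpt: one unprivileged user per vhost.
SAMPLE_PASSWD='web_site1:x:1001:1001::/var/www/site1:/usr/sbin/nologin
web_site2:x:1002:1002::/var/www/site2:/usr/sbin/nologin'

# Count pickup submissions per uid, highest count first ("<count> <uid>" lines).
submissions_per_uid() {
    printf '%s\n' "$1" | awk '
        /postfix\/pickup/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^uid=/) { sub(/^uid=/, "", $i); n[$i]++ }
        }
        END { for (u in n) print n[u], u }' | sort -rn
}

# The uid behind the most local submissions.
top_submitter_uid() {
    submissions_per_uid "$1" | head -n 1 | awk '{ print $2 }'
}

# Resolve a uid to its account name via a passwd-style listing.
uid_to_user() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Name the vhost account that submitted the most mail.
suspect_vhost() {
    uid_to_user "$(top_submitter_uid "$1")" "$2"
}

# On a real host: suspect_vhost "$(grep 'postfix/pickup' /var/log/mail.log)" "$(cat /etc/passwd)"
suspect_vhost "$SAMPLE_LOG" "$SAMPLE_PASSWD"
```

On the constructed data this names web_site2, the account with four of the five local submissions. The same per-uid grouping is what makes the per-user vhost setup worth having from an operations point of view: the process owner is evidence the attacker cannot forge from inside the web application.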
Re: downtime September 24
So they managed to upload a PHP shell then or other scripts?
Check the logs to make sure they didn't go further in and leave something else behind
"The best place to hide a tree, is in a forest"
- bad_brain
Re: downtime September 24
yeup, php shell. I deleted the whole account, they had no chance to get out of the vhost container because each website runs under its own user, for this they would have needed root privileges which can't be obtained through a site...
- bad_brain
Re: downtime September 24
gah...now the security settings were triggered by my last post....what a day...
Re: downtime September 24
Funny thing that happened to me is that I was trying to contact you on suck-o to say that suck-o is down. Took me a while to understand the fallacy there. I need to sleep more.
G'night!
- bad_brain
Re: downtime September 24
me too!
thanks for trying though buddy...gonna PM you my phone number, you can also use the business address in such cases.
P.S. good night! ^^
- bad_brain
Re: downtime September 24
SO much better now than the 48,838 before...
serve3:~# postsuper -d ALL deferred
serve3:~#
Re: downtime September 24
bad_brain wrote:yeup, php shell. I deleted the whole account, they had no chance to get out of the vhost container because each website runs under its own user, for this they would have needed root privileges which can't be obtained through a site...
hmm, why would they not be able to obtain root via a site?
Wouldn't they just need to upload a shell and find any vulnerable service in the system that runs as root, and then escalate it?
At least that's what I would have done, but I'm not sure how your system is set up so maybe I'm missing something
Do elaborate when you feel like it buddy, I live for this shit xD
"The best place to hide a tree, is in a forest"
- bad_brain
Re: downtime September 24
nope, because each site runs under its own service instance owned by its own user....pretty much a chroot environment. so all they can do is to move inside the vhost container without any access to higher directories or services because for that they would already need root privileges.
so: not just the users are chrooted, each apache process is because it runs under the according user. there is not one big apache2 process like in the Prefork MPM.
of course I also did a full system scan.
Re: downtime September 24
bad_brain wrote:nope, because each site runs under its own service instance owned by its own user....pretty much a chroot environment. so all they can do is to move inside the vhost container without any access to higher directories or services because for that they would already need root privileges.
so: not just the users are chrooted, each apache process is because it runs under the according user.
of course I also did a full system scan.
ah ok, yeah then it becomes less likely that they broke further in x)
Especially since their target was probably random.
"The best place to hide a tree, is in a forest"
Re: downtime September 24
hmm, then it all comes down to what they can execute with pure PHP and through the MySQL server.
I think I'll play with this a bit, it's turning into an interesting scenario ^^
"The best place to hide a tree, is in a forest"
- bad_brain
Re: downtime September 24
gonna PM you some PHP info...^^
Re: downtime September 24
bad_brain wrote:gonna PM you some PHP info...^^
Sweet :D
I'll check it in a minute or sixty xD
Customer's oh so user friendly C#.Net site just fucked up beyond all recognition, so have to fix that first *cries*
"The best place to hide a tree, is in a forest"
Re: downtime September 24
bad_brain wrote:me too!
thanks for trying though buddy...gonna PM you my phone number, you can also use the business address in such cases.
P.S. good night! ^^
Nice, although I doubt there will be need for emergency contacts in the future