  1. #1 Master Untangler (joined Oct 2008, 144 posts)

    Someone hacked my web server and put a perl script into /tmp

    I have a web server running with a public IP.

    I notice that in the folder /tmp
    there is always a strange file ...
    I keep deleting the file, but somehow it comes back again.

    I attach the file. I have no idea what this script is for,
    but I guess something bad ....

    Does anyone know what this script is all about?
    And how did someone put that file in the /tmp folder?


    Thanks

    Yuan

  2. #2 neiby, Master Untangler (Denver, CO; joined Jun 2009, 603 posts)

    That looks pretty bad to me. It appears to be a tool to gather information about your system and report it back to another server via IRC.
    Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.

  3. #3 sky-knight, Untangle Ninja (Phoenix, AZ; joined Apr 2008, 26,242 posts)

    And now we know why UT ships with SSH DISABLED.

    If you enable that service you need to protect it... format the box, it's lost.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4 neiby, Master Untangler (Denver, CO; joined Jun 2009, 603 posts)

    I agree. If that script is on there, who knows what else they have on there, especially since the code keeps reappearing after you delete it. Wipe the box and start over. And like sky-knight says, if you're going to open up SSH, protect it!

  5. #5 dmorris, Untangle Junkie (San Carlos, CA; joined Nov 2006, 17,747 posts)

    Quote Originally Posted by sky-knight View Post
    And now we know why UT ships with SSH DISABLED.

    If you enable that service you need to protect it... format the box it's lost.
    I think he's talking about his web server (not his Untangle),

    but the point is still valid.

    What web server is this, out of curiosity? IIS? Apache?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6 neiby, Master Untangler (Denver, CO; joined Jun 2009, 603 posts)

    Oh, yep, you're right. I wasn't reading his post very thoroughly. I don't know what UT has to do with this then. If you open up SSH or some other type of access to your web server from the outside world, this kind of thing is going to happen.

    It just occurred to me that since this is in Off-Topic, he may just be asking for help. It probably has nothing to do with Untangle.

  7. #7 Master Untangler (joined Oct 2008, 144 posts)

    Hi,....

    Thank you all for responding to this thread.

    Yes, it has nothing to do, at least not directly, with Untangle.

    It happened to my web server.

    But I guess I need good advice on best practice, since this web server is behind Untangle.

    Here is the current schema:

    Internet ---> Router1------Switch---------UT------Switch User
    | |
    | |
    Web Server with 2 NIC(IP Public,IP LOcal)-------

    If I put the web server behind UT, remove the NIC with the public IP,
    and just make a port forward on UT, will it help keep the hacker out of my web server?


    On the web server, I am running Linux SuSE, Joomla and RoundCube Web Mail.
    Yes, I opened SSH for remote administration and also FTP.

    I suspect the hacker is using a security hole in Joomla or RoundCube. But
    I don't have any exact info yet .............


    Thanks in advance


    Yuan

  8. #8 neiby, Master Untangler (Denver, CO; joined Jun 2009, 603 posts)

    I know nothing at all about Joomla or RoundCube, so I can only recommend doing some research on best practices regarding securing them. As far as SSH goes, move it to a non-standard port and make sure you use a very secure password with lots of numbers, lowercase, uppercase and special characters. You might also try an ACL that only allows SSH from your source IP addresses.

    It might require a bit of expertise to determine all the ways your box is compromised, though.

  9. #9 sky-knight, Untangle Ninja (Phoenix, AZ; joined Apr 2008, 26,242 posts)

    Non-Standard port is security through obscurity... this doesn't work.

    Any half decent port scanner will locate and positively identify any TCP based service within a matter of seconds.

    CLOSE THE FREAKING PORT. There is zip... zero... NADA reasons to have SSH exposed to the world. Ok, I lied, if you're selling shells you kinda need it, but that's it.

    CLOSE THE FREAKING PORT. Use VPN to authenticate access. The service is too hot a target to open, all it takes is 1 zero day to ruin your server.

  10. #10 Master Untangler (joined Oct 2008, 144 posts)

    Quote Originally Posted by sky-knight View Post
    Non-Standard port is security through obscurity... this doesn't work.

    Any half decent port scanner will locate and positively identify any TCP based service within a matter of seconds.

    CLOSE THE FREAKING PORT. There is zip... zero... NADA reasons to have SSH exposed to the world. Ok, I lied, if you're selling shells you kinda need it, but that's it.

    CLOSE THE FREAKING PORT. Use VPN to authenticate access. The service is too hot a target to open, all it takes is 1 zero day to ruin your server.
    Thank you for your advice.
    No, I am not selling shells ... :-)

    I changed the sshd config to only accept connections from local IPs.

    Is that secure enough? As sometimes I cannot come and visit the server,
    but need a quick setup or anything else ...

    Anything else I should check?

    Thanks

    Yuan
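To see what "only accept connections from local IPs" does and does not cover, here is an added audit script (not from this thread or from Untangle) that reads a global sshd_config section and flags the exposure points the replies raised: binding every interface including the public NIC, password logins, root login, and the absence of an allow-list. The LAN prefix 192.168.1. and both sample configs are constructed assumptions.

```python
# Audit an sshd_config for the exposure points raised in this thread: listening on
# every interface (public NIC included), password logins, root login, no allow-list.
# Added example, not from the forum; sample configs and the LAN prefix are assumptions.
import re
LOCAL_NET = "192.168.1."  # assumption: the web server's private LAN prefix

# keyword -> (value sshd assumes when the line is absent, why "yes" is a problem).
# PermitRootLogin defaulting to yes matches OpenSSH releases of that era (assumption).
WEAK = {
    "passwordauthentication": ("yes", "password logins allowed, brute force works; use keys"),
    "permitrootlogin": ("yes", "root may log in directly over SSH"),
    "permitemptypasswords": ("no", "accounts with empty passwords can log in"),
}

def parse_sshd_config(text):
    """Global section only (stops at the first Match); sshd keeps the FIRST value of a keyword."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional blocks are out of scope for this audit
        if key == "listenaddress":
            conf.setdefault(key, []).append(value)  # may legitimately repeat
        else:
            conf.setdefault(key, value)  # later duplicates are ignored, as sshd does
    return conf

def audit(conf, local_prefix=LOCAL_NET):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for addr in conf.get("listenaddress", ["0.0.0.0"]):  # absent means bind everything
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr  # strip :port
        if host in ("0.0.0.0", "::") or not host.startswith(local_prefix):
            findings.append(f"ListenAddress {addr}: reachable through the public NIC")
    for key, (default, why) in WEAK.items():
        if conf.get(key, default).lower() == "yes":
            findings.append(f"{key} yes: {why}")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: every local account may try to log in")
    return findings

# constructed sample configs: the exposed setup described in the thread, and a hardened one
EXPOSED = "ListenAddress 0.0.0.0\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = "ListenAddress 192.168.1.10\nPermitRootLogin no\nPasswordAuthentication no\nAllowUsers yuan\n"
```

Binding to the LAN address only stops sshd answering on the public NIC, but it does nothing about the Joomla/RoundCube path mentioned above, and a firewall rule or VPN in front of it is still needed once the public NIC is removed and the port forward is set up.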
