HELP! Urgent! I got hacked!

Hello,

For the past week my server has been scanning and flooding different hosts. I've been getting these flood reports from my service provider, but I can't figure out HOW my host has been compromised.

2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.58070 > 174.132.159.150.80: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.42469 > 174.132.159.130.80: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.58070 > 174.132.159.150.80: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.53600 > 174.132.159.150.21: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.40914 > 174.132.159.150.80: UDP, length 1

Please help me identify the security breach.

Thank you.

Edit1. The last command shows nothing suspicious.

Edit2. OK, I'm onto something; it looks like the breach was made using Apache.

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/module.so' - /usr/lib64/php/modules/module.so: cannot open shared object file: No such file or directory in Unknown on line 0
[Sun Jun 09 03:24:54 2013] [notice] Apache/2.2.15 (Unix) DAV/2 mod_fcgid/2.3.7 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.0-fips SVN/1.6.11 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/module.so' - /usr/lib64/php/modules/module.so: cannot open shared object file: No such file or directory in Unknown on line 0
[Sun Jun 09 03:24:57 2013] [notice] Graceful restart requested, doing restart
[Sun Jun 09 03:24:59 2013] [notice] Digest: generating secret for digest authentication ...
[Sun Jun 09 03:24:59 2013] [notice] Digest: done

Edit 3.

I tightened PHP security and disabled the following functions:

disable_functions = "phpinfo, apache_note, apache_child_terminate, apache_setenv, closelog, debugger_off, debugger_on, define_syslog_variables, escapeshellcmd, eval, fp, fput, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, pclose, pcntl_exec, popen, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, syslog, system, url_exec, xmlrpc_entity_decode";

Is anything here required by Virtualmin?

Status: Active
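Added example, not code from the original poster or anyone else in this thread: a shell script that first summarizes the provider's tcpdump-style report by destination host and port (so you can see what the box is actually hitting), and then, run with --live as root on the suspect host, finds the process that owns the UDP sockets and looks for the usual traces of a web-app compromise: a process running as the web-server user whose executable shows as "(deleted)" or whose working directory is /tmp or /dev/shm, PHP files changed recently under the web roots, files in world-writable scratch directories, and a crontab for the web-server user. The report lines embedded in the script are constructed from the format shown above with the source address masked as in the report. The web-server user name (apache), the web-root paths (/var/www, /home) and the tool names (ss, netstat, pgrep) are assumptions for a CentOS/RHEL-style host like the one in the Apache banner; adjust them for your layout.

```shell
#!/bin/sh
# Added example, not code from the thread. Two parts:
#   1. summarize_flood_report: turn the provider's tcpdump-style lines into a
#      per-destination count so you can see what the box is actually hitting.
#   2. live_triage: on the compromised host itself, find the process behind the
#      UDP traffic and the usual traces of a web-app compromise.

# Constructed sample in the provider's format (source address masked as in the
# report; the parser does not use it).
SAMPLE_REPORT='2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.58070 > 174.132.159.150.80: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.42469 > 174.132.159.130.80: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.58070 > 174.132.159.150.80: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.53600 > 174.132.159.150.21: UDP, length 1
2013-06-09 19:43:26.000000 IP xxx.xxx.xxx.xxx.40914 > 174.132.159.150.80: UDP, length 1'

# stdin: report lines. stdout: "<count> <dst-ip>:<dst-port>", busiest first.
# Field 6 is the destination as "a.b.c.d.port:"; the last dotted component is
# the port (IPv4 only, which is what tcpdump prints for these lines).
summarize_flood_report() {
  awk '$3 == "IP" && $7 ~ /^UDP/ {
         d = $6; sub(/:$/, "", d)
         n = split(d, p, ".")
         host = p[1] "." p[2] "." p[3] "." p[4]
         count[host ":" p[n]]++
       }
       END { for (k in count) print count[k], k }' | sort -rn
}

# Run as root on the suspect host. $1 = the user the web server runs PHP as
# (assumed "apache", the CentOS/RHEL default; Debian-style hosts use www-data).
live_triage() {
  web_user="${1:-apache}"

  echo "== UDP sockets and the processes that own them =="
  if command -v ss >/dev/null 2>&1; then ss -unap; else netstat -unap; fi

  echo "== Processes running as $web_user: pid, exe, cwd, command line =="
  # An exe reported as "(deleted)", or a cwd in /tmp or /dev/shm, is the
  # classic footprint of a bot dropped through a web shell.
  for pid in $(pgrep -u "$web_user"); do
    printf '%s exe=%s cwd=%s cmd=' "$pid" \
      "$(readlink "/proc/$pid/exe")" "$(readlink "/proc/$pid/cwd")"
    tr '\0' ' ' < "/proc/$pid/cmdline"; echo
  done

  echo "== PHP files changed in the last 7 days under the web roots =="
  find /var/www /home -name '*.php' -mtime -7 -ls 2>/dev/null

  echo "== Contents of the world-writable scratch directories =="
  ls -la /tmp /var/tmp /dev/shm 2>/dev/null

  echo "== Cron entries for $web_user (persistence) =="
  crontab -l -u "$web_user" 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
  live_triage "${2:-apache}"
else
  # Default: summarize the constructed sample report.
  printf '%s\n' "$SAMPLE_REPORT" | summarize_flood_report
fi
```

Run it without arguments to see the per-destination summary of the sample, or pipe your own report into summarize_flood_report; run it as `sh triage.sh --live apache` on the affected server. Once the owning process is known, its cwd and the modification times of the files around it usually point straight at the vhost and the web app that was abused, which is where to look in that domain's access log next.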

Comments

Howdy -- Virtualmin doesn't actually require PHP... so you're welcome to disable any PHP functions you like.

Other web apps may use them, but Virtualmin itself doesn't.

The Apache logs you listed don't actually show anything I'd consider to be suspicious.

That said, it is likely that the source of any breach is due to a web app that's been compromised.

How many domains do you have on your server?

You may want to review them, to check if there are any that are running old versions of any software. Having an older web app that contains a security hole is a common source of break-ins.

I had exactly the same problem happen a couple of weeks ago.

There are lots of tips via Google on how to tighten security depending on what you are running as web sites.

I was hacked via either Apache or Joomla, I have not discovered which.

The two most important things to do are to load mod_security and mod_evasive, then make sure that no one can create a .htaccess file. Also, configure mod_security to work in conjunction with the HoneyPot project,

and after all that, make sure your virtual hosts have been restored from a clean backup.

This may or may not help but it's a starter.

Nigel
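Added example, not Nigel's code or anything from the thread: a script that audits an Apache 2.2 configuration for the setting that makes .htaccess files effective in the first place, lists any .htaccess already sitting in the web roots, and checks whether mod_security and mod_evasive are loaded. Apache only reads a .htaccess file inside directories whose AllowOverride is something other than None, so with None in place a .htaccess that an attacker drops through a compromised web app is simply ignored; that is the check behind the advice above. The vhost configuration embedded in the script is constructed to show the weak setting (AllowOverride All) next to the hardened one (AllowOverride None). The config directory (/etc/httpd), the web-root paths and the module identifiers (security2_module, evasive20_module) are assumptions for a CentOS/RHEL-style layout.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an Apache 2.2 setup for the
# .htaccess point raised above and for the two security modules.
#
# Background: Apache only reads .htaccess in directories whose AllowOverride
# is something other than None. With None, a dropped .htaccess does nothing.

# Constructed sample config: the first vhost still honours .htaccess (weak),
# the second does not (hardened).
SAMPLE_CONFIG='<VirtualHost *:80>
    ServerName weak.example
    DocumentRoot /home/weak/public_html
    <Directory /home/weak/public_html>
        AllowOverride All
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName hardened.example
    DocumentRoot /home/hardened/public_html
    <Directory /home/hardened/public_html>
        AllowOverride None
        Options -ExecCGI -Includes
    </Directory>
</VirtualHost>'

# stdin: Apache config text. stdout: "<line>: AllowOverride <value>" for every
# directive whose value is not None (case-insensitive, as Apache treats it).
# Note: it can only flag explicit directives; in Apache 2.2 the compiled-in
# default is All, so a <Directory> block with no directive at all is weak too.
find_weak_overrides() {
  awk 'tolower($1) == "allowoverride" && tolower($2) != "none" {
         sub(/^[ \t]+/, ""); print NR ": " $0
       }'
}

# Live checks, run as root. $1 = Apache config directory (assumed /etc/httpd,
# the CentOS/RHEL layout; Debian-style hosts use /etc/apache2).
live_audit() {
  conf_dir="${1:-/etc/httpd}"

  echo "== AllowOverride values other than None under $conf_dir =="
  grep -rHn -i 'AllowOverride' "$conf_dir" 2>/dev/null \
    | grep -v -i 'AllowOverride[[:space:]]*None'

  echo "== .htaccess files already present in the web roots =="
  find /var/www /home -name .htaccess -ls 2>/dev/null

  echo "== Loaded modules (expect security2_module and evasive20_module) =="
  if command -v apachectl >/dev/null 2>&1; then apachectl -M 2>/dev/null
  else httpd -M 2>/dev/null; fi | grep -i -E 'security2|evasive' \
    || echo "neither mod_security nor mod_evasive is loaded"
}

if [ "${1:-}" = "--live" ]; then
  live_audit "${2:-/etc/httpd}"
else
  # Default: audit the constructed sample, which reports only the weak vhost.
  printf '%s\n' "$SAMPLE_CONFIG" | find_weak_overrides
fi
```

Run without arguments it reports line 5 of the sample, the AllowOverride All in the weak vhost, and nothing for the hardened one; run as `sh audit.sh --live /etc/httpd` it walks the real configuration. Because the Apache 2.2 default for AllowOverride is All, the fix is to put an explicit `AllowOverride None` in every web-root <Directory> block rather than just removing the All lines; if a site genuinely needs rewrite rules from .htaccess, move them into the vhost config instead, where an attacker writing to the document root cannot change them.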