Fedora Linux Support Community & Resources Center

#1
25th February 2008, 01:05 AM
FYT2008
Registered User
Join Date: Feb 2008
Posts: 3
Server Hacked 2 times/ Have no Clue



We are experiencing difficult times here. Yesterday we found our server hacked, with links inserted all over the website (check yourself here: www.x6.ro (please note www.x6.ro doesn't use Joomla, the index is done manually, and they even modified this index as well), www.k6.ro (you will see software that wants to download onto your screen and asks for permission)), and the hackers also inserted a lot of invisible links into the websites.

I then spent 10 hours reinstalling Fedora (+ Plesk) on the server, doing the following:

- deleted permission 777
- blocked SMTP connections (because we even got listed in the XBL spam database with our IP because of exploits)
- blocked FTP access for anyone
- changed the root password (very complex), changed each hosting account password to a complex password.

=======================

Now you can only connect to the server via SSH, but the password was impossible to crack, so this is not an option to explain why we got hacked again.


Now I checked my server and it is hacked again.

I checked the logs, nothing unusual, but the site has been hacked now.

If you can help me with solving this mystery (how I got hacked) I will be very grateful.

I can provide all the info you need, LOGS, anything, just let me know what files you need or what type of Linux commands you want me to run on the server (note I am a Linux starter).

1000 thanks if you can help me solve this. After the whole reinstall we still got hacked, this is outrageous.

You can check all LOGS I collected now from the server here www.x6.ro/loguri.zip

Last edited by FYT2008; 25th February 2008 at 01:09 AM.
#2
25th February 2008, 01:23 AM
stevea
Registered User
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,302
Currently it looks like all your low ports are filtered except for 80. If it was hacked in this state then you must look to the web service as the problem.

Certainly you must have gained some information from the logs and examining the changes.
Did you find when the hack files were created?
Were the cron logs OK at this time?
Was audit running? (If not, use it.)

Never use ftp - it's hopelessly insecure.

I think you need to hear from an Apache/web-service security person.
Best wishes.
#3
25th February 2008, 01:24 AM
pete_1967
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
What kernel version is your server running? There is an exploit to elevate local user privileges to root in versions 2.6.17 to 2.6.24.1. Just one way in on your system.

Another is, even if your server is secure, insecure scripts your clients are running. Have you chrooted all clients?

I don't have time to look at the logs (it's late here) but someone else may.
#4
25th February 2008, 01:28 AM
FYT2008
Registered User
Join Date: Feb 2008
Posts: 3
What I found now is the following line from /log/secure:
-----------
Feb 25 07:45:36 82-78-216-197 useradd[9076]: new user: name=boywonder, UID=10005, GID=2524, home=/var/www/vhosts/focusyourtarget.com/web_users/boywonder, shell=/bin/false

-----------

Someone during today added a new Plesk user to a hosted website.

THE STRANGE STUFF is that THE IP that did that (82-78-216-197) is MINE (I mean the server IP).

The guy that did it had only 2 options:

1. a sort of script installed in the website pages that can modify Plesk

I can't imagine how he used the same server IP.
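A triage check for entries like the /var/log/secure line quoted above, added here as an example and not code from the thread: it parses useradd records and flags any account the administrator did not create, or whose home directory sits under the web vhosts tree. The benign second log line and the expected-names list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# useradd's syslog record, as written by shadow-utils and quoted in the post
USERADD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) useradd\[(?P<pid>\d+)\]: "
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)$"
)

@dataclass
class NewUser:
    ts: str
    name: str
    uid: int
    gid: int
    home: str
    shell: str

def parse_useradd(line):
    # Returns a NewUser for a useradd record, None for any other log line
    m = USERADD_RE.match(line)
    if m is None:
        return None
    return NewUser(m["ts"], m["name"], int(m["uid"]), int(m["gid"]), m["home"], m["shell"])

def suspicious_user_creations(lines, expected_names=(), web_root="/var/www/vhosts"):
    """Pair every unexplained account creation with the reasons it stands out."""
    findings = []
    for line in lines:
        ev = parse_useradd(line)
        if ev is None:
            continue
        reasons = []
        if ev.name not in expected_names:
            reasons.append("account not created by the administrator")
        if ev.home.startswith(web_root + "/"):
            reasons.append("home directory under the web vhosts tree")
        if reasons:
            findings.append((ev, reasons))
    return findings

SAMPLE_SECURE_LOG = [
    # the line quoted in the post
    "Feb 25 07:45:36 82-78-216-197 useradd[9076]: new user: name=boywonder, UID=10005, GID=2524, "
    "home=/var/www/vhosts/focusyourtarget.com/web_users/boywonder, shell=/bin/false",
    # constructed benign entry: an account the administrator added on purpose
    "Feb 25 09:12:01 82-78-216-197 useradd[9210]: new user: name=backup, UID=10006, GID=10006, "
    "home=/home/backup, shell=/bin/bash",
]
```

Run it as `suspicious_user_creations(SAMPLE_SECURE_LOG, expected_names=("backup",))`, feeding it the real file's lines instead of the sample; only the boywonder entry comes back, with both reasons attached.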
#5
25th February 2008, 01:39 AM
pete_1967
Clueless in a Cuckooland
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,929
You seriously should pull the plug on that server and keep it off the network until you've solved the cause and patched it.

At least you have something to look into now, and check your kernel version; if it's one of those I mention above, it means bad boys got an account with you (or have cracked someone else's).
#6
25th February 2008, 01:49 AM
FYT2008
Registered User
Join Date: Feb 2008
Posts: 3
I only use the account.

While reading the logs in /var/log/messages I came across this:

1. All connections are PROTO=TCP

2. Only 1 line is PROTO=UDP (this means a UDP connection)

Feb 25 06:30:19 82-78-216-197 kernel: Inbound IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:2a:65:7d:ab:08:00 SRC=86.122.133.145 DST=255.255.255.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=22804 PROTO=UDP SPT=1101 DPT=5200 LEN=29

This IP, 86.122.133.145, is the only one that connects via UDP to my server (and I really don't know how this is possible, all UDP connections are closed).

Apparently this IP is from the same town as me.
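An added example, not from the thread, for reading kernel netfilter log lines of the form quoted above: it splits the record into its fields and separates packets addressed to the host itself from broadcast and multicast traffic, which every machine on the same LAN segment receives regardless of its firewall. The host address 82.78.216.197 is inferred from the hostname in the log and is an assumption, as is the second, constructed sample line.

```python
import ipaddress
import re

# key=value tokens of a kernel netfilter LOG record; flags such as DF or SYN carry no "="
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_netfilter_log(line):
    """Return the fields of a netfilter LOG line (log prefix included), or None."""
    m = re.search(r"kernel: (?P<prefix>\S*)\s*IN=", line)
    if m is None:
        return None
    fields = {"prefix": m["prefix"]}
    for key, value in KV_RE.findall(line[m.start("prefix"):]):
        if key == "LEN" and "LEN" in fields:
            fields["L4_LEN"] = value   # second LEN= is the UDP/TCP length, not the IP length
        else:
            fields[key] = value
    return fields

def classify_inbound(fields, host_addr):
    """Broadcast/multicast packets reach every host on the segment; only DST=host is aimed at us."""
    dst = ipaddress.ip_address(fields["DST"])
    if dst == ipaddress.ip_address("255.255.255.255") or dst.is_multicast:
        return "lan-broadcast-noise"
    if dst == ipaddress.ip_address(host_addr):
        return "targeted"
    return "other"

def triage(lines, host_addr):
    """(SRC, PROTO, DPT, verdict) for every netfilter record in the input."""
    out = []
    for line in lines:
        f = parse_netfilter_log(line)
        if f is not None:
            out.append((f["SRC"], f["PROTO"], f.get("DPT"), classify_inbound(f, host_addr)))
    return out

HOST_ADDR = "82.78.216.197"  # assumed from the hostname 82-78-216-197 in the log
SAMPLE_KERNEL_LOG = [
    # the UDP line quoted in the post
    "Feb 25 06:30:19 82-78-216-197 kernel: Inbound IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:14:2a:65:7d:ab:08:00 "
    "SRC=86.122.133.145 DST=255.255.255.255 LEN=49 TOS=0x00 PREC=0x00 TTL=128 ID=22804 PROTO=UDP SPT=1101 DPT=5200 LEN=29",
    # constructed TCP SYN to the web port, for contrast
    "Feb 25 06:31:02 82-78-216-197 kernel: Inbound IN=eth0 OUT= MAC=00:14:2a:65:7d:ab:00:0c:29:11:22:33:08:00 "
    "SRC=203.0.113.7 DST=82.78.216.197 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40312 DPT=80 SYN URGP=0",
]

if __name__ == "__main__":
    for src, proto, dpt, verdict in triage(SAMPLE_KERNEL_LOG, HOST_ADDR):
        print(f"{src:>16} {proto:<4} dpt={dpt!s:<5} {verdict}")
```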