[RESOLVED] Hacked - pls help - PHPBuilder Forums

[RESOLVED] Hacked - pls help

btfans

Hacked - pls help

Dear All,

* pls excuse me if this was NOT posted to a correct category *

My phpBB (/var/www/html/phpBB2 running in FC3) wrongly allow 777 and attacked by this hacker
(ip=81.196.20.134)
the /tmp/.666 and /tmp/.lick are invoked continuously seems phpBB is run.

And result in substantial problem on the sh (defunct) (zombie) processes.

I want expert advice:

1) how it is invoked?
2) how to STOP ?
3) now I only deny from the ip for access /var/www/html using .htaccess.

Mathew

------------------- lick.txt -------------------------

[Code deleted by the moderator: no point giving out free attack scripts to all and sundry]

MarkR

Step 1: Unplug your server from the ethernet
Step 2: Make a complete regular backup, as you usually do (if that's a network backup, you may need to plug it into a private network to do this)
Step 3: remove the hard disc and keep it for forensics
Step 4: Replace the HD, reinstall the OS, and make REALLY sure that you haven't accidentially restored any untrusted binaries when you restore.

Doing the restoration is the hardest part- you have to make TRIPLE sure that you aren't accidentally restoring any trojan'd binaries that were modified by the attacker.

Your best bet is to remove all executable content (inluding PHP of course) from the restore and replace it from your development server / source code area, recompilng anything as necessary

Once you're sure that your machine is clean, then you can investigate how to fix the hole the attacker used.

Mark

bradgrafelman

Extreme yet systematic, professional response provided by MarkR.

If you don't want to go to those extremes... I would recommend at LEAST doing this:

DELETE THOSE TWO FILES!
Backup the phpBB SQL database.
Uninstall PHP. Delete the PHP install directory entirely after uninstallation.
Delete the phpBB folder.
Reinstall both from scratch, then do a restore of the phpBB database.

btfans wrote:
3) now I only deny from the ip for access /var/www/html using .htaccess.

Do you have a firewall, IPSEC, anything like that? If so, don't block him from your webserver... block his connection from ever reaching your server. Though with proxies, botnets, etc. these days... probably won't do much.

MarkR

If your system has been compromised, you have no way of telling how many things have been compromised, or detecting any backdoors which may have been left.

Leaving a compromised machine online is a criminally irresponsible thing to do and it should not be encouraged.

It's those people who leave known compromised machines connected to the network who are (indirectly) responsible for the amount of DDoS, phishing attacks etc, that we see on the internet today.

Just pull the plug. Don't plug it back in until it's restored, known clean, and secure.

Mark

btfans

Finally remove the phpBB 2.0.4, and resinatall the new version. - FIXED.
Thank you all for help.

MarkR

You did totally reinstall the operating system on the server, right, and restore your backups VERY CAREFULLY?

Failing to do this will leave your machine compromised, and will have it continued to be used by spammers, DDoSers and other nasty people.

Mark