Hackers... Had a Visitor...

So it appears our webserver has had a visitor. Luckily, it didn't cause any damage but left me a nice html/txt file in the root of most of our websites called Hitman with the instruction to improve my security.

Our webserver runs quite a few applications and I don't know exactly where to start with finding the root of the exploit. Are there any scans/tips/tricks I can use to see how this might have happened? All files were created at a similar time.

Funny thing is, we actually used a PCI scan for the web server not that long ago when we were thinking of holding transactions on it.. damn happy we don't now, but we didn't have any major holes show up IMO.

Any help is much appreciated.
 
raw stats data? *search hitman.txt, find IP. Trace Route IP, Report IP along with logs to ISP.

What firewall are you behind? What software is on the server?
 
Didn't the hacker tell you how he got in? What was the txt file he left?

maybe try seeing what software you are running, then googling "the name of each one + security holes" and see what that brings up?

Other option is to look at hiring a security company to do it for you but you are probably talking big ££'s.

EDIT: seems to be a team of hackers called HITMAN:

http://www.zone-h.com/mirror/id/10494372
 
raw stats data? *search hitman.txt, find IP. Trace Route IP, Report IP along with logs to ISP.

What firewall are you behind? What software is on the server?

Went into the logs of one of the sites and found the following for the day the files were created:

Code:
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 64.38.3.50 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9)+Gecko/2008052906+Firefox/3.0 200 0 0
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 109.200.166.75 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.2.2)+Gecko/20100316+Firefox/3.6.2 200 0 0
2010-04-02 13:25:47 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) 200 0 0

Seems to be 3 different IPs that tried to access the file quite a few hours after they were created. Although, to do it twice in the same second, surely we are looking at bots here rather than a person?

I didn't set the server up, but it appears we have no software firewall running unless AVG 8.5 has one built in, but it doesn't look like it. I 'assume' we have hardware firewalls, as it's a co-located hosted server.

The server runs a mishmash of apps using SQL, MySQL, PHP, ASPx.
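The log lines above are in IIS W3C extended format, and the poster's reasoning (several client IPs fetching the dropped file, two of them in the same second, hours after the file appeared) can be checked mechanically. The following script is an added example, not code from the thread: it parses lines in that field order, pulls out every request for the dropped file, and summarises distinct client IPs, the time span, same-second bursts from different IPs, and any non-GET methods against the file. The sample log is constructed from the three lines in the post plus one filler entry.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the IIS W3C log format shown in the thread: the three
# Hitman.htm hits come from the post, the /index.htm line is constructed filler
# so the filter has something to drop.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-04-02 13:20:01 W3SVC336356993 10.0.0.220 GET /index.htm - 80 - 198.51.100.9 Mozilla/5.0 200 0 0
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 64.38.3.50 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9)+Gecko/2008052906+Firefox/3.0 200 0 0
2010-04-02 13:23:56 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 109.200.166.75 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.2.2)+Gecko/20100316+Firefox/3.6.2 200 0 0
2010-04-02 13:25:47 W3SVC336356993 10.0.0.220 GET /Hitman.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) 200 0 0
"""

# Field order of the log lines in the thread (IIS 6 default W3C fields).
FIELDS = ["date", "time", "site", "s_ip", "method", "uri", "query", "port",
          "user", "c_ip", "agent", "status", "substatus", "win32"]

def parse_iis_line(line):
    """Split one W3C log line into a dict; skip '#' directives, blanks and malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # field count does not match the #Fields directive
    rec = dict(zip(FIELDS, parts))
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def hits_for(log_text, path):
    """All parsed requests whose URI stem matches the dropped file (case-insensitive, as on NTFS)."""
    recs = (parse_iis_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["uri"].lower() == path.lower()]

def summarize(hits):
    """First access, time span, distinct client IPs, same-second bursts and non-GET methods."""
    by_second = defaultdict(set)
    for r in hits:
        by_second[r["when"]].add(r["c_ip"])
    bursts = {t.strftime("%Y-%m-%d %H:%M:%S"): len(ips)
              for t, ips in by_second.items() if len(ips) > 1}
    whens = sorted(r["when"] for r in hits)
    return {
        "client_ips": sorted({r["c_ip"] for r in hits}),
        "first": whens[0].strftime("%Y-%m-%d %H:%M:%S") if whens else None,
        "span_seconds": int((whens[-1] - whens[0]).total_seconds()) if whens else 0,
        "bursts": bursts,  # distinct IPs in one second: bot-like, as the poster suspects
        "non_get": [(r["time"], r["method"], r["c_ip"]) for r in hits
                    if r["method"] not in ("GET", "HEAD")],
    }

if __name__ == "__main__":
    print(summarize(hits_for(SAMPLE_LOG, "/Hitman.htm")))
```

Run it against the real log directory (one file per W3SVC site) and compare the earliest hit per site with the file creation time; any non-GET entry for the file, or anything logged before the first GET, is where to look next.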
 
Ok, well that does indeed look like a bot issue, but how did that file get created!?
What are your CHMOD settings on the DIR.'s?

A webserver... I would be making sure you ARE behind a hardware firewall, look at the logs on that too.
 
Most probably some web app, with a PHP or MySql vulnerability. If so it should create a log file with the attacker's proxies' IP within the web log. Oh, is there something like a command log? Unless they got root it will still be there under the user they log in as.

About the firewall, iptables is enough though and won't stop any web based attacks, neither will hardware, if a port is open it's open.

shamelessly robbed from somewhere else:
"Using the bash command "history" can provide a list of recent commands the user has entered.

If you want the list in a file, look for .bash_history in the user's home directory.

Depending on the settings on the system, the record length can be different. Default 1000 lines."
 
I'm not sure I would trust the web server anymore, could be fully compromised now...

I would start by making sure the system and all server daemons are properly patched. Then move on to auditing your web apps.

Try various scanners, google recently released a very nice one called SkipFish, there is also Nikto as well.
 
Most probably some web app, with a PHP or MySql vulnerability. If so it should create a log file with the attacker's proxies' IP within the web log. Oh, is there something like a command log? Unless they got root it will still be there under the user they log in as.

Not so sure. They managed to place a .htm file in the root of several of our websites spanning all technologies.. so it doesn't look like an app vulnerability.. otherwise surely it would affect that specific app's site?

Oddly, the only site it hasn't affected is our store. The SSL cert is setup for that sub domain too.

Not on that page, but we have been named on another.
 
Hopefully I won't get banned for posting this, but milw0rm is pretty good for finding source code for attacks. We use this to prevent break-ins on our system as you can reverse-engineer it if you have the right coders to do it :p
 
Hopefully I won't get banned for posting this, but milw0rm is pretty good for finding source code for attacks. We use this to prevent break-ins on our system as you can reverse-engineer it if you have the right coders to do it :p

milw0rm has been out of action for near a year, there are places which post the 0day stuff but I forgot them now.

As for spanning lots of websites, they might have been able to get root access; then you should think about changing servers.

More likely from web to root then a buffer overflow or something in a daemon.
 
I had a similar issue but the problem for me was one of the client users installed a PHP-Nuke system, I advised him against it...

6 months later, he was here crying that he peed some CHILD off and he totally wiped him out, took a user base of 5400 users from an SQL Database and managed to decrypt the MD5 Hashed Passwords for more than 80% of the users.

MAJOR security hole.
 
Start with the free www.nessus.org then go from there.

I've been working with NGS for large scale beyond-enterprise level penetration testing and code inspection of applications. I've been impressed and I would recommend them if you're serious about security.
 
Fantastic, thanks guys. I'd just got Nikto working before the end of the day.. command line software isn't something I've used for a while.. but getting there now. Will give that a look too NickK.
 
Start with the free www.nessus.org then go from there.

I've been working with NGS for large scale beyond-enterprise level penetration testing and code inspection of applications. I've been impressed and I would recommend them if you're serious about security.
I've used nessus on a purely experimental basis and it's pretty good. You can see the vulnerabilities you may have by running various plug-ins etc, I would give it a try! I'm sure you can even write your own plug-ins using a scripting language called NASL..

:)
 