Web Hosting UK Forums | Linux Windows Dedicated Server and cPanel VPS Hosting Forum » Technical Support » Linux Dedicated Servers

#1
11-05-10, 06:54 PM
new member
 
Join Date: May 2010
Posts: 7
Additional security modules installed on dedicated server for security.

Hello everyone.
We recently had an issue where one of our users' accounts had been exploited and several files had been added to his account; after tracing back through the files we now know it was a Joomla component that was exploited.

We first found out there was a problem when the tech guys at webhostinguk forwarded us a ticket containing an email from another server complaining that the hackers were now using our server to try and hack theirs.

Thank you to all at webhosting uk for the support offered regarding this matter. I am sure there's probably a groan when they see me log into the chat now, but thanks Rick and Peter M for the hours spent with me on this.

Website design is my area, so server security is... well, a different ballgame, so I struggle, but I continue to learn thanks to the feedback from the support team.

My main question today is:

webhostinguk received a complaint about our server and contacted us; actually they tried 3 times via the support desk, and the 3rd time was a final notice before they suspended our server.

For me this is a serious situation to be put in, so I was worried about this.

I would assume millions of sites on a daily basis have these issues. I would also assume that these warning emails from other concerned server administrators are simply a heads up, kind of a slap on the wrist, a message to say "Oi, take a look at that account and stop the code exploits".

I don't mean to belittle this situation or to simply shrug this incident off as just one of those things, as I do take this seriously; I would however like to get some feedback from others who have had this happen to them.

Our situation was:
We had a user that had placed a Joomla component on his site, genuine usage from his point of view; he didn't know that it could be exploited.

We didn't know about this, so obviously didn't take any action.

The code was then exploited and bad files were placed on his account by hackers.

The new files were used in attempts to hack other sites.

Complaints came in and we tracked and stopped the bad code.

So...
What are the possible repercussions of this action? Who's accountable, who can get busted, could there be fines or court hearings, could there be criminal investigations?

Or is it a worst case scenario that webhosting uk simply suspends the server, sorts out the problem and restarts the server?

Kind Regards
Carl

#2
11-05-10, 07:53 PM
Moderator
 
Join Date: Mar 2009
Posts: 100

Hi Carl,

Thank you for your feedback for Peter & Rick.

I have checked your ticket and chats regarding the hacking issue you faced recently. I see that most of the security modules are installed on the server. Here are some additional security modules to be installed on the server.

Install mod_security on the server.
Mod_security is an open source intrusion detection and prevention engine for web applications (or you can say it is a web application firewall), operating as an Apache web server module. The current stable version of it is 1.9.4. The purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.
Mod_security is great and I encourage it to be used by everyone; it does have the potential to break some web applications, but so far I have seen very few issues, to say the least. Likewise it is easy to fix any applications that may break with the granular filter rules that can be set up to either deny or allow certain content. Overall mod_security is a needed addition to Apache, providing a layer of security yet unseen for Apache.

Install Suhosin on the server.
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

Install RkHunter (Rootkit Hunter).

PM me if you wish to compile the above modules on the server.

On further checking I have found that the files were uploaded on March 10th. The logs have been rotated on the server, and that is one of the reasons it is not possible to locate from which IP they were uploaded or the account was hacked.

We at webhosting.uk.com do send a notification only if we have the logs.

_______________
Cristiano
webhosting.uk.com

#3
11-05-10, 08:13 PM
new member
 
Join Date: May 2010
Posts: 7

Hello Cristiano.
Thanks for the quick reply.

I will get back to you regarding the tools you mentioned; it's been a long few days and I have spent many hours trying to understand things I know nothing about, lol, so I think I have just about run out of the will to live at this point.

One thing that I would like to know is: one of the ways the hackers were trying to get more information (actually they succeeded before you guys closed ports and some PHP functions) was to exploit a Joomla plugin by entering this in the URL:

PHP Code:
http://www.somewebsite.co.uk/index.php?option=com_ckforms&view=ckforms&id=2&Itemid=53//index2.php?option=com_forms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 677 "-" "libwww-perl/5.813" 
Now, I didn't know enough to try this when the server was vulnerable to this attack, so I didn't see what happened, but it looks like they were trying to obtain information from /proc/self/environ/.

What information would this be, and what would it let them do?

I shall give you a pm when i have had some sleep (lots of sleep) about the updates.

Many thanks in advance.
Carl

#4
12-05-10, 01:09 AM
Moderator
 
Join Date: Mar 2009
Posts: 100

Hi,

On further investigation I have found that "/proc/self/environ/" provides the info about Apache on the dedicated server: Apache port, modules installed, handlers, Apache version etc.

Yes, do PM me once you wish to compile the modules on the server.
__________________
Cristiano
webhosting.uk.com
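As an added defender-side example (not code from the thread, from Carl, or from WHUK), here is a small Python checker that parses Apache combined-format access log lines and flags the traits of the probe quoted above: `../` traversal, a `/proc/self/environ` target, a `%00` null byte and the `libwww-perl` user agent. The log lines below are constructed for the example and the IPs are documentation ranges; the first line mirrors the shape of the request Carl posted.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not taken from the server.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2010:18:10:01 +0000] "GET /index.php?option=com_ckforms&view=ckforms&id=2&Itemid=53//index2.php?option=com_forms&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 677 "-" "libwww-perl/5.813"
198.51.100.7 - - [11/May/2010:18:11:42 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [11/May/2010:18:12:03 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.0.2.44 - - [11/May/2010:18:13:55 +0000] "GET /index.php?option=com_foo&controller=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1200 "-" "curl/7.19"
"""

# One combined-format line: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def decode_target(target):
    """URL-decode repeatedly so double-encoded traversal (%252F) still collapses to '/'."""
    prev, cur = None, target
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur

def classify(line):
    """Parse one log line; return None if it is not combined format, else a record with findings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target")).lower()
    ua = m.group("ua").lower()
    findings = []
    if "../" in target or "..\\" in target:
        findings.append("path-traversal")
    if "/proc/self/environ" in target:
        findings.append("proc-environ-read")
    if "\x00" in target:            # %00 decodes to a NUL byte (old PHP path truncation trick)
        findings.append("null-byte")
    if "libwww-perl" in ua:         # user agent seen in the quoted probe
        findings.append("libwww-perl-ua")
    return {"ip": m.group("ip"), "status": m.group("status"), "findings": findings}

def suspicious_requests(log_text):
    """Return the parsed records that triggered at least one finding."""
    out = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            out.append(rec)
    return out
```

A 200 status on a flagged line, as in the quoted request, is the case worth escalating, since it suggests the include actually succeeded rather than being rejected.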

#5
05-11-10, 03:38 PM
new member
 
Join Date: Nov 2010
Posts: 6

A bit late to respond on this... just giving a little cheer for modsec. Modsecurity hooray! You may find that you need to tweak your rules -- just don't be tempted to switch it off for sites that seem to trigger it a lot. Also, worth following the advice that is available for improving security of Joomla.