
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1483

Just Been Hacked! Mironov Backdoor on Linux 2.4.x - proftpd exploit - How do I .... See below

Hi - well if you've read the header you'll know I've had one of our Linux servers hacked by someone called "Mironov" and it's possibly due to the exploit in PROFTPD. There are files in the /tmp folder... one called 'miro' (executable) and a new directory containing some stuff. Has anyone had this attack before and if so is there a way to easily clean it up and patch the PROFTPD package to get it sorted?

This particular server has more than 200 websites on it, so I'm quite desperate to clean it rather than having to rebuild it.

Can anyone help with this please?

Mucho appreciated - looking forward to your answers.

Chris
0
Asked by kenwardc
2 Solutions
 
ahoffmann Commented:
hmm, all ftp servers have had their vulnerabilities for dozens of years, and they never get fixed properly, unfortunately
FTP is obsolete in current networks. Replace it with ssh/scp.

Said this we can focus on the backdoor.
Check with
   netstat -an
which ports are open (LISTEN), then with
   netstat -pan
which process has it open (for those which are not usual, like httpd)
0
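The netstat check above, turned into a small filter (an added example, not ahoffmann's own code): it reads `netstat -pan` style output and prints every LISTEN socket whose owning program is not on a short allow-list. The sample output and the allow-list are constructed; only the 8859/miro line mirrors what the poster found.

```shell
#!/bin/sh
# Added example, not from the thread: list LISTEN sockets whose owning
# process is not on a short allow-list, from "netstat -pan" style output.
# The sample below is constructed; the 8859/miro line mirrors the listener
# the poster found. Field layout is net-tools netstat's:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
# (TCP only: UDP lines have no State column and are skipped here.)
SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1024/httpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1101/proftpd
tcp        0      0 0.0.0.0:8859            0.0.0.0:*               LISTEN      2345/miro
tcp        0      0 10.0.0.5:80             10.0.0.9:51322          ESTABLISHED 1024/httpd'

# Daemons expected to listen on this host; anything else is worth a look.
ALLOWED="sshd httpd proftpd"

# unexpected_listeners: reads netstat output on stdin and prints
# "port program" for each LISTEN socket whose program is not in $ALLOWED.
# A program of "-" means netstat could not see the owner (run it as root).
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)         # keep only the port number
            prog = $7; sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            if (!(prog in ok)) print port, prog
        }'
}

# On a live host: netstat -pan | unexpected_listeners
printf '%s\n' "$SAMPLE" | unexpected_listeners   # prints: 8859 miro
```

A listener that shows up here is only a lead: the next step is `netstat -pan` as root to get the PID, then `ls -l /proc/PID/exe` to see which binary is behind it.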
 
kenwardc (Author) Commented:
Done that. Found that the system was listening on 8859 and discovered it was set up by Mironov to listen on that address. Whether it was sending or receiving, or how he gets into the box, is something I do not know.

I have so far:
1. Updated ProFTPd to the latest version.
2. Rebooted the box into single-user mode and changed the root password.
3. Removed the file 'miro' from the /tmp directory.
4. Deleted a directory called .orbit* and all its sub folders.

Not sure what else he would have infected. So far it looks OK and nothing has come back looking as though he has managed to once again get onto the box, so fingers crossed.

So - anyone know of this hack and definitively how to get rid of it?

Regards
Chris
0
 
ahoffmann Commented:
did you check with netstat -pan which process was listening?

use find to look for the files you removed all over your disks

> .. or how he gets into the box,  ..
are you secured with a proper firewall? Then it most likely came in through a vulnerable web application.
0
 
kenwardc (Author) Commented:
Hi ahoffmann

No - he used a hole in proftpd to get into the server. Then set himself up as root, changed the root password, then put these files on the computer. Yes - as I said, the computer was listening on port 8859 which was HIS port.

Regards
Chris
0
 
kenwardc (Author) Commented:
Sorry - YES - the whole server is protected by a firewall, but because the customers need access via FTP this was the problem.
0
 
ahoffmann Commented:
oops, you said that proftp was the hole.
no one needs ftp, except attackers to gain access ;-)
0
 
kenwardc (Author) Commented:
Problem is that on our servers we do not use control panel access for customers to update their websites so we allow FTP to the server from anywhere. Are you suggesting there is another way?

Regards
Chris
0
 
ahoffmann Commented:
ssh/scp
0
 
kenwardc (Author) Commented:
SCP? Don't know what this is?
0
 
jlevie Commented:
You can mitigate potential security risks with FTP by making sure that you are always using the current version of proftp and by setting proftp up to use non-Linux accounts for access. When proftp operates in that mode it runs as an unprivileged user (usually nobody), which makes it difficult for an attacker to do anything meaningful. As long as your proftp server doesn't contain a root exploit vulnerability it is pretty safe. A web server that hosts lots of sites that customers update is probably safer when run in this mode than when users have ssh/scp access. In general, there are more times that a vulnerability may exist that can only be exploited from within the server than externally. And there's certainly less to worry about if external users only have access through FTP or HTTP.

I don't know what Linux you are using on this box, but one of the advantages of a commercial Linux as opposed to the free ones is the support that's available in terms of timely and easy updates. Something to consider...
0
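The mode jlevie describes, in configuration terms, as an added example (not jlevie's own code): a check script that reads a proftpd.conf and reports which of the directives that "virtual users, unprivileged daemon" mode relies on are missing. The directive names are ProFTPD's own; the weak and hardened sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: check a proftpd.conf for the settings
# that the "non-Linux accounts, unprivileged daemon" mode depends on.
# Directive names are ProFTPD's own; the two configs below are constructed
# (a weak one and a hardened one) so the check can be exercised offline.
WEAK_CONF='ServerType standalone
User root
Group root
DefaultRoot /'

HARDENED_CONF='ServerType standalone
User nobody
Group nogroup
DefaultRoot ~
AuthUserFile /etc/proftpd/ftpd.passwd
AuthOrder mod_auth_file.c
RequireValidShell off
UseFtpUsers off'

# directive NAME FILE: print the first value set for NAME (empty if unset).
directive() {
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2"
}

# check_proftpd_conf FILE: print one finding per line; return 0 only when
# every expected setting is present.
check_proftpd_conf() {
    f="$1"; rc=0
    case "$(directive User "$f")" in
        ""|root) echo "daemon would run as root: set User nobody (and a matching Group)"; rc=1 ;;
    esac
    [ -n "$(directive AuthUserFile "$f")" ] ||
        { echo "no AuthUserFile: FTP logins map onto real system accounts"; rc=1; }
    [ "$(directive AuthOrder "$f")" = "mod_auth_file.c" ] ||
        { echo "AuthOrder mod_auth_file.c missing: system accounts would still be consulted"; rc=1; }
    [ "$(directive RequireValidShell "$f")" = "off" ] ||
        { echo "RequireValidShell off missing: virtual users with a nologin shell are refused"; rc=1; }
    [ "$(directive DefaultRoot "$f")" = "~" ] ||
        { echo "DefaultRoot ~ missing: users are not chrooted to their own directory"; rc=1; }
    return $rc
}

# Demo: write both constructed configs to temp files and check them.
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$tmp/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$tmp/hardened.conf"
check_proftpd_conf "$tmp/weak.conf" || echo "weak.conf needs attention"   # five findings
check_proftpd_conf "$tmp/hardened.conf" && echo "hardened.conf: no findings"
```

The virtual-user file named by AuthUserFile is maintained with ProFTPD's `ftpasswd` tool; each entry carries its own uid, gid and home directory, so the FTP login never corresponds to a shell account.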
 
ahoffmann Commented:
good point jlevie
a "copy-only" solution is already there:
  http://www.pizzashack.org/rssh/
  http://sublimation.org/scponly/
0
 
pjedmond Commented:
Unfortunately, because the 'attacker' has gained root access, you cannot guarantee the integrity of your system. Realistically, the best thing is to reinstall.

For future use you may wish to look at applications like tripwire that give you advance warning that critical or key files have been altered. In that case, you can restore from a known good backup from prior to the intrusion.

Sorry:(
0
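The tripwire idea pjedmond raises, as a minimal added example (not pjedmond's code, and no substitute for tripwire itself): one function records a SHA-256 hash of every file under a directory, a second re-hashes the tree and reports what changed, appeared or vanished. It assumes coreutils `sha256sum`, `find` and `sort`; the web root it checks is a constructed temp directory.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal tripwire-style integrity
# check. "baseline" records a SHA-256 hash for every file under a directory;
# "verify" re-hashes the tree and reports files that changed, appeared or
# vanished since the baseline. Assumes coreutils sha256sum, find and sort.

# baseline DIR MANIFEST: write "hash  ./path" lines sorted by path.
baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort -k 2 > "$2"
}

# verify DIR MANIFEST: print one "added|changed|removed ./path" line per
# difference; return 0 when the tree matches the manifest, 1 otherwise.
verify() {
    cur=$(mktemp)
    baseline "$1" "$cur"
    # First file is the old manifest, second the fresh one; compare by path.
    diffs=$(awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
                 !($2 in old)      { print "added", $2; next }
                 old[$2] != $1     { print "changed", $2 }
                                   { delete old[$2] }
                 END { for (p in old) print "removed", p }' "$2" "$cur" | sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Demo on a constructed web root: take a baseline, then tamper with it.
root=$(mktemp -d); manifest=$(mktemp)
printf '<h1>site</h1>\n' > "$root/index.html"
baseline "$root" "$manifest"
printf 'defaced\n' > "$root/index.html"
printf 'x\n' > "$root/miro"
verify "$root" "$manifest" || echo "tree differs from baseline"
# prints: added ./miro / changed ./index.html / tree differs from baseline
```

The manifest is only as trustworthy as where it is kept and the binaries that read it: store it off the host and run the verification from known-good tools, since on a box that has already been rooted neither the manifest nor `sha256sum` itself can be assumed intact.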
