Discussion:
[SLUG] How to deal with Hacker Activity ?
David Lyon
2015-06-02 03:57:34 UTC
Permalink
Hello all,

One place I do work for is having trouble with Hacker activity.

Let's face it, there are hacker's out there trying to take down systems.

The specific issue I'm seeing is .php files vanishing from the web server.

This is annoying and I'm wondering if any others are seeing anything like
this.

I'm also wondering what specific steps can be taken to minimise hacking
problems.

We don't have a big budget, a counter-hacking team or anything like that.

To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.

Regards

David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
gr0ve
2015-06-02 05:01:21 UTC
Permalink
Hi David,
Are you sure the .php files are being removed by a malicious actor? Are there log entries or other traces that indicate an exposure to an exploit? To remove files from a system would leave traces of
activity, even remotely and subsequent tampering to cover it up is usually clumsily executed and easily identified.
It would depend also on your specific php version but you could install suhosin to log any out of band activity. If you think a malicious actor is deleting files, check also your database links for insertion attacks or other indications of attempted tampering. I suspect an in house error such as a bad day for someone, or a rogue cron job, perhaps, or if you are exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as opposed to intrusion etc.

--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Hello all,
One place I do work for is having trouble with Hacker activity.
Let's face it, there are hacker's out there trying to take down systems.
The specific issue I'm seeing is .php files vanishing from the web server.
This is annoying and I'm wondering if any others are seeing anything like
this.
I'm also wondering what specific steps can be taken to minimise hacking
problems.
We don't have a big budget, a counter-hacking team or anything like that.
To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.
Regards
David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
David Lyon
2015-06-02 05:06:44 UTC
Permalink
Files are definitely being deleted.

Which log would I look in ?

It's a common Linux cpanel hosting plan.
Post by gr0ve
Hi David,
Are you sure the .php files are being removed by a malicious actor? Are
there log entries or other traces that indicate an exposure to an exploit?
To remove files from a system would leave traces of
activity, even remotely and subsequent tampering to cover it up is usually
clumsily executed and easily identified.
It would depend also on your specific php version but you could install
suhosin to log any out of band activity. If you think a malicious actor is
deleting files, check also your database links for insertion attacks or
other indications of attempted tampering. I suspect an in house error such
as a bad day for someone, or a rogue cron job, perhaps, or if you are
exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as
opposed to intrusion etc.
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Hello all,
One place I do work for is having trouble with Hacker activity.
Let's face it, there are hacker's out there trying to take down systems.
The specific issue I'm seeing is .php files vanishing from the web
server.
Post by David Lyon
This is annoying and I'm wondering if any others are seeing anything like
this.
I'm also wondering what specific steps can be taken to minimise hacking
problems.
We don't have a big budget, a counter-hacking team or anything like that.
To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.
Regards
David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
gr0ve
2015-06-02 06:23:11 UTC
Permalink
I would start by checking the log files under /var/log and associated web & db log files, especially any php logs. Copy them offline to another system and look through the date stamps to see if anything matches the problems you are experiencing. You may notice a pattern of activity that points to malicious activity. If it is file system corruption, it may be something you would have to check with the service provider, in the case they have moved the underlying
infrastructure to the ext4 filesystem version that has recently been found to
have a corruption issue. There are steps
to forensically derive if your system has been tampered with, but if you see widespread ongoing file deletion, it is more likely something local to the system itself.

--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Files are definitely being deleted.
Which log would I look in ?
It's a common Linux cpanel hosting plan.
Post by gr0ve
Hi David,
Are you sure the .php files are being removed by a malicious actor? Are
there log entries or other traces that indicate an exposure to an exploit?
To remove files from a system would leave traces of
activity, even remotely and subsequent tampering to cover it up is usually
clumsily executed and easily identified.
It would depend also on your specific php version but you could install
suhosin to log any out of band activity. If you think a malicious actor is
deleting files, check also your database links for insertion attacks or
other indications of attempted tampering. I suspect an in house error such
as a bad day for someone, or a rogue cron job, perhaps, or if you are
exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as
opposed to intrusion etc.
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Hello all,
One place I do work for is having trouble with Hacker activity.
Let's face it, there are hacker's out there trying to take down systems.
The specific issue I'm seeing is .php files vanishing from the web
server.
Post by David Lyon
This is annoying and I'm wondering if any others are seeing anything like
this.
I'm also wondering what specific steps can be taken to minimise hacking
problems.
We don't have a big budget, a counter-hacking team or anything like that.
To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.
Regards
David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
David Lyon
2015-06-02 05:20:45 UTC
Permalink
Post by gr0ve
If you think a malicious actor is deleting files, check also your
database links for insertion attacks or other indications of
attempted tampering.
We are seeing MySQL table corruption as well in a 'Session' table.
Post by gr0ve
Hi David,
Are you sure the .php files are being removed by a malicious actor? Are
there log entries or other traces that indicate an exposure to an exploit?
To remove files from a system would leave traces of
activity, even remotely and subsequent tampering to cover it up is usually
clumsily executed and easily identified.
It would depend also on your specific php version but you could install
suhosin to log any out of band activity. If you think a malicious actor is
deleting files, check also your database links for insertion attacks or
other indications of attempted tampering. I suspect an in house error such
as a bad day for someone, or a rogue cron job, perhaps, or if you are
exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as
opposed to intrusion etc.
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Hello all,
One place I do work for is having trouble with Hacker activity.
Let's face it, there are hacker's out there trying to take down systems.
The specific issue I'm seeing is .php files vanishing from the web
server.
Post by David Lyon
This is annoying and I'm wondering if any others are seeing anything like
this.
I'm also wondering what specific steps can be taken to minimise hacking
problems.
We don't have a big budget, a counter-hacking team or anything like that.
To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.
Regards
David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
gr0ve
2015-06-02 05:31:25 UTC
Permalink
You should be able to look in the mysql transaction log and line up any corresponding entries to timestamps and
Also in the web/system log files as a very general response. Without more detail, it is still hard to say whether your problem is local or if someone is breaking the door down, but there will be a correlation
between the events.



rachel

--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Post by gr0ve
If you think a malicious actor is deleting files, check also your
database links for insertion attacks or other indications of
attempted tampering.
We are seeing MySQL table corruption as well in a 'Session' table.
Post by gr0ve
Hi David,
Are you sure the .php files are being removed by a malicious actor? Are there log entries or other traces that indicate an exposure to an exploit? To remove files from a system would leave traces of
activity, even remotely and subsequent tampering to cover it up is usually clumsily executed and easily identified.
It would depend also on your specific php version but you could install suhosin to log any out of band activity. If you think a malicious actor is deleting files, check also your database links for insertion attacks or other indications of attempted tampering. I suspect an in house error such as a bad day for someone, or a rogue cron job, perhaps, or if you are exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as opposed to intrusion etc.
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Hello all,
One place I do work for is having trouble with Hacker activity.
Let's face it, there are hacker's out there trying to take down systems.
The specific issue I'm seeing is .php files vanishing from the web server.
This is annoying and I'm wondering if any others are seeing anything like
this.
I'm also wondering what specific steps can be taken to minimise hacking
problems.
We don't have a big budget, a counter-hacking team or anything like that.
To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.
Regards
David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
David Lyon
2015-06-02 05:35:16 UTC
Permalink
Thanks Rachel,

The information you have provided is very helpful.

I will look into the things you have mentioned in detail. It's a good start.
Post by gr0ve
You should be able to look in the mysql transaction log and line up any
corresponding entries to timestamps and
Also in the web/system log files as a very general response. Without more
detail, it is still hard to say whether your problem is local or if someone
is breaking the door down, but there will be a correlation
between the events.
rachel
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by gr0ve
If you think a malicious actor is deleting files, check also your
database links for insertion attacks or other indications of
attempted tampering.
We are seeing MySQL table corruption as well in a 'Session' table.
Post by gr0ve
Hi David,
Are you sure the .php files are being removed by a malicious actor? Are
there log entries or other traces that indicate an exposure to an exploit?
To remove files from a system would leave traces of
activity, even remotely and subsequent tampering to cover it up is
usually clumsily executed and easily identified.
It would depend also on your specific php version but you could install
suhosin to log any out of band activity. If you think a malicious actor is
deleting files, check also your database links for insertion attacks or
other indications of attempted tampering. I suspect an in house error such
as a bad day for someone, or a rogue cron job, perhaps, or if you are
exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as
opposed to intrusion etc.
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
Post by David Lyon
Hello all,
One place I do work for is having trouble with Hacker activity.
Let's face it, there are hacker's out there trying to take down systems.
The specific issue I'm seeing is .php files vanishing from the web
server.
Post by David Lyon
This is annoying and I'm wondering if any others are seeing anything
like
Post by David Lyon
this.
I'm also wondering what specific steps can be taken to minimise hacking
problems.
We don't have a big budget, a counter-hacking team or anything like
that.
Post by David Lyon
To me it looks like the ISP may have been hacked in a similar way as
GoDaddy was hacked in the US.
Regards
David
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Tom Worthington
2015-06-02 22:38:53 UTC
Permalink
... steps can be taken to minimise hacking problems.
I used to run my own Moodle server until I found Viagra ads on it. I
decided that I did not have the time needed to keep the server secure
and now leave it to specialists to do.
--
Tom Worthington FACS CP, TomW Communications Pty Ltd. t: 0419496150
The Higher Education Whisperer http://blog.highereducationwhisperer.com/
PO Box 13, Belconnen ACT 2617, Australia http://www.tomw.net.au
Liability limited by a scheme approved under Professional Standards
Legislation

Adjunct Senior Lecturer, Research School of Computer Science,
Australian National University http://cs.anu.edu.au/courses/COMP7310/
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Loading...