Server hacked with javascript

Question

eOHello.

I just got hacked! The hacker injected code into my website files on my server.

Server: Debian Lenny, Apache 2.2, PHP 5.2, MySQL 5

EDIT:

Apparently my question wasn't deemed good enhough for some so I will try again. I apologize if I appear to be a total noob.

What have I done so far:

• used chkrootkit, rkhunter - no problems detected
• Bad PHP files with permission 777 was targeted, and they are being fixed.

As for the other thread about hacked server I read it. Unfortunately it doesn't quite help me answer this question:

But here is one thing that I need some help to understand. I got some files/directories that have 755 permission but the owner is www-data:www-data. Some of these files has ben compromised too. My naive thought was that set the owner and permissions like that prevented direct upload/altering files by hackers but allowing users to upload files via a script protected by a password (.htpasswd outside of web root)

Do you know what I need to do instead?

Answer 1

If you're interested in analyzing what happened, you take the server off the network and make a forensic image of the drive volume to a separate, preferably external hard disk. Then you wipe the drive and restore from a known good backup.

If you don't have a known-good backup, you recreate it from scratch.

Then you apply all updates and security fixes. Then you work on setting up a file monitoring program that works like Tripwire, where your files are checksummed and you store the check files on a separate disc/disk for comparison.

Then you can try to figure out how the attacker got in. Weak passwords? Unnecessary services? SQL injection? Plug the holes. Update your file monitor.

Set up logging to a separate machine so logs are copied and can be compared for tampering-checking.

You cannot trust a machine once it has been compromised. You have no guarantee that the binaries aren't hiding things that are running in the background. You need to take it offline and restore from a pre-compromised state and bring it up to a point where you fix the holes or at least have it create a trail to follow if it's compromised, but you cannot trust system binaries in the system if the attacker may have gained root access.

Answer 2

I'm a fan of AIDE but that's not going to help after the fact unfortunately.

Apache error.logs are a good place to start.

Answer 3

Unfortunately, even if you manage to find the offending IP address, this is very unlikely to lead you to the attacker. The attack will almost certainly have come from another compromised machine.

Your machine could feasibly have been hacked by any of the open services on your machine. Start by checking the services that have listening ports open. e.g.:

1. FTP
2. SSH
3. Apache itself
4. MySQL?

Check the logs of each of these services to see if there's anything unusual there.

In my experience, the vast majority of these hacks are facilitated by:

1. FTP credentials compromised - often via a trojan on a client machine that has access. - either by key-logging, or compromising a password cache.
2. Old version of a popular PHP script that is insecure, coupled with loose file permissions for the user context of the website.