Server Compromise Issues

Hello,

If the attacker managed to alter some of his websites by implementing callbacks, scripts, sub-scripts (please note that an attacker can embed a piece of code into an "apparently" harmless logo.png file) this means that when you provision a new server and run the same websites it's just a matter of time when you get compromised once more.

Kind regards,
George.
 
We have ongoing issues with our server being compromised and need some assistance. While we have our host helping us along with other people in the community, we really need assistance on the security side. This is really crippling on us and we're all going through a tough time here. We aren't sure how they got in and hoping for additional solutions to ensure this doesn't happen again.

Here is what the host said: There are several OS system files that have been modified and we are not sure what files have been modified so that the hacker can get easy access. Using this the hacker will still login easily on the server with his own means and delete all the required data accordingly. The only option is to backup all the important data on your local end and reload OS on the server.

So we are currently working on an OS reload.

1). What recommendations do you have for installations adding maximum security?
2). Since they are getting into SSH, what do you recommend we do as a setup?
3). Anything else would be most appreciated.
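The host's statement that "several OS files have been modified" but nobody knows which is exactly the situation a file-integrity baseline answers. The following is an added example (not code from the thread or from any poster): it hashes every regular file under a tree into a manifest, and diffs a later manifest against it to produce a concrete list of added, removed and changed paths. The baseline must be taken from a known-clean install and stored off the box, otherwise an intruder can simply rewrite it; on RPM-based systems `rpm -Va` gives the same answer for packaged files, but a manifest like this also covers web roots and add-on directories. The demo tree and its "tampering" are constructed inline.

```python
"""Added example: SHA-256 manifest of a directory tree plus a diff against a
stored baseline, so "some OS files were modified" becomes a list of paths."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 and mode bits.
    Symlinks are skipped so a planted link cannot make us hash a different file."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = str(full.relative_to(root))
            mode = full.lstat().st_mode & 0o7777  # permission and setuid/setgid bits
            manifest[rel] = {"sha256": hash_file(full), "mode": oct(mode)}
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed, or changed (content or permission bits)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_manifest(manifest: dict, out_path: Path) -> None:
    """Write the manifest as JSON; keep this copy off the audited host."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path: Path) -> dict:
    return json.loads(in_path.read_text())


def demo() -> dict:
    """Constructed demonstration: snapshot a tiny tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "ssh_config").write_text("PasswordAuthentication no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed fake binary")
        baseline = build_manifest(root)
        # Simulated tampering: altered binary, dropped file, deleted config.
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed fake binary, altered")
        (root / "etc" / "new.conf").write_text("dropped by demo\n")
        (root / "etc" / "ssh_config").unlink()
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use you would run `build_manifest(Path("/"))` (excluding `/proc`, `/sys` and `/dev`) right after the OS reload and hardening, save the result elsewhere, and re-run the diff on a schedule or whenever the host reports trouble.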
Just hire a professional and be done with it to figure out how they got in and to clean up the intrusion https://sucuri.net/website-security/malware-removal
 
this means that when you provision a new server and run the same websites it's just a matter of time when you get compromised once more.
Yep, and that gets back to the basics of good security. There are plenty of resources available for an admin to perform those checks on images available (Maldetect comes immediately to mind). That's why good security practices are so important.
Honest to god.. some folks are running servers that really have no business doing it... I've been lucky as I classify myself as a talented amateur.
 
Despite all your combined suggestions, of which we implemented a good % of them, we had another compromise about 6 hours ago. A lot of damage was done. Will have more information shortly here.
 
Hello,

If the attacker managed to alter some of his websites by implementing callbacks, scripts, sub-scripts (please note that an attacker can embed a piece of code into an "apparently" harmless logo.png file) this means that when you provision a new server and run the same websites it's just a matter of time when you get compromised once more.

Kind regards,
George.

We did a full audit and cleaned up several parts.

Just hire a professional and be done with it to figure out how they got in and to clean up the intrusion https://sucuri.net/website-security/malware-removal

Issue isn't malware.

Hello,

I see all of you talking about SSH, private keys, open-closed ports, 2FactorAuth.
Most of you are missing key aspects you don't find by running Google searches: a server is as secure as its weakest chain.

Should you need a security audit done by a system engineer, feel free to contact me.

Kind regards,
George.

We did all of this.

Don't use port 22, for starters. Change the SSH port to something else.

We fixed this as well.

If the server is compromised - ditch it and move to a new one, you'll never recover.

On any new server always make sure your exposure is minimised, e.g. only ports 80 and 443 open to the public, use an SSH key with no password authentication and no root login, and keep your system up-to-date. Use a port scanning tool such as nscan to check for open ports. You could also consider an audit tool to verify

We did this.

All of the above posts are perfect examples of hardening your server. There are many tutorials for basic yet vital Linux hardening methods that will protect you against vulnerabilities.

Here's a good start.. https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

We did this.

Considering that he commented

It's a pretty good indicator that the intrusion point involved SSH at some point. The actual vector of attack is not answered (and can easily be a piss-poorly written add-on or script being run on the server) to the admin not keeping up with system updates (servers are NOT an install-and-forget type deal, unlike many amateur admins believe).
At this point, a security audit would serve no purpose other than showing where he/she screwed the pooch - the simplest thing for him to do is provision the server again, THEN make sure he hardens it and keeps it updated and uses basic good security practices for securing the server.

We clearly need to do a more in-depth audit at this point because the belief now is that it was a SQL injection this time around, but we don't know for sure until we fully review everything.
 
- Keep everything up to date at all times, Install security updates asap.

- Use 2FA on your SSH and use SSH keys (I use YubiKeys for 2FA)

- Use 2FA everywhere
- Use strong and unique passwords

We did this.


We followed this.

Using an SSH private key is a good start. And also whitelisting port 22 to only your IP is the next option. Don't forget to disable root login via SSH. :)

We did this.
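The SSH advice in this thread (key-only logins, no root login, 2FA, a non-default port) is easy to believe you have applied and still get wrong, because sshd keeps the first value it sees for a keyword and anything after a Match block is conditional. The following is an added example, not code from the thread or from any poster: a small auditor that reads an sshd_config text the way sshd does (first occurrence wins, keywords case-insensitive, `#` comments stripped, settings after the first `Match` ignored as conditional) and reports which of the thread's recommendations the effective configuration contradicts. The two sample configs are constructed for the demo; the sshd defaults listed are those of OpenSSH 7.0 and later.

```python
"""Added example: audit an sshd_config against the hardening advice in the thread."""
import re

# sshd's own defaults (OpenSSH >= 7.0), used when the file omits a keyword.
SSHD_DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings. sshd keeps the FIRST value for a
    keyword, matches keywords case-insensitively, treats '#' as a comment, and
    applies everything after a Match line only when the match conditions hold,
    so we stop there rather than misreport conditional settings as global."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key in seen:
            continue  # later duplicates are ignored by sshd
        seen.add(key)
        settings[key] = value
    return settings


def audit(settings: dict) -> list:
    """Return one finding per setting that contradicts the thread's advice."""
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (keys only was advised)")
    if settings["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if settings["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for key logins to work")
    if settings["permitemptypasswords"].lower() != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    methods = settings["authenticationmethods"].lower()
    if "publickey" not in methods or "keyboard-interactive" not in methods:
        findings.append("AuthenticationMethods does not require key + second factor")
    if settings["port"] == "22":
        findings.append("Port is the default 22 (thread advises moving it and whitelisting)")
    return findings


# Constructed sample: looks hardened at a glance, but the first value wins.
WEAK_CONFIG = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # silently ignored by sshd: duplicate keyword
"""

# Constructed sample following the thread's advice; the Match block only
# relaxes things for one account and does not change the global result.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_sshd_config(cfg)) or ["no findings"])
```

Run it against the real file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`, and confirm the result with `sshd -T`, which prints the effective configuration. Moving off port 22 only reduces log noise; the controls that actually stop the logins are key-only authentication, the second factor, and the source-IP whitelist on the firewall.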
 
What operating system are you using? It sounds like your XF install is still compromised. I recommend doing a new server, CentOS 7 and a XenForo to XenForo conversion to ensure that only legitimate data is moved over. Then move 3rd party database tables over after auditing them as well. Do the conversion on a separate server than the one that will be live. One that preferably does not have internet access, just local access.

CentOS 7, and this was a new server. We did all of this.
 
Do you still have a quantity of custom mods that you use? I remember you mentioning at one time looking for a developer for a substantial quantity of code to do. If so, have you verified that those add-ons are secure and well coded?

I PM'd you about the custom developer we use.

We do have custom mods with them all purchased from established members here.
 
Just wanted to let everyone know the issue was related to CometChat. CometChat isn't secure. The guy did a SQL injection and deleted several tables by compromising CometChat. That was the issue with the 2nd compromise.

The hacker has made it a mission to attack our site simply for greed.
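The second compromise came through a third-party chat add-on via SQL injection, which is the classic result of pasting a request parameter into a query string. The following is an added example and is not CometChat's code, XenForo's code, or anything posted in the thread: a constructed chat-messages table in SQLite with the vulnerable "before" pattern beside the corrected version, showing that the concatenated query can be made to return rows from every room while the validated, parameterized query treats the same input as a malformed room id and refuses it. The schema, data and input are all constructed for the demo.

```python
"""Added example: string-built SQL versus validated, parameterized SQL for a
chat add-on's "messages in room" lookup."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one public room and one private room."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE chat_messages (id INTEGER PRIMARY KEY, room_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO chat_messages (room_id, body) VALUES (?, ?)",
        [(1, "hello room 1"), (2, "private room 2"), (2, "private again")],
    )
    conn.commit()
    return conn


def fetch_messages_vulnerable(conn: sqlite3.Connection, room_id: str) -> list:
    """The 'before' pattern: the request parameter becomes part of the SQL text,
    so the caller controls the WHERE clause, not just a value inside it."""
    sql = "SELECT body FROM chat_messages WHERE room_id = " + room_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def fetch_messages_safe(conn: sqlite3.Connection, room_id: str) -> list:
    """The fix: reject anything that is not an integer, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not room_id.isdigit():
        raise ValueError("room_id must be a positive integer")
    return [
        row[0]
        for row in conn.execute(
            "SELECT body FROM chat_messages WHERE room_id = ? ORDER BY id",
            (int(room_id),),
        )
    ]


def demo() -> dict:
    """Same crafted input through both paths; returns what each one did."""
    conn = make_db()
    crafted = "1 OR 1=1"  # constructed: turns the WHERE clause into 'always true'
    leaked = fetch_messages_vulnerable(conn, crafted)
    try:
        fetch_messages_safe(conn, crafted)
        safe_result = "accepted"
    except ValueError:
        safe_result = "rejected"
    return {"vulnerable_rows": len(leaked), "safe_path": safe_result}


if __name__ == "__main__":
    print(demo())
```

Two further points the thread's outcome (deleted tables) makes relevant: the add-on should connect with its own database account that has no DROP or DELETE privilege on the forum's core tables, so an injection in the add-on cannot take the rest of the database with it, and a request for `room_id=1 OR 1=1` is a clean detection signature in the web server access log even before the fix is deployed.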
 
More updates

3rd issue: Today he compromised the AdminCP and changed the email on the admin before our site locked down. We patched that up.

4th issue: He then decided to DDoS attack us.