
My server was compromised, please help


sebrown


Hello all,

Most of you are much more skilled than I am when it comes to forensics and security, so please do me a favor and help me out here so I can better understand the processes and procedures I should follow and implement.

Short summary:

I have a dedicated server running CentOS and hosting a website; there is also a custom member management software I've been using for 2 years now that handles a few thousand CC numbers and all account billing related issues.

A few days ago, I enlisted the help of the authors of this Membership Management software (OSS5) to complete some custom modifications. The company is US based, but they use Russian programmers (yeah, I know what you're thinking), but I've never had a problem with them before this week.

So, I create an FTP user account for the programmer to use and give them the credentials as they requested. After a few days of not hearing back from them, I contact them to see what's going on and they say the credentials I provided are not valid. I plug them in myself, they work fine, so I decide to check my logs to see what's up. Come to find out, not only do the credentials I provided work, but they are being used by an IP address which is in Ukraine: 78.30.193.208

The log shows this IP uploaded a zip file, unpacked it, deleted it; they also looked at my sql.php and config.php files and modified some other misc files. I contact them back, tell them about the logs I have and ask them what's going on. They continue to deny their involvement in what's going on, despite the IP address and the fact that I have only given that login to them.

A day later, I go to log in to the Admin panel of this software, to find out all admin accounts have been deleted and I have no access to the software. Fortunately, I had a browser open that still had a valid session cookie which allowed me to look at the CP for this software, and sure enough all admin accounts are gone. All except one account which I did not create and have no idea where it came from.

I immediately change all my passwords (cPanel, FTP, SSH, etc.) and begin poring through the log files to see WTF is really going on. I find out that a PHP file had been compromised that contained my cPanel username and password, and this file has been duplicated, renamed and moved off of the server.

My question is, where do I go from here? How would one go about gathering more information about the breach so I can restrict further access or prevent this type of thing from happening again? Please help me to understand the basics of forensic analysis so I can better understand WTF is going on.

Thank You in advance.

Steve

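As an added example (not from the original post, and not the poster's actual logs): the kind of log triage described above, done against a constructed sample in the classic wu-ftpd xferlog format that proftpd and pure-ftpd also write. The file paths, timestamps and second IP address (203.0.113.7, a documentation range) are made up for the sample; the field positions are the standard xferlog layout. xferlog only records transfers, so the unpack and delete steps the post mentions would have to come from the daemon's own syslog entries, which this does not cover.

```sh
#!/bin/sh
# Added example: pick out what a single remote address did over FTP.
# Assumes xferlog field layout (wu-ftpd/proftpd/pure-ftpd):
#   $1-$5 date  $6 xfer-time  $7 remote-host  $8 size  $9 path
#   $10 type  $11 special  $12 direction (i=upload, o=download)
#   $13 mode  $14 username  $15 service  $16 auth  $17 uid  $18 status
# Paths containing spaces would break the field split; real triage should
# confirm the daemon's log format first.
set -eu

# Constructed sample log, not real data from the thread.
sample_xferlog() {
cat <<'EOF'
Thu Jun 11 03:12:44 2009 1 78.30.193.208 48211 /home/site/public_html/tmp/upd.zip b _ i r devftp ftp 0 * c
Thu Jun 11 03:14:02 2009 1 78.30.193.208 2190 /home/site/public_html/config.php b _ o r devftp ftp 0 * c
Thu Jun 11 03:14:09 2009 1 78.30.193.208 5402 /home/site/public_html/sql.php b _ o r devftp ftp 0 * c
Thu Jun 11 03:20:51 2009 1 78.30.193.208 5640 /home/site/public_html/sql.php b _ i r devftp ftp 0 * c
Thu Jun 11 09:01:15 2009 2 203.0.113.7 1048576 /home/site/backups/site.tgz b _ o r steve ftp 0 * c
EOF
}

# uploads_from_ip IP < xferlog : files written to the server by IP
# (candidate web shells, replaced scripts, dropped archives).
uploads_from_ip() {
    awk -v ip="$1" '$7 == ip && $12 == "i" { print $9 }'
}

# downloads_from_ip IP < xferlog : files copied off the server by IP
# (config files with credentials, database dumps).
downloads_from_ip() {
    awk -v ip="$1" '$7 == ip && $12 == "o" { print $9 }'
}

# ips_using_account USER < xferlog : every remote host that logged in as
# USER, to see whether a handed-out credential was used from more than
# one place.
ips_using_account() {
    awk -v u="$1" '$14 == u { print $7 }' | sort -u
}

# Example run against the constructed sample:
#   sample_xferlog | uploads_from_ip 78.30.193.208
#   sample_xferlog | downloads_from_ip 78.30.193.208
#   sample_xferlog | ips_using_account devftp
```

On a real server, feed the daemon's xferlog (for example `/var/log/xferlog`) instead of `sample_xferlog`, and treat every path that comes back from the upload list as something to diff against a known-good copy.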

My suggestion, since the company you use is in the US, is that you should unplug the server right now and contact your local law enforcement. If you don't know what you're doing you could potentially lose all ability to pursue this in a court. You're dealing with your members' credit card and personal information. That means they could hold you personally responsible. This isn't a circumstance where you want to try out forensics.


The CC #s were all 3DES encrypted blobs so that will help, but I'm looking to be a little more proactive as opposed to pulling the plug and giving up. My company will deal with any legal issues; my objective is to find out exactly what happened and how to prevent it in the future.


Well, you did give them access, that's what happened. And here's how to prevent it: Don't give people access! Your passwords were stored in plain text so they gained complete access, and they could upload any file that they desired to your web server which would allow them to do anything.


Steve, call a good lawyer and get the hell off the forums with something like this. Get ahold of your local law enforcement and notify the proper authorities.

The fact that they had access is enough in itself to pull the plug and contact the authorities. Your server has been compromised and the integrity of the filesystem and everything running on it has been put at risk and may still be a problem, so the only course of action is to call in the experts, secure your data, rebuild everything prior to them having access to anything, and then change ALL passwords going forward with the new install and restore. You may potentially have to revert and lose some data, or reconstruct entries manually to be sure they are legit. The longer you wait to be proactive in handling it, the more you will have to clean up later and the bigger mess you will have to fix.

And what of the customers whose credit cards are stored on there? Being that you have credit card transactions on there makes me wonder how legit your post is though. Any company that stores that kind of data would have certain laws and rules to abide by, one of which may be to notify all customers of any kind of compromise, shortly after any legal investigation is carried out by whomever the authorities are on the matter.


Contact the police, take the HDD out, whack it into a box and start fresh: restore from a backup prior to that compromise. You have to assume the whole system is dirty now; there could be, and most likely is, loads of tweaked scripts and code that will be archiving off anything useful and exporting it off!

Once you have restored from a backup, patch and bring up to speed all elements of the server. Even though they didn't actually hack it, they most likely have a better idea of that server than you do now!


+1 on digip's and sparky's posts. Pull the plug. This is too far gone for a quick fix. The authorities are the only way. If you had sensitive information on there, and I'm gathering from digip's post that you had other people's credit card credentials, then this is really serious. Cut your losses. Pull the plug. Phone the authorities.


Have to agree, according to Sec+, you're supposed to:

1) Document what's on the screen

2) Create a bit for bit image

3) Copy whats in the memory

From there, you can run any forensics on the backup, leaving the hard drive untouched. Creating a hash of any important file is a good idea, since if you have to go to court you need to prove that it was unaltered. If you wanted to use any logs in court, you have to prove that you discovered the information in a scheduled check of the logs.

THAT SAID: I do agree with everyone else above.

If there is any recourse you can take against the Russians (sorry, but 'lol'), look into it, but consider how expensive it would be to conduct a trial against Russian citizens. The only hope you have is that they're extradited to the US, and depending on how legit this company is, they could disappear.

Also, have you considered that it actually ISN'T the company? You said you've used them before, and they did the work just fine. They also mentioned that the login info you sent them was no good; sounds like this could potentially be a MITM attack. I don't know how built up Russia's infrastructure is, but it may be easier to tap networks there than it is here.

Did you determine what they uploaded? Did they know where to go to get the user info?

Here's what I would do:

1) Take the server down, restore a backup done before the compromise

2) Notify all the users of what happened. You might lose some, but you'll lose ALL of them if their CC gets maxed out and it gets traced back to you.

3) If you made any copies, use them to perform forensic analysis to see if you can tell wtf they did

4) Don't give out admin credentials over a potentially unsecured medium, and to potentially untrustworthy recipients.

5) Learn from the painful experience, and get better at what you do from it :).

Good luck!

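As an added example (not from the thread, and not a script from any of the posters): the "bit-for-bit image, then hash" part of the Sec+ procedure listed in the post above, done with dd and sha256sum so the copy can later be shown to match the original byte for byte, with a manifest that `sha256sum -c` can re-check before anything is handed over. The memory-capture step is not shown; on Linux it needs a purpose-built tool such as LiME or AVML, not a shell one-liner. Paths like `/dev/sdb` in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: acquire a disk image and record hashes of source and copy.
# Run as root with the disk unmounted (or mounted read-only); never image a
# live, writable filesystem if it can be avoided.
set -eu

# Step 1 of the procedure: write down the volatile context before touching
# anything. Appends to NOTES_FILE so repeated runs keep a running record.
record_state() {            # record_state NOTES_FILE
    notes="$1"
    {
        printf 'acquired_utc: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'host: %s\n' "$(uname -a)"
        printf 'operator: %s\n' "$(id -un 2>/dev/null || echo unknown)"
    } >> "$notes"
}

hash_file() {               # hash_file PATH -> sha256 hex on stdout
    sha256sum "$1" | cut -d' ' -f1
}

# Step 2: acquire_image SOURCE DEST MANIFEST
# conv=noerror keeps dd going past unreadable sectors and conv=sync pads
# them with zeros so offsets in the image still line up with the device.
# bs=512 matches a sector, so a regular file used as a test stand-in is not
# padded either. Both hashes go into MANIFEST in sha256sum -c format;
# returns non-zero if the image does not match the source.
acquire_image() {
    src="$1"; dst="$2"; manifest="$3"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf '%s  %s\n' "$src_hash" "$src" >> "$manifest"
    printf '%s  %s\n' "$dst_hash" "$dst" >> "$manifest"
    [ "$src_hash" = "$dst_hash" ]
}

# Later (before analysis, before handing evidence over): verify_manifest
# MANIFEST succeeds only if nothing listed has changed since acquisition.
verify_manifest() {
    sha256sum -c --quiet "$1" >/dev/null 2>&1
}

# Usage against a real disk (placeholder device and paths):
#   record_state  /evidence/notes.txt
#   acquire_image /dev/sdb /evidence/sdb.img /evidence/SHA256SUMS
#   verify_manifest /evidence/SHA256SUMS
```

Do the analysis on a second copy made from the image, and keep the original drive and the first image untouched; the manifest is what ties the working copy back to them.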

Hah! You're going to call the police on some Russians/Ukrainians who hacked your server? What do you think they will accomplish? Even the Ukrainian police won't be able to do a thing; this will never see the inside of a court room. Just rebuild the server and don't offshore work to places like Russia without researching the risks.


Let the customers know that their CC numbers are more than likely up for sale somewhere. And you can't catch them if they really are from Ukraine / Russia, the law enforcement there won't do a thing. Oh, and shut the server off, there's a 99% chance they still have a backdoor.


Hell, it might not even have been the people you mentioned. You could have compromised your own server with a Gumblar infection, which hails from Russia to begin with, so it would look like the people you hired did it but might just be a coincidence.
