
UPDATE II: I honestly fail to see how my question is inappropriate for this site, and no one seems to want to give me a reasonable response for that, but whatevs, I solved it. Thanks to the actual people that read and helped (instead of trying to enforce seemingly arbitrary "rules" for what should or should not be posted here).

UPDATE: Despite this being tagged as a duplicate, this question is trying to figure out HOW a site could have been compromised in this situation, NOT asking a generic question about how to secure a server.

I was recently alerted by Dreamhost that a few of my websites' directories had been compromised with 3-letter PHP files written into them. Decoding them, I have discovered that they are files that send out spam when executed. When I started looking into the problem, I noticed some very strange things that make me question how I could have been hacked if the server itself (shared space with who knows how many other websites) was not hacked at the root level.

Here are some of the details and oddities:

  1. Only six directories out of more than 50 had these files written into them.
  2. 4 of the directories contain WordPress, but only 3 of those are even being served at the moment.
  3. The other 2 directories are mostly static html, no db access at all, with a little javascript.
  4. None of the directories had openly writable permissions (777) on anything in them.
  5. All the files were written into the top level of each website directory, nothing lower down that I can find.

So I am left wondering how this could have happened, and with the following questions:

  1. What are the possible vectors for attack here? Since some of the directories were not even web accessible, it seems unlikely that web access was the vector. Since some contain static files, it seems unlikely that this is related to one of the recent WordPress vulnerabilities.

  2. Is it possible or likely that there has been a root server level hack on the Dreamhost server, giving the attacker access to all directories and accounts?

  3. I suppose it is possible my shell account password was hacked, but if so, why would only 6 of the directories be written into? (and in random order as far as I can tell, there are many other directories in the alphabet between them and they are not in order of date modified or created either). In any event, I have changed my shell password just in case.

I am not a system admin, much more of a web designer and developer, but I would like to figure out how this could have happened so that I can better protect against this type of attack in the future. Thanks for any advice!

Stephen
    Almost certainly IS a wordpress vuln. If they had root they would be doing more with it outside the web structure. – JamesRyan May 09 '15 at 13:22
  • I fail to see how it could be a wordpress vuln when it affected other websites that are NOT wordpress, and in EXACTLY the same way. – Stephen May 09 '15 at 13:23
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – EEAA May 09 '15 at 17:42
  • This question I believe is different than the one above due to its specific question about how a hack could have occurred in a specific instance. – Stephen May 10 '15 at 02:54
  • I honestly fail to see how my question is inappropriate for this site, and no one seems to want to give me a reasonable response for that, but whatevs, I solved it. Thanks to the actual people that read and helped. – Stephen May 16 '15 at 18:46
  • Best guess is that once wordpress was compromised the attacker either: leveraged the fact that the compromised user access allowed directory traversal (https://en.wikipedia.org/wiki/Directory_traversal_attack) or perhaps once WP was compromised they were able to write and read to any folder that the web server user's GROUP could access or that they the web server user could access. – Bryan 'BJ' Hoffpauir Jr. Jul 12 '15 at 15:19

1 Answer


If all the folders are owned by one system user (somewhat implied by you suggesting you have a shell account that can see everything), and the PHP scripts are run as that user (any host worth their salt will be doing so), they can write into any directory you own/have write enabled (e.g. 777 isn't required - owner-write is enough).

Each distinct website should run under its own system user for maximum separation.

As to expecting or attempting to deduce logic behind skiddies and where they drop files: that way, madness lies.

Update

Your hosting account has all of the various websites running under one user account on the server. Your shell login is as that same account.

When the webserver executes your PHP scripts (in wordpress, etc) it will be doing so as that user. This means that, absent any very clever hackery by your host, any PHP script that runs under any of the directories in your account has exactly the same access to all of the files in your account as you would when connected to the shell. This includes modifying files outside of the website's document root (eg: in other directories, even directories not "published"), writing into directories with permissions 700, reading database credentials from your configuration files, etc.

All of this means that this likely started with just the one site being exploited, and files being dropped in directories from there.

Change all your database passwords. Upgrade all of your sites and plugins (check the access logs for suspicious POSTs to see where the original entry point might have been). Check all of your sites to ensure no new users have been added in the database.

Switch to an account/product/host where each website can have its own unix account, or you remain at risk of one website being exploited leading to all of them being defaced/impaired.

Update 2

Your host says that there was a login to the shell - presumably they were explicit in saying it was "suspicious" rather than just any login to the shell (which might be suspicious to them to begin with - few people use shells with webhosting IME).

Occam's razor says your host is mistaking your logins for an attacker's logins and this still started as (or was entirely) PHP.

If it was bruteforced, your password will have had to have been terrible or your host has no bruteforce protection to speak of.

Alternatively, you typed your password into a compromised machine or using an unencrypted protocol (such as vanilla FTP) over an insecure network (which is pretty much anything, really).

It is less likely, but possible, that there is a vulnerability in the host's systems that allows customer passwords to be lifted from, say, a control panel (assuming they are stored and visible from inside there), but we'd be hearing about thousands of hacked sites at your host by now (ditto if there was some sort of server-wide backdoor/vulnerability). Some attacks rely on a social engineering attack on the host itself (this is seriously unlikely to happen unless you host really interesting or important sites).

Phil
  • so you are saying that it IS likely that the entire shared server is compromised? – Stephen May 09 '15 at 13:16
  • No, I'm suggesting that it seems likely that all your websites (folders) run as one system user, and something in your account being exploited and running as your system user has the same access to files as you logged in using that system user over SSH. EDIT: supply the output of ls -la showing all the directories your websites are in, and we'll be able to prove/disprove my theory – Phil May 09 '15 at 13:19
  • ok, so other than my password being compromised, is there any other possibility for how they could have gained access to my ssh shell? – Stephen May 09 '15 at 13:20
  • I have already done the ls -al and the owner of all dirs is me, and the owner group is one I don't recognize but I assume is one created by my hosting company for my account, and are also all the same. But does this prove that it was ONLY my shell account that was compromised, or could it still mean that the server itself (and potentially all hosting accounts on it) was compromised? – Stephen May 09 '15 at 13:32
  • and when I get the group info it shows the following format: groupname:x:my_user_id: – Stephen May 09 '15 at 13:39
  • It is unlikely your shell account was exploited. Let me get to a desktop computer and I'll expand my original answer to fill in the gaps for you here. – Phil May 09 '15 at 13:40
  • Done (I don't think you get notified of edits). – Phil May 09 '15 at 14:42
  • Thanks for your response, but I remain confused by a few things: 1. If they compromised one site, and that gave them access to all directories for that user, why only place the files in 6 out of over 50? And why is there nothing related (alpha, mod date order etc) about those 6? 2. I am searching my logs now, but so far can only find calls for the files they added, not any odd command that created the files in the first place... – Stephen May 09 '15 at 15:07
  • Maybe several sites were exploited at different times. It is very common now for exploiters to upload files and only return to use them a month or more later, when the evidence of their intrusion has likely been deleted from the access logs (if they haven't deleted them themselves). Also, in my experience lately these attacks have been manually driven, not done by a script looking to drop files everywhere, so a human element of randomness is to be expected. In any event, the inconsistency of the file drops does not change the "how" of them getting there. – Phil May 09 '15 at 15:34
  • as a follow on, my hosting company told me that there was an actual logon to my shell account, can you think of some other way they got my password (other than bruteforce)? – Stephen May 10 '15 at 12:16
  • I've updated my answer. TL;DR: I'm not sure I believe your host can tell the difference between you logging in and anyone else logging in on shell unless you've given them a list of your IPs you've used for the last n weeks, unless the suspicious login was from, say, Egypt, or whatever. – Phil May 11 '15 at 16:38
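The permission check Phil asks for (the output of `ls -la`) can be automated. The script below is an added example, not code from the question or the answer: it applies the POSIX owner/group/other rule to every directory under a home directory and reports which ones a given uid could drop a file into, showing that owner-write alone is enough when PHP runs as the account's own user. The site directory names and modes are constructed for the demo.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """POSIX rule: owner bits apply if uid matches, else group bits if any
    supplementary gid matches, else the 'other' bits. uid 0 is not special-cased."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_dirs(root, uid, gids):
    """Every directory under root (root itself reported as '.') that the
    identity (uid, gids) could write a new file into."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        if can_write(os.lstat(dirpath), uid, gids):
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def build_demo_tree():
    """Constructed layout mimicking a single-user shared-hosting account:
    several site directories, all owned by the running user, none of them 777."""
    home = tempfile.mkdtemp(prefix="hostingdemo_")
    for name, mode in (("siteA", 0o755), ("siteB", 0o700), ("static", 0o755)):
        path = os.path.join(home, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so the umask does not interfere
    return home


def audit_demo():
    """Run the audit as the account's own uid (what PHP runs as on such a host)
    and as an unrelated uid with no shared groups."""
    home = build_demo_tree()
    me = os.getuid()
    return {
        "account": writable_dirs(home, me, set(os.getgroups())),
        "stranger": writable_dirs(home, me + 1, set()),
    }


if __name__ == "__main__":
    for who, dirs in audit_demo().items():
        print(f"{who}: {dirs}")
```

Run against a real home directory with the uid the web server's PHP process uses, `writable_dirs` lists exactly the places a compromised script on one site could reach, which is the whole of the account when every site shares one user.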