Post #421,961
12/30/17 1:53:08 PM
12/30/17 1:53:08 PM
|
How do I research a hack tool?
My server was compromised this morning. The directories rimpek and vlomaw were added to each site. When I try to search for them to see what they're doing, all I find is links to all the sites that have been compromised and don't know it yet.
|
Post #421,963
12/30/17 2:07:44 PM
12/30/17 2:07:44 PM
|
Dunno. Contact your computing appliance vendor?
I've got a dormant WP site setup on Dreamhost. About a year after I turned it on, I got an e-mail from them that my site had been compromised, but they cleaned it up. (Whew!)
Presumably your hosting outfit is aware of what to do in such circumstances, too? But maybe they just provide the virtual hardware and the rest is up to you. :-(
Google doesn't turn up anything for me with those two weird words. "Wordpress hacked" does turn up a bunch of things, but they might not be relevant.
Dunno if there's a version of Google for TOR and the "dark web" - I've never poked around there.
Good luck!!
Cheers,
Scott.
|
Post #421,964
12/30/17 2:50:04 PM
12/30/17 2:50:04 PM
|
Yeah, Dreamhost noticed it about 5 hours before I did
They had already disabled a bunch of stuff and gave me a list of affected files. Now I'm going through the whole server looking for anything that changed in the last 24 hours. Man, there's a bunch.
|
Post #421,970
12/30/17 6:23:30 PM
12/30/17 6:23:30 PM
|
bunch of them out there, also try sans.org thought I saw an article on last mailing
"Science is the belief in the ignorance of the experts" – Richard Feynman
|
Post #421,973
12/31/17 12:47:31 PM
12/31/17 12:47:31 PM
|
Start with the web server logs
That should give an idea of how the service was compromised. It will narrow the search parameters as to finding what was used. Looking for a cluster of 4xx responses may help as most compromises scan the server for vulnerabilities before striking.
If there's nothing in the web server log, or there are pieces missing, then you have a much bigger problem as that would indicate some type of privilege escalation beyond the web server.
Penetration testing tools like OpenVAS can be used to check for known holes, but as Digital Ocean has already made changes, that may no be very helpful at this stage. OpenVAS is a competent free tool, but can be a bear to get running from scratch. Some Linux distributions include it. (Kali Linux does. This is a specialist pen testing live disc distro.)
|
Post #421,978
12/31/17 4:05:36 PM
12/31/17 4:05:36 PM
|
thanks for the tip downloaded kali linux
"Science is the belief in the ignorance of the experts" – Richard Feynman
|
Post #422,004
1/2/18 3:39:23 PM
1/2/18 3:39:23 PM
|
And now a cron exploit?
On the day it was hacked, once per hour for 12 hours I got an email from my crontab with a huge list of spam links. I don't see anything amiss in the crontab now. Any ideas what this was attempting to do? Or actually did?
|
Post #422,005
1/2/18 3:53:47 PM
1/2/18 3:53:47 PM
|
Review at jobs as well
|
Post #422,011
1/2/18 9:15:49 PM
1/2/18 9:15:49 PM
|
Other account's crontab?
The collection lives at /var/spool/cron/crontab (or .../crontabs)
One of the system logs should contain a trace of the jobs that were executed, as well as the user account that executed the job. The exact file is up to the configuration of the OS. (Most likely, either a dedicated cron log, or syslog. The service can show up as cron or CRON, so "grep -i" is needed to find them all.)
|
Post #422,012
1/2/18 9:22:39 PM
1/2/18 9:22:39 PM
|
also note /etc/cron.daily cron.weekly cron.motnly and cron.hourly
"Science is the belief in the ignorance of the experts" – Richard Feynman
|
