The other day, a new customer approached us (thanks to a referral from Bytemark); they were using a virtual machine to host their website. The machine itself ran Red Hat 9 (from 2003 or so) and was used to take online bookings for events: customers' details (credit card numbers etc.) were submitted over HTTPS and emailed to a back office for offline processing.
Here's a summary of what we found, which may prove to be interesting/useful for others in similar situations.
- No one took responsibility for systems administration of the server, so over time it became more and more vulnerable to newly discovered flaws
- They were unaware that the server had been compromised until Bytemark contacted them - due to phishing sites being reported on the server
- The attackers gained entry through an account with a weak password via SSH. They'd clearly undertaken some form of brute force dictionary attack on SSH
- Once the attackers had a shell, they quickly escalated to root by exploiting a vulnerability in the kernel
- The attackers modified /etc/passwd and /etc/shadow to give themselves other accounts to use with a uid of 0
- The attackers installed two identical phishing sites in different locations (e.g. /var/www/html/images/.a/http/signin.ebay.com/....), logging the usernames and passwords submitted to a text file; in all there appeared to be about 80-100 logins logged
- Luckily they didn't mess with the code on the website (Perl) or the MySQL database. This was fortunate as no offsite backup was set up or available
- On inspecting the Perl code, we discovered it was vulnerable to a number of flaws (mostly shell injection, but theoretically race conditions too)
- Luckily it appears no attempt was made to intercept the credit card details which were held on the server temporarily before dispatch via email
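As an added example (not code from the original post), a small audit for the account-database indicators listed above: it parses /etc/passwd and /etc/shadow text and reports uid-0 accounts other than root, plus login-capable accounts whose password field is empty. The file contents are constructed sample data, and NON_LOGIN_SHELLS and the function names are my own choices.

```python
# Added example, not code from the original post: audit /etc/passwd and /etc/shadow
# text for two indicators described above: extra uid-0 accounts and login-capable
# accounts with an empty password. The file contents are constructed sample data.
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$saltsalt$hashplaceholder:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
apache:!!:12345:0:99999:7:::
webadmin::12345:0:99999:7:::
sysadm:$1$saltsalt$hashplaceholder:12345:0:99999:7:::
"""

NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(text: str) -> List[List[str]]:
    """Split passwd/shadow-style text into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Names of every uid-0 account other than root (the backdoor accounts above)."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]

def passwordless_login_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """Accounts with an empty shadow password field and a shell that permits login."""
    shells: Dict[str, str] = {f[0]: f[6] for f in parse_colon_file(passwd_text) if len(f) >= 7}
    return [f[0] for f in parse_colon_file(shadow_text)
            if len(f) >= 2 and f[1] == "" and shells.get(f[0]) not in NON_LOGIN_SHELLS]

def audit(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by check name."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "passwordless_login": passwordless_login_accounts(passwd_text, shadow_text),
    }

if __name__ == "__main__":
    for check, names in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {names or 'none'}")
```

On a live host, pass the real file contents (open("/etc/passwd").read() and open("/etc/shadow").read(), which needs root) instead of the samples; a shadow entry with no matching passwd line is also flagged, since an orphaned passwordless entry is worth a look.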
So, the moral is: get some systems administration support! Ensure the server is kept up to date, disable unused SSH accounts, and make sure you have some sort of off-server backups.