A quick overview of a compromised Linux system
Some time ago, a new customer approached us (thanks to a referral from Bytemark); they were using a virtual machine to host their website. The machine itself was RedHat 9 (from 2003ish) and was used to take online bookings for events.
Here’s a summary of what we found, which may prove to be interesting/useful for others in similar situations.
- No one took responsibility for systems administration of the server, so over time it became more vulnerable to discovered flaws
- They were unaware that the server had been compromised until Bytemark contacted them – due to phishing sites being reported on the server
- The attackers gained entry through an account with a weak password via SSH. They’d clearly undertaken some form of brute force dictionary attack on SSH
- Once the attackers had a foothold, they quickly escalated to root (exploiting a vulnerability in the kernel).
- The attackers modified /etc/passwd and /etc/shadow to give themselves other accounts to use with a uid of 0
- The attackers installed two identical phishing sites in different locations (e.g. /var/www/html/images/.a/http/signin.ebay.com/….) with the usernames and passwords submitted logged to a text file – in all there appeared to be about 80-100 logins logged
- Luckily they didn’t mess with the code on the website (Perl) or the MySQL database. This was fortunate as no offsite backup was set up or available
- On inspecting the Perl code, we discovered it was vulnerable to a number of flaws (mostly shell injection, but theoretically race conditions too)
- Luckily it appears no attempt was made to intercept the credit card details which were held on the server temporarily before dispatch via email
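Two of the findings above (extra uid 0 entries in /etc/passwd and a phishing kit stashed in a dot-directory under the web root) are cheap to check for on any similar box. The script below is an added example, not anything recovered from the compromised machine: the passwd contents and the web root it builds are constructed samples, and the account name `toor` and the directory `images/.a` are assumptions that mimic the layout described in the post.

```python
import os
import tempfile

# Constructed sample of an /etc/passwd in the state the post describes:
# a second uid-0 account planted next to the legitimate root entry.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
bookings:x:500:500:Bookings app:/home/bookings:/bin/bash
toor:x:0:0::/tmp/.x:/bin/bash
"""


def find_extra_uid0(passwd_text, allowed=("root",)):
    """Return the names of uid-0 accounts that are not in the allowed set.

    Malformed lines (not seven colon-separated fields) are skipped; a real
    audit would report them separately.
    """
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed:
            hits.append(name)
    return hits


def find_hidden_dirs(webroot):
    """Return dot-directories below webroot, as paths relative to it.

    Legitimate sites rarely serve content from dot-directories, so each hit
    deserves a look; the post's kit lived under images/.a/...
    """
    found = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for name in dirnames:
            if name.startswith("."):
                found.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(found)


def build_sample_webroot():
    """Create a constructed web root in a temp dir mimicking the post's layout
    (real site at the top, phishing pages hidden under images/.a) and return
    its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    stash = os.path.join(root, "images", ".a", "http", "signin.example.test")
    os.makedirs(stash)
    with open(os.path.join(stash, "index.html"), "w") as fh:
        fh.write("<html>lookalike login form</html>\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>real site</html>\n")
    return root


if __name__ == "__main__":
    # Run against the constructed samples first, then the live host.
    print("sample extra uid-0 accounts:", find_extra_uid0(SAMPLE_PASSWD))
    print("sample hidden dirs:", find_hidden_dirs(build_sample_webroot()))
    with open("/etc/passwd") as fh:
        print("host extra uid-0 accounts:", find_extra_uid0(fh.read()))
    if os.path.isdir("/var/www/html"):
        print("host hidden dirs:", find_hidden_dirs("/var/www/html"))
```

Run it as root on the host to check the real /etc/passwd and /var/www/html; an empty list for both is the expected result on a clean system. Pair it with a cron job or a file-integrity tool, since a one-off run only tells you about today.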
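The shell injection flaws found in the booking code follow one pattern: a form value is pasted into a command string that a shell then parses. The Python below is an added example illustrating that pattern and its fix; it is not the site's Perl code, and the sendmail path, the address format and the sample inputs are assumptions.

```python
import re
import subprocess
import sys

# Allow-list for the only shape of value the command should ever receive.
# The first character may not be '-', so a crafted value cannot be parsed
# as a command-line option either.
EMAIL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Assumed location of the MTA binary; adjust for the host.
SENDMAIL = "/usr/sbin/sendmail"


def unsafe_command(address):
    """The vulnerable pattern: untrusted input interpolated into a string
    that will be handed to a shell. Returned for inspection only; this
    function never executes anything."""
    return f"{SENDMAIL} {address}"


def is_accepted(address):
    """True if the value matches the allow-list."""
    return EMAIL_RE.match(address) is not None


def safe_argv(address):
    """Hardened form: validate first, then build an argv list so the value is
    one discrete argument and no shell ever interprets it."""
    if not is_accepted(address):
        raise ValueError(f"rejected address: {address!r}")
    return [SENDMAIL, address]


def echo_as_single_argument(value):
    """Demonstrate that a metacharacter-laden value survives intact as a
    single argv element when passed without a shell. A Python child process
    stands in for the real command so this runs anywhere."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    crafted = "booker@example.com; cat /etc/shadow"   # constructed sample input
    print("string a shell would see:", unsafe_command(crafted))
    print("accepted by allow-list?", is_accepted(crafted))
    print("as one argument:", echo_as_single_argument(crafted))
    print("argv for a good address:", safe_argv("booker@example.com"))
```

The two defences are independent: the allow-list rejects anything that is not an address, and the argv list means that even a value the regex happened to let through would reach the program as data rather than as shell syntax. Perl offers the same split with the list form of `system` and `open`.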
So – the moral is, get some systems administration support! Ensure the server is kept up to date, disable unused SSH accounts – and make sure you have some sort of off-server backups.