Pale Purple

A quick overview of a compromised Linux system

Some time ago, a new customer approached us (thanks to a referral from Bytemark); they were using a virtual machine to host their website. The machine itself was RedHat 9 (from 2003ish) and was used to take online bookings for events.

Here’s a summary of what we found, which may prove to be interesting/useful for others in similar situations.

  1. No one took responsibility for systems administration of the server, so over time it became more vulnerable to discovered flaws
  2. They were unaware that the server had been compromised until Bytemark contacted them – due to phishing sites being reported on the server
  3. The attackers gained entry through an account with a weak password via SSH. They’d clearly undertaken some form of brute force dictionary attack on SSH
  4. Once the attackers gained access, they quickly gained access as root (exploiting a vulnerability in the kernel).
  5. The attackers modified /etc/passwd and /etc/shadow to give themselves other accounts to use with a uid of 0
  6. The attackers installed two identical phishing sites in different locations (e.g. /var/www/html/images/.a/http/signin.ebay.com/….) with the usernames and passwords submitted logged to a text file – in all there appeared to be about 80-100 logins logged
  7. Luckily they didn’t mess with the code on the website (Perl) or the MySQL database. This was fortunate as no offsite backup was setup/available
  8. On inspecting the Perl code, we discovered it was vulnerable to a number of flaws (mostly shell injection, but theoretically race conditions too)
  9. Luckily it appears no attempt was made to intercept the credit card details which were held on the server temporarily before dispatch via email

So – the moral is, get some systems administration support! Ensure the server is kept up to date, disable unused SSH accounts – and make sure you have some sort of off-server backups.

Exit mobile version