root exploits

Posted: 11 Jan 2013, 23:34
by hetzbh
Hi,

I'm using CSF (btw, where can I see which version it is?) and I just found one of my servers has been hacked.
Looking at the /var/log/lfd.log, I see that a user which was created by the attacker ("ghost") is using a security exploit to gain root, but I didn't get any email nor did I find the following details:

1. Which security exploit is it?
2. How can I automatically block the offending IP?

I looked across the csf.conf and I didn't find such options anywhere. Could you please tell me which options to set for the 2 items?

How do I really see which security exploit that damn kid used? This is the most important issue for me.

One last thing: I was hacked by this "Ghost Iraq" - any good web site where I can find which exploit they use and how I can block it?

Thanks,
Hetz

Re: root exploits

Posted: 16 Jan 2013, 08:45
by abubin2
Most hacking is done from the application level nowadays. Assuming your box has already been hardened, they will usually hack through exploits from un-updated wordpress or phpmyadmin.

I have had an attack from phpmyadmin before. The default phpmyadmin has a setup folder which is full of vulnerabilities. I usually remove the whole setup folder whenever I install phpmyadmin.

As for how you got hacked, you need to check your logs and analyse them. Sometimes you might find traces and sometimes nothing. It's not easy to find.

Re: root exploits

Posted: 16 Jan 2013, 09:27
by hetzbh
Hacking wordpress will give you the account, not root level access.

My question was about csf itself: it shows a message about a security exploit, so why not show the process name/pid where it happens? That will make life much easier to trace and fix.

Re: root exploits

Posted: 18 Jan 2013, 15:01
by Black Tiger
(btw, where can I see which version it is?)
In the ssh console type the following:

csf -v

You will get an output like this:

csf: v5.73 (cPanel)

Re: root exploits

Posted: 29 Jan 2013, 01:31
by elrohir
Hacking wordpress is done from the application level.
I'm not sure it's not root level access.