Koozali.org: home of the SME Server

SME server 7 presumed hacked - performing DOS attack on another domain?

joshAU
Hello.
Long time no speak here - no need to... SME has been such a reliable system.

Running a SME server 7 as dedicated server and gateway with modem in bridge mode to server...
I have installed some batches of updates in the past but to be honest I haven't installed any for ages...  :(

Last Monday, I noticed my monthly bandwidth, 100GB, had all but vanished, in 4 days...
Having a look at my web providers usage page, it seemed to be using approx 1GB per hour, every hour.

I assumed one of the windows systems was hacked, however, after leaving ONLY the SME server connected to router, with its internal LAN cable disconnected, the usage continued.

I ran IPTraf, and it appeared that there was a lot of repeated traffic between my external IP address, on port 80, and another domain interstate...

I ran a whois on the domain, and it appears to be a large accounting software firm.

The traffic seems to consist of approx 4 MB lots, which then restart, repeatedly, so therefore approx 1GB is being used, every hour. The 4MB size varies, but is always approx just over 4MB.

In case it was a glitch, I rebooted the server, but soon after restart it commenced again.

I am guessing that the server has been hacked, and is performing a denial of service attack on this software firm.

To be honest, while I've spent years maintaining and fixing win pcs for work, I have little experience in unix...

Could someone suggest a course to take... and also confirm that this is indeed what it looks like.
and perhaps suggest which logs I should examine, etc.
Furthermore, would it just be the apache server that has been compromised, or would you assume the whole server is compromised?

I suspect that the best course of action is to wipe the server, and failing any response to the contrary, that is what I will do. I have begun backing up all files, and the few modified conf, etc files that I can remember modifying, in preparation to installing SME 8.

However, I had a few configuring issues last time, such as getting a second SME server to authenticate with the primary server domain... the main issue, and others, such as caching of windows updates, that could cause a few headaches...

Any advice greatly appreciated.
Thank you.

mmccarn
If you have any websites or ibays using php5-cgi, you may have been hit by a security vulnerability that cropped up this past February.

You can find if you have php5-cgi on your system using this command:
grep php5-cgi /etc/httpd/conf/httpd.conf

You can read more at http://forums.contribs.org/index.php/topic,48612.0.html

If it has been a particularly long time since you installed any updates, there may be other unpatched vulnerabilities on your system.

CharlieBrady
Quote
I ran IPTraf, and it appeared that there was a lot of repeated traffic between my external IP address, on port 80, and another domain interstate...

Use "netstat -anp" to identify the process which is terminating those connections at your end. It is most likely that the connections are inbound, in which case they are web accesses to your web server (process will show as "nnnn/httpd"). Your httpd/access.log will identify the web resource (URL) which is being accessed. Note that port 80 inbound connections are initiated by the remote end of the connection, not by your server.

How did you determine that the transfers are in 4MB lots?

Quote
I am guessing that the server has been hacked, and is performing a denial of service attack on this software firm.

From what you have said it is more likely that they are performing a DoS on you.
« Last Edit: June 11, 2012, 06:31:38 PM by CharlieBrady »
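The access-log step suggested above, as an added example that is not part of the original post: it summarises Apache combined-format log lines by requested URL and by client address, totalling hits and response bytes, so a resource being pulled repeatedly in ~4MB lots stands out. The log lines are constructed sample data; the path and addresses in them are placeholders, not the original poster's.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format (field 7 = path,
# field 9 = status, field 10 = response size in bytes or "-").
ACCESS_LOG_SAMPLE='203.0.113.7 - - [11/Jun/2012:10:00:01 +1000] "GET /ibay/shop/download.php?f=catalog HTTP/1.1" 200 4210000 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2012:10:00:09 +1000] "GET /ibay/shop/download.php?f=catalog HTTP/1.1" 200 4150000 "-" "Mozilla/5.0"
198.51.100.22 - - [11/Jun/2012:10:00:12 +1000] "GET /index.html HTTP/1.1" 200 1532 "-" "curl/7.19"
203.0.113.7 - - [11/Jun/2012:10:00:17 +1000] "GET /ibay/shop/download.php?f=catalog HTTP/1.1" 200 4010000 "-" "Mozilla/5.0"
198.51.100.22 - - [11/Jun/2012:10:00:20 +1000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.19"'

# summarise_by <field-number>: reads log lines on stdin and prints
# "total_bytes hits key" per distinct key, largest transfer volume first.
summarise_by() {
    awk -v key="$1" '
        {
            size = ($10 == "-") ? 0 : $10
            k = $key
            hits[k]++
            bytes[k] += size
        }
        END { for (k in bytes) printf "%d %d %s\n", bytes[k], hits[k], k }
    ' | sort -rn
}

# Which URL is responsible for the volume (Charlie suggests checking access.log).
top_urls() { summarise_by 7; }

# Which client address is responsible (cross-check against netstat -anp output).
top_clients() { summarise_by 1; }

echo "== bytes hits url =="
printf '%s\n' "$ACCESS_LOG_SAMPLE" | top_urls
echo "== bytes hits client =="
printf '%s\n' "$ACCESS_LOG_SAMPLE" | top_clients
```

On a live system, replace the sample with `cat /path/to/access.log | top_urls` and look for a single URL or client dominating the byte total with many repeat hits.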

CharlieBrady
Quote
From what you have said it is more likely that they are performing a DoS on you.

I'd recommend you edit the subject of this thread. You are jumping to conclusions.

joshAU
Re: SME server 7 possibly compromised -appears to be performing DOS attack?
« Reply #4 on: August 13, 2012, 02:09:52 AM »
First, very sorry about the time taken to respond.
I ended up wiping and installing SME8.

Thank you both mmccarn and CharlieBrady for your advice.
I appreciate the time you have put into answering my question.
If I had had more time, and more knowledge, I would have investigated the issue further, but I needed to get the system up and running, so I backed it up, wiped and put on SME8.

CharlieBrady, in regards to how I knew it was 4MB size, IPTraf seems to show that info on the right hand side... watching the transfers, they would increase to just over 4MB, and then stop, and another transfer would start, again up to just over 4MB. It was never the same amount though, eg, 4.01, 4.15, 4.1 MB.

As the remote website was one of the largest accounting software companies in Australia, I assumed it was more likely that I had been compromised, but that may not be the case...
I have edited the subject as you suggested, as you are correct, I was jumping to conclusions.

Thanks again to you both for your help.

CharlieBrady
Re: SME server 7 possibly compromised -appears to be performing DOS attack?
« Reply #5 on: August 13, 2012, 08:53:22 PM »
Quote
First, very sorry about the time taken to respond.
I ended up wiping and installing SME8.

If you have a vulnerable PHP application and have done nothing to secure it, you could end up back in the same situation.

joshAU
Re: SME server 7 presumed hacked - performing DOS attack on another domain?
« Reply #6 on: August 14, 2012, 01:28:35 AM »
Thanks for the reply, and the advice, CharlieBrady.
I don't currently have any real modifications or additions to this server, just sme8, with all available updates, hosting a single page static webpage at the moment.
Thanks once again. I do appreciate it.

CharlieBrady
Re: SME server 7 presumed hacked - performing DOS attack on another domain?
« Reply #7 on: August 14, 2012, 03:40:27 AM »
Quote
I don't currently have any real modifications or additions to this server, just sme8, with all available updates, hosting a single page static webpage at the moment.

If that was the case also with your SME7 server, then it's unfortunate that we didn't spend more time understanding what was happening. Whatever problem there was could still exist, or could still affect other users.

joshAU
Re: SME server 7 presumed hacked - performing DOS attack on another domain?
« Reply #8 on: August 14, 2012, 05:05:26 AM »
Hi again CharlieBrady.
Yes, I do understand that. The problem was I had to get the system back up and running ASAP, and I didn't have any spare systems or drives, so I had to copy off the files, wipe and reinstall as quickly as I could. I would have liked to have gotten to the bottom of it.

The differences between the two installations were the old one was version 7, and while some updates had been applied, I don't think I had installed any new updates for at least 6 months. The only other difference was the old version had an installation of ozcommerce on it, which I had installed on it a year or so earlier, played around with a bit, and never used again.

Hope this info helps.

P.S. I tried to change the subject to "Re: SME server 7 possibly compromised -appears to be performing DOS attack?" but it doesn't seem to change the main subject line, only the subject in the post I made previously. Any ideas on how to change it?