Alternatively, you can use the Host Access Control screen in the Security Center in WHM, as that is an interface to the /etc/hosts.allow and /etc/hosts.deny files.
As of cPanel 11, all cPanel accounts, including those without SSH access, have sufficient access for SFTP transactions.
Hello Mike and CpanelDavidG
As I understand it, the invasion is robotised and happens only by FTP. As this is a robot invasion, the hacker does not connect via SFTP, because it would necessarily have to install the reg file for each account it invades.
In this case, blocking port 21 for certain countries is sufficient to minimize this problem.
Thank you
Konrath
Try to find a pattern:
- a lot of servers affected
- a lot of servers with a lot of hosted sites affected
- not all hosted sites on a server are affected
Try to find the cause:
- high chance that it is an automatic tool
- low chance that it is a manual attack where someone uploads a shell or malicious code to one site and takes control of the server (but in that case, why didn't they insert the iframe in all accounts?)
- could be a virus that steals FTP passwords and automatically uploads a script into the index or header
Because it doesn't affect all sites, is it possible that it affects some popular CMS (WordPress, Joomla)?
Looking for feedback from admins of dedicated servers with a lot of accounts belonging to different people: what similarities do they find?
- is the same CMS script used?
- is code injected in all files or in specific files?
- how many hosted sites are affected and how many are not?
- what do the sites that are not affected have in common?
Come on, you can do more.
Hello
What antivirus detects the virus installed on the website or on the computer?
Thank you
Konrath
There are many viruses that steal passwords. No single antivirus finds all threats. Update your antivirus regularly and use a firewall.
Do not use 2 antivirus programs at the same time (I have 2 installed, but only 1 is active). When I suspect problems I scan with both antiviruses (not both at the same time).
Security Blog > Community > NETGEAR® ProSecure™: Redefining Comprehensive Network Security for Small and Medium Sized Businesses.
Virus Description: Trojan-PSW:W32/Sinowal.CP
Also, there are viruses that very easily steal passwords memorised in Firefox or other browsers. Do not save passwords in the web browser, even with a master password. They take the encrypted file and decrypt it with a tool; it is very easy.
The causes are pretty well covered in the rest of this thread, and through other sources.
The current attack of the Gumblar virus and variants appears to originate from users' PCs becoming infected and giving away their FTP login details. These details are then used by a botnet to download and re-upload files to their web space, as well as sometimes uploading other files, most frequently "image.php".
I am assuming the FTP details are being sniffed in transit, as I seem to have had users of several FTP clients affected. It also doesn't appear to be a keylogger, as I've had reports from a client who has the passwords stored and as such never types, or even pastes, them. Because of these assumptions, clients only using SFTP shouldn't have any trouble from this (for now at least).
The only solution is to change all passwords and clean the infected computer and website. I've seen reports that Malwarebytes is effective at cleaning this from an infected PC.
Do we have any reports of situations where only SFTP was used to connect to the server, and the malware iframe was still injected? If so, probably a PHP script was uploaded via the CMS.
If there are no such situations (with SFTP), we can think about FTP or root passwords.
More statistics from people with sites infected with this kind of script would be very good (reports from owners of hosting companies with these problems will be helpful). You do it for yourself and for your customers.
More statistics here please, to identify a pattern.
It seems the method has changed: they log in from one IP, download the file, log out, then log in again from a different IP and upload the infected file. Is there a way to stop this?
Jul 1 16:33:42 ourserver pure-ftpd: (?@86.29.5.222) [INFO] username is now logged in
Jul 1 16:33:44 ourserver pure-ftpd: (username@86.29.5.222) [NOTICE] /home/username//public_html/index.php downloaded (8491 bytes, 121958.51KB/sec)
Jul 1 16:33:45 ourserver pure-ftpd: (username@86.29.5.222) [INFO] Logout.
Jul 1 16:33:49 ourserver pure-ftpd: (?@89.135.109.49) [INFO] username is now logged in
Jul 1 16:33:51 ourserver pure-ftpd: (username@89.135.109.49) [NOTICE] /home/username//public_html/index.php uploaded (8335 bytes, 15.44KB/sec)
Jul 1 16:33:51 ourserver pure-ftpd: (username@89.135.109.49) [INFO] Logout.
Jul 1 16:33:55 ourserver pure-ftpd: (?@92.68.94.237) [INFO] username is now logged in
Jul 1 16:33:56 ourserver pure-ftpd: (username@92.68.94.237) [NOTICE] /home/username//public_html/index2.php downloaded (5031 bytes, 236.04KB/sec)
Jul 1 16:33:57 ourserver pure-ftpd: (username@92.68.94.237) [INFO] Logout.
Jul 1 16:34:02 ourserver pure-ftpd: (?@114.76.89.138) [INFO] username is now logged in
Jul 1 16:34:08 ourserver pure-ftpd: (username@114.76.89.138) [NOTICE] /home/username//public_html/index2.php uploaded (4993 bytes, 4.85KB/sec)
Jul 1 16:34:09 ourserver pure-ftpd: (username@114.76.89.138) [INFO] Logout.
Jul 1 16:34:16 ourserver pure-ftpd: (?@79.138.237.213) [INFO] username is now logged in
Jul 1 16:34:21 ourserver pure-ftpd: (username@79.138.237.213) [NOTICE] /home/username//public_html/indexx.php downloaded (8327 bytes, 282.24KB/sec)
Jul 1 16:34:23 ourserver pure-ftpd: (username@79.138.237.213) [INFO] Logout.
Jul 1 16:34:28 ourserver pure-ftpd: (?@61.202.127.182) [INFO] username is now logged in
Jul 1 16:34:33 ourserver pure-ftpd: (username@61.202.127.182) [NOTICE] /home/username//public_html/indexx.php uploaded (8175 bytes, 5.99KB/sec)
Jul 1 16:34:33 ourserver pure-ftpd: (username@61.202.127.182) [INFO] Logout.
Whplus - Web Hosting Murah
http://www.whplus.com
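The sequence whplus pasted (the account downloads a file from one address, then a few seconds later the same account uploads the same path from a different address) is mechanical enough to pick out of the log automatically. The script below is an added example for this thread, not code posted by anyone in it: it parses pure-ftpd syslog lines in the format shown above, flags every upload that follows a download of the same path by the same account from a different IP within a short window, and counts how many distinct addresses each account logged in from. The sample log is constructed (RFC 5737 documentation addresses, made-up account names), and the 120-second window and the year 2009 are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the pure-ftpd syslog lines quoted in the
# thread. Addresses are RFC 5737 documentation ranges; account names are made up.
SAMPLE_LOG = """\
Jul  1 16:33:42 ourserver pure-ftpd: (?@192.0.2.10) [INFO] alice is now logged in
Jul  1 16:33:44 ourserver pure-ftpd: (alice@192.0.2.10) [NOTICE] /home/alice//public_html/index.php downloaded (8491 bytes, 121958.51KB/sec)
Jul  1 16:33:45 ourserver pure-ftpd: (alice@192.0.2.10) [INFO] Logout.
Jul  1 16:33:49 ourserver pure-ftpd: (?@198.51.100.7) [INFO] alice is now logged in
Jul  1 16:33:51 ourserver pure-ftpd: (alice@198.51.100.7) [NOTICE] /home/alice//public_html/index.php uploaded (8335 bytes, 15.44KB/sec)
Jul  1 16:33:51 ourserver pure-ftpd: (alice@198.51.100.7) [INFO] Logout.
Jul  1 16:33:55 ourserver pure-ftpd: (?@203.0.113.9) [INFO] alice is now logged in
Jul  1 16:33:56 ourserver pure-ftpd: (alice@203.0.113.9) [NOTICE] /home/alice//public_html/index2.php downloaded (5031 bytes, 236.04KB/sec)
Jul  1 16:33:57 ourserver pure-ftpd: (alice@203.0.113.9) [INFO] Logout.
Jul  1 16:34:02 ourserver pure-ftpd: (?@192.0.2.77) [INFO] alice is now logged in
Jul  1 16:34:08 ourserver pure-ftpd: (alice@192.0.2.77) [NOTICE] /home/alice//public_html/index2.php uploaded (4993 bytes, 4.85KB/sec)
Jul  1 16:34:09 ourserver pure-ftpd: (alice@192.0.2.77) [INFO] Logout.
Jul  1 17:10:02 ourserver pure-ftpd: (?@198.51.100.20) [INFO] bob is now logged in
Jul  1 17:10:05 ourserver pure-ftpd: (bob@198.51.100.20) [NOTICE] /home/bob//public_html/index.html downloaded (2048 bytes, 100.00KB/sec)
Jul  1 17:12:30 ourserver pure-ftpd: (bob@198.51.100.20) [NOTICE] /home/bob//public_html/index.html uploaded (2100 bytes, 50.00KB/sec)
Jul  1 17:12:31 ourserver pure-ftpd: (bob@198.51.100.20) [INFO] Logout.
"""

# "<Mon> <day> <hh:mm:ss> <host> pure-ftpd: (<user>@<ip>) [<LEVEL>] <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+pure-ftpd:\s+\((?P<user>[^@]+)@(?P<ip>[^)]+)\)\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
# Transfer message: "<path> downloaded|uploaded (<n> bytes, ...)"
XFER_RE = re.compile(r"^(?P<path>\S+)\s+(?P<dir>downloaded|uploaded)\s+\((?P<bytes>\d+) bytes")
# Login message; the user field in the prefix is still "?" on this line.
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")


def parse_line(line, year):
    """Return {ts, user, ip, msg} for a pure-ftpd syslog line, or None.
    Syslog omits the year, so the caller supplies it (an assumption here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "msg": m["msg"]}


def find_ip_swapped_rewrites(log_text, window_seconds=120, year=2009):
    """Flag every upload of a path that the same account downloaded shortly
    before from a DIFFERENT address (download-from-A, upload-from-B).
    Same-address edits, like a human using an FTP client, are not flagged."""
    last_download = {}  # (user, path) -> (timestamp, ip)
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        x = XFER_RE.match(ev["msg"])
        if x is None:
            continue
        key = (ev["user"], x["path"])
        if x["dir"] == "downloaded":
            last_download[key] = (ev["ts"], ev["ip"])
            continue
        prev = last_download.get(key)
        if prev is None:
            continue
        prev_ts, prev_ip = prev
        delta = (ev["ts"] - prev_ts).total_seconds()
        if prev_ip != ev["ip"] and 0 <= delta <= window_seconds:
            findings.append({
                "user": ev["user"], "path": x["path"],
                "download_ip": prev_ip, "upload_ip": ev["ip"],
                "seconds": int(delta), "uploaded_bytes": int(x["bytes"]),
            })
    return findings


def distinct_ips_per_user(log_text, year=2009):
    """Second signal: number of different addresses each account logged in from.
    A botnet replaying one stolen password shows as one user, many addresses."""
    ips = {}
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        m = LOGIN_RE.match(ev["msg"])
        if m:
            ips.setdefault(m["user"], set()).add(ev["ip"])
    return {user: len(addrs) for user, addrs in ips.items()}


if __name__ == "__main__":
    for f in find_ip_swapped_rewrites(SAMPLE_LOG):
        print(f"{f['user']}: {f['path']} pulled from {f['download_ip']}, "
              f"pushed back from {f['upload_ip']} {f['seconds']}s later")
    print(distinct_ips_per_user(SAMPLE_LOG))
```

Run against the syslog file that pure-ftpd writes to, the output is the list of accounts whose password has to be treated as stolen; the distinct-address count is the cheaper signal to alert on while the rewrite check is the one that is hard to trigger by accident.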
I found an interesting thread; things get interesting starting with post #25.
Read all posts by user Richard_Bennett, very interesting...
Since this forum sometimes goes offline, I'm pasting Richard_Bennett's post quoted above...
Very good indeed
----
Gathering from the IP address posted by Impartial, it looks like the site was infected by a 'drive-by download' used for spreading banking trojans.
These are generally not targeted at specific sites, but take advantage of known weaknesses in software like Drupal or Joomla to infect a site with an 'iframe attack'.
When a Windows user visits the site (Apple and Linux are currently not targeted) the iframe attack will attempt to download a trojan (like Sinowal or Torpig) onto their computer.
This trojan then installs itself onto the victim's master boot record, and during boot it attaches to a legitimate Windows process. This is known as a 'bootkit' and makes it very hard to detect by anti-virus software.
You can try to scan your system with GMER - Rootkit Detector and Remover which can have a degree of success in detecting them.
The trojan then remains active in the background monitoring the computer. Any passwords for email, FTP, websites, online banking etc are logged and sent 'home'. Specialised hacks are downloaded to prompt the user for additional information (like your ATM pincode etc) while the user is doing their online banking.
Often the administrator of a web-site becomes infected themselves, their admin passwords for the websites or FTP are stolen, and the websites are re-infected with an iframe attack simply using the admins credentials.
I presented a research paper on this last month at an OWASP security meeting. The paper and slides should be online in the next few weeks, I'll post a link when they are - it is almost as compelling reading as the economy.
Of course this hack could have a different cause... there are many possibilities.
Best regards.
-----------
FeeL Buarque
SysAdmin.
Hello there..
One of my Brazilian clients using the "OI ISP" had problems logging in. He was using the 187.xxx IP.
187 Brazil IP range - Google Search
You should add 187 too!
Good Luck
-----------
FeeL Buarque
SysAdmin.
I just wanted to jump in and add my statistics to the thread. I run 8 cpanel/whm servers located in three datacenters in the US. Instances of this hack were applied to 6 of my servers on the Mornings of July 2 and 3.
After discovering the initial hacked site on the 4th, I was able to locate infected files using the following command:
Code:
grep -rl "<script>check_content()</script>" /home/*
That snippet was the only consistent code I could find in the hacked files (located at the end of the modified line).
After I gathered the list of files across the 6 servers, the only consistent finding was that it only infected .htm, .html, and .php files. Sometimes every file inside that user's directory, sometimes only a few, and always at least a couple of files from the webalizer and webalizerftp folders. The code was found on the last line of the file and the attacker did not seem to be creating new lines, just appending to what was there.
The attack was made through FTP, one account at a time, using the account's password. No brute force was detected.
We have since modified passwords and sanitized the files. I've been running the grep daily and no more infected files have been found.
My theory: Trojan/rootkit/keylogger-type virus on a user's PC simply gathering ftp credentials. I did have a few clients call in the few weeks prior asking why their anti-virus software said they had a Trojan-horse.
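The observations in the post above (only .htm/.html/.php touched, payload appended to the existing last line, the `<script>check_content()</script>` fragment the only constant) are enough to turn the `grep -rl` into something that excludes non-web files and, where a pre-infection backup exists, recovers exactly what was appended and restores only the files that differ by that append. The following is an added example written for this thread, not the poster's own tooling. The sample tree it builds is constructed, and the existence of a clean backup copy of each account's files is an assumption; a file that differs from its backup in any other way is reported but not touched.

```python
import os
import shutil
import tempfile
from datetime import datetime

# Fragment quoted in the thread as the one consistent piece of the injected code.
MARKER = '<script>check_content()</script>'
# File types the poster found affected; anything else (logs, .txt) is ignored.
EXTS = ('.htm', '.html', '.php')


def last_line(path):
    """Return the last non-empty line of a file, decoded leniently."""
    with open(path, 'rb') as fh:
        lines = fh.read().decode('utf-8', errors='replace').splitlines()
    return lines[-1] if lines else ''


def find_injected(root, marker=MARKER, exts=EXTS):
    """Walk `root`; return sorted (relative path, mtime) for every web file whose
    last line carries `marker`. Narrower than `grep -rl marker /home/*`, which
    also hits logs and notes that merely mention the string."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            if marker in last_line(full):
                mtime = datetime.fromtimestamp(os.path.getmtime(full))
                hits.append((os.path.relpath(full, root), mtime))
    return sorted(hits)


def appended_suffix(live_path, backup_path):
    """If the live file is the backup plus text appended to its final line,
    return that text ('' when identical). Return None when the files differ in
    any other way, so a deeper modification is never mistaken for an append."""
    with open(live_path, 'rb') as fh:
        live = fh.read().decode('utf-8', errors='replace')
    with open(backup_path, 'rb') as fh:
        clean = fh.read().decode('utf-8', errors='replace')
    prefix = clean.rstrip('\r\n')
    if not live.startswith(prefix):
        return None
    tail = live[len(prefix):].rstrip('\r\n')
    if '\n' in tail or '\r' in tail:
        return None  # new lines were added, not a same-line append
    return tail


def restore_if_injected(live_path, backup_path, marker=MARKER):
    """Overwrite the live file with its backup only when the difference is a
    same-line append that contains `marker`. Returns True when restored."""
    tail = appended_suffix(live_path, backup_path)
    if tail and marker in tail:
        shutil.copy2(backup_path, live_path)
        return True
    return False


def demo():
    """Build a constructed public_html tree plus its pre-infection backup, scan,
    analyse the appended tails, restore, and rescan. All content is made up."""
    base = tempfile.mkdtemp(prefix='ftp-inject-')
    live, backup = os.path.join(base, 'public_html'), os.path.join(base, 'backup')
    clean_html = '<html>\n<body>\n<p>hello</p>\n</body>\n</html>\n'
    clean_php = "<?php\necho 'hi';\n"
    # Constructed payload: a script body followed by the marker, glued to the last line.
    payload = '<script>function check_content(){}</script>' + MARKER
    files = {  # rel path -> (backup content, current live content)
        'index.html': (clean_html, clean_html.rstrip('\n') + payload + '\n'),          # infected
        'index.php': (clean_php, clean_php),                                            # untouched
        'webalizer/usage.html': (clean_html, clean_html.rstrip('\n') + payload + '\n'),  # infected stats page
        'notes.txt': ('seen ' + MARKER + '\n', 'seen ' + MARKER + '\n'),                # grep hit, wrong extension
        'contact.html': (clean_html, clean_html.replace('hello', 'bye')),               # edited some other way
    }
    for rel, (clean, current) in files.items():
        for root, text in ((backup, clean), (live, current)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w') as fh:
                fh.write(text)
    hits = [rel for rel, _mtime in find_injected(live)]
    suffixes = {rel: appended_suffix(os.path.join(live, rel), os.path.join(backup, rel))
                for rel in files}
    restored = [rel for rel in files
                if restore_if_injected(os.path.join(live, rel), os.path.join(backup, rel))]
    hits_after = [rel for rel, _mtime in find_injected(live)]
    return {'hits': hits, 'suffixes': suffixes, 'restored': restored,
            'hits_after': hits_after, 'payload': payload}


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The mtime that `find_injected` returns is the other thing worth keeping: correlated with the FTP log it gives the login that wrote the file, and therefore the address and the account whose password to rotate.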