  1. #121
    cPanel Partner NOC cPanel Partner NOC Badge rvskin's Avatar
    Join Date
    Feb 2003
    Posts
    397

    Default

    Is anyone using RVSkin?

    I had my server hacked last night from a .tr address and the hacker went through my ENTIRE user list, using cPanel itself.

    A snippet from my /usr/local/cpanel/logs file shows;

    Why would a hacker bother to upload a file through the cPanel File Manager when he already has the cPanel username and password? Being able to FTP to the server can do a lot more damage than hacking through the cPanel interface. There must be a reason behind it. Is it possible that one of your resellers has a weak password and got hacked? And the hacker knows you are using cPanel, so they just browse to the cPanel accounts using the reseller password and jump around to other accounts.
    RVSkin, a great experience for you, resellers and clients!
    http://www.RVSkin.com - The Most Intelligent Cpanel Skin, 23 Languages included.
    http://www.RVSiteBuilder.com - Website Builder for Hosting Provider.
    http://www.cPanelLicense.com - External cPanel License.

  2. #122
    Member
    Join Date
    Sep 2003
    Location
    UK, Luton
    Posts
    197

    Default

    None of our servers have RVSkin installed.
    Regards,
    James Smith
    UH Hosting Ltd

  3. #123
    Member carock's Avatar
    Join Date
    Sep 2002
    Location
    St. Charles, MO
    Posts
    215

    Default

    One of my servers was attacked a few days ago and defaced several sites on the server.

    The entry point was osCommerce. One of my users installed it manually, and it does not have ANY security on the admin section. The attacker uploaded a PHP file by creating a new product and putting this file name in the image upload for the product.

    The PHP file is not named the same every time, but inside it is this c99shell.php. This creates a shell-type interface through the web browser, much like cPanel's file manager. They can browse through any directory with r-x perms. They are looking for files with world rw perms. Three other sites had files set with either 666 or 777 perms. One site was Joomla with 777 on a configuration file. They replaced the contents of that file with some HTML code displaying their "hacked by ..." On another site, they replaced the index.php file that had 666 perms.

    They were able to see all the accounts on the server by doing ls /home through that php shell script.

    According to the code in the script, you can see its origin here: http://ccteam.ru/releases/c99shell

    I told my users to restrict their file perms as much as their applications allow. I have also instructed them to properly secure any application they install without using the cPanel installer.

    These guys also have posted all their attacked sites at this place. http://www.zone-h.org/component/opti...cks/Itemid,45/

    Chuck
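    The post describes what the attacker's shell went looking for (666/777 files under /home) and the author's advice to tighten perms. As an added example, not code from the post, here is a small POSIX shell audit that lists world-writable files under a web root, scans .php files for a marker string (the "c99shell" name from the post; the "eval(base64_decode" pattern is an extra assumption of this example), and strips the world-write bit. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for the two things the
# post says the attacker went looking for -- world-writable files (666/777) and
# uploaded PHP files carrying a known web-shell marker -- then remove the
# world-write bit, which is the author's own advice to his users.

# Print every regular file under $1 that is writable by "other" (666, 777, ...).
find_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# Print every .php file under $1 containing a marker string. "c99shell" is the
# name given in the post; "eval(base64_decode" is a constructed extra pattern
# (an assumption of this example, not something the post reports).
find_shell_markers() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'c99shell|eval\(base64_decode' {} + 2>/dev/null | sort
}

# Strip the "other" write bit from every world-writable file under $1.
fix_world_writable() {
    find "$1" -type f -perm -002 -exec chmod o-w {} + 2>/dev/null
}

# Constructed sample tree: one clean page, one dropped shell with 666 perms,
# one Joomla-style configuration file with 777 perms (as in the post).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site1/images" "$dir/site2"
    printf '<?php echo "hello";\n' > "$dir/site1/index.php"
    printf '<?php /* c99shell marker, constructed */\n' > "$dir/site1/images/1.php"
    printf '<?php $cfg = 1;\n' > "$dir/site2/configuration.php"
    chmod 644 "$dir/site1/index.php"
    chmod 666 "$dir/site1/images/1.php"
    chmod 777 "$dir/site2/configuration.php"
    echo "$dir"
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "world-writable files:"; find_world_writable "$root"
    echo "files with shell markers:"; find_shell_markers "$root"
    fix_world_writable "$root"
    echo "world-writable after fix:"; find_world_writable "$root"
    rm -rf "$root"
fi
```

    Run it as `sh audit.sh --demo`, or point `find_world_writable /home` and `find_shell_markers /home` at a real tree. The marker scan is a quick triage aid only: a renamed or obfuscated shell will not carry the literal string, so the permission audit is the more dependable of the two checks.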

  4. #124
    Member
    Join Date
    Jul 2004
    Posts
    185

    Default

    Thanks for reporting this, although it is apparently not related to the issue we are discussing in this thread.

  5. #125
    Member Murtaza_t's Avatar
    Join Date
    Jan 2005
    Location
    Earth
    Posts
    471

    Default

    Damn... This is real BullSh*t.. How they get the FTP passwords is a huge question mark here....

    One of my friends got his server hacked yesterday in the same pattern.. The only difference on his server was he did not have "redirect to SSL ports" enabled in Tweak Settings, as some of his clients had problems accessing SSL ports; otherwise his server has the same security as ours.

    Is it cPanel..? But then how did Plesk servers with 1and1 get hacked..? Man, we really look like fools in front of hackers..

    I will look for more info and post here if I get any.

  6. #126
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    I believe they are able to get through via MS FrontPage. No one would be able to know all the accounts' passwords and simply FTP in/out as they wish.

    I would advise removing FrontPage from Apache and removing all extensions from all accounts completely.

  7. #127
    Member
    Join Date
    Jul 2004
    Posts
    185

    Default

    Quote Originally Posted by gundamz View Post
    I believe they are able to get through via MS FrontPage. No one would be able to know all the accounts' passwords and simply FTP in/out as they wish.

    I would advise removing FrontPage from Apache and removing all extensions from all accounts completely.
    Are you saying that you don't believe the exploit is obtaining many FTP user/pass combos to log in via FTP? Because that is exactly what is happening.

    Can you explain yourself please, why do you suspect FrontPage to the extent of advising complete removal of it from the server?

  8. #128
    Member
    Join Date
    Apr 2007
    Posts
    9

    Default

    Can anybody confirm they have had this problem but don't have FrontPage extensions turned on??

  9. #129
    Member
    Join Date
    Jul 2004
    Posts
    185

    Default

    Quote Originally Posted by fich View Post
    Can anybody confirm they have had this problem but don't have FrontPage extensions turned on??
    see iframe / javascript hacks?

  10. #130
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    But are you really sure extensions on each site have been removed?

  11. #131
    Member
    Join Date
    Jul 2004
    Posts
    185

    Default

    gundamz, can you answer my question please...thanks

  12. #132
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    Quote Originally Posted by jack01 View Post
    Are you saying that you don't believe the exploit is obtaining many FTP user/pass combos to log in via FTP? Because that is exactly what is happening.

    Can you explain yourself please, why do you suspect FrontPage to the extent of advising complete removal of it from the server?
    If you mean that there is an exploit in pure-ftpd, every cPanel server that used pure-ftpd would have been compromised. Why attack only a few servers?

    And the last exploit we know of is Microsoft FrontPage. This product is no longer supported by Microsoft and there are still a bunch of big security holes. I notice that pages hosted under a FrontPage-enabled account have their index page completely wiped out. Far worse than just an iframe insertion.

    They could have exploited the hole in FrontPage and done a turnaround to connect via FTP on the server. I am not sure how they do it, but I am sure they can't be getting all the FTP passwords so EASILY.

  13. #133
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    Quote Originally Posted by jack01 View Post
    Thanks for reporting this, although it is apparently not related to the issue we are discussing in this thread.
    How can you say this when no one knows what exactly is the cause? Having read through the entire thread again this morning, I see more evidence pointing to a two-stage PHP shell attack than any other explanation. Not understanding how you can so decisively dismiss this as a possible cause...

  14. #134
    Member
    Join Date
    Sep 2003
    Posts
    658

    Default

    Well...Here is some interesting stuff;

    http://www.securityfocus.com/archive...100/0/threaded

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2165

    http://securitytracker.com/alerts/2007/Apr/1017931.html

    The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd
    Last edited by easyhoster1; 04-27-2007 at 11:19 AM.
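    The advisory text quoted above names two conditions together: mod_sql accepting Plaintext via SQLAuthTypes, and more than one authentication module configured. As an added example, not code from the thread or from the ProFTPD project, here is a shell audit that flags both in a proftpd.conf. The directive names (AuthOrder, SQLAuthTypes, SQLAuthenticate) are real ProFTPD directives; the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the ProFTPD project): flag in a
# proftpd.conf the two conditions the CVE-2007-2165 advisory text combines --
# SQLAuthTypes allowing Plaintext in mod_sql, and more than one authentication
# module configured (AuthOrder). The sample configs below are constructed.

# Print the SQLAuthTypes values (empty if the directive is absent).
# Matching on the first field skips commented lines such as "# SQLAuthTypes".
sql_auth_types() {
    awk '$1 == "SQLAuthTypes" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Print how many modules AuthOrder lists (0 if absent).
auth_module_count() {
    awk '$1 == "AuthOrder" { n = NF - 1 } END { print n + 0 }' "$1"
}

# Print findings; return 0 if nothing was flagged, 1 otherwise.
audit_proftpd_conf() {
    rc=0
    case " $(sql_auth_types "$1") " in
        *" Plaintext "*) echo "WARN: SQLAuthTypes includes Plaintext"; rc=1 ;;
    esac
    if [ "$(auth_module_count "$1")" -gt 1 ]; then
        echo "WARN: more than one auth module in AuthOrder; needs a ProFTPD build from 20070417 or later"
        rc=1
    fi
    return $rc
}

# Constructed weak config: mod_sql with Plaintext plus the Unix auth module.
make_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server config
ServerName "sample"
AuthOrder mod_sql.c mod_auth_unix.c
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users
EOF
    echo "$f"
}

# Constructed hardened config: a single auth module, hashed passwords only.
make_hardened_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server config
ServerName "sample"
AuthOrder mod_sql.c
SQLAuthTypes Crypt
SQLAuthenticate users
EOF
    echo "$f"
}

# Stand-alone demo: sh proftpd_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for c in "$(make_weak_conf)" "$(make_hardened_conf)"; do
        audit_proftpd_conf "$c" && echo "$c: no findings"
        rm -f "$c"
    done
fi
```

    The second warning is only a prompt to check the build date, since the config alone cannot tell you whether the server carries the fix; `audit_proftpd_conf /etc/proftpd.conf` on a live box gives a quick yes/no before you go looking at the binary's version.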

  15. #135
    Member
    Join Date
    Jul 2004
    Posts
    185

    Default

    Quote Originally Posted by serversphere View Post
    How can you say this when no one knows what exactly is the cause? Having read through the entire thread again this morning I see more evidence pointing to a two staged PHP shell attack then any other explanation. Not understanding how you can so decisively dismiss this as a possible cause...
    OK, I was referring to carock's post, he suspects exploit of permissions on PHP files, but we have phpsuexec which does not even run PHP if perms are 777 etc. Also he seemed to be referring to defaced sites as opposed to the rather 'quiet' inline iframe pulling in of js etc.

    Also, as far as I understand, c99shell.php-type scripts still have to obey the open_basedir and safe_mode On directives, or am I missing something? With these security configs in place can phpshell still do 'ls /home' successfully?
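    On the question of whether a dropped PHP shell can still run 'ls /home' under open_basedir and safe_mode: open_basedir limits PHP's own file functions, but a command run through system(), exec() or the like is not subject to it, and safe_mode only confines executables to safe_mode_exec_dir. The setting that actually removes that capability is disable_functions. As an added example, not code from the thread, here is a shell audit of a php.ini for those two settings; the weak and hardened ini files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check a php.ini for the settings that
# decide what a dropped PHP shell can still do. open_basedir limits PHP's own
# file functions only; a command run through system()/exec() is not subject to
# it, so disable_functions is the control that stops 'ls /home' and similar.

# Print the value of an ini key (first uncommented match), trimmed.
ini_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# Print the command-execution functions NOT listed in disable_functions.
missing_disabled() {
    disabled=$(ini_value "$1" disable_functions | tr -d ' ')
    for fn in exec shell_exec system passthru popen proc_open; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# Print findings; return 0 if hardened, 1 if weak.
audit_php_ini() {
    rc=0
    [ -n "$(ini_value "$1" open_basedir)" ] || { echo "WARN: open_basedir not set"; rc=1; }
    missing=$(missing_disabled "$1")
    if [ -n "$missing" ]; then
        echo "WARN: exec functions still enabled: $(echo "$missing" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Constructed weak ini: nothing restricted.
make_weak_ini() {
    f=$(mktemp)
    printf '; constructed sample\nsafe_mode = Off\nopen_basedir =\ndisable_functions =\n' > "$f"
    echo "$f"
}

# Constructed hardened ini: open_basedir set and exec functions disabled.
make_hardened_ini() {
    f=$(mktemp)
    printf '; constructed sample\nsafe_mode = Off\nopen_basedir = /home/user/public_html:/tmp\ndisable_functions = exec,shell_exec,system,passthru,popen,proc_open\n' > "$f"
    echo "$f"
}

# Stand-alone demo: sh php_ini_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for ini in "$(make_weak_ini)" "$(make_hardened_ini)"; do
        audit_php_ini "$ini" && echo "$ini: no findings"
        rm -f "$ini"
    done
fi
```

    Under phpsuexec each account's own php.ini can override the global one, so run `audit_php_ini` against every php.ini that Apache will actually load, not just the server-wide copy.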
