  1. #1
    Member
    Join Date
    Jan 2005
    Posts
    12

    CGI - Hacking?

    Hey guys!

    I have a quick question.
    A customer of mine has claimed that he has been hacked via CGI scripts (namely entropymail.cgi IIRC). Anyhow, this user claims that someone has gone in, run a command which tarred up their whole home dir and then moved it to a place where someone could download it (i.e. into the public_html folder).

    First of all, is this plausible?
    Here's what the hacker allegedly used:
    Code:
    entropymail.cgi?|tar -cf user.tar /home/user/|
    Now, I am sceptical that it would be so easy to hack something which is built into cPanel (I know for a fact this user hadn't installed/used anything), but there's also the possibility that they have signed up for an account themselves (the hacker, that is) and they have then used the aforementioned CGI thing to exploit this user's site.

    What I want to know is: is this possible, and if so, how would I go about fixing this massive security hole?

    - MARK

  2. #2
    chirpy (Super Moderator; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    I cannot find a script called entropymail.cgi on my servers, is this a script that the user installed themselves, or have you got the wrong script name?
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    Jan 2005
    Posts
    12

    hey chirpy,

    I have looked also, and I can't see anything called entropymail, but I believe he used one of the entropy scripts on the servers. Although, this is a dude who got hacked asking the hacker how he did it. It turns out the hacker did sign up to our company, and it looks as though he has installed phpmyadmin and somehow obtained all the files in the person's home directory.

    Not only am I worried about the security of the server, I don't like people's source files getting leaked. Hence why I came here for advice.

    This user signed up for a small plan, which DIDN'T have CGI enabled. So I can only say that it was an inbuilt script.
    Since then I have disabled all of cPanel's inbuilt CGI stuff via the feature manager thing. For some reason I can't get rid of cgiemail though.

  4. #4
    AndyReed (cPanel Partner NOC)
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    I suggest you run rkhunter and chkrootkit to make sure that your server is not vulnerable. Data forensics is really time consuming and exhausting. If you think that your server is unsecure, OS reload is your best option.
    Andy Reed
    RHCE and CCNA
    ServerTune.com
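
A log check for the request shape quoted in the first post, as an added example that is not part of the thread or of cPanel's own tooling: it scans web access logs for `.cgi` requests whose query string, once URL-decoded, contains shell command syntax such as `|`. It assumes Apache common/combined log format; the function names, the `/cgi-bin/` path, the IP addresses and the timestamps in the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>[^"]*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')
# Characters the shell treats as command syntax. A lone "&" is excluded
# because it is the ordinary query-string separator.
SHELL_META = re.compile(r'[|;`<>\n]|\$\(|&&')

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded '|' (%257C) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cgi_requests(lines):
    """Return (host, time, status, path, decoded_query) for each flagged hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith(".cgi"):
            continue  # only CGI endpoints are of interest here
        query = decode_fully(query)
        if SHELL_META.search(query):
            hits.append((m.group("host"), m.group("time"),
                         m.group("status"), path, query))
    return hits

# Constructed sample lines; the /cgi-bin/ path, IPs and times are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2005:21:40:01 +0000] "GET /cgi-bin/entropymail.cgi?|tar%20-cf%20user.tar%20/home/user/| HTTP/1.1" 200 512',
    '192.0.2.10 - - [14/Feb/2005:21:41:10 +0000] "GET /cgi-bin/entropymail.cgi?%257Ctar%2520-cf%2520user.tar%2520/home/user/%257C HTTP/1.1" 200 87',
    '198.51.100.7 - - [14/Feb/2005:21:42:00 +0000] "GET /cgi-bin/search.cgi?q=backup+tar&page=2 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [14/Feb/2005:21:43:00 +0000] "GET /index.php?x=a|b HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in suspicious_cgi_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 only shows that the request was served, not that a command ran; pair it with a search for unexpected archives under public_html around the same timestamps.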
