  #1 Radio_Head (Member; forum account confirmed by cPanel staff to represent a vendor; joined Feb 2002; 2,064 posts)

    hacker INTRUSION, PLEASE READ

    Hello,

    I am under attack from some Indonesian group with these IP addresses:

    202.134.2.20
    202.159.4.154
    202.159.4.137

    They were able to create an ftp account with the user demo
    in /etc/proftpd
    (the user used for my cPanel demo account).

    I still have to understand HOW they were able to create this ftp account.

    Once they gained ftp access they first installed a php shell (phpmyshell), so they were able to go around the server and do some damage on client accounts.

    I removed the ftp demo account and I set php to safe_mode to disable the usage of programs like phpmyshell.

    Today they were able to re-create the ftp demo user (!)
    and installed a CGI shell this time (!) http://www.rohitab.com/cgiscripts/cgitelnet.html

    In the same way they attempted to do damage between clients.

    I am trying to understand how they can create the ftp demo account; does anyone have any idea, or has anyone had this bad experience?
    Since they insist on creating the demo ftp account (the account used for the cPanel demo), probably there is a vulnerability in the cPanel demo which permits creating ftp users on the demo account.

    And, is there any way to block the use of dangerous programs like
    http://www.rohitab.com/cgiscripts/cgitelnet.html ??

    Can anyone tell me some link to report the hacker intrusion?

    Thanks a lot
    Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
    ASSP Deluxe is supported by Fritz Borgstedt, ASSP main developer.

  #2 ozzi4648 (Guest)

    Originally posted by Radio_Head (post #1, quoted in full)

    I posted about this problem a while back. The fix was deployed by cPanel very quickly in one of the new releases, and that was to restrict ftp access to any account specified as demo. Did you upgrade to that version? Also, you should place the user ID of the demo account in ftpusers just to be sure that nobody can ftp to a demo account.

    Next, I have restricted all of Asia from even accessing my website. The decision was made a long time ago when we had countless people from Asia charging up thousands of dollars in fraudulent credit card charges. I placed the following in my .htaccess file. It restricts Asia from even connecting to my main site:


    The Asians have nothing better to do than to go around hacking and cracking sites. They seem to have so much time on their hands.

    Another thing you should do now that your server has been compromised is to check for rootkits. Install chkrootkit, downloadable from their site. If you follow the link in my signature you will find instructions on how to install this software to check for signs of a rootkit on your server. You should also follow the documentation called "HAS YOUR LINUX BOX BEEN CRACKED", also on my site.

    Go into /usr/sbin and do an ls -la. Make sure your binaries are all owned by root. If they are not, you have possible rootkits installed. Also check /usr/bin. Again make sure all binaries are owned only by root.

    Check for hidden directories, use this command:

    find / -xdev -name ".*" -print | cat -v

    Usually they will be placed in /tmp or /dev but could be anywhere.

    You said they keep creating accounts. Possible rootkit installed. They probably could have opened port 1524, which is hidden from view when you type netstat -an. Rootkitted! I have a feeling they already have a way to get into your system whether you like it or not.

    Other things to do: Change your root password immediately, either from WHM or from root. If they are getting into WHM then they can lock you out permanently.

    Check SSH: Make sure that the only way to ssh to your box is through admin followed by su to root. This is a very basic security measure. It's better to set ROOTLOGINS = NO. This way nobody can ssh to your box as root and they are forced to use two passwords instead of just one. Again, this is something that needs to be set up carefully.

    One last thing, if you don't have a decent firewall installed then you're really asking for trouble. Try Bastille. It works great on cPanel.

    One other thing, you could e-mail me; I would be happy to check your server out for you. My forte is cracked systems, and I stop them dead in their tracks. Usually I can sniff out the damage and stop them from continuing the damage.

    Good luck!
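
    The checks ozzi4648 lists above, collected into a script as an added example (not code from the post, from cPanel or from chkrootkit): each check is a function that takes its path as an argument, so it can be run on the live box or on copies of its files. All paths and the sample files used to try it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: the checks ozzi4648 lists above as
# shell functions taking their paths as arguments, so they can run against
# the live box or against saved copies of its files. Paths are assumptions.

# Regular files in DIR not owned by root (the /usr/sbin and /usr/bin check);
# any hit should be compared with a trusted copy of the package.
non_root_owned() {
    find "$1" -maxdepth 1 -type f ! -user root 2>/dev/null
}

# Dot-named files and directories below DIR without leaving its filesystem
# (the "find / -name .*" check, usually aimed at /tmp and /dev).
hidden_entries() {
    find "$1" -xdev -mindepth 1 -name '.*' 2>/dev/null
}

# Succeeds when USER is listed on a non-comment line of an ftpusers file,
# i.e. the FTP daemon will refuse that account (the demo user here).
ftpusers_has() {
    grep -v '^[[:space:]]*#' "$2" | grep -qx "$1"
}

# Effective PermitRootLogin in an sshd_config; sshd keeps the first
# uncommented occurrence and ignores later ones.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Listening TCP ports from a saved "netstat -an" listing (pass "-" for
# stdin), so a listing taken on the live box can be diffed against one
# taken from a rescue system, which is where a hidden port shows up.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, /[:.]/); print a[n] }' "$1" \
        | sort -un
}

# Run all checks against the live system:  sh checks.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== binaries not owned by root =="; non_root_owned /usr/sbin; non_root_owned /usr/bin
    echo "== hidden entries =="; hidden_entries /tmp; hidden_entries /dev
    echo "== demo user in /etc/ftpusers =="; ftpusers_has demo /etc/ftpusers && echo yes || echo NO
    echo "== PermitRootLogin =="; permit_root_login /etc/ssh/sshd_config
    echo "== listening TCP ports =="; netstat -an | listening_ports -
fi
```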

  #3 (Member; joined Feb 2002; 74 posts)

    I think it is a bad idea to put up a demo of your control panel on a live server. Multiple screenshots work fine, and if you want to show your clients a demo, just direct them to cPanel's site.

    Anyway... I would possibly put up a demo account on a server that has nothing else on it... but it would seem rather silly to pay the cPanel license fee every month just to have a demo...

  #4 Radio_Head (Member; joined Feb 2002; 2,064 posts)

    Thanks a lot!! (It seems they didn't create a lot of damage.)

    However, how could I be safe from this kind of perl script?

    http://www.rohitab.com/cgiscripts/cgitelnet.html

  #5 cass (Member; joined Jul 2002; Argentina/USA/Mexico; 354 posts)

    oh btw...
    you may want to disable telnet...
    and keep only SSH running on a specified IP and PORT (non-standard)

    if you give ssh to your clients... well...
    but if you don't, you can hide ssh as much as possible this way, and disable telnet! it's buggy.

    Regards.
    Carlos Ariel Sepúlveda
    CAS company :: 1997-2011, 14 Years! :: Dedicated Attitude
    http://www.cascompany.com :: Providing CPANEL/WHM Servers since 2002 !

  #6 ozzi4648 (Guest)

    Originally posted by Radio_Head:

    Thanks a lot!! (It seems they didn't create a lot of damage.)

    However, how could I be safe from this kind of perl script?

    http://www.rohitab.com/cgiscripts/cgitelnet.html

    What? How do you know what damage was done? If they are getting in and installing scripts then they are either getting into your system through a backdoor they created, or you have serious security issues, services you have left open and not closed, where they are getting in. Besides, this program allows them to execute commands on the server. So since they already got in I would be very uneasy about saying, "They didn't do much damage". Wow, very comforting picture http://www.rohitab.com/viewsnap.html?cgiscripts/cgitel-login.gif
    and they can see everything http://www.rohitab.com/viewsnap.html?cgiscripts/cgitel-unix.gif

    It also tells me you have no firewall on this server, otherwise they could not have used this program at all!

  #7 Radio_Head (Member; joined Feb 2002; 2,064 posts)

    Originally posted by cass:

    oh btw...
    you may want to disable telnet...
    and keep only SSH running on a specified IP and PORT (non-standard)

    if you give ssh to your clients... well...
    but if you don't, you can hide ssh as much as possible this way, and disable telnet! it's buggy.

    Regards.

    The program above is not a client shell, and ssh is disabled.
    phpMyShell and the program above are respectively a php and a perl
    script which "emulate" ssh without having ssh enabled.
    You can avoid phpmyshell by enabling php safe mode, but it doesn't seem possible to avoid the usage of a cgi shell emulator such as the program above.

  #8 Radio_Head (Member; joined Feb 2002; 2,064 posts)

    Originally posted by ozzi4648 (post #6, quoted in full)

    I performed some searches and analyzed the log files.
    The usage of the php and cgi shells is logged, so I know perfectly what they have done. Dialtone (my server provider) helped
    me to investigate for open ports and other problems which could have been caused, but nothing has been found.

    Then I followed the instructions on your site (great site) and installed chkrootkit-0.38. No infected file was found.

    Now I am trying to understand 2 things:

    1) How to be safe from a perl script which emulates ssh (such as the program above)...?

    2) How could it be possible for the hacker to create an ftp account from the control panel demo...?!?

    ozzi4648, your http://linux.cvf.net site is great, I am learning a lot.
    About Bastille, it seems to be an alpha version; could I mess up the server with it? May I remove it if something goes wrong?

    Does PMFirewall work fine on Bastille?

    Thank you!
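
    Radio_Head says above that the use of the php and cgi shells is in the logs. As an added example (not code from the thread, from cPanel or from either shell's author), this script pulls web-shell style requests out of an Apache access log, lists the client IPs behind them and decodes the commands they carried, so the damage can be reconstructed in order. The log lines, script names and IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an Apache access log for
# requests to PHP/CGI web shells such as the ones discussed above, and
# recover what was run. Script names, IPs and log lines are constructed.

# Constructed sample in combined log format (four lines, two of them shell use).
SAMPLE_LOG='203.0.113.5 - - [12/Jan/2004:10:00:01 +0000] "GET /index.php HTTP/1.0" 200 512 "-" "Mozilla"
203.0.113.5 - - [12/Jan/2004:10:00:09 +0000] "GET /demo/phpmyshell.php?cmd=uname+-a HTTP/1.0" 200 1024 "-" "Mozilla"
203.0.113.5 - - [12/Jan/2004:10:01:12 +0000] "POST /cgi-bin/cgitelnet.cgi?command=ls+-la+%2Fhome HTTP/1.0" 200 2048 "-" "Mozilla"
198.51.100.7 - - [12/Jan/2004:10:02:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 4096 "-" "Mozilla"'

# Requests to a .php or .cgi script whose query string carries a command
# parameter (cmd=, command=, c=), the front-end shape of these shells.
shell_requests() {
    grep -E '"(GET|POST) [^" ]*\.(php|cgi)\?([^" ]*&)?(cmd|command|c)=' "$1"
}

# Client IPs behind those requests, busiest first (count, then address).
attacker_ips() {
    shell_requests "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Decode "+" and %XX URL encoding with plain POSIX awk (no gawk extensions).
urldecode() {
    awk 'BEGIN { hex = "0123456789abcdef" }
         { s = $0; gsub(/\+/, " ", s); out = ""
           while (match(s, /%[0-9a-fA-F][0-9a-fA-F]/)) {
               out = out substr(s, 1, RSTART - 1)
               h = tolower(substr(s, RSTART + 1, 2))
               v = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
               out = out sprintf("%c", v)
               s = substr(s, RSTART + 3)
           }
           print out s }'
}

# The decoded commands one client IP sent, in log order ($7 is the request path).
commands_for() {
    shell_requests "$2" | awk -v ip="$1" '$1 == ip { print $7 }' \
        | sed -E 's/.*[?&](cmd|command|c)=//; s/&.*//' | urldecode
}

# Demo on the constructed sample:  sh triage.sh --demo
# On a real box:  attacker_ips /var/log/httpd/access_log  (path is an assumption)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" > /tmp/sample_access.log
    attacker_ips /tmp/sample_access.log
    commands_for 203.0.113.5 /tmp/sample_access.log
fi
```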

  #9 Radio_Head (Member; joined Feb 2002; 2,064 posts)

    Anyone installed PMFirewall or Bastille ?

  #10 dgbaker (Moderator, cPanel Partner NOC; joined Sep 2002; Toronto, Ontario Canada; 2,773 posts)

    Originally posted by Radio_Head:

    Anyone installed PMFirewall or Bastille?

    We had/have Bastille running; the reason I say "had" is that after our last kernel upgrade Bastille no longer functions on some of our servers, and I have yet to re-install it. For some reason it can no longer find the iptables nat table.

    Bastille does take some work to maintain, especially for setting up which ports are to be opened or closed. But it does work extremely well otherwise.
    Regards,
    David
    Forum Moderator

  #11 Solokron (Member; joined Aug 2003; 783 posts)

    I just had a user using smssend. I installed it and of course warned them I would have to disable it if the load became excessive and if it was found used for SPAM etc. etc.

    It ended up taking up the load on the processor extensively. And then IMAP was down for approx. ten minutes according to websitepulse. After suspending the account and removing smssend I found in their directory phpshell, JSP File Browser, a proxy txt file and some irc crap.

    For more information on php shell check out http://www.gimpster.com/wiki/PhpShell

    Besides PHP safe mode, does anyone have any ideas on killing off these new users of phpshell and myshell?

  #12 (Member; joined Dec 2001; 1,558 posts)

    Originally posted by Solokron
    Besides PHP Safe mode, does anyone have any ideas on killing off these new users of phpshell and myshell?
    Search here and on Google for mod_security.
    Beau Henderson

  #13 (Member; joined Jun 2003; Bulgaria; 131 posts)

  #14 Solokron (Member; joined Aug 2003; 783 posts)

    This looks better than the admin0 forum. Thanks Dreamer!

    Originally posted by Dreamer
    http://www.webhostgear.com/62.html

  #15 (Member; joined Jun 2003; Bulgaria; 131 posts)

    Originally posted by Solokron
    This looks better than the admin0 forum. Thanks Dreamer!
    Browse the site for other interesting how-tos. Everything is as simplified as possible, which makes it damn easy to implement.
