The Community Forums


Account hacked many times.Help urgent!

Discussion in 'Security' started by filth80, Feb 13, 2011.

  1. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Hello, the account of one client is hacked many times in a day. He is running the latest version of php fusion. The attacker replaces the index.php with index.html. I tried changing the password for ftp, cpanel, etc, but no chance. What can I do to help him? Please help, I need it urgently.
     
  2. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Install maldet and scan with it:

    For installing:
    Code:
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz; tar -xzf maldetect-current.tar.gz; cd maldetect-*; ./install.sh
    For scanning:
    Code:
    maldet --scan-all /home?/USER/public_html
    Replace USER with the account's username, or replace the whole path with the path to his files.
     
  3. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for this, great tool, but sadly it was no help. It didn't find anything on scan.
     
  4. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    Make sure that you scanned properly. We had the same problem; since we have been using it, everything is working fine. Our DC installed it and scanned the entire server and found some suspected files, which we got removed from the server; thereafter everything has been working fine.
     
  5. Cindu

    Cindu Well-Known Member

    Joined:
    Feb 7, 2011
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    Yes, you need to scan the entire server. Also please check whether your /tmp partition is secured and whether there are any scripts running in it.
    It will also be good if you enable open_basedir protection on the server.
     
  6. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    I used this command to scan the entire server and found nothing:
    Code:
    maldet --scan-all /home?/?/public_html
    Is this command not good? open_basedir protection is enabled.
     
    #6 filth80, Feb 14, 2011
    Last edited: Feb 14, 2011
  7. Cindu

    Cindu Well-Known Member

    Joined:
    Feb 7, 2011
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I can see that the command is correct. Don't you get a log file or hits for the infected files? If so, it seems there are no vulnerable files on the server. You also need to check the logs of the services to see how this has been done!
     
  8. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    I rescanned and found 2 infected files. I removed them and for now everything seems OK. I'll keep you informed. Thanks for your great help, I appreciate it.
     
  9. Cindu

    Cindu Well-Known Member

    Joined:
    Feb 7, 2011
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    You are entirely welcome and it is good to hear that now everything seems to be okay! Keep us informed! Cheers!
     
  10. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    As I told you, maldet is such a nice and useful tool.
     
  11. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    The hacker attacked again. He is using a c99 shell. How can I protect against it? Please help! I'm desperate.
     
  12. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you reviewed the domlogs for the domain to see how this attacker keeps accessing the account? Check the timestamps of the uploaded files, then go through the domlogs at /usr/local/apache/domlogs/domain.com to see what command was passed to which script to get onto the account. Disable that script or have the user update it to a secure version.

    Next, are you allowing register_globals to be on? If so, switch it off in the php.ini file.

    Finally, the next time you see the processes running for that user, do not kill them (if you have been doing so); first run lsof -p on the process and also cat the environment details to get which script they attacked, where they uploaded files and what they are doing:

    Code:
    lsof -p PID#
    Where PID# is the PID of the process for the user that is running perl or whatever script. This will show the libraries and what the script is doing.

    Code:
    cat /proc/PID#/environ
    Again, here PID# is the PID of that user's process for the perl script. This will show the environment data for the process, which shows which script they passed commands into to upload file(s) onto the account.

    If you cannot get the account secured, you probably simply need to have them entirely wipe their account and start fresh, or suspend their account.

    Thanks.
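The process and file-timestamp triage cPanelTristan lays out above, as an added example that is not part of the original thread and not cPanel's own tooling: it reads /proc directly to collect what `ps aux | grep user`, `lsof -p PID#` and `cat /proc/PID#/environ` would show for every process the account owns, picks out the Apache/PHP variables that tie a process to the web request that spawned it, lists recently modified files under public_html, and turns each file's mtime into the pair of domlog timestamps to search between. The username, the paths and the sample environ blob are assumptions; listing real processes needs Linux and enough privilege to read the user's /proc entries.

```python
"""Process and timestamp triage for a compromised hosting account.
Added example, not cPanel's code.  Reads /proc instead of shelling out to
ps/lsof; username, paths and SAMPLE_ENVIRON below are assumptions."""
import os
import pwd
import sys
import time
from datetime import datetime, timedelta, timezone

# Variables Apache/PHP hand to a child process.  If a shell or perl process
# owned by the account carries these, a web request spawned it, and they name
# the script that was abused and the client address that called it.
WEB_KEYS = ("REMOTE_ADDR", "REQUEST_URI", "SCRIPT_FILENAME",
            "QUERY_STRING", "HTTP_USER_AGENT", "PWD")

def parse_environ(blob):
    """Turn the NUL-separated bytes of /proc/PID/environ into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:  # skips the empty trailing element and malformed entries
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def web_context(env):
    """The subset of an environment that links a process to a web request."""
    return {k: env[k] for k in WEB_KEYS if k in env}

def user_processes(username):
    """For every process owned by username: pid, command line, the web-request
    variables from its environment and the targets of its open fds (Linux)."""
    uid = pwd.getpwnam(username).pw_uid
    found = []
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        base = f"/proc/{pid}"
        try:
            if os.stat(base).st_uid != uid:
                continue
            with open(f"{base}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"{base}/environ", "rb") as f:
                env = parse_environ(f.read())
            open_files = []
            for fd in os.listdir(f"{base}/fd"):
                try:
                    open_files.append(os.readlink(f"{base}/fd/{fd}"))
                except OSError:
                    pass
        except OSError:
            continue  # process exited meanwhile, or not readable
        found.append({"pid": int(pid), "cmd": cmd,
                      "web": web_context(env), "files": open_files})
    return found

def domlog_window(mtime, minutes=5, utc_offset_hours=None):
    """Convert a file mtime (epoch seconds) into the two timestamps, in the
    domlog's 16/Feb/2011:15:32:40 style, between which to read the log.
    utc_offset_hours=None uses the local zone, which is what the domlog uses."""
    tz = None if utc_offset_hours is None else timezone(timedelta(hours=utc_offset_hours))
    t = datetime.fromtimestamp(mtime, tz)
    delta = timedelta(minutes=minutes)
    fmt = "%d/%b/%Y:%H:%M:%S"
    return (t - delta).strftime(fmt), (t + delta).strftime(fmt)

def recently_changed(root, hours=24, now=None):
    """(mtime, path) for files under root modified in the last `hours`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, path))
    return sorted(hits, reverse=True)

# Constructed sample of what /proc/PID/environ holds for a shell spawned by PHP.
SAMPLE_ENVIRON = (b"PATH=/usr/bin:/bin\0REMOTE_ADDR=203.0.113.7\0"
                  b"REQUEST_URI=/themes/c99.php?act=ls\0"
                  b"SCRIPT_FILENAME=/home/example/public_html/themes/c99.php\0"
                  b"PWD=/home/example/public_html/themes\0")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        user = sys.argv[1]
        for p in user_processes(user):
            print(p["pid"], p["cmd"])
            for k, v in p["web"].items():
                print(f"    {k}={v}")
            for path in p["files"]:
                print(f"    open: {path}")
        for mtime, path in recently_changed(f"/home/{user}/public_html")[:20]:
            lo, hi = domlog_window(mtime)
            print(f"{path}: read the domlog between {lo} and {hi}")
    else:
        print(web_context(parse_environ(SAMPLE_ENVIRON)))
```

Run it as root with the account name as the only argument; without an argument it just decodes the constructed sample. The point of `web_context` is the one cPanelTristan makes: a process whose environment carries REQUEST_URI and SCRIPT_FILENAME was started by Apache, so those two values say which script was abused, and REMOTE_ADDR plus the domlog window around the file's mtime say where to read next.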
     
  13. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    register_globals is off. The thing is, I'm not online when the attacker is doing it. I can access the logs but I can't understand them; I mean, everything seems OK. If I install mod_security, will it help? And how do I install the rules for mod_security? Thank you.

    LE: I found some lines in the logs with the attacker's IP, but I don't understand how he did the attack. I found a "c99.php" file in the logs. If anyone can help me, I'll PM the log to him. Please help.
     
    #13 filth80, Feb 16, 2011
    Last edited: Feb 16, 2011
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are you killing the processes, or checking the processes for that user to see if any are running? When the account is hacked, the very first thing that should be done is to check for suspicious processes by that user:

    Code:
    ps aux | grep username
    Then run the lsof and cat commands I noted to get the details on the process and what script was hit. You also need to view the timestamps for the file(s) uploaded and go through the domlogs for those specific times.

    As for not understanding the logs, what is not understood specifically about them? They normally look like this and are pretty straightforward:

    The 12.12.12.12 is the IP, the date is the date, the GET part is the action and the script the action was performed on, along with the protocol being HTTP/1.1; the 200 is the status code (200 is success; you can see a list of codes at this location), the 14423 is the size, the http portion is the URL that called the GET action, and the Mozilla portion contains the browser and operating system details.

    Finally, mod_security is installable via EasyApache (Apache Update) in WHM or using /scripts/easyapache in root SSH, with the default rulesets we provide.
     
  15. mambovince

    mambovince Well-Known Member

    Joined:
    Jan 15, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    London, UK
  16. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    This is the part of the logs when the attacker appeared yesterday:

    62.42.192.56 - - [16/Feb/2011:15:11:05 +0200] "GET / HTTP/1.1" 200 19744 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:11 +0200] "GET /news HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:11 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:11 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:12 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover/styles.css HTTP/1.1" 200 6863 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /images/favicon.ico HTTP/1.1" 200 1598 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /infusions/user_info_panel/uip_css.css HTTP/1.1" 200 123 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:15 +0200] "GET /news.php HTTP/1.1" 200 20734 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover/images/bullet.png HTTP/1.1" 200 4016 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover//fader.js HTTP/1.1" 200 5229 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /includes/lib_ignas2526.js HTTP/1.1" 404 - "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /includes/jquery.js HTTP/1.1" 200 72173 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /includes/jscript.js HTTP/1.1" 200 5843 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /includes/lib_ignas2526.js HTTP/1.1" 404 - "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/printer.gif HTTP/1.1" 200 83 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/2.gif HTTP/1.1" 200 241 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/3.gif HTTP/1.1" 200 292 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/panel_on.gif HTTP/1.1" 200 355 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/bullet.gif HTTP/1.1" 200 296 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /images/smiley/smile.gif HTTP/1.1" 200 854 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /images/hi5.jpg HTTP/1.1" 200 11099 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/nav-bg.png HTTP/1.1" 200 585 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/nav-up.png HTTP/1.1" 200 1663 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /images/facebook.jpg HTTP/1.1" 200 5003 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/side_left.png HTTP/1.1" 200 278 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/welcome.gif HTTP/1.1" 200 42409 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/stiri.png HTTP/1.1" 200 95 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/meniu.png HTTP/1.1" 200 16029 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /images/news/top.jpg HTTP/1.1" 200 59610 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/capmain.png HTTP/1.1" 200 1893 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /images/youtube.jpg HTTP/1.1" 200 9870 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /asculta.m3u HTTP/1.1" 200 100 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/stiri.jpg HTTP/1.1" 200 10694 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/header.swf HTTP/1.1" 200 277994 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/button.png HTTP/1.1" 200 9092 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/side_right.png HTTP/1.1" 200 278 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:19 +0200] "GET /themes/UnderCover/images/backgroundfooter.png HTTP/1.1" 200 2270 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/fundal.jpg HTTP/1.1" 200 2192757 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

    And this is the part where "c99" appears:


    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php HTTP/1.1" 200 6286 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=home HTTP/1.1" 200 209 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=search HTTP/1.1" 200 250 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=forward HTTP/1.1" 200 119 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=refresh HTTP/1.1" 200 200 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=back HTTP/1.1" 200 119 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=up HTTP/1.1" 200 199 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=buffer HTTP/1.1" 200 163 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=sort_asc HTTP/1.1" 200 85 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=ext_lnk HTTP/1.1" 200 572 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=ext_diz HTTP/1.1" 200 1027 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=ext_php HTTP/1.1" 200 79 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=small_dir HTTP/1.1" 200 164 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=download HTTP/1.1" 404 - "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=change HTTP/1.1" 200 290 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=arrow_ltr HTTP/1.1" 200 88 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:42 +0200] "GET /themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 7014 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_htaccess HTTP/1.1" 200 117 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=download HTTP/1.1" 200 161 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_jpg HTTP/1.1" 200 175 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_pls HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_m3u HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_gif HTTP/1.1" 200 175 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_html HTTP/1.1" 200 230 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_swf HTTP/1.1" 200 254 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_eml HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
    62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_error_log HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

    Any suggestions? It might be from some sort of uploading application in php-fusion which my client is using? And another question: can this be done if the attacker knew the admin password for php-fusion? Because the FTP and cPanel passwords were changed several times using the password generator in WHM, but without success.
     
    #16 filth80, Feb 17, 2011
    Last edited: Feb 17, 2011
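The log reading cPanelTristan describes in post #14 and the question filth80 asks of the lines in post #16 ("how did he do it?"), as an added example that is not part of the thread and not cPanel's or php-fusion's code: a parser for the Apache combined format (IP, identd, user, timestamp, request, status, size, referer, agent), a pair of defender-side checks for a single request (a PHP file executing from a directory that should only hold static content; an absolute filesystem path arriving in the query string, which is what the `d=%2Fhome%2F...` parameter above is), and a triage pass that, for each client IP, reports the first flagged request and everything that IP sent in the preceding window, since the request that planted the file is usually in that window. The sample lines are constructed in the posted format (documentation IP, example host, a placeholder POST) and the STATIC_DIRS list is an assumption about the php-fusion layout.

```python
"""Apache combined-log triage.  Added example, not cPanel's code.
Run against a real domlog:  python domlog_triage.py /usr/local/apache/domlogs/domain.com
With no argument it runs over the constructed SAMPLE lines below."""
import re
import sys
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# One regex for the combined format described in the thread.
COMBINED = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Directories that should only ever serve static files.  Assumption for a
# php-fusion install; adjust to the application you are looking at.
STATIC_DIRS = ("/themes/", "/images/", "/uploads/")

def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["path"])
    rec["script"] = url.path
    # parse_qs percent-decodes, so %2Fhome%2F... comes back as /home/...
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def suspicious(rec):
    """Reasons one request deserves a look; an empty list means none."""
    reasons = []
    script = rec["script"]
    if script.endswith(".php") and script.startswith(STATIC_DIRS) and rec["status"] == 200:
        reasons.append("PHP executed from a static-content directory")
    if any(v.startswith(("/home/", "/etc/", "/tmp/")) for v in rec["query"].values()):
        reasons.append("absolute filesystem path passed in the query string")
    return reasons

def triage(lines, window_minutes=30):
    """Per client IP: the first flagged request, why, and every request that
    IP made in the window before it (look at POSTs and 200s to scripts there)."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    recs.sort(key=lambda r: r["time"])
    report = {}
    for r in recs:
        why = suspicious(r)
        if why and r["ip"] not in report:
            start = r["time"] - timedelta(minutes=window_minutes)
            before = [p for p in recs
                      if p["ip"] == r["ip"] and start <= p["time"] < r["time"]]
            report[r["ip"]] = {"first_hit": r["script"], "at": r["time"],
                               "reasons": why, "before": before}
    return report

# Constructed sample in the posted format.  The POST to /submit.php is a
# placeholder for whatever write the real window shows, not a known vector.
SAMPLE = """\
203.0.113.7 - - [16/Feb/2011:15:11:05 +0200] "GET / HTTP/1.1" 200 19744 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2011:15:11:15 +0200] "GET /news.php HTTP/1.1" 200 20734 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2011:15:20:02 +0200] "POST /submit.php HTTP/1.1" 302 - "http://www.example.org/news.php" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php HTTP/1.1" 200 6286 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2011:15:32:42 +0200] "GET /themes/c99.php?act=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 7014 "http://www.example.org/themes/c99.php" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2011:15:30:00 +0200] "GET /themes/UnderCover/styles.css HTTP/1.1" 200 6863 "http://www.example.org/news.php" "Mozilla/5.0"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE.splitlines()
    for ip, info in triage(lines).items():
        print(f"{ip}: first flagged request {info['first_hit']} at "
              f"{info['at']:%Y-%m-%d %H:%M:%S} ({'; '.join(info['reasons'])})")
        for p in info["before"]:
            print(f"    {p['time']:%H:%M:%S} {p['method']} {p['path']} -> {p['status']}")
```

Two design points: the checks are allowlist-shaped (where PHP may run, what a query value may look like) rather than a list of shell names, so a renamed c99.php is caught just the same; and the report deliberately stops at "what did this IP do in the half hour before its first flagged request", because that is the question the thread is stuck on, and the answer is in those lines, not in the shell's own `act=` traffic that follows.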
  17. LinuxTechie

    LinuxTechie Well-Known Member

    Joined:
    Jan 22, 2011
    Messages:
    502
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    Please block the IP ASAP. Did you install mod_security on the server? As it is a web-based firewall, it will help to resolve this issue.
     
    #17 LinuxTechie, Feb 17, 2011
    Last edited: Feb 17, 2011
  18. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    I blocked the IP, but he could use a proxy, I guess. I installed mod_security, but how do I configure it? I have it in plugins in WHM, but how do I add the rules? What do I need to add in httpd.conf, and where?
     
    #18 filth80, Feb 17, 2011
    Last edited: Feb 17, 2011
  19. LinuxTechie

    LinuxTechie Well-Known Member

    Joined:
    Jan 22, 2011
    Messages:
    502
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    It seems CXS costs money, but it's worth it too. It is always good to install mod_security on a production server, and it is free of cost.
     
  20. filth80

    filth80 Well-Known Member

    Joined:
    Dec 11, 2009
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Yes, this is what I'm trying to do. I installed mod_security, but how can I configure it and how do I add rules?
     