jsnape

Well-Known Member
Mar 11, 2002
174
0
316
Seems to be a single script running the sites I checked - one thing in common:
Powered by MemberStar

A google hacking - mod_security rule should sheild servers somewhat.
 

LS_Drew

Well-Known Member
Feb 20, 2003
187
0
166
I'm pretty confident that there's something 0day out there. I don't know the guy's name, but there's someone that is literally terrorizing one of our dedicated customers. He can seemingly take over Cpanel accounts at will.

He's rooted 3 machines already. One of them twice.
 

cyberturk

Member
Jul 26, 2005
13
0
151
The script that is running on that adress, Is that a commercials script such as phpbb, modernbill etc or self writing script?
i gave it as a sample. This was kayako but there are lots of different servers and this guy is becoming root on server and change all of the index.html pages. You can saw them on WHT forum
 

rachweb

Well-Known Member
Jun 26, 2004
268
0
166
amsterdam
i gave it as a sample. This was kayako but there are lots of different servers and this guy is becoming root on server and change all of the index.html pages. You can saw them on WHT forum
The most problem is that users of commercials scripts not updating the script when a new version is released with many securtiy fixes. This have I seeing with our customers.

If there is a exploit on Cpanel then is best way to contact Cpanel directly.
 

LS_Drew

Well-Known Member
Feb 20, 2003
187
0
166
I have a question for any and all Cpanel server admins out there.

When you log into your machine as root and type:

last

How many of you see IP addresses in the list that start with 82. ?
 

Dillard

Well-Known Member
Feb 26, 2003
114
0
166
The Netherlands
Hmm, one of those guys is attacking one of our Cpanel-servers (http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,HoLySeCuRity TeaM/)

Allthough we haven't been rooted he's scanning our IP's and trying all sorts of hackingtools for Joomla/phpBB/Coppermine etc.

So far I haven't found any solid trace in the logfiles of how he's operating (therefor I was also thinking of a 0day exploit), but I continueing to look around.

They seem to operate from Turkey; IP's 88.232.xxx.xxx and 88.234.xxx.xxx (same provider)

Any addon's/updates are greatly appreciated!
 

DaveUsedToWorkHere

Well-Known Member
Dec 28, 2001
689
1
318
Please contact us with any information that is found about these attacks that can help prevent future attacks. Point fo entry information being high up on the usefulness list. Thanks
 

Dillard

Well-Known Member
Feb 26, 2003
114
0
166
The Netherlands
No, we don't offer Fantastico.

@Davedark: we still not sure how to got in. It was a simple defacement (the server itself was not comprimised) but in the logs there's no clue pointing to what they did (or which account is used to inject a php-shell for example).

Because together we know more :) I will share some findings, perhaps one of you has a clue:

- Somehow they scanned some accounts on world-writable directories. In these directories they placed a index.html. By most accounts this was done only to one of the subdirectories, like admin, images or sortlike.
- The structure of the index.html was very simple, no HTML-tags were used, it was a one-liner. The owner was nobody, which indicates that it was done through PHP (Perl would give the 'user' ownership).
- Because of the simplicity of the index.html I expect they didn't downloaded it (wget is disabled for non-wheel users) but used something like 'echo "Hacked By FataLStyLe / [www.sniper-forum.org] [www.holysecurity.org] msn:[email protected]" > /homedir/index.html'

Since the file had 'nobody' as user, I expect PHP to be used (phpshell?), but since we have an openbase-dir in place, this doesn't make any sense. The only way to come around openbasedir is to attack the main account of the server (which points to /var/www).

Again: haven't found anything in the logfiles yet. Since the timeline matches up, I don't expect them to been able to alter the logfiles (the defacement itself was basic, this would implicated much more knowledge and access on our server).

If they injected some malicious PHP-code they must have used POST, since that's much harder to track in your logfiles.

Perhaps to got into a Joomla-site and uploaded some code, perhaps they found a flaw in some application, we're not sure.

Any suggestion is appreciated!
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Was the directory itself writable to 'nobody'? If so, any account on the system could have overwritten/replaced the file. This is a really good reason to use phpsuexec if you've never looked at it - could save you a lot of time.
 

Dillard

Well-Known Member
Feb 26, 2003
114
0
166
The Netherlands
Yes, some directories of clients were on world-writable. But although we can't prevent to "guard the house, while the door is open", I'm still curious how they abused on of the accounts on my server to let a small shell-script run.

We looked into phpsuexec a long time ago, but it gave a lot of problems to PHP-applications. I've heard good stories about mod_ruid, so I will take a look into this.
 

celliott

Well-Known Member
Jan 2, 2006
460
0
166
United Kingdom
One of my servers got attacked through OpenSSL I think as it was running 0.9.7a and since cPanel reports it as the latest version I never thought to update it..

Updated to 0.9.8d now and cleared up the mess he made. Seems good now.
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Yes, some directories of clients were on world-writable. But although we can't prevent to "guard the house, while the door is open", I'm still curious how they abused on of the accounts on my server to let a small shell-script run.
If all your PHP scripts run as nobody, no abuse is needed as such; they already have write permission to ANYTHING in ANY ACCOUNT owned by nobody, or anything with generic write permission. This is one reason why phpsuexec is so important; without it every user on your host currently has access to at least read every other user's PHP files, including database passwords. It just doesn't make sense. Not that there aren't problems with phpsuexec - mainly performance, and some minor code changes needed in VERY unusual circumstances (ie PHP_AUTH_USER) - but they are much less than the problems without it.

We looked into phpsuexec a long time ago, but it gave a lot of problems to PHP-applications. I've heard good stories about mod_ruid, so I will take a look into this.
The problems caused by phpsuexec fall into two main categories once you understand the issues -- permission problems, and problems with .htaccess php_value / php_* directives. The permissions problem is easily solved with a few chowns and I think cpanel provides a script for that. The php_value problem is also easy to solve. You'll find only one in a hundred (or less) accounts uses php_* directives in .htaccess files, so there will be few to fix, and the fix is simply to move the directive after the php_value command into a php.ini file in each directory you want affected. There are quite a few threads on this in forums.cpanel.net and it's worth checking there; also you can hire one of the smart dudes (configserver.com, platinumservers, or rack911) to do the changeover for you - they should be able to do it in a few hours if you have less than 1000 accounts on the server. Check out the forums and you'll find others agreeing with me.

If you're using cpanel, it's a waste of time reinventing the wheel by checking out mod_ruid - even if it's better, it's always wisest to stick with what's standard. Standard is better than better! -- an old programming maxim, but it's just as true now as it ever was.
 

Adrnalnrsh

Well-Known Member
Apr 6, 2005
74
0
156
AZ
Some of you guys may think I am crazy, but the first thing I do is add them (hacker, provided it's a deface and they advertise their IM) to my instant messenger list and contact them. I find out what they did, some tell you some don't. Regardless, PHP needs to be locked down, mod_security with a grip of rules needs to be in place, using CSF & LFD, also running LSM and having egress/outbound filtering in the firewall helps. LFD with the mod_sec feature is the tits.
 

PPNSteve

Well-Known Member
Mar 13, 2003
413
3
168
Somewhere in Ilex Forest
cPanel Access Level
Root Administrator
Twitter
Seems to be a single script running the sites I checked - one thing in common:
Powered by MemberStar

A google hacking - mod_security rule should sheild servers somewhat.
anyone have a good rule or 2 to add to the mod_security config?