The Community Forums


Anyone attacked by JaMaYcKa?

Discussion in 'General Discussion' started by cyberturk, Dec 24, 2006.

  1. cyberturk

    cyberturk Member

  2. jsnape

    jsnape Well-Known Member

    Seems to be a single script running the sites I checked - one thing in common:
    Powered by MemberStar

    A google hacking - mod_security rule should shield servers somewhat.
     
  3. cyberturk

    cyberturk Member

    hmms this guy has been hacking lots of cPanel sites for 2-3 days

    http://www.vertivo.com/support/

    I saw this on WHT; you can search other sites with his nick for the last 2-3 days.
     
  4. LS_Drew

    LS_Drew Well-Known Member

    I'm pretty confident that there's something 0day out there. I don't know the guy's name, but there's someone that is literally terrorizing one of our dedicated customers. He can seemingly take over Cpanel accounts at will.

    He's rooted 3 machines already. One of them twice.
     
  5. rachweb

    rachweb Well-Known Member

    Location:
    amsterdam
    The script that is running on that address, is that a commercial script such as phpBB, ModernBill etc. or a self-written script?
     
    #5 rachweb, Dec 24, 2006
    Last edited: Dec 24, 2006
  6. cyberturk

    cyberturk Member

    I gave it as a sample. This one was Kayako, but there are lots of different servers, and this guy is becoming root on the server and changing all of the index.html pages. You can see them on the WHT forum.
     
  7. rachweb

    rachweb Well-Known Member

    Location:
    amsterdam
    The biggest problem is that users of commercial scripts don't update the script when a new version is released with many security fixes. I have seen this with our customers.

    If there is an exploit in cPanel then the best way is to contact cPanel directly.
     
  8. LS_Drew

    LS_Drew Well-Known Member

    I have a question for any and all Cpanel server admins out there.

    When you log into your machine as root and type:

    last

    How many of you see IP addresses in the list that start with 82. ?
     
  9. rachweb

    rachweb Well-Known Member

    Location:
    amsterdam
    There is no 1 on my servers ;)
     
  10. Dillard

    Dillard Well-Known Member

    Location:
    The Netherlands
    Hmm, one of those guys is attacking one of our Cpanel-servers (http://www.zone-h.org/component/option,com_attacks/Itemid,45/filter_defacer,HoLySeCuRity TeaM/)

    Although we haven't been rooted, he's scanning our IPs and trying all sorts of hacking tools for Joomla/phpBB/Coppermine etc.

    So far I haven't found any solid trace in the logfiles of how he's operating (therefore I was also thinking of a 0day exploit), but I'm continuing to look around.

    They seem to operate from Turkey; IPs 88.232.xxx.xxx and 88.234.xxx.xxx (same provider).

    Any addons/updates are greatly appreciated!
     
  11. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Please contact us with any information that is found about these attacks that can help prevent future attacks. Point of entry information is high up on the usefulness list. Thanks
     
  12. ramprage

    ramprage Well-Known Member

    Location:
    Canada
    Were those affected running Fantastico?
     
  13. Dillard

    Dillard Well-Known Member

    Location:
    The Netherlands
    No, we don't offer Fantastico.

    @Davedark: we're still not sure how they got in. It was a simple defacement (the server itself was not compromised) but in the logs there's no clue pointing to what they did (or which account was used to inject a PHP shell, for example).

    Because together we know more :) I will share some findings, perhaps one of you has a clue:

    - Somehow they scanned some accounts for world-writable directories. In these directories they placed an index.html. In most accounts this was done only to one of the subdirectories, like admin, images or suchlike.
    - The structure of the index.html was very simple, no HTML tags were used, it was a one-liner. The owner was nobody, which indicates that it was done through PHP (Perl would give the 'user' ownership).
    - Because of the simplicity of the index.html I expect they didn't download it (wget is disabled for non-wheel users) but used something like 'echo "Hacked By FataLStyLe / [www.sniper-forum.org] [www.holysecurity.org] msn:admin@sniper-forum.org" > /homedir/index.html'

    Since the file had 'nobody' as user, I expect PHP to have been used (phpshell?), but since we have open_basedir in place, this doesn't make any sense. The only way to get around open_basedir is to attack the main account of the server (which points to /var/www).

    Again: haven't found anything in the logfiles yet. Since the timeline matches up, I don't expect them to have been able to alter the logfiles (the defacement itself was basic; this would have implied much more knowledge and access on our server).

    If they injected some malicious PHP code they must have used POST, since that's much harder to track in your logfiles.

    Perhaps they got into a Joomla site and uploaded some code, perhaps they found a flaw in some application; we're not sure.

    Any suggestion is appreciated!
     
  14. brianoz

    brianoz Well-Known Member

    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Was the directory itself writable to 'nobody'? If so, any account on the system could have overwritten/replaced the file. This is a really good reason to use phpsuexec if you've never looked at it - could save you a lot of time.
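    A small audit for the two conditions Dillard and brianoz describe: directories that any script running as the shared web-server user (nobody) could write into, and a bare one-line index.html dropped into such a place. This is an added example, not code from any poster or from cPanel; the helper names, the directory layout and the demo tree are constructed, and the owner is only reported (not checked for "nobody") so it also runs as an unprivileged user.

```shell
#!/bin/sh
# Audit account document roots (assumed layout: <root>/<account>/public_html)
# for the defacement pattern discussed in the thread. Hypothetical helper.

# List directories under $1 that are writable by "other" (mode o+w): with
# all PHP running as nobody, every account on the box can write here.
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# List index.html files under $1 modified in the last $2 minutes that hold
# at most one line and no HTML tag at all, and show who owns each one.
# (A bare one-liner owned by nobody matches the defacement described.)
find_suspect_index_files() {
    find "$1" -type f -name index.html -mmin "-$2" 2>/dev/null |
    while IFS= read -r f; do
        lines=$(wc -l < "$f" | tr -d ' ')
        if [ "$lines" -le 1 ] && ! grep -q '<' "$f"; then
            # GNU stat first, BSD/macOS stat as fallback
            owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
            printf '%s owner=%s\n' "$f" "$owner"
        fi
    done
}

# Demo on a constructed tree standing in for /home; prints the findings
# and the temporary root so it can be removed afterwards.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/acct1/public_html/images" "$root/acct2/public_html/admin"
    chmod o+w "$root/acct1/public_html/images"          # the open door
    printf 'Hacked By example\n' > "$root/acct1/public_html/images/index.html"
    printf '<html><body>ok</body></html>\n' > "$root/acct2/public_html/index.html"
    echo "world-writable directories:"
    find_world_writable_dirs "$root"
    echo "suspect index.html files (last 60 min):"
    find_suspect_index_files "$root" 60
    echo "demo tree: $root"
}

demo
```

    On a real server, run the two functions against /home (or wherever the accounts live) and compare the owner column against the web-server user.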
     
  15. Dillard

    Dillard Well-Known Member

    Location:
    The Netherlands
    Yes, some directories of clients were world-writable. But although we can't prevent someone "guarding the house while the door is open", I'm still curious how they abused one of the accounts on my server to let a small shell script run.

    We looked into phpsuexec a long time ago, but it gave a lot of problems to PHP-applications. I've heard good stories about mod_ruid, so I will take a look into this.
     
  16. celliott

    celliott Well-Known Member

    Location:
    United Kingdom
    One of my servers got attacked through OpenSSL I think as it was running 0.9.7a and since cPanel reports it as the latest version I never thought to update it..

    Updated to 0.9.8d now and cleared up the mess he made. Seems good now.
     
  17. brianoz

    brianoz Well-Known Member

    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    If all your PHP scripts run as nobody, no abuse is needed as such; they already have write permission to ANYTHING in ANY ACCOUNT owned by nobody, or anything with generic write permission. This is one reason why phpsuexec is so important; without it every user on your host currently has access to at least read every other user's PHP files, including database passwords. It just doesn't make sense. Not that there aren't problems with phpsuexec - mainly performance, and some minor code changes needed in VERY unusual circumstances (ie PHP_AUTH_USER) - but they are much less than the problems without it.

    The problems caused by phpsuexec fall into two main categories once you understand the issues -- permission problems, and problems with .htaccess php_value / php_* directives. The permissions problem is easily solved with a few chowns and I think cpanel provides a script for that. The php_value problem is also easy to solve. You'll find only one in a hundred (or less) accounts uses php_* directives in .htaccess files, so there will be few to fix, and the fix is simply to move the directive after the php_value command into a php.ini file in each directory you want affected. There are quite a few threads on this in forums.cpanel.net and it's worth checking there; also you can hire one of the smart dudes (configserver.com, platinumservers, or rack911) to do the changeover for you - they should be able to do it in a few hours if you have less than 1000 accounts on the server. Check out the forums and you'll find others agreeing with me.

    If you're using cpanel, it's a waste of time reinventing the wheel by checking out mod_ruid - even if it's better, it's always wisest to stick with what's standard. Standard is better than better! -- an old programming maxim, but it's just as true now as it ever was.
     
  18. Adrnalnrsh

    Adrnalnrsh Well-Known Member

    Location:
    AZ
    Some of you guys may think I am crazy, but the first thing I do is add them (hacker, provided it's a deface and they advertise their IM) to my instant messenger list and contact them. I find out what they did, some tell you some don't. Regardless, PHP needs to be locked down, mod_security with a grip of rules needs to be in place, using CSF & LFD, also running LSM and having egress/outbound filtering in the firewall helps. LFD with the mod_sec feature is the tits.
     
  19. Kelmas

    Kelmas Well-Known Member

    Location:
    Lithuania
    How? Using cPanel?
     
  20. PPNSteve

    PPNSteve Well-Known Member

    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    anyone have a good rule or 2 to add to the mod_security config?
     