The Community Forums


CGI - Hacking?

Discussion in 'General Discussion' started by MarkReaktor7, May 22, 2005.

  1. MarkReaktor7

    MarkReaktor7 Member

    Joined:
    Jan 6, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hey guys!

    I have a quick question.
    A customer of mine has claimed that he has been hacked via CGI scripts (namely entropymail.cgi, IIRC). Anyhow, this user claims that someone has gone in, run a command which tarred up their whole home dir and then moved it to a place that someone could download it (i.e. into the public_html folder).

    First of all, is this plausible?
    Here's what the hacker allegedly used:
    Code:
    entropymail.cgi?|tar -cf user.tar /home/user/|
    
    Now, I am sceptical that it would be so easy to hack something which is built into cPanel (I know for a fact this user hadn't installed/used anything), but there's also the possibility that they have signed up for an account themselves (the hacker, that is) and then used the aforementioned CGI thing to exploit this user's site.

    What I want to know is: is this possible, and if so, how would I go about fixing this massive security hole?

    - MARK
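    The pipe-in-the-query-string pattern quoted above is the classic Perl two-argument open() bug. The following is an added example, not part of the original post and not the code of any cPanel script (the script named in the thread is not reproduced; read_template() and the template= parameter are hypothetical stand-ins, and the payload is constructed). In the two-argument form the string itself selects the mode: a trailing | runs the rest as a command and reads its output, a leading | pipes into a command, and a leading > or >> truncates or appends a file. The hardened version uses three-argument open() with a fixed read mode and reduces the parameter to a whitelisted identifier before it touches the filesystem.

```perl
#!/usr/bin/perl
# Added example: Perl two-argument open() command injection and its fix.
# Not cPanel's code. read_template_*() and the "template" parameter are
# hypothetical; the payload below is constructed for the demonstration.
use strict;
use warnings;

# VULNERABLE: two-argument open() lets the *data* choose the mode.
# A value ending in "|" is executed as a command and its output is read.
sub read_template_vulnerable {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";   # mode comes from $name
    local $/;                                          # slurp whole handle
    my $body = <$fh>;
    close $fh;
    return $body;
}

# HARDENED: explicit read mode, and the value is reduced to a safe
# identifier (letters, digits, "_" and "-", at most 64 chars) first, so
# "|", ">", "/" and ".." can never reach open().
sub read_template_safe {
    my ($name, $base) = @_;
    return "rejected: bad template name\n"
        unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    my $path = "$base/$1.tmpl";                        # fixed base dir + extension
    open(my $fh, '<', $path) or return "open failed: $!\n";
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Demo. A real request would deliver this as QUERY_STRING
# (e.g. script.cgi?template=<value>); here the value is inlined.
my $payload = 'echo INJECTED as $(id -un)|';          # trailing "|" => read-pipe open
print "vulnerable: ", read_template_vulnerable($payload);
print "safe:       ", read_template_safe($payload, '/tmp');
```

    Run it with perl: the vulnerable call prints the output of the injected echo command, while the hardened call rejects the same value. Running a CGI under perl -T (taint mode) would also make Perl refuse the piped open with tainted data ("Insecure dependency in piped open"), which is a useful second line of defence but not a substitute for the explicit mode and the whitelist.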
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I cannot find a script called entropymail.cgi on my servers. Is this a script that the user installed themselves, or have you got the wrong script name?
     
  3. MarkReaktor7

    MarkReaktor7 Member

    Joined:
    Jan 6, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hey chirpy,

    I have looked also, and I can't see anything called entropymail, but I believe he used one of the entropy scripts on the servers. Although, this is a dude who got hacked asking the hacker how he did it. It turns out the hacker did sign up with our company, and it looks as though he has installed phpMyAdmin and somehow obtained all the files in the person's home directory.

    Not only am I worried about the security of the server, I don't like people's source files getting leaked. Hence why I came here for advice.

    This user signed up for a small plan, which DIDN'T have CGI enabled. So I can only say that it was an inbuilt script.
    Since then I have disabled all of cPanel's inbuilt CGI stuff via the Feature Manager thing. For some reason I can't get rid of cgiemail though.
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    I suggest you run rkhunter and chkrootkit to make sure that your server is not vulnerable. Data forensics is really time consuming and exhausting. If you think that your server is insecure, an OS reload is your best option.
     