Client Web Got Hack, how to clean my server

Discussion in 'General Discussion' started by rootlover, Apr 2, 2012.

  1. rootlover

    rootlover Member

    Joined:
    May 2, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Client Web Got Hack, how to clean my server

    Hello everyone,

    Recently my client got hacked by someone, but I think I have cleaned it up myself. I terminated the account and restored the backup, but I need more info on how to make sure that my server is clean of the hacker's files.

    I have the full PHP file that the hacker used to hack my client's website. If any cPanel forum moderator would like to see what this kind of source looks like, PM me and I will give you the source code.

    And maybe cPanel can deny or protect the server from this kind of malware script.

    Thanks
     
    #1 rootlover, Apr 2, 2012
    Last edited: Apr 2, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are you using mod_security on the machine? Additionally, which PHP handler are you using and do you have register_globals set to off in the php.ini file? You can find the handler using this command:

    Code:
    /usr/local/cpanel/bin/rebuild_phpconf --current
    Alternatively, you can check in the WHM > Apache Configuration > PHP and SuExec Configuration area.
     
  3. rootlover

    rootlover Member

    No, I'm not using mod_security.

    Code:
    root@server [~]# /usr/local/cpanel/bin/rebuild_phpconf --current
    Available handlers: suphp fcgi cgi none
    DEFAULT PHP: 5
    PHP4 SAPI: none
    PHP5 SAPI: suphp
    SUEXEC: enabled
    
    Now, what should I do to make sure my server is clean of malware scripts, remote backdoors or any other hacker files? Is there any shell command to check the files on my server?

    Do you have any suggestions, Tristan?

    Thanks
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    For one course of action, I suggested in your PM to submit a ticket. Otherwise, I would suggest recompiling Apache to use mod_security, to ensure register_globals is set to Off in /usr/local/lib/php.ini, to use the latest PHP (PHP 5.3.10) in EasyApache, and to disable the use of individual php.ini files that can override your settings (suPHP allows individual php.ini files in the cPanel user's home and higher).

    To disable allowing individual php.ini files, please change the following lines in /opt/suphp/etc/suphp.conf file:

    Code:
    [phprc_paths]
    ;Uncommenting these will force all requests to that handler to use the php.ini
    ;in the specified directory regardless of suPHP_ConfigPath settings.
    ;application/x-httpd-php=/usr/local/lib/
    ;application/x-httpd-php4=/usr/local/php4/lib/
    ;application/x-httpd-php5=/usr/local/lib/
    To the following instead:

    Code:
    [phprc_paths]
    ;Uncommenting these will force all requests to that handler to use the php.ini
    ;in the specified directory regardless of suPHP_ConfigPath settings.
    application/x-httpd-php=/usr/local/lib/
    application/x-httpd-php4=/usr/local/php4/lib/
    application/x-httpd-php5=/usr/local/lib/
    At that point, only the global /usr/local/lib/php.ini file will work for PHP 5.
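
The following is an added example, not part of the original post or of cPanel's tooling: a shell audit of the two settings recommended above, namely whether each handler is pinned under `[phprc_paths]` and whether `register_globals` is off. The function names and the sample files are constructed for illustration; the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: audit the suphp.conf and php.ini settings recommended above.

# Print each handler that is NOT pinned (commented out or missing) under
# [phprc_paths]; for those, per-user php.ini files are still honoured.
unpinned_handlers() {
    for h in application/x-httpd-php application/x-httpd-php4 application/x-httpd-php5; do
        awk -v h="$h" '
            { sub(/^[ \t]+/, "") }
            /^\[/ { insec = ($0 ~ /^\[phprc_paths\]/); next }
            insec && index($0, h "=") == 1 { found = 1 }
            END { exit(found ? 0 : 1) }' "$1" 2>/dev/null || echo "$h"
    done
}

# Print the last uncommented register_globals value, lower-cased, or "unset".
register_globals_value() {
    v=$(sed -n 's/^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${v:-unset}"
}

# Report both findings; returns 1 if anything needs attention.
audit() {
    conf=${1:-/opt/suphp/etc/suphp.conf}; ini=${2:-/usr/local/lib/php.ini}; rc=0
    for h in $(unpinned_handlers "$conf"); do
        echo "WARN: $h not pinned in [phprc_paths] of $conf"; rc=1
    done
    rg=$(register_globals_value "$ini")
    case $rg in
        off|0|false|no) echo "OK: register_globals=$rg" ;;
        *) echo "WARN: register_globals=$rg in $ini"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not taken from a real server) for an offline run.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '[phprc_paths]' ';application/x-httpd-php=/usr/local/lib/' \
        'application/x-httpd-php4=/usr/local/php4/lib/' \
        'application/x-httpd-php5=/usr/local/lib/' '[handlers]' \
        'application/x-httpd-php="php:/usr/bin/php"' > "$d/suphp.conf"
    printf '%s\n' ';register_globals = On' 'register_globals = Off' > "$d/php.ini"
    echo "$d"
}

# Run against the constructed sample; call audit with no arguments on a server.
d=$(make_sample); audit "$d/suphp.conf" "$d/php.ini" || true; rm -rf "$d"
```

In the constructed sample one handler is still commented out, so the audit flags it; the same-named line under `[handlers]` is ignored because only the `[phprc_paths]` section counts.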
     
  5. rootlover

    rootlover Member

    Thank you, Tristan :)
     
  6. Oleg.Gricik

    Oleg.Gricik Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    62
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Tristan, if we change this, then will SetEnv PHPRC Path_to_php.ini work?
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello Oleg G,

    Change which setting? There were multiple recommendations made, so please clarify.

    Thanks!
     
  8. Oleg.Gricik

    Oleg.Gricik Well-Known Member

    Tristan,

    I mean, if we set the following in /opt/suphp/etc/suphp.conf file:
    Will manual correction in local .htaccess file work?

    For example.
    Will this work?
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello Oleg,

    In my testing, as you might expect, no, you cannot add this to the .htaccess in /home/username/public_html/.htaccess to bypass the /opt/suphp/etc/suphp.conf file phprc_paths setting:

    Code:
    SetEnv PHPRC /home/username/public_html/php.ini 
    I changed memory_limit to 64M on my /home/username/public_html/php.ini file and added the above line to .htaccess.

    If you need to allow a user to bypass the settings, you'll have to use this guide to do it:

    https://forums.cpanel.net/f185/meth...ting-who-can-use-php-ini-files-167186-p2.html

    Thanks!
     