The Community Forums


craked? :S

Discussion in 'General Discussion' started by Estrac, Apr 14, 2006.

  1. Estrac

    I received an email that I need to answer within 48 hrs to see what happened.

    It says that I (my cPanel server) attacked some sites, scanned, etc.

    I checked the logs, I don't find anything wrong... except:

    # ps aux
    .
    .
    .
    nobody 15052 0.0 0.0 1384 4 ? S Apr12 0:00 ./bash.tgz
    .
    .
    .
    wtf?

    I found this file:
    root@mail [/var/tmp]# ls -la
    total 40
    drwxrwxrwt 4 root root 4096 Apr 13 11:55 ./
    drwxr-xr-x 21 root root 4096 Apr 11 23:20 ../
    -rwxr-xr-x 1 nobody nobody 21179 Apr 12 12:43 bash.tgz*
    drwxr-xr-x 2 nobody nobody 4096 Apr 12 10:32 PhpMyChat/
    drwxr-xr-x 2 nobody nobody 4096 Apr 13 17:09 trimite/
    root@mail [/var/tmp]#

    and it is a binary file; I hoped it was a script but it isn't :S

    Has this happened to anyone?
    How did this happen?

    Any idea?

    I have the latest version of cPanel/WHM, updated OS (Red Hat)

    I have ACLs for SSH, IMAP

    Maybe bruteforce?

    Regards... thanks..

    estrac
     
  2. Estrac

    netstat -na

    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:58858 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:1108 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
     
  3. Estrac

    More information...

    In messages I found:

    Apr 11 18:47:25 mail kernel: NET: 124 messages suppressed.
    Apr 11 18:47:26 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:28 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:31 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:33 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:34 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:36 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:37 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:38 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:39 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:41 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:41 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:42 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:56 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:48:02 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00

    It is the first time that I see this... any idea??
     
  4. Estrac

    25 views and no one can make a simple post?

    ...

    :S

    estrac
     
  5. HostMerit

    Looks like a simple back door etc etc.

    Is your /tmp partition secured?

    Type : df -h

    Look if there is a /tmp partition. If there is, check /etc/fstab and look for your /tmp entry; it may be a little different, but what I've bolded is the big part:

    LABEL=/tmp /tmp ext3 noexec,nouser,nodev,rw 1 2


    Make sure it's not 'defaults' and has noexec,nouser,nodev

    Also, I noticed it's in /var/tmp, do this:

    cd /var;rm -rf tmp;ln -s /tmp

    This will make a symbolic link to /tmp.

    If you need further assistance or would like your server checked / secured for free please PM me or email me at kris [@] hostmerit.com
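The /tmp mount-option check described above, as an added example that is not part of the post: it parses fstab text and reports whether the /tmp entry carries noexec, nouser and nodev. The two fstab strings are constructed samples, not taken from any real server.

```python
# Added example (not from the thread): check an fstab for a /tmp entry carrying
# the options HostMerit lists. Inputs are constructed samples, not real fstabs.
REQUIRED_TMP_OPTS = {"noexec", "nouser", "nodev"}

# Constructed samples: a weak 'defaults' entry and a hardened one.
WEAK_FSTAB = "LABEL=/tmp /tmp ext3 defaults 1 2\n"
HARDENED_FSTAB = "LABEL=/tmp /tmp ext3 noexec,nouser,nodev,rw 1 2\n"


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, option_set) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: fstab needs at least device, mountpoint, type, options
        yield fields[0], fields[1], fields[2], set(fields[3].split(","))


def check_tmp(text):
    """Return (status, missing_options).

    status is 'missing' when no /tmp line exists (so /tmp is not its own mount),
    'weak' when the entry lacks any of REQUIRED_TMP_OPTS, and 'ok' otherwise.
    """
    for _dev, mnt, _fs, opts in parse_fstab(text):
        if mnt == "/tmp":
            missing = REQUIRED_TMP_OPTS - opts
            return ("weak" if missing else "ok"), sorted(missing)
    return "missing", sorted(REQUIRED_TMP_OPTS)


if __name__ == "__main__":
    for name, fstab in (("weak", WEAK_FSTAB), ("hardened", HARDENED_FSTAB)):
        print(name, check_tmp(fstab))
```

Run it against `open("/etc/fstab").read()` to check a live system; after editing fstab, a remount is still needed for the change to take effect.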
     
  6. randomuser2

    tcp 0 0 0.0.0.0:58858 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:1108 0.0.0.0:* LISTEN

    What's listening on those ports? As root, run these 2 commands:

    netstat -antp | grep 58858
    netstat -antp | grep 1108

    That will return the pid of the process listening on those ports, like this:

    pid = 21358


    Now, as root, we run lsof -p <pid>


    Code:
    # /usr/sbin/lsof -p 21358 | head -10
    COMMAND   PID USER   FD   TYPE   DEVICE    SIZE    NODE NAME
    sshd    21358 root  cwd    DIR    253,0    4096       2 /
    sshd    21358 root  rtd    DIR    253,0    4096       2 /
    sshd    21358 root  txt    REG    253,0  349224 6090764 /usr/sbin/sshd
    sshd    21358 root  mem    REG    253,0   27660 2452747 /lib/libcrypt-2.3.5.so
    sshd    21358 root  mem    REG    253,0   10244 6090508 /usr/lib/libkrb5support.so.0.0
    sshd    21358 root  mem    REG    253,0  126648 2452086 /lib/ld-2.3.5.so
    sshd    21358 root  mem    REG    253,0   96108 6099918 /usr/lib/libgssapi_krb5.so.2.2
    sshd    21358 root  mem    REG    253,0    7836 2452742 /lib/libcom_err.so.2.1
    sshd    21358 root  mem    REG    253,0   68864 2452740 /lib/libselinux.so.1
    
    
    
    Understand?


    Also, keep an eye on what processes nobody is running. If it's not httpd, then what is it? Hm..
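The two triage steps above (mapping unexpected LISTEN ports to a PID and program, and spotting `nobody` processes that are not httpd), as an added example that is not part of the post. The `netstat -antp` and `ps aux` text below is constructed to mirror the thread's output; the allow-list of ports is the set the thread's own netstat showed.

```python
# Added example (not from the thread): triage constructed `netstat -antp` and
# `ps aux` output the way randomuser2 describes, entirely offline.
import os

# Ports the thread's netstat showed and that belong to normal cPanel/mail services.
EXPECTED_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443, 465, 783, 953, 993, 995,
                  2082, 2083, 2086, 2087, 2095, 2096, 3306}

# Constructed `netstat -antp` sample (run as root); last column is PID/Program name.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2201/httpd
tcp 0 0 0.0.0.0:58858 0.0.0.0:* LISTEN 15052/./bash.tgz
tcp 0 0 0.0.0.0:1108 0.0.0.0:* LISTEN 21358/sshd
tcp 0 0 10.0.0.5:80 203.0.113.9:40211 ESTABLISHED 2203/httpd
"""

# Constructed `ps aux` sample; the command is everything from the 11th column on.
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
nobody 2201 0.0 0.5 20000 4000 ? S Apr12 0:00 /usr/local/apache/bin/httpd -DSSL
nobody 15052 0.0 0.0 1384 4 ? S Apr12 0:00 ./bash.tgz
root 21358 0.0 0.1 5000 1000 ? S Apr11 0:00 /usr/sbin/sshd
"""


def unexpected_listeners(netstat_text):
    """Return [(port, pid, program)] for LISTEN sockets on ports not in EXPECTED_PORTS."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])   # local address is host:port
        pid, _, prog = f[6].partition("/")   # e.g. "15052/./bash.tgz"
        if port not in EXPECTED_PORTS:
            found.append((port, int(pid), prog))
    return found


def odd_nobody_processes(ps_text):
    """Return [(pid, command)] for 'nobody' processes whose binary is not httpd."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        f = line.split(None, 10)
        if len(f) < 11 or f[0] != "nobody":
            continue
        exe = os.path.basename(f[10].split()[0])
        if exe != "httpd":
            found.append((int(f[1]), f[10]))
    return found
```

Port 1108 is flagged here only because it is outside the allow-list; as the next reply shows, that one turned out to be sshd moved off port 22, so a hit means "go look with lsof -p", not "compromised".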
     
  7. Estrac

    Thanks for your post.

    But, before I read your post, I killed bash.tgz, the binary that opened port 58858, and I deleted the binary.

    The other port, 1108, is my sshd daemon.

    On port 22 portsentry is listening, with an iptables rule, as on 23, etc.

    Now I modified the fstab tmp properties as HostMerit commented; tmp was with the default option,
    and remounted.

    Thanks a lot for your time.

    HostMerit, let me try to secure it as much as I can and then I would like to have it checked :- )

    Thanks

    Estrac
     
