
cracked? :S

Discussion in 'General Discussion' started by Estrac, Apr 14, 2006.

  1. Estrac

    Estrac Well-Known Member

    Joined:
    Nov 18, 2005
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    I received an email that I need to answer within 48 hours to see what happened.

    It says that I (my cPanel server) attacked some sites, did scans, etc.

    I checked the logs and I don't find anything wrong, except:

    # ps aux
    .
    .
    .
    nobody 15052 0.0 0.0 1384 4 ? S Apr12 0:00 ./bash.tgz
    .
    .
    .
    wtf?

    I found this file:
    root@mail [/var/tmp]# ls -la
    total 40
    drwxrwxrwt 4 root root 4096 Apr 13 11:55 ./
    drwxr-xr-x 21 root root 4096 Apr 11 23:20 ../
    -rwxr-xr-x 1 nobody nobody 21179 Apr 12 12:43 bash.tgz*
    drwxr-xr-x 2 nobody nobody 4096 Apr 12 10:32 PhpMyChat/
    drwxr-xr-x 2 nobody nobody 4096 Apr 13 17:09 trimite/
    root@mail [/var/tmp]#

    and it is a binary file; I hoped it was a script but it isn't :S

    Has this happened to anyone?
    How did this happen?

    Any idea?

    I have the latest version of cPanel/WHM and an updated OS (Red Hat).

    I have ACLs for SSH and IMAP.

    Maybe brute force?

    Regards... thanks..

    estrac
     
  2. Estrac

    Estrac Well-Known Member

    netstat -na

    tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:58858 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:1108 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
     
  3. Estrac

    Estrac Well-Known Member

    More information...

    In the messages log I found:

    Apr 11 18:47:25 mail kernel: NET: 124 messages suppressed.
    Apr 11 18:47:26 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:28 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:31 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:33 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:34 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:36 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:37 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:38 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:39 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:41 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:41 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:47:42 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00
    Apr 11 18:47:56 mail kernel: Redirect from 207.230.231.229 on eth1 about 207.230.231.1 ignored.
    Apr 11 18:48:02 mail kernel: Advised path = MYIP -> 255.255.255.255, tos 00

    It's the first time I've seen this... any idea??
     
  4. Estrac

    Estrac Well-Known Member

    25 views and no one can make a simple post?

    ...

    :S

    estrac
     
  5. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    164
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Looks like a simple back door, etc.

    Is your /tmp partition secured?

    Type: df -h

    Look if there is a /tmp partition. If there is, check /etc/fstab and look for your /tmp entry. It may be a little different, but what I've bolded is the big part:

    LABEL=/tmp /tmp ext3 noexec,nouser,nodev,rw 1 2

    Make sure it's not 'defaults' and that it has noexec,nouser,nodev.

    Also, I noticed it's in /var/tmp, so do this:

    cd /var;rm -rf tmp;ln -s /tmp

    This will make /var/tmp a symbolic link to /tmp.

    If you need further assistance or would like your server checked / secured for free please PM me or email me at kris [@] hostmerit.com
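The fstab check HostMerit describes, written out as a small audit script. This is an added example for this thread, not code from any poster: it reads an fstab (the path passed as its argument is the only assumption; use /etc/fstab on a live host) and reports which /tmp or /var/tmp entries still lack noexec and nodev. It also checks nosuid, which the thread does not mention but which is the usual companion of the other two; "nouser" is the mount default and is not checked. The two fstab tables in the script are constructed samples, one with the bare "defaults" entry the thread describes and one with the corrected options.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: audit the mount
# options of /tmp and /var/tmp entries in an fstab. The only assumption is the
# fstab path passed as $1 (/etc/fstab on a live host, "-" for stdin).

# Print one line per /tmp or /var/tmp entry. Exit 0 when every such entry has
# noexec, nodev and nosuid; 1 when one lacks an option; 2 when none exists.
check_tmp_mounts() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
    $2 == "/tmp" || $2 == "/var/tmp" {
        seen++
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) have[opt[i]] = 1
        missing = ""
        # noexec and nodev are the options the thread names; nosuid is the usual
        # companion. "nouser" is already the mount default, so it is not checked.
        if (!("noexec" in have)) missing = missing " noexec"
        if (!("nodev"  in have)) missing = missing " nodev"
        if (!("nosuid" in have)) missing = missing " nosuid"
        if (missing == "") printf "%s: ok\n", $2
        else { bad++; printf "%s: missing%s\n", $2, missing }
        for (k in have) delete have[k]
    }
    END {
        if (!seen) { print "no /tmp or /var/tmp entry found"; exit 2 }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample resembling the thread: /tmp on a bare "defaults" entry.
sample_fstab_weak() {
    printf '%s\n' \
        '# constructed sample, not a real host' \
        'LABEL=/    /    ext3 defaults 1 1' \
        'LABEL=/tmp /tmp ext3 defaults 1 2'
}

# The same table after the fix HostMerit describes, with nosuid added.
sample_fstab_hardened() {
    printf '%s\n' \
        'LABEL=/    /    ext3 defaults 1 1' \
        'LABEL=/tmp /tmp ext3 noexec,nouser,nodev,nosuid,rw 1 2'
}

# Stand-alone run over both samples; point it at /etc/fstab on a live host.
sample_fstab_weak     | check_tmp_mounts - || :
sample_fstab_hardened | check_tmp_mounts -
```

Note that fstab only says what will be mounted at the next boot; after editing it, remount /tmp (as Estrac did) and confirm the live options with `mount` before trusting the result.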
     
  6. randomuser2

    randomuser2 Member

    Joined:
    Dec 23, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    151
    tcp 0 0 0.0.0.0:58858 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:1108 0.0.0.0:* LISTEN

    What's listening on those ports? As root, run these 2 commands:

    netstat -antp | grep 58858
    netstat -antp | grep 1108

    That will return the PID of the process listening on those ports, like this:

    pid = 21358

    Now, as root, we run lsof -p <pid>


    Code:
    # /usr/sbin/lsof -p 21358 | head -10
    COMMAND   PID USER   FD   TYPE   DEVICE    SIZE    NODE NAME
    sshd    21358 root  cwd    DIR    253,0    4096       2 /
    sshd    21358 root  rtd    DIR    253,0    4096       2 /
    sshd    21358 root  txt    REG    253,0  349224 6090764 /usr/sbin/sshd
    sshd    21358 root  mem    REG    253,0   27660 2452747 /lib/libcrypt-2.3.5.so
    sshd    21358 root  mem    REG    253,0   10244 6090508 /usr/lib/libkrb5support.so.0.0
    sshd    21358 root  mem    REG    253,0  126648 2452086 /lib/ld-2.3.5.so
    sshd    21358 root  mem    REG    253,0   96108 6099918 /usr/lib/libgssapi_krb5.so.2.2
    sshd    21358 root  mem    REG    253,0    7836 2452742 /lib/libcom_err.so.2.1
    sshd    21358 root  mem    REG    253,0   68864 2452740 /lib/libselinux.so.1
    
    Understand?

    Also, keep an eye on what processes nobody is running. If it's not httpd, then what is it? Hm..
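A triage script for the last point, keeping an eye on what `nobody` runs. This is an added example for this thread, not code from any poster: it reads `ps aux` output and flags the processes that deserve the netstat/lsof follow-up randomuser2 describes, namely anything `nobody` runs that is not httpd, and anything launched from a relative path or a scratch directory. It assumes the standard `ps aux` column layout (COMMAND is field 11); the sample listing inside it is constructed around the thread's `./bash.tgz` line, and the httpd path in it is made up for the sample.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: triage a "ps aux"
# listing for the processes that deserve the netstat/lsof follow-up above.
# Assumed: standard ps aux columns (COMMAND is field 11) and the constructed
# sample below; the httpd path in it is made up for the sample.

# Read ps aux output on stdin and print one line per suspicious process:
#  (a) user "nobody" running anything other than httpd (the web server is
#      normally the only thing that user should own), or
#  (b) a command launched from a relative path or from /tmp, /var/tmp or
#      /dev/shm, the world-writable places a web-user compromise can write to.
# Exit 0 when nothing is flagged, 1 otherwise.
flag_suspicious_procs() {
    awk '
    NR == 1 && $1 == "USER" { next }      # skip the header line
    NF < 11 { next }
    {
        user = $1; pid = $2; cmd = $11; reason = ""
        if (user == "nobody" && cmd !~ /(^|\/)httpd$/)
            reason = "nobody running non-httpd"
        if (cmd ~ /^(\.\/|\/tmp\/|\/var\/tmp\/|\/dev\/shm\/)/) {
            if (reason != "") reason = reason "; "
            reason = reason "launched from a scratch dir or relative path"
        }
        if (reason != "") {
            hits++
            printf "pid %s user %s cmd %s: %s\n", pid, user, cmd, reason
        }
    }
    END { exit (hits > 0) }'
}

# On a live Linux host, resolve the on-disk binary of a flagged pid; a trailing
# "(deleted)" means the file was removed while the process kept running, which
# is why a back door must be killed and not only deleted.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "pid $1: no /proc entry"
}

# Constructed sample modelled on the thread's ps output (not real host data).
sample_ps() {
    printf '%s\n' \
        'USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND' \
        'root 1 0.0 0.0 1400 400 ? S Apr11 0:04 init' \
        'nobody 15052 0.0 0.0 1384 4 ? S Apr12 0:00 ./bash.tgz' \
        'nobody 15100 0.0 0.5 8000 3000 ? S Apr12 0:01 /usr/local/apache/bin/httpd' \
        'mysql 1234 0.1 2.0 90000 30000 ? S Apr11 1:12 /usr/sbin/mysqld' \
        'nobody 15200 0.0 0.0 1500 300 ? S Apr13 0:00 /tmp/.x/updater'
}

# Stand-alone run over the sample; on a live host use: ps aux | flag_suspicious_procs
sample_ps | flag_suspicious_procs || :
```

For each pid the script flags, `exe_of_pid` (or `lsof -p` as shown in the post) tells you which file on disk is actually running; a relative `./bash.tgz` in `ps` only says how it was started, and `/proc/<pid>/cwd` shows where from.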
     
  7. Estrac

    Estrac Well-Known Member

    Thanks for your post.

    But before I read your post, I killed bash.tgz (the binary that opened port 58858) and deleted the binary.

    The other port, 1108, is my sshd daemon.

    On port 22 portsentry is listening, with an iptables rule, as on 23, etc.

    Now I've modified the fstab /tmp properties as HostMerit commented (/tmp was with the default option)
    and remounted.

    Thanks a lot for your time.

    HostMerit, let me try to secure it as far as I can, and then I would like to have it checked :-)

    Thanks

    Estrac
     
