
DDOS Attacks from my Server ...need help

Discussion in 'General Discussion' started by Higgins, May 29, 2005.

  1. Higgins

    Higgins Well-Known Member

    Joined:
    Jan 31, 2003
    Messages:
    82
    Likes Received:
    0
    Trophy Points:
    6
    Since today we have DDoS attacks coming from our server. It starts with a simple wget.pl file in the /tmp dir, then we can see many perl processes and the attack starts. The wget.pl file is owned by nobody, but when I grep in domlogs for "wget" or "tmp" or whatever, I couldn't find anything.
    During the attack I ran lsof | grep PID and got:

    Also I have APF installed, but it does not block these attacks. So I have no clue how this file gets into the tmp directory as user nobody, and I couldn't find it in the logs.

    Can anyone please help me out?
     
  2. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Did you run this?

    for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done

    I take it the attack is outgoing? Or is it incoming?
     
  3. Higgins

    Higgins Well-Known Member

    Joined:
    Jan 31, 2003
    Messages:
    82
    Likes Received:
    0
    Trophy Points:
    6
    Yes, I did this, and the attacks are outgoing.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's most likely to be a vulnerable php script on the server and the most likely vulnerable app these days is either phpBB or phpNuke. You should install WHM > Addon Modules > Addon Script Manager > refresh your browser and scroll down on the left to the bottom and click on Addons > Addon Script Manager and force update any phpBB, and if installed phpNuke, installations. You should also look at installing mod_security either through WHM or manually and add a good set of secfilter lists (search the forums for mod_security).
     
  5. DigiCrime

    DigiCrime Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    399
    Likes Received:
    0
    Trophy Points:
    16
    Was just gonna suggest mod_security. I don't think that Addon Manager works for those who installed phpBB using their own method; if it was installed by the cPanel script it'll find it, but not 100% for certain.

    For Apache 1 here's what I use:

    wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz;tar -zxf modsecurity-1.8.7.tar.gz;cd mod*;cd apache1;/etc/httpd/bin/apxs -cia mod_security.c;pico /usr/local/apache/conf/httpd.conf;service httpd restart

    in httpd.conf place this in

    Code:
    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    
    # Change Server: string
    SecServerSignature "Apache"
    
    
    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off
    
    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly
    
    # The name of the audit log file
    SecAuditLog logs/audit_log
    
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"
    
    ## ## ## ## ## ## ## ## ## ##
    ## ## ## ## ## ## ## ## ## ##
    
    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    
    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    # phpBB filter 
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
    
    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    SecFilterSelective ARG_p|ARG_page "^(http|https|ftp):/ "
    SecFilterSelective THE_REQUEST "cd /dev/shm "
    SecFilterSelective THE_REQUEST "/usr/bin/gcc "
    
    </IfModule>
    In the meantime delete everything in /tmp besides your mysql.sock file, and maybe reboot the system to freshen everything up.
     
  6. johnisinfinite

    Joined:
    May 20, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Somebody has a php script which makes the wget.pl file and runs it as nobody. The easiest solution to this would be to rebuild apache to support php suexec so that php scripts get executed as the user who owns them instead of "nobody". This increases security overall and helps you track down such scripts.

    Other than that, the only solution I can think of is to check the creation date of wget.pl and check your apache logs for that time.
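    The correlation step suggested above, as an added example that is not part of the original post: take the mtime of the dropped file and list every request in an Apache combined-format domlog that landed within a few minutes of it, grouped by client IP. The log lines, the file time and the window size are constructed sample values; it works the same way on any file and any combined-format log.

    ```python
    import os
    import re
    from collections import Counter
    from datetime import datetime, timedelta, timezone

    # Apache combined log: ip ident user [ts] "request" status ...
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
    )

    def parse_ts(ts):
        # e.g. 29/May/2005:14:03:22 +0000
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

    def file_mtime(path):
        """Modification time of the suspicious file (e.g. /tmp/wget.pl)."""
        return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

    def requests_near(log_lines, dropped_at, window_minutes=5):
        """(ip, timestamp, request) for each request within +/- window of dropped_at."""
        window = timedelta(minutes=window_minutes)
        hits = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m:
                continue  # skip lines that are not in combined format
            when = parse_ts(m.group("ts"))
            if abs(when - dropped_at) <= window:
                hits.append((m.group("ip"), when, m.group("req")))
        return hits

    def suspects(hits):
        """Client IPs ordered by how many requests they made inside the window."""
        return Counter(ip for ip, _, _ in hits).most_common()

    # Constructed sample: mtime of the dropped file and four domlog lines.
    DROP_TIME = datetime(2005, 5, 29, 14, 3, 22, tzinfo=timezone.utc)
    SAMPLE_LOG = [
        '203.0.113.7 - - [29/May/2005:13:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
        '198.51.100.23 - - [29/May/2005:14:02:58 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
        '198.51.100.23 - - [29/May/2005:14:03:05 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 87 "-" "Wget/1.9"',
        '203.0.113.7 - - [29/May/2005:14:40:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/4.0"',
    ]

    if __name__ == "__main__":
        for ip, when, req in requests_near(SAMPLE_LOG, DROP_TIME):
            print(f"{when:%H:%M:%S} {ip} {req}")
        print(suspects(requests_near(SAMPLE_LOG, DROP_TIME)))
    ```

    On a real box, replace DROP_TIME with file_mtime("/tmp/wget.pl") and feed it the lines of each file under /usr/local/apache/domlogs/.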
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Just in case you recompile Apache with Phpsuexec, you'll need to chmod 755 all Php scripts in the /home directory. Otherwise, php scripts won't work.
     
  8. wa4fat

    wa4fat Well-Known Member

    Joined:
    Dec 30, 2001
    Messages:
    51
    Likes Received:
    1
    Trophy Points:
    8
    My server apparently also under attack

    I have been experiencing an apparently similar DDOS attack recently, which consumes all my server's resources and eventually (if undetected) brings the box down. A tell-tale file in the /tmp directory is the only evidence I've been able to locate, and a GOOGLE of the text in this file points to a few mentions of DDOS code, either via IRC or through some exploit in PHPBB. A sample of the wording in this file includes:

    Password too long!
    Disable sucessful
    Removed all spoofs
    What kind of subnet address is that? Do something like: 169.40
    NOTICE %s :TSUNAMI <target> <secs>

    I'd be grateful for any suggestions as to what you might do to prevent this from occurring, or to locate the source.

    Thanks very much in advance!
     
  9. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    You'll need to secure your server. The problem I see with many people, including our clients, is that they won't secure their servers, either out of ignorance, or because they don't know how, or because they don't want to spend money on hiring a company to secure their servers. The vast majority of clients come to us screaming for help after the damage has been done to their servers.

    I suggest you search this forum and find threads discussing security issues.
    http://forums.cpanel.net/search.php?searchid=577414
    http://forums.cpanel.net/search.php?searchid=577415
     
  10. GordonH

    GordonH Well-Known Member

    Joined:
    Sep 6, 2001
    Messages:
    104
    Likes Received:
    0
    Trophy Points:
    16
    The cPanel Advanced Guestbook script is the most commonly exploited script we have to deal with. It will accept character substitution hacks allowing people to write files to other locations in the account.
    It's popular with phishing scammers for getting their HTML into your accounts.

    We would prefer to have the ability to stop the guest book appearing in cpanel but I am not going to edit the skin on 100+ servers.
     
  11. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    We had a similar problem on one of the servers too!
    The problem was phpBB again! This time I found out WHM Addon Script Manager doesn't update all phpBB installations! Well, I guess it shouldn't be responsible for manual installations anyway! But I think it only detects /forum folders....

    In our case the hacker was overflowing eth0.
    The hacker wrote these files to /tmp using phpBB:

    .\ .\ ./ a2.pl cof.txt log.txt ret.pl ses sesions theme_info.cfg udp.pl

    Notice that the first one is a folder name: . . .

    Well, I was lucky that my cron job found them :) and I was able to get on top of it right away...

    Anyway, a new version of phpBB is out (.15) but cPanel still installs .13.

    I have the source of his files; does anyone know where I can send these files to help prevent the same problem for others?
     
  12. GordonH

    GordonH Well-Known Member

    Joined:
    Sep 6, 2001
    Messages:
    104
    Likes Received:
    0
    Trophy Points:
    16
    On a related issue, this is why I will not use Fantastico.
    It would be very bad if there were exploits of the scripts it installed, as we would have to patch all the sites manually.
     
  13. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    Someone sent me a PM about the script; here is the code.
    The full article can also be found at:
    http://www.myserver.us/articles/checking-server-for-hackers-sample-script-tmp-directory-check.html


    Code:
    #!/usr/bin/perl
    use strict;
    use warnings;

    ###################################################################
    # Author: Mohammad Ranji
    # Script will check into XXX directory to see
    # if there is any file that has YYY keyword in it
    # this is useful to find possible hacks for example
    # perl files in /tmp
    # for full article visit
    # http://www.myserver.us/articles/checking-server-for-hackers-sample-script-tmp-directory-check.html
    ###################################################################

    #########################################################
    ###################### CONFIG #############################
    #########################################################

    # this is used to send email
    # if you don't have this module comment this part out
    # and set send_email=0
    use MIME::Lite;

    my $send_email      = 1;                        # change to 0 if you want to disable sending emails
    my $to              = 'your-pager@domain.com';  # single quotes, so @ needs no escaping
    my $from            = 'you@domain.com';
    my $mailserver      = 'mail.example.com';
    my @what            = ('perl', '#!/bin/');      # add more keywords to look for if needed
    my $lookin          = '/tmp';                   # directory to look into
    my $script_location = '/checktmp/';             # where is this script? (daily logs are written here)

    #########################################################
    #################### END CONFIG #########################
    #########################################################

    # "||" binds tighter than chdir's argument list, so the original
    # "chdir $dir || die" could never die; use "or" instead
    chdir($script_location) or die "Can't cd to $script_location: $!\n";

    for my $keyword (@what) {
        # -l lists only matching file names; "--" stops a keyword such as
        # "#!/bin/" being read as an option, and the quotes keep the shell
        # from treating its "#" as the start of a comment
        my @files = `grep -R -l -- '$keyword' '$lookin'`;
        chomp @files;
        found($keyword, $_) for @files;
    }

    sub found {
        my ($what, $where) = @_;

        # log what we found into a file named after today's date
        my $file = `date '+%F'`;
        chomp $file;
        $file =~ s/ /_/g;      # replace any spaces with _
        $file .= '.log';

        # ">>" creates the file if it does not exist yet
        open(my $log, '>>', $file) or die "Cannot open $file: $!";

        my $date = `date`;
        chomp $date;
        print $log "$what was found in $where at $date\n";
        close($log);

        my $subject = 'Alert';
        my $message = "$what was found in $where at $date.";

        # should we email what we found?
        email($to, $from, $subject, $message) if $send_email == 1;
    }

    sub email {
        # get incoming parameters
        my ($to, $from, $subject, $message) = @_;

        # create a new message
        my $msg = MIME::Lite->new(
            From    => $from,
            To      => $to,
            Subject => $subject,
            Data    => $message,
        );

        # send the email via the configured SMTP server
        MIME::Lite->send('smtp', $mailserver, Timeout => 60);
        $msg->send();
    }
     
    #13 ehsan, Jun 7, 2005
    Last edited: Jun 7, 2005
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Then you need to update your cPanel installation as it has been installing v2.0.15 for weeks now.
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Have you informed cPanel about this? I.e. logged it in bugzilla and emailed security@cpanel.net?
     
  16. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    Why do I need to update the cPanel installation when it is supposed to fetch the update for add-ons from the cPanel server, especially when I use the add-on update module?
     
  17. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It entirely depends on what version of cPanel you are running. If it's pre-10.0.something then it's old, insecure, and running the old update system, and you should upgrade it to the current tree of your choice. If it's newer than that, then what version are you running and what do you have set for each of the options under WHM > Update Config?
     