
eggdrop

Discussion in 'General Discussion' started by gundamz, Apr 25, 2004.

  1. gundamz

    10165 (eggdrop) /tmp/.shp/.dat/eggdrop-1.6. /tmp/.shp/.dat
    /usr/local/apache/sbin/httpd-DSSL
    -m bin.txt

    --------------------------------------------------------------------------------
    10336 (eggdrop) /tmp/.sho/.dat/eggdrop-1.6. /tmp/.sho/.dat
    /usr/local/apache/sbin/httpd-DSSL
    -m bin.txt


    What are those? Am I hacked?

    In my tmp,

    drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:54 .shc/
    drwxr-xr-x 3 nobody nobody 4096 Apr 17 19:00 .shh/
    drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:37 .sho/
    drwxr-xr-x 3 nobody nobody 4096 Apr 24 08:35 .shp/
    drwxr-xr-x 3 nobody nobody 4096 Apr 21 22:56 .shw/
    drwxr-xr-x 3 nobody nobody 4096 Apr 17 18:55 .ssh/
     
  2. nybble

    I am almost willing to bet you use cPanel... so many exploits, I see eggdrops go up all over the place... to be honest I am sorry I use it sometimes! In most cases (that I know of) they get in through a demo account.

    Most people set them up in /tmp, so.. yeah, you got "0wn3d" ;)

    Just remove it and secure your box better.
     
  3. SarcNBit

    What gives you that idea? :confused: :cool:
     
  4. nybble

    Cause just about every cpanel box with a public demo ends up with an eggdrop on it...
     
  5. SarcNBit

    Oh I thought it was something a little more pedestrian such as the fact that he posted in a cpanel support forum ;) :p
     
  6. gundamz

    I did not enable demo for the server.

    And this hacker is able to restart my server.

    How can he do so via openssl?
     
  7. nybble

    Um... I am no security expert, but A. Are you running cPanel? B. Do you have users on this server?

    In some cases just being a user and having cPanel access can be a bad thing... anyway, best of luck!
     
  8. andyf

    Look at who owns the files - 'nobody'. This means they were created by CGI (if you don't run suexec) or PHP (if you don't run phpsuexec).

    Probably some outdated code for which a vulnerability has been released - PHP forums/bloggers/CMSs are favourites.

    Mount your temporary space noexec, make sure you're patched up to the eyeballs and consider other avenues such as open_basedir restrictions.

    You have not necessarily been "0wn3d" but simply someone has managed to execute code as your Apache user 'nobody'. Nevertheless, I'd recommend you at least find the problem code and run chkrootkit for peace of mind.
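
The checks described in the post above (files owned by 'nobody', /tmp mounted noexec), together with the process listing from the first post, as an added shell example that is not part of the thread and not cPanel's own tooling. It assumes Linux with /proc; `TMP_DIR`, `WEB_USER` and the function names are hypothetical.

```shell
#!/bin/sh
# Added triage sketch for the symptoms in this thread (not from any poster).
# Assumptions: Linux with /proc; TMP_DIR and WEB_USER default to the thread's
# values (/tmp, Apache running as 'nobody'). Function names are hypothetical.

# mount_has_noexec MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if the last mount listed on MOUNTPOINT has the noexec option.
mount_has_noexec() {
    awk -v mp="$1" '$2 == mp { opts = $4 }
        END { exit ((("," opts ",") ~ /,noexec,/) ? 0 : 1) }' "${2:-/proc/mounts}"
}

# hidden_dirs_owned_by DIR USER
# Prints dot-directories directly under DIR that belong to USER (name or uid).
hidden_dirs_owned_by() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' -user "$2" 2>/dev/null
}

# procs_running_from DIR [PROC_ROOT]
# Prints "PID EXE" for each process whose executable path lies under DIR.
# Run as root: /proc/PID/exe of other users' processes is unreadable otherwise.
procs_running_from() {
    for p in "${2:-/proc}"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$1"/*) echo "${p##*/} $exe" ;;
        esac
    done
}

TMP_DIR=${TMP_DIR:-/tmp}
WEB_USER=${WEB_USER:-nobody}

if mount_has_noexec "$TMP_DIR"; then
    echo "$TMP_DIR is mounted noexec"
else
    echo "$TMP_DIR is NOT a noexec mount"
fi
echo "Hidden directories in $TMP_DIR owned by $WEB_USER:"
hidden_dirs_owned_by "$TMP_DIR" "$WEB_USER" || true
echo "Processes executing from $TMP_DIR:"
procs_running_from "$TMP_DIR"
```

A noexec mount only blocks direct execution of files stored on it, so it complements rather than replaces finding and patching the vulnerable script.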
     
  9. gundamz

    I went to execute the command to secure my /tmp now.

    /scripts/securetmp
     
  10. gvard

    Hello,

    I've enabled suexec through WHM but I can't find how to enable phpsuexec. Any help?
     
  11. anand

    You would need to recompile PHP for that. The best way would be to run the Apache compile, either from WHM or from the shell. PHP 4.3.7 was released earlier, so while compiling you could also update your PHP to the latest.

    In WHM -> Software -> Update Apache

    Select all you need and compile away.

    If you prefer shell, as root run:

    /scripts/easyapache

    Select all you need and compile away ;)

    If you don't know what to select you could choose the 1-5 options presented by the easyapache script. At times they help you to achieve what's required and later learn what to include or exclude from the compile.
     
