The Community Forums


Exploits somehow getting on server!!

Discussion in 'Security' started by tank, Dec 17, 2013.

  1. tank (Well-Known Member, cPanel Access Level: Root Administrator)
    I have a client whose website keeps getting targeted by exploits. Thankfully the CXS exploit scanner caught these. They tried to upload more than 400 files. I have changed all the passwords for the second time now. It is a vBulletin installation. Any ideas on what I can do to protect this site better? What log should I check?

    The files were not uploaded via ftp. Should I change something in the .htaccess file?

    Thanks guys
     
    #1 tank, Dec 17, 2013
    Last edited: Dec 17, 2013
  2. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    They need to check that their VB install is updated with all patches. The vast majority of exploits that happen to those sites don't use FTP or cPanel access; they exploit a flaw in an outdated install of vBulletin or one of its components/add-ons.
     
  3. tank (Well-Known Member, cPanel Access Level: Root Administrator)
    Yea ok, well I will take a look into that as well. Disable the plugins and start from there.

    Good idea. I am the admin of those forums as well and I normally have everything up to date. Maybe just axe the mods.

    --
    Is there a way I can find an IP that is doing this?
     
  4. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    Take the timestamp of any bad / newly uploaded files, and start looking around that time in the domain's access logs. Usually /home/$username/access-logs/domain.com

    Usually you'll find a POST (sometimes a GET) within 1-2 seconds of the malicious file upload. That should point out your vulnerable mod or other issue.

    Be sure to go into cPanel for the domain and enable raw access log archiving, in case you miss something for a day. That way you won't lose the logs every time stats run.
     
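The correlation quizknows describes above (file mtime against the domain's access log, then pivot on the client IP), as an added example that is not from the original thread and not a cPanel or CXS tool. It parses Apache combined-format lines, returns the requests within a two-second window of the dropped file's timestamp with POSTs ranked first, and then lists everything else that IP did. The log lines, addresses, paths and upload time are constructed for the illustration; the only assumption about the server is that the log is in the combined format cPanel writes to /home/$username/access-logs/domain.com.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line, the format cPanel writes to /home/$user/access-logs/domain.com.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Parse one access-log line into a dict; None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def file_mtime(path):
    """Modification time of the dropped file as a timezone-aware datetime,
    so it compares correctly with the log's own UTC offset."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def correlate(log_lines, upload_time, window_seconds=2):
    """Requests within +/- window_seconds of the file's mtime, POSTs first,
    then closest in time.  The first entry is usually the request that
    hit the vulnerable script."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        delta = abs((rec["time"] - upload_time).total_seconds())
        if delta <= window_seconds:
            hits.append((0 if rec["method"] == "POST" else 1, delta, rec))
    hits.sort(key=lambda h: (h[0], h[1]))
    return [h[2] for h in hits]


def requests_from(log_lines, ip):
    """Every request by one client in time order: the pivot once correlate()
    has named the IP behind the upload."""
    recs = [r for r in map(parse_line, log_lines) if r and r["ip"] == ip]
    recs.sort(key=lambda r: r["time"])
    return recs


# Constructed sample: four log lines and the mtime of a file CXS flagged.
# Addresses, paths and times are invented for the illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2013:03:13:40 -0600] "GET /forum/index.php HTTP/1.1" 200 18345 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2013:03:14:05 -0600] "POST /forum/plugin_upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Dec/2013:03:14:06 -0600] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 22110 "-" "Googlebot/2.1"
203.0.113.7 - - [21/Dec/2013:03:14:09 -0600] "GET /forum/images/x.php HTTP/1.1" 200 4110 "-" "Mozilla/5.0"
"""
UPLOAD_TIME = datetime(2013, 12, 21, 3, 14, 6, tzinfo=timezone(timedelta(hours=-6)))

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = correlate(lines, UPLOAD_TIME)
    for rec in hits:
        print(f'{rec["time"]:%H:%M:%S} {rec["ip"]:<14} {rec["method"]:<4} {rec["path"]}')
    print("--- all requests from the top hit's IP ---")
    for rec in requests_from(lines, hits[0]["ip"]):
        print(f'{rec["time"]:%H:%M:%S} {rec["method"]:<4} {rec["path"]} {rec["status"]}')
```

On a real server replace SAMPLE_LOG with the lines of the archived raw log and UPLOAD_TIME with file_mtime() of the file CXS quarantined; the Googlebot hit in the sample shows why the window has to stay small and why a POST is ranked above a coincidental GET.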
  5. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
    Hello :)

    While it's likely related to a flaw in your individual script, it's also a good idea to review the overall security of your system. The cPanel Security Advisor is a useful tool for this:

    "WHM Home » Security Center » Security Advisor"

    Thank you.
     
  6. tank (Well-Known Member, cPanel Access Level: Root Administrator)
    @quiz

    Great ideas: I have done that first idea and as for the second idea of looking at raw access logs, I did not see any logs that coincided with that exact time. Let me check again, I might have missed something.

    @Michael
    The only thing that I see Michael is I need to rebuild Apache to get some updates.

    I will check the raw access logs. I also went ahead and updated the mods/hacks and I got rid of the hacks I don't need on the site.
     
  7. tank (Well-Known Member, cPanel Access Level: Root Administrator)
    Update:
    I found that my client's web forum actually had a security flaw. This shell is running. Any ideas how to remove this shell script?
    !C99madShell v. 2.0 madnet edition!

    --I secured the site because it was located in a restricted area so I did a .htaccess block.
     
    #7 tank, Dec 21, 2013
    Last edited: Dec 21, 2013
  8. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    This thread may be of some use to you:
    http://www.vbulletin.org/forum/showthread.php?t=301727

    At the same time, I would think that your server has been compromised, not just that account. That's a bit more serious.

    If you're unsure of the path forward, I suggest you hire someone who can help. The cPanel AppCat has listings for System Administration, you can find those, here:
    cPanel App Catalog
     
  9. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    There has been no information provided in this thread that would support a server-wide compromise, just a site CMS compromise, unless the cmdshells are owned by root or other websites are affected. Single sites get hacked all the time without the server itself being compromised.
     
  10. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)

    There's been enough for me.
     
  11. LDHosting (Well-Known Member, cPanel Access Level: Root Administrator)
    o_O There has not been a single comment so far that would suggest a root compromise.
     
  12. tank (Well-Known Member, cPanel Access Level: Root Administrator)
    Yep, I read all of those threads on this. The server is not compromised as far as I can tell. Everything is caged that I have. It's a vBulletin flaw that is through the admin control panel that allows the user to execute uploads and database commands. Basically it's a known plugin problem with the site as of September this year. When I turned off the plugins the thing disappeared.

    The shell thing can only stay in their user account because everything is caged with CloudLinux, and in addition, even without the cage installed, they don't have permission to run any commands whatsoever. All the commands were owned by the user. Just for fun I uncaged and then I gave normal jailed access to see if this thing could run any commands, but it can't do anything. I also tried getting out of the folder and it was read-only. I could not create any directory, upload anything, or view any other user account.

    I would totally agree to get it checked out if I thought it was compromised, but being that I even lowered my security on a few things to see if the shell script could do anything, it can't.

    So the server was not rooted.
     
    #12 tank, Dec 22, 2013
    Last edited: Dec 22, 2013
  13. cPanelPeter (Technical Analyst III, Staff Member, cPanel Access Level: Root Administrator)
    Hello,

    The c99 and r57 shell scripts that compromise a website can very easily be used to compromise an entire server. It's strongly recommended that you hire a security consultant to review your server to make certain that is not the case.

    That's all InfoPro was stating here.
     
  14. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    If that were an entirely true statement, there would be a lot more rooted cPanel boxes.

    c99 shells (or any PHP shell, really) can only exploit a server at root level if you're running a vulnerable, outdated kernel with a privilege escalation vulnerability. Barring storing your root password in a plain-text config file or something else severely negligent, a compromised site that had a simple PHP shell uploaded to it can't be used to root a server without a kernel exploit too.

    The vast majority of site compromises do not require or result in root level exploits.
     
    #14 quizknows, Dec 22, 2013
    Last edited: Dec 22, 2013