Exploits somehow getting on server!!

[tank]

I have a client who's website keeps getting targeted by exploits. Thankfully CXS exploit scanner caught these. They tried to upload more than 400 hundred files. I have changed all the passwords for the second time now. It is a vbulletin installation. Any ideas on what I can do to protect this site better. What log should i check?

The files were not uploaded via ftp. Should I change something in the .htaccess file?

Thanks guys

 

[quizknows]

They need to check that their VB install is updated with all patches. The vast majority of exploits that happen to those sites don't use FTP or cPanel access, but they exploit a flaw in an out-dated install of vBulletin or one of the components/add-ons.

 

[tank]

Yea ok well I will take a look into that as well. Disable the plugins and start from their.

Good idea. I am the admin of those forums as well and I normally have everything up to date. Maybe just axe the mods.

--
Is their a way i can find an IP that is doing this?

 

[quizknows]

Take the time stamp of any bad / newly uploaded files, and start looking for around that time in the domains access logs. Usually /home/$username/access-logs/domain.com

Usually you'll find a POST (sometimes a GET) within 1-2 seconds of the malicious file upload. That should point out your vunlerable mod or other issue.

Be sure to go into cPanel for the domain and enable raw access log archiving, in case you miss something for a day. That way you won't lose the logs every time stats run.

 

[cPanelMichael]

Hello

While it's likely related to a flaw in your individual script, it's also a good idea to review the overall security of your system. The cPanel Security Advisor is a useful tool for this:

"WHM Home » Security Center » Security Advisor"

Thank you.

 

[tank]

@quiz

Great ideas: I have done that first idea and as for the second idea of looking at raw access logs, I did not see any logs that coincided with that exact time. Let me check again, I might have missed something.

@Michael
The only thing that I see Michael is I need to rebuild Apache to get some updates.

I will check the raw access logs. I also went ahead and updated the mods/hacks and I got rid of the hacks i don't need on the site.

 

[tank]

Update:
I found that my clients web forum actually had a security flaw. This is shell is running. Any ideas how to remove this shell script.
!C99madShell v. 2.0 madnet edition!

--I secured the site because it was located in a restricted area so I did a .htaccess block.

 

[Infopro]

This thread may be of some use to you:
/http://www.vbulletin.org/forum/showthread.php?t=301727

At the same time, I would think that your server has been compromised, not just that account. That's a bit more serious.

If you're unsure of the path forward, I suggest you hire someone who can help. The cPanel AppCat has listings for System Administration, you can find those, here:
cPanel App Catalog

 

[quizknows]

There has been no information provided in this thread that would support a server-wide compromise, just a site CMS compromise, unless the cmdshells are owned by root or other websites are affected. Single sites get hacked all the time without the server itself being compromised.

 

[Infopro]

There has been no information provided in this thread that would support a server-wide compromise, just a site CMS compromise, unless the cmdshells are owned by root or other websites are affected. Single sites get hacked all the time without the server itself being compromised.

There's been enough for me.

 

[LDHosting]

There's been enough for me.

There has not been a single comment so far that would suggest a root compromise.

 

[tank]

Yep I read all of those threads on this. The server is not compromised as far as i can tell. Everything is caged that I have. Its a vbulletin flaw that is through the admin control panel that allows the user to execute uploads, database commands. Basically its a known plugin problem with the site as of September this year. When i turned off the plugins the thing disappeared.

The Shell thing can only stay in their user account because everything is caged with cloud linux and in addition even without the cage installed they don't have permission to run any commands whats so ever. All the commands were owned by the user. Just for fun I uncaged and then i gave normal jailed access to see if this thing could run any commands, but it can't do anything. I also tried getting out of the folder and it was only read only. I could not create any directory and or upload anything and or view any other user account.

I would totally agree to get it checked out if I think it was compromised but being that I even lowered my security on a few things to see if the shell script could do anything and it can't.

So the server was not rooted.

 

[cPanelPeter]

Hello,

The c99 and r57 shell scripts that compromise a website can very easily be used to compromise an entire server. It's strongly recommended that you hire a security consultant to review your server to make certain that is not the case.

That's all InfoPro was stating here.

 

[quizknows]

The c99 and r57 shell scripts that compromise a website can very easily be used to compromise an entire server.

If that were an entirely true statement, there would be a lot more rooted cPanel boxes.

c99 shells (or any php shell really) can only exploit a server at a root level if you're running a vulnerable out-dated kernel with a privilege escalation vulnerability. Barring storing your root password in a plain text config file or something else severely negligent, a compromised site that had a simple PHP shell uploaded to it can't be used to root a server without a kernel exploit too.

The vast majority of site compromises do not require or result in root level exploits.