The Community Forums


Hacked and now i can't delete the file...Operation not permitted :(

Discussion in 'General Discussion' started by ttmw, Mar 30, 2011.

  1. ttmw

    ttmw Member

    Joined:
    Mar 30, 2011
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I've just noticed someone hacked my site and placed files on the server (.xcache folder full of links etc.). Now I know this isn't a cPanel or WHM issue and is a back door in my site somewhere, but now the file is there, they have changed something so I cannot change its permissions or delete the file; the only thing I can do via either FTP or the file manager in cPanel is rename it, I think.

    I have control of my WHM too. How can I delete the file if it tells me 'Operation not permitted' in the file manager and similar on FTP? Can I do anything via WHM? :(

    Any information on how hackers manage this would be great too, if anyone happens to know the basics of it.
     
  2. fearmydesign

    fearmydesign Well-Known Member

    Joined:
    Aug 24, 2009
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    This same thing happened to me about two weeks ago. I don't have an answer for you, but in my case it happened to a site that had an osCommerce installation; nothing else happened to any other sites, so I am 'guessing' they broke in through the website itself, maybe through the database... I don't know enough to determine.
    Because this was a site that was not being used yet, I was able to delete all the files via FTP and delete the databases created for the site... but I could not delete that .xcache folder you are talking about, so it would be good to know!!! I tried several times to delete it through FTP and at first it looked as if it was, but then it showed right back up... weird.
     
  3. ttmw

    ttmw Member

    It's such a pain! My site is also osCommerce based, but with a load of changes here and there. It's a common osCommerce hack apparently; I'm not sure how they get in yet, but if I find anything I'll let you know.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You can check the file and ownership permissions as well as if the file is set to immutable with these commands in root SSH:

    Code:
    ls -lah /home/username/public_html/pathtofile
    lsattr /home/username/public_html/pathtofile
    Here username would be the cPanel username and pathtofile would be the path to the set file. The first command will show the file and ownership permissions. If they are 000 or root:root, the root user should still be able to remove the file regardless with this command:

    Code:
    cd /home/username/public_html/pathtofolder
    rm filename
    Above username is again the cPanel username, pathtofolder is any subfolder where the file exists, and filename is the name of the file. You will be prompted to remove the file when typing the rm command as I do not like to put the -f flag to force without prompting a y/n response. I also have you changing to the directory (cd portion) to ensure you aren't removing any file at the / or any higher level. People can really get into trouble by running rm commands without ensuring they are at the correct directory path for the removal.

    Next, the "lsattr" command above, the second one, will show if there are any attributes set on the file. If you see a -i on the lsattr command, then run this command to unset that attribute:

    Code:
    chattr -i /home/username/public_html/pathtofile
    This will remove that immutable file attribute. What immutable does is prevent changing and removing a file. If the file has that set on it, even the root user cannot remove the file, and this is my suspicion on what might be happening if you haven't been able to remove it even as the root user in root SSH.

    If you only have cPanel and WHM but do not have root SSH, then please ask your hosting provider to look into the file permissions, ownership permissions and attributes on the file. They should be able to remove it for you.
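An added example, not cPanelTristan's own commands, that wraps the checks in this post (ls -l for ownership and mode, lsattr for the immutable flag, and a guarded rm that keeps the y/n prompt) in POSIX shell functions. The path layout and the ALLOWED_ROOT argument (the account's home directory) are assumptions; lsattr only works on filesystems that support extended attributes, so the function reports when it cannot check.

```shell
#!/bin/sh
# Added example (not from the post): wrap the checks in reusable functions.
# Assumed: run as root on the server; ALLOWED_ROOT is the account home,
# e.g. /home/username, so nothing outside it can be removed by mistake.

# Return 0 if an lsattr output line carries the lowercase 'i' (immutable) flag.
# lsattr prints the attribute field first, e.g. "----i--------e----- /path".
lsattr_is_immutable() {
    attrs=${1%% *}                      # first whitespace-separated field
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Show ownership/permissions and report whether the immutable flag is set.
# Returns 2 when the flag is set, so a caller knows to run chattr -i first.
inspect_file() {
    path=$1
    ls -ld -- "$path" || return 1
    if ! command -v lsattr >/dev/null 2>&1; then
        echo "lsattr not installed; cannot check attributes for $path"
        return 0
    fi
    if line=$(lsattr -d -- "$path" 2>/dev/null); then
        if lsattr_is_immutable "$line"; then
            echo "IMMUTABLE: $path (run: chattr -i -- '$path' and re-check)"
            return 2
        fi
        echo "no immutable flag: $path"
    else
        echo "lsattr unsupported on this filesystem for $path"
    fi
    return 0
}

# Remove ONE regular file, given by bare name, only when the current
# directory is inside ALLOWED_ROOT. Keeps rm -i so the operator confirms.
safe_rm_file() {
    target=$1
    allowed_root=${2%/}
    here=$(pwd -P)
    case "$here/" in
        "$allowed_root"/*) ;;
        *) echo "refusing: cwd $here is outside $allowed_root" >&2; return 1 ;;
    esac
    case "$target" in
        ""|*/*|.|..) echo "refusing: pass a bare filename in the cwd" >&2; return 1 ;;
    esac
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "refusing: $target is not a regular file (directory or symlink?)" >&2
        return 1
    fi
    rm -i -- "$target"
}

# Usage on the server (assumed paths):
#   inspect_file /home/username/public_html/images/suspect.php
#   cd /home/username/public_html/images && safe_rm_file suspect.php /home/username
```

The cwd check mirrors Tristan's reason for the cd step: a typo in an absolute path to rm is the classic way to lose a server, so the function refuses anything that is not a bare filename under the account's home.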
     
  5. fearmydesign

    fearmydesign Well-Known Member

    Thank you... I'll do the same. Question for you: how did you get your site back up and running? Did you restore from an earlier backup on the server, or did you keep a backup of the files and database on your local computer? ... because now I am worried; I have other osCommerce sites.

    btw cPanelTristan, thank you.
     
  6. ttmw

    ttmw Member

    The hack hasn't completely removed my site or even stopped it functioning yet at all... I don't know how long the files have been there... there are others I have found just today as well. There are some great contributions for the eCommerce sites I have just modified and put up today... you can find them here: How to secure your osCommerce 2.2 site. - osCommerce Support Forum
     
  7. ttmw

    ttmw Member

    I've been searching all over but can't find how to access SSH and where to put these commands in... could you point me in the right direction? I'm on a Mac, if that matters for any clients or whatever else I need.
     
  8. fearmydesign

    fearmydesign Well-Known Member

    On your Mac go to Applications and then you will see the "Utilities" folder; click on that... it will open all your utilities. In there you should see an icon labeled "Terminal"... you can use that to connect via shell (SSH)... you have root access, correct?
     
  9. ttmw

    ttmw Member

    I have access to WHM; I'm guessing that's root? What do I use to log in before the code cPanelTristan suggested above? Thanks.
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Are you logging into WHM as the root user? If you are not, then you do not have root level access to the machine but reseller access. WHM is not the same as root SSH. If you do have root user WHM access (logging into WHM as root username), then you should also have root SSH access.

    Please confirm the username you are logging into WHM as. If it is root user, then go to Finder on your Mac and type in Terminal to open up an SSH prompt window, then run the following to log into SSH:

    Code:
    ssh root@IP#
    Here IP# is the IP number of your machine. If you aren't certain of the IP number, you can use the machine's hostname or a main domain on the machine instead of the IP number. At the prompt for the password, enter the root password.
     
  11. ttmw

    ttmw Member

    OK, here's the first few lines of what it returns... cutting the long list of similar files off.

    Code:
    drwxr-xr-x 11 myusername myusername  52K Mar 30 20:49 ./
    drwxr-x--- 35 myusername nobody    12K Mar 30 17:22 ../
    drwxr-xr-x  2 nobody   nobody   4.0K Mar 28 09:53 12/
    -rw-r--r--  1 myusername myusername 3.4K Feb 15 02:17 account_notifications.gif
    -rw-r--r--  1 myusername myusername 3.5K Feb 15 02:16 account_orders.gif
    -rw-r--r--  1 myusername myusername 3.5K Feb 15 02:17 account_personal.gif
    
    How do I tell the permissions? Thanks :) ...getting there slowly :)
     
  12. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    The permissions are 644 for the files and myusername:myusername for the owner. You can actually get a graphical listing of the file permissions if you run this command instead:

    Code:
    stat -c '%a %n' /home/myusername/public_html/pathtofile
    Above myusername would be the cPanel username and pathtofile the path to the set file you are trying to get the permissions for. If you are getting 644 and myusername:myusername for the file that is an exploit file mentioned previously, then the file permissions and ownership are not the issue. At that point, check the attributes using that lsattr command previously provided instead.

    Also, if you want to understand how to count the file permissions, this is how it works:

    r = 4 (r is read)
    w = 2 (w is write)
    x = 1 (x is execute)

    You count up the permissions for each section for the files you've listed:

    rw- = 4 + 2 + 0
    r-- = 4 + 0 + 0
    r-- = 4 + 0 + 0
    total = 644

    If any of this is confusing, please let me know.

    Thanks!
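Tristan's 4/2/1 counting above, as an added shell example (not code from the post): it converts the symbolic mode that ls -l prints into the octal number that stat -c '%a' and chmod use, and back. It goes slightly beyond the post in handling the s/t (setuid, setgid, sticky) bits that a three-digit count does not cover, and in stripping the "+" or "." that ls appends to the mode field when ACLs or SELinux labels are present.

```shell
#!/bin/sh
# Added example (not from the post): symbolic <-> octal file modes.

# "rw-r--r--" or "-rw-r--r--" -> 644 ; "drwxr-x---" -> 750 ; "-rwsr-xr-x" -> 4755
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] && m=${m#?}           # drop the file-type character (d, -, l ...)
    if [ "${#m}" -ne 9 ]; then
        echo "bad mode string: $1" >&2; return 1
    fi
    case "$m" in *[!rwxstST-]*) echo "bad mode string: $1" >&2; return 1 ;; esac
    special=0; digits=""; i=0
    while [ $i -lt 3 ]; do                    # user, group, other triplets
        trip=$(printf '%s' "$m" | cut -c$((i*3+1))-$((i*3+3)))
        v=0
        case "$trip" in r??) v=$((v+4)) ;; esac            # r = 4
        case "$trip" in ?w?) v=$((v+2)) ;; esac            # w = 2
        case "$trip" in ??[xst]) v=$((v+1)) ;; esac        # x = 1 (s/t imply x)
        case "$trip" in
            ??[sS]) special=$((special | (4 >> i))) ;;     # setuid 4 (user), setgid 2 (group)
            ??[tT]) special=$((special | 1)) ;;            # sticky 1 (other)
        esac
        digits="$digits$v"
        i=$((i+1))
    done
    if [ "$special" -ne 0 ]; then echo "$special$digits"; else echo "$digits"; fi
}

# 644 -> "rw-r--r--" ; 4755 -> "rwsr-xr-x" ; 1777 -> "rwxrwxrwt"
octal_to_mode() {
    o=$1
    case "$o" in *[!0-7]*|"") echo "bad octal mode: $1" >&2; return 1 ;; esac
    special=0
    if [ "${#o}" -eq 4 ]; then special=${o%???}; o=${o#?}; fi
    if [ "${#o}" -ne 3 ]; then echo "bad octal mode: $1" >&2; return 1; fi
    out=""; i=0
    while [ $i -lt 3 ]; do
        d=$(printf '%s' "$o" | cut -c$((i+1)))
        bit=$((4 >> i))                       # which special bit belongs to this triplet
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        if [ $i -eq 2 ]; then on=t; off=T; else on=s; off=S; fi
        if [ $((special & bit)) -ne 0 ]; then
            [ $((d & 1)) -ne 0 ] && out="$out$on" || out="$out$off"
        else
            [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
        i=$((i+1))
    done
    echo "$out"
}

# Octal mode of a path taken from ls -ld, ignoring a trailing "+"/"." marker.
ls_mode_octal() {
    line=$(ls -ld -- "$1") || return 1
    set -- $line
    mode_to_octal "$(printf '%s' "$1" | cut -c1-10)"
}

# Usage: mode_to_octal drwxr-x---   -> 750   (the 750 reported later in the thread)
#        ls_mode_octal /home/myusername/public_html/images/.xcache
```

ls_mode_octal gives the same answer as the stat -c '%a' command in the post, which is a useful cross-check on a box where you are not sure stat is GNU.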
     
  13. ttmw

    ttmw Member

    I just ran the lsattr command and it just outputs the list of the file paths of the .xcache and contents of the file; I can't see any '-i' anywhere on any files.

    Can I try and use the:

    Code:
    cd /home/username/public_html/pathtofolder
    rm filename
    like previously mentioned? I don't want to try unless I'm told, because I know I have the potential to screw things over big style here if I type the wrong thing. lol

    Also, when I run:

    Code:
    stat -c '%a %n' /home/myusername/public_html/pathtofile
    it returns '750'.
     
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    For the previously provided commands to remove the file, please, please ensure you do this first:

    Code:
    cd /home/username/public_html/pathtofolder
    Then ensure you are in the right folder:

    Code:
    pwd
    This command shows the current working directory (it means specifically print working directory). At that point, you can try to remove the file:

    Code:
    rm .xcache
     
  15. ttmw

    ttmw Member

    It says "rm: cannot remove directory `trashxcache': Is a directory". I have thousands of files within that folder; I won't be able to go through them all. How do I remove the lot? Thanks :)
     
  16. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    So this is a folder not a file? I thought it was a file for some reason. That's problematic as you are going to have to use the -rf flags, which I really hate to use. You are certain this is an exploit directory, right? If you aren't, it's better to move it instead:

    Code:
    mv .xcache /root
    The prior files you pasted from the folder were all gif files and wouldn't be exploits at all, so that's why I'm a bit concerned you are removing something that you might not want to be removing that's needed for this site to work.

    Before removing the folder, please run the following and paste the output here:

    Code:
    ls -ld .xcache
    The command to remove the folder would be (ensure again you are in the right directory before running this):

    Code:
    rm -rf .xcache
    Of note, the rm -rf will remove the directory and its contents.
     
  17. ttmw

    ttmw Member

    That outputs...

    drwxr-x--- 2 nobody nobody 372736 Mar 16 10:58 .xcache/
     
  18. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    This explains why you couldn't remove it using cPanel, since it is owned by nobody:nobody and I am still wondering if this is truly an exploit. What are the entire contents of that folder? If all happen to be .gif files, then it cannot be an exploit as those are image files.

    Do you happen to run XCache for OPCode caching for PHP on the machine? If so, this might be what is happening.
     
  19. ttmw

    ttmw Member

    I think I may have got the wrong dir in that previous reply...

    ls -lah /home/myusername/public_html/images/.xcache returns:

    Code:
    drwxr-x---  2 nobody   nobody   364K Mar 16 10:58 ./
    drwxr-xr-x 11 myusernme myusername  52K Mar 30 20:49 ../
    -rw-r--r--  1 nobody   nobody    26K Mar  4 14:12 100-methyl-alcohol-reagent-acs-grade.htm
    -rw-r--r--  1 nobody   nobody    19K Mar  1 20:17 100-reagent-alcohol.htm
    -rw-r--r--  1 nobody   nobody    24K Mar  6 06:25 1980s-new-wave-artists.htm
    -rw-r--r--  1 nobody   nobody    24K Mar  6 06:10 1980s-new-wave-hits.htm
    
    Sorry about that! I must have got the dir below with all the images. All files are similar spam .htm files. Sorry for the mistake! :eek:
     
  20. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Ah, then simply run:

    Code:
    cd /home/myusername/public_html/images
    rm -rf .xcache
    If that is indeed the folder with the spam contents.
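Posts #16 to #20 come down to three checks before anything is deleted: what is actually in the directory, who owns it (nobody:nobody meant the web server wrote it, which is why cPanel and FTP as the account user could not touch it), and preferring mv over rm -rf when unsure. As an added example, not code from the thread, here are POSIX shell functions for that triage plus a quarantine step that records an ownership listing and moves the directory into a mode-700 holding area instead of destroying it. It assumes GNU stat (the thread uses stat -c as well) and a quarantine root of your choosing, such as /root/quarantine.

```shell
#!/bin/sh
# Added example (not from the thread): triage a suspect directory, then
# quarantine it instead of rm -rf so the evidence survives for later review.
# Assumes GNU coreutils stat (the thread itself uses stat -c).

# Count regular files directly inside DIR owned by WHO (a name or numeric uid).
# A directory full of files owned by the web server user (nobody here) was
# written by PHP, not uploaded by the account through FTP or cPanel.
count_owned_by() {
    dir=$1; who=$2
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec stat -c '%u %U' {} + 2>/dev/null \
        | awk -v who="$who" '$1 == who || $2 == who { n++ } END { print n + 0 }'
}

# Histogram of file extensions directly inside DIR, most common first,
# one "COUNT EXT" line each. Thousands of .htm with keyword-style names
# is a different picture from a folder of the site's own .gif images.
extension_histogram() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -type f 2>/dev/null \
        | awk -F/ '{ f = $NF; ext = (f ~ /\./) ? f : "(none)"; sub(/^.*\./, "", ext); print ext }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Move DIR under QROOT (created mode 700) with a timestamped name, after
# saving an ownership/permission listing beside it. Prints the new path.
# Note: if the directory carries the immutable attribute, mv fails just like
# rm does; clear it with chattr -i first. Keep QROOT on the same filesystem
# as the site so mv is a rename rather than a copy.
quarantine_dir() {
    dir=${1%/}; qroot=${2%/}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a directory" >&2; return 1
    fi
    mkdir -p -- "$qroot" && chmod 700 -- "$qroot" || return 1
    dest="$qroot/$(basename -- "$dir").$(date +%Y%m%d%H%M%S).$$"
    ls -lan -- "$dir" > "$dest.listing" || return 1
    mv -- "$dir" "$dest" || return 1
    echo "$dest"
}

# Usage on the server (assumed paths and quarantine root):
#   cd /home/myusername/public_html/images
#   count_owned_by .xcache nobody
#   extension_histogram .xcache
#   quarantine_dir .xcache /root/quarantine
```

Once the site has been confirmed working without the directory and the listing has been kept for the incident record, the quarantined copy can be removed from /root/quarantine at leisure; deleting in place with rm -rf, as the thread notes, leaves nothing to examine if the guess was wrong.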
     