The Community Forums


Hacked site

Discussion in 'General Discussion' started by AlCpan, Apr 3, 2007.

  1. AlCpan (Registered)
    Hello,

    My server was hacked and I can see "passwd" or "passwd,v" files in a few accounts at:
    /home/user~/etc/

    Is that normal, or were these files created by a hacker?
     
  2. jayh38 (Well-Known Member)
    This is normal. What problems are you having, and how did you determine you were hacked?
     
  3. AndyReed (Well-Known Member, PartnerNOC), Minneapolis, MN
    Do you mean you can see these files through a browser or shell?
    Did you run the rkhunter and chkrootkit applications to scan for vulnerabilities? In some cases it is nearly impossible to be certain that a system hasn't been compromised if the system is online and running and the intruder was really good. Contact your host and ask them to investigate.
     
  4. acidstudioz (Active Member)
    That isn't normal. The hacker probably compromised a script on your server; the one I can mostly think of is a PHP script that doesn't escape PHP inputs. You might want to check that out.

    Also, as ServerTune said, run chkrootkit etc.
     
    #4 acidstudioz, Apr 3, 2007
    Last edited: Apr 3, 2007
  5. AlCpan (Registered)
    I saw my scripts on a competitor's website. Some of the config files on my server were changed to drop my site from Google SERPs (I've lost all rankings). I've restored some settings, but I don't know what else the hacker changed.

    I can see these files from cPanel's File Manager. I've run chkrootkit and found nothing. The host said "we found nothing".

    I have a few PHP scripts, written by myself, but how do I check that the code is secure? Is there any online tool?
     
  6. chirpy (Well-Known Member), Location: Go on, have a guess
    As jayh38 has said, having a passwd file in /home/username/etc/ is perfectly correct, you'll also find them in /home/username/etc/domain.com/ and they hold the passwords for email account logins and so, in themselves, are no evidence of hacking.
     
  7. tAzMaNiAc (Well-Known Member), Sachse, TX
    Chirpy --

    SO THEORETICALLY --

    The asswipe who keeps playing with my servers has the ability to do a cpanel exploit.. (the ROOT exploit we all thought was fixed) they could go into etc/ and pick up shadow and decrypt the password.. and upload all the spam they frickin want?

    Is that it?

    That is what I have a frickin problem with right now.. I'm being slammed by AOL spam reports and Comcast blacklists.. all because of this bull*!

    Someone decides to attack a site. uses cPanel ROOT exploit.. goes into /home/user/etc/domain.com/shadow and decrypts password. ftps in. uploads test/ to cgi-bin and uploads dm.cgi and all that sh*t.. then spams happily at 3 am while I am sleeping.

    CAN SOMEONE (davedark????????) LOOK INTO THIS PROBLEM> IT IS FRICKIN SERIOUS!
    and NO!!! It is NOT a hacked server.. all of my cpanel servers have this issue and I have every program known to mankind (or cPanel hosts at least) to keep it secure!

    Brenden
     
  8. chirpy (Well-Known Member), Location: Go on, have a guess
    You cannot decrypt the password, it's one-way encoded. It would have to be brute-forced.

    The problem is the hacker getting into the account in the first place through a vulnerable script on that account - that's the hole that needs closing by you or the owner of the account.

    What cPanel root exploit are you referring to? If you're aware of one you should inform cPanel since the last known ones were patched months ago.
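    Two points in this thread are worth turning into a check an admin can run on a backup or a live box: chirpy's note that the per-account passwd/shadow files under /home/username/etc/ (and /home/username/etc/domain.com/) are normal and only hold hashed mailbox credentials, and his follow-up that such hashes are one-way and can only be brute-forced. The script below is an added example, not code from the forum or from cPanel. It assumes those files follow the standard passwd(5)/shadow(5) layout (a reasonable assumption, but not confirmed by the thread), and the sample file contents, mailbox list and baseline date are constructed. It flags mailboxes the owner does not recognise, passwords changed after the last trusted backup, and entries whose hash format is cheap to brute-force (empty, DES-crypt, MD5-crypt), since hash cost is what stands between an attacker who copies the file and the plaintext.

```python
"""Audit cPanel-style per-mailbox shadow files for tampering and weak
password storage. Added example for this thread, not cPanel's own code.
Assumption: /home/<user>/etc/<domain>/shadow follows shadow(5) layout."""
from dataclasses import dataclass
from typing import List


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: int  # days since the epoch when the password was last changed


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines: name:hash:lastchg:min:max:warn:inactive:expire."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash the audit
        lastchg = int(fields[2]) if fields[2].isdigit() else 0
        entries.append(ShadowEntry(fields[0], fields[1], lastchg))
    return entries


def hash_strength(h: str) -> str:
    """Classify a crypt(3)-style hash by its prefix.

    Every format here is one-way; what differs is the cost of brute-forcing.
    DES-crypt and MD5-crypt are cheap, SHA-512-crypt and bcrypt are expensive."""
    if h == "":
        return "empty"            # mailbox logs in with no password at all
    if h.startswith(("!", "*")):
        return "locked"
    if h.startswith("$6$"):
        return "sha512-crypt"
    if h.startswith("$5$"):
        return "sha256-crypt"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("$1$"):
        return "md5-crypt (weak)"
    if len(h) == 13 and "$" not in h:
        return "des-crypt (weak)"
    return "unknown"


WEAK = {"empty", "md5-crypt (weak)", "des-crypt (weak)", "unknown"}


def audit_shadow(text: str, expected_names: List[str], baseline_day: int) -> List[str]:
    """Return human-readable findings for one shadow file.

    expected_names: mailboxes the owner knows about (e.g. from a backup).
    baseline_day: 'days since epoch' of the last known-good state; any
    password changed after it deserves a closer look."""
    findings = []
    known = set(expected_names)
    for e in parse_shadow(text):
        if e.name not in known:
            findings.append(f"{e.name}: not in expected mailbox list")
        strength = hash_strength(e.hash)
        if strength in WEAK:
            findings.append(f"{e.name}: password storage is {strength}")
        if e.lastchg > baseline_day:
            findings.append(
                f"{e.name}: password changed on day {e.lastchg} (after baseline {baseline_day})"
            )
    return findings


# Constructed sample modelled on /home/user/etc/example.com/shadow; the hash
# bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
sales:$6$saltsalt$fakehashvalueforillustrationonly:13600:0:99999:7:::
support:$1$saltmd5$fakemd5crypt:13500:0:99999:7:::
info::13500:0:99999:7:::
dm:$6$saltsalt$anotherfakehash:13610:0:99999:7:::
"""
EXPECTED_MAILBOXES = ["sales", "support", "info"]  # constructed owner inventory
BASELINE_DAY = 13605  # constructed: day of the last trusted backup

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW, EXPECTED_MAILBOXES, BASELINE_DAY):
        print(finding)
```

    On a real server the same function would be fed each shadow file under /home/*/etc/ and the mailbox list from the last clean backup; an unexpected mailbox or a recent password change is exactly the kind of thing an attacker who has reused a hashed credential leaves behind, and a file full of cheap hash formats is a reason to reset those mailbox passwords rather than to trust that "one-way" means "safe".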
     
  9. jayh38 (Well-Known Member)
    Ok, first things first. You said your DC found no evidence of an attack, so I would tend to believe that someone somehow acquired your password. If the intruder(s) were neat, then they probably doctored the logs.

    I would like to know if you are running a firewall and have you secured your box or hired someone to do so? If you are able to salvage backups (provided you at least create daily backups) I would recommend having the datacenter reload your cpanel and get a fresh start from archives.

    Do have your server secured by a professional. If this is not possible, then at the very least, install and use Chirpy's CSF, you will find this and other excellent free tools on his site. DO change your ssh port to something uncommon and search for many tutorials here for securing your server.

    If you had / did all of this in the past, then sorry for the useless information.
     