The Community Forums


Hacked

Discussion in 'General Discussion' started by 4hosted, Sep 27, 2007.

  1. 4hosted

    4hosted Member

    Joined:
    Feb 27, 2004
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Hi, recently hacked from 1 (1) tiny php script... unbelievable.

    Anyway, when trying to restart Apache it starts like the following:

    /usr/local/apache/bin/httpd -k start
    /usr/local/apache/bin/httpd -k start

    Now I'm guessing this is wrong and part of the hack... could anyone help me find out how this is happening?

    Also, our php.ini was redirecting to the ZEND folder, which is unusual, as before it was /usr/local/lib/php.
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Do you have chkrootkit and rkhunter installed on your server? If not, you need to install, configure and run these two applications to get a report of the damage done on your server. Overall, you need to clean up your server, then secure and harden it. There are many threads in these forums that discuss server security.
     
  3. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    The first part is weird, because httpd doesn't have a -k option associated with it, from what I'm familiar with. Is that what you are typing to try and restart it?

    The Zend redirect is most likely because Zend Optimizer was installed on the system. It redirects php.ini to its own version.

    What has happened to lead you to believe you were hacked? As Servertune suggested, try installing a rootkit sniffer and see what results you get.
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    It's probably a process that is showing up as httpd in a ps because of the way the perpetrator set it up to do so. He'll have to do an lsof to figure out what it really is.

    M
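    One way to do the check mtindor describes, as an added example that is not from the thread: for every process whose name is httpd, read the /proc/<pid>/exe link (what lsof would show) and compare it with the real cPanel Apache binary named in the thread. Only /usr/local/apache/bin/httpd comes from the thread; the verdict strings and function names are assumptions.

```python
# Added example (not from the thread): find processes that call themselves
# "httpd" but whose executable is not the real Apache binary.
import os

EXPECTED_HTTPD = "/usr/local/apache/bin/httpd"  # path named in the thread


def classify(comm, exe_target, cmdline, expected=EXPECTED_HTTPD):
    """Verdict for one process: comm is /proc/<pid>/comm, exe_target the
    readlink() of /proc/<pid>/exe (None if unreadable), cmdline the argv list."""
    if comm != "httpd":
        return "not httpd"
    if exe_target is None:
        return "unreadable (inspect as root)"
    if exe_target.endswith(" (deleted)"):
        # Binary unlinked after start: nothing left on disk to hash or scan.
        return "suspicious: binary deleted from disk"
    # Compare resolved paths so a symlinked ServerRoot is not a false alarm.
    if os.path.realpath(exe_target) != os.path.realpath(expected):
        # ps shows the name the process chose; the exe link shows the truth.
        return f"suspicious: exe is {exe_target}"
    return "ok"  # genuine Apache; argv is normally '... -k start [-DSSL]'


def read_proc(pid):
    """Return (comm, exe_target, cmdline) for a pid, or None if it vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:  # another user's process or a kernel thread
        exe = None
    return comm, exe, cmdline


def scan_proc(expected=EXPECTED_HTTPD):
    """Return [(pid, verdict, cmdline)] for every process named httpd."""
    findings = []
    if not os.path.isdir("/proc"):
        return findings  # not a Linux procfs host
    for name in filter(str.isdigit, os.listdir("/proc")):
        info = read_proc(name)
        if info and info[0] == "httpd":
            findings.append((int(name), classify(*info, expected), info[2]))
    return findings


if __name__ == "__main__":
    for pid, verdict, cmdline in scan_proc():
        print(pid, verdict, " ".join(cmdline))
```

    Run it as root so every exe link is readable; anything flagged suspicious deserves the lsof look the post recommends.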
     
  5. S-Combs

    S-Combs Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Seems the box was recently upgraded and not hacked.


    httpd -h
    Usage: /usr/local/apache/bin/httpd [-D name] [-d directory] [-f file]
    [-C "directive"] [-c "directive"]
    [-k start|restart|graceful|graceful-stop|stop]
    [-v] [-V] [-h] [-l] [-L] [-t] [-S]
    Options:
    -D name : define a name for use in <IfDefine name> directives
    -d directory : specify an alternate initial ServerRoot
    -f file : specify an alternate ServerConfigFile
    -C "directive" : process directive before reading config files
    -c "directive" : process directive after reading config files
    -e level : show startup errors of level (see LogLevel)
    -E file : log startup errors to file
    -v : show version number
    -V : show compile settings
    -h : list available command line options (this page)
    -l : list compiled in modules
    -L : list available configuration directives
    -t -D DUMP_VHOSTS : show parsed settings (currently only vhost settings)
    -S : a synonym for -t -D DUMP_VHOSTS
    -t -D DUMP_MODULES : show all loaded modules
    -M : a synonym for -t -D DUMP_MODULES
    -t : run syntax check for config files
     
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Thanks! Apache 2 perhaps? Never used -k, I always use apachectl. In any event I don't see anything to indicate a machine was hacked. I think we need more info.
     
  7. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    Apache 2.x uses '/usr/local/apache/bin/httpd -k start' or 'httpd -k start -DSSL' (apachectl calls this, so no one would really notice a difference as it's automatically called from the init scripts).

    If you are seeing this, you or someone else has upgraded apache to 2.0 or 2.2. This is no reason to think the system was hacked. If a system was hacked you would see processes going crazy, weird errors, etc.
     
  8. 4hosted

    4hosted Member

    Joined:
    Feb 27, 2004
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Sorry, you're correct, it was because I rebuilt Apache.

    We were hacked by the c99.php script, it seemed to defunct our httpd.conf 443 lines.

    I never noticed the apache rollback function which is in all honesty a complete godsend!!

    I messed about for 8 hours trying to fix the httpd.conf and php.ini, rebuilding Apache, using rebuildhttpdconf, everything, when this simple option, if I had noticed it earlier, would have made it a 10 second job.

    I ran rkhunter and although it never found anything (thankfully) I reformatted anyway... just in case.
     
  9. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    c99shell can definitely create problems.

    You might want to look into running mod_security to stop php shells from gaining access or running commands.
     
  10. 4hosted

    4hosted Member

    Joined:
    Feb 27, 2004
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
  11. Frank Broughton

    Frank Broughton Active Member

    Joined:
    Feb 8, 2006
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Any suggested rules Todd?
     
  12. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    gotroot.com has a great set of rules; however, these aren't specific to cPanel servers.

    The specific ruleset I recommend is http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rootkits.conf

    These rules are for modsec2, and the rules within there should be good enough to stop most php shell attacks.

    I also recommend the rules in http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/rules.conf but be cautious when enabling these as they might interfere with custom applications that you may be using.
     