The Community Forums

hacking help

Discussion in 'General Discussion' started by shann, Nov 28, 2002.

  1. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    Hi,

    If somebody hacks the site, which file do I have to look at to track the person?

    I have looked at domlogs, didn't find any info.

    Any help appreciated.

    Thanks
     
  2. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    The following are notes I made to myself after a recent hack...

    ================
    Things to look for after a hack --

    FIND a USER AS ROOT
    cat /etc/passwd | grep 0:0

    (You should see only one user with root access (you!). If more than 1, investigate!)

    FIND OPEN PORTS
    lsof | grep LISTEN
    Look for ports open -- ?

    CHECK THESE SERVICES
    /usr/sbin/nscd
    /bin/in.telnetd
    /bin/mjy
    /usr/sbin/in.fingerd
    /bin/ps
    /sbin/ifconfig
    /usr/bin/du
    /bin/netstat
    /usr/bin/top
    /bin/ls
    /usr/bin/find

    The following directories may also be created by a hacker:

    cd/.lib
    /usr/src/.puta
    /usr/info/.t0rn
    /dev/.lib

    NETSTAT
    netstat -l

    CHECK MODIFIED FILE TIMES
    find / -mtime -N -print
    (where N is the number of days previously to check, e.g. -mtime -1 for the last day)

    COMPARE OUTPUT OF LS
    Inside each modified directory you should compare the output of
    echo * with ls. If ls has been trojaned and configured to hide
    anything, the echo command will show

    The worm keeps itself active during reboots by appending some lines to /etc/rc.d/rc.sysinit
    disguised with the comment 'Name Server Cache Daemon..'. It also deletes /etc/hosts.deny and
    appends lines to /etc/inetd.conf to leave a root shell on port 1008. Finally, it emails the
    contents of /etc/passwd, /etc/shadow and the output from ifconfig -a to an address in the
    china.com domain.

    /etc/rc.d/rc.sysinit ## Search for "Cache", usually at the end of the file
    /etc/inetd.conf

    Utilities Included in Rootkit IV

    Programs That Hide the Cracker's Presence

    ls, find, du — will not display or count the cracker's files.

    ps, top, pidof — will not display the cracker's processes.

    netstat — will not display the attacker's traffic, usually used to hide daemons such as eggdrop, bindshell, or bnc.

    killall — will not kill the attacker's processes.

    ifconfig — will not display the PROMISC flag when sniffer is running.

    crontab — will hide the cracker's crontab entry. The hidden crontab entry is in /dev by default.

    tcpd — will not log connections listed in the configuration file.

    syslogd - similar to tcpd.

    Trojaned Programs That Have Backdoors

    chfn — root shell if rootkit password is entered in as new full name.

    chsh — root shell if rootkit password is entered as new shell.

    passwd — root shell if rootkit password is entered as current password.

    login — will allow the cracker to log in under any username with the rootkit password. If root logins are refused, user rewt will work. It also disables history logging.

    Trojaned Network Daemons

    inetd — root shell listening on port rfe (5002). After connection, the rootkit password must be entered in as the first line.

    rshd — trojaned so that if the username is the rootkit password, a root shell is bound to the port (i.e. rsh [hostname] -l [rootkit password]).

    Cracker Utilities

    fix — installs a trojaned program (e.g., ls) with the same timestamp and checksum information.

    linsniffer — a network sniffer for Linux.

    sniffchk — checks to make sure a sniffer is still running.

    wted — wtmp editor. You can modify the wtmp.

    z2 — erases entries from wtmp/utmp/lastlog.

    bindshell — binds a root shell to a port (port 31337 by default).

    ================
     
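As an added example (not code from bmcpanel's notes, and not anything shipped by cPanel), here is the checklist above turned into POSIX shell functions. Each takes a filesystem root so it can be pointed at the live host ("") or a mounted image of one; the rootkit directory names and the rc.sysinit/inetd.conf markers are the ones the notes list, while the `ss`/`netstat` fallback, the `--run` switch and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post or from cPanel: the checks from
# the notes above as functions that take a filesystem root ("" for the live
# host, "/mnt/image" for a mounted copy). Exit status 0 means "nothing found".

# 1. Rootkit drop directories named in the notes. Returns 1 if any exists.
check_rootkit_dirs() {
    root="${1:-}"
    found=0
    for d in /dev/.lib /usr/src/.puta /usr/info/.t0rn; do
        if [ -e "$root$d" ]; then
            echo "suspicious directory: $root$d"
            found=1
        fi
    done
    return $found
}

# 2. "Compare echo * with ls": the shell expands the glob itself, so an ls
#    that has been trojaned to drop names shows up as a difference.
#    Returns 1 if the listings differ. The ls binary to test is $2 (default: ls).
ls_hides_entries() {
    dir="$1"
    lscmd="${2:-ls}"
    glob_list=$(cd "$dir" && for f in *; do
        { [ -e "$f" ] || [ -L "$f" ]; } && printf '%s\n' "$f"
    done | sort)
    ls_list=$("$lscmd" -1 "$dir" | sort)
    if [ "$glob_list" != "$ls_list" ]; then
        echo "ls output differs from shell glob in $dir"
        return 1
    fi
    return 0
}

# 3. Files changed in the last N days (the find -mtime check). Prints paths.
recently_modified() {
    root="${1:-/}"
    days="${2:-1}"
    find "$root" -xdev -type f -mtime -"$days" -print
}

# 4. Persistence hooks from the notes: the 'Cache' comment the worm leaves in
#    rc.sysinit, and any inetd.conf service whose server is a shell.
#    Returns 1 on a hit and prints the matching lines with line numbers.
check_persistence() {
    root="${1:-}"
    hit=0
    if grep -n 'Cache' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
        hit=1
    fi
    if grep -n -E '/bin/(ba)?sh([[:space:]]|$)' "$root/etc/inetd.conf" 2>/dev/null; then
        hit=1
    fi
    return $hit
}

# 5. Listening sockets (lsof | grep LISTEN / netstat -l in the notes).
#    Live host only; ss is the modern equivalent, netstat the fallback.
listening_ports() {
    if command -v ss >/dev/null 2>&1; then ss -ltnp; else netstat -ltnp; fi
}

# Run everything against the given root; "" means the live host.
triage() {
    root="${1:-}"
    echo "== rootkit directories";  check_rootkit_dirs "$root" || true
    echo "== persistence hooks";    check_persistence "$root" || true
    echo "== modified in last day"; recently_modified "${root:-/}" 1 | head -n 200
    echo "== ls vs glob in system bin directories"
    for d in /bin /sbin /usr/bin /usr/sbin; do ls_hides_entries "$root$d" || true; done
    echo "== listening sockets";    listening_ports
}

# Only run the full triage when asked for explicitly:  sh triage.sh --run
case "${1:-}" in --run) triage "" ;; esac
```

On a host you already suspect, `find`, `ls`, `grep` and the shell itself are on the list of things a rootkit replaces, so run these from a trusted copy (boot media or a mounted image) rather than from the host's own `/bin`; the glob comparison only catches an `ls` that drops names, not one that lies about sizes or owners.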
  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Great list, but I would change one command.

    FIND a USER AS ROOT
    cat /etc/passwd | grep 0:0

    Change that to
    cat /etc/passwd |grep x:0

    The reason being that you can have a root UID with a different GUID.

    We have a few different root accounts for admins and each has their own GUID. So 0:0 will not catch those, but x:0 will.

    Again great list though.
     
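Both greps are substring matches on the whole line, so as an added example (not dgbaker's or bmcpanel's code) here is the same check done on the UID field itself with awk, run over a constructed passwd file that shows what each pattern misses. The account names, GIDs and the placeholder hash are made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: find UID-0 accounts by reading the
# third field of passwd instead of grepping for a substring. grep 0:0 misses a
# UID-0 account that has its own GID (dgbaker's admins) and matches any line
# where the digits happen to run together; grep x:0 misses any entry whose
# password field is not the shadow marker "x".

# Print the name of every account whose numeric UID is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Same check with GID and shell, so expected admin entries are easy to tell apart.
uid0_accounts_with_gid() {
    awk -F: '$3 == 0 { printf "%s uid=%s gid=%s shell=%s\n", $1, $3, $4, $7 }' \
        "${1:-/etc/passwd}"
}

# The two grep patterns from the thread, kept so the results can be compared.
grep_0_0() { grep '0:0' "$1" | cut -d: -f1; }
grep_x_0() { grep 'x:0' "$1" | cut -d: -f1; }

# Constructed sample passwd (PLACEHOLDERHASH is not a real hash):
#   root     - the expected UID-0 account
#   adminjoe - second UID-0 admin with its own GID: missed by grep 0:0
#   rewt     - UID 0 with a non-shadow password field: missed by grep x:0
#              (the name is the rootkit login from the notes above)
#   webops   - ordinary UID with GID 0: false positive for grep 0:0
#   shann    - ordinary user
write_sample_passwd() {
    printf '%s\n' \
      'root:x:0:0:root:/root:/bin/bash' \
      'adminjoe:x:0:501:Joe Admin:/home/adminjoe:/bin/bash' \
      'rewt:PLACEHOLDERHASH:0:0:rootkit account:/:/bin/sh' \
      'webops:x:1000:0:ops user:/home/webops:/bin/bash' \
      'shann:x:1001:1001:shann:/home/shann:/bin/bash' > "$1"
}
```

Against the sample, `uid0_accounts` reports root, adminjoe and rewt; `grep 0:0` reports root, rewt and webops (one miss, one false positive) and `grep x:0` reports root and adminjoe (missing rewt). Run `uid0_accounts /etc/passwd` on the real file and compare the list with the admin accounts you know you created.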
  4. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    Hi

    Thank you so much guys.

    Thanks Again
     
  5. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    /scripts/hackcheck

    will check to make sure some system RPMs match the original version. If you pass this test it doesn't mean that you haven't been hacked. It just means a lot of the utils you'd use to see a hacker's utils running are a-ok.
     
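As an added example of the same idea (not cPanel's `/scripts/hackcheck` and not code from shaun's post), here is a package verification pass over the utilities listed earlier in the thread using rpm's own `-V` output. It assumes an RPM-based host; the sample `rpm -V` output is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not cPanel's hackcheck: verify the packages that own the
# binaries a rootkit replaces and flag the ones whose contents changed.
# rpm -V prints one line per file that differs from the package database:
# a flags field (S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime; '.' means that attribute matches) or the word "missing",
# an optional type marker (c config, d documentation), then the path.
# Column layout varies between rpm versions, so only the first and last
# fields are used.

# Binaries named in the checklist and rootkit notes earlier in the thread.
CHECKLIST_BINARIES="/bin/ls /bin/ps /bin/netstat /sbin/ifconfig /usr/bin/du
/usr/bin/top /usr/bin/find /usr/sbin/nscd /bin/login /usr/bin/killall
/usr/bin/crontab /usr/sbin/tcpd /sbin/syslogd /usr/bin/chfn /usr/bin/chsh
/usr/bin/passwd /usr/sbin/inetd /usr/sbin/in.telnetd /usr/sbin/in.fingerd"

# Reads rpm -V output on stdin; prints "path flags" for every file that is
# missing or whose size or digest differs. A line with only T set (mtime)
# is deliberately not reported: timestamps are cheap to forge, as the 'fix'
# utility in the rootkit notes shows, so they are neither proof nor evidence.
flag_modified_files() {
    awk '
      $NF ~ /^\// {
          flags = $1; path = $NF
          if (flags == "missing")               print path, "missing"
          else if (flags ~ /S/ || flags ~ /5/)  print path, flags
      }'
}

# Live RPM host only: verify the package owning each checklist binary.
verify_checklist() {
    for b in $CHECKLIST_BINARIES; do
        [ -e "$b" ] && rpm -Vf "$b" 2>/dev/null
    done | sort -u | flag_modified_files
}

# Constructed sample of rpm -V output (not captured from a real host):
# ls has changed size and digest, ps only its mtime, inetd.conf is a
# modified config file, find is gone and top has only a mode change.
SAMPLE_RPM_V='S.5....T.    /bin/ls
.......T.    /bin/ps
S.5....T.  c /etc/inetd.conf
missing     /usr/bin/find
.M.......    /usr/bin/top'

report_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | flag_modified_files
}
```

On the sample this reports `/bin/ls`, `/etc/inetd.conf` and the missing `/usr/bin/find` and stays silent on `ps` and `top`. Shaun's caveat applies in full: `rpm` and its database live on the suspect host, so a replaced `rpm` binary or a rewritten database passes clean, and a clean run only says the listed packages match whatever the database now claims. Verifying with a known-good `rpm` against a copy of the database (`rpm --dbpath`) from before the incident, or against the original package files, removes that dependency.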