
Hacking

Discussion in 'General Discussion' started by mahdionline, Oct 6, 2004.

  1. mahdionline

    mahdionline Well-Known Member

    Hi

    A site of my customer was hacked today. The hackers replaced the index page and put up a new page!

    I found out this hacker has a site on my server. What's the problem? How did this hacker do this?

    I want to find out who hacked this site, when, and why.

    I am a beginner in Linux and I do not know how I can watch the server logs (FTP access, HTTP access, other ports).

    Regards
     
  2. Norman

    Norman Well-Known Member

    I would start hitting those logs..

    After you get your customer up and working again.. try to go through the:
    /var/log/messages
    and the httpd logs (different on some servers)

    Just start going through the logs to see if you can see when and how they got in.
    Might have even been an FTP attack, so make sure you check your xfer logs as well.


     
  3. AbeFroman

    AbeFroman BANNED

    cd /usr/local/apache/domlogs
    grep wget *;grep lynx *;grep rcp *;grep scp *;grep fetch *;grep curl *;grep "/tmp" *;grep Wget *
     
  4. damainman

    damainman Well-Known Member

    What exactly does this do?
     
  5. AbeFroman

    AbeFroman BANNED

    If a script was exploited I will tell you which script.
     
  6. GOT

    GOT Get Proactive!

    If you have not enabled php open_basedir, this is relatively easy to do.
     
  7. AbeFroman

    AbeFroman BANNED

    What is php open_basedir?
     
  8. GOT

    GOT Get Proactive!

    From the PHP website:

    open_basedir string
    Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

    When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.

    The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().

    Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

    The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"

    Note: Support for multiple directories was added in 3.0.7.

    The default is to allow all files to be opened.
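
An added example, not part of the thread or the PHP manual: a shell model of the prefix rule quoted above, applied to per-account home directories on a shared server. The account names bob and bobby are constructed, paths are assumed to be already resolved (no symlinks), and the special value . is not modeled.

```sh
#!/bin/sh
# basedir_allows VALUE PATH
# Exit 0 if PATH is admitted by the colon-separated open_basedir VALUE under
# the prefix rule: each entry is compared as a string prefix of PATH.
basedir_allows() {
    value=$1; path=$2
    old_ifs=$IFS; IFS=:; set -f          # split on ":" without globbing
    for entry in $value; do
        [ -n "$entry" ] || continue      # ignore empty entries ("a::b")
        case $path in
            "$entry"*) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# lint_basedir VALUE
# Print every entry that lacks the trailing slash and therefore also admits
# sibling paths that merely start with the same characters.
lint_basedir() {
    old_ifs=$IFS; IFS=:; set -f
    for entry in $1; do
        case $entry in
            ''|*/) ;;                    # empty or slash-terminated: fine
            *) printf '%s\n' "$entry" ;;
        esac
    done
    IFS=$old_ifs; set +f
}

# Constructed accounts: bob's site must not read bobby's files.
weak='/home/bob:/tmp/'
strict='/home/bob/:/tmp/'
target='/home/bobby/public_html/config.php'

basedir_allows "$weak" "$target"   && echo "weak:   $target readable"
basedir_allows "$strict" "$target" || echo "strict: $target refused"
lint_basedir "$weak"
```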
     
  9. dezignguy

    dezignguy Well-Known Member

    Just what field are you a security expert in, Abe Froman? Since it obviously isn't computer/server security.
     
  10. StevenC

    StevenC Well-Known Member

    No kidding, that line he pasted is something I had posted before. He knows nothing about security except what people have posted and he stuck in Notepad :)
     
  11. webits

    webits Well-Known Member

    What does this DO??

    Seriously, what does this do?
    grep wget *;grep lynx *;grep rcp *;grep scp *;grep fetch *;grep curl *;grep "/tmp" *;grep Wget
     
  12. GOT

    GOT Get Proactive!

    It searches your clients' access logs for those words.

    It's basically useless.
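
An added example, not part of the thread: the same word search over the domlogs, narrowed to the query string of each request so that every hit is reported with client IP, timestamp and status. The lines in sample_log are constructed, and the field layout assumes Apache's combined log format.

```sh
#!/bin/sh
# Words from the grep posted in the thread, matched as whole words
# (case-insensitive) so that e.g. "curling" does not hit on "curl".
PATTERN='(^|[^a-z0-9])(wget|lynx|rcp|scp|fetch|curl)([^a-z0-9]|$)|/tmp'

# scan_domlog [FILE...] : read combined-format access logs (or stdin) and
# print "client_ip<TAB>timestamp<TAB>status<TAB>request" for each hit.
scan_domlog() {
    awk -v pat="$PATTERN" -F'"' '
    {
        req = tolower($2)          # request line: METHOD URI PROTOCOL
        # Undo the escapes most often seen around these words.
        gsub(/%20|\+/, " ", req); gsub(/%2f/, "/", req); gsub(/%3b/, ";", req)
        q = index(req, "?")
        if (q == 0) next           # no query string, nothing to inspect
        if (substr(req, q + 1) !~ pat) next
        split($1, pre, " ")        # pre[1] = client IP, pre[4] = "[timestamp"
        split($3, post, " ")       # post[1] = HTTP status
        printf "%s\t%s\t%s\t%s\n", pre[1], substr(pre[4], 2), post[1], $2
    }' "$@"
}

# Constructed sample lines (documentation addresses, made-up paths).
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [06/Oct/2004:09:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Wget/1.9.1"
203.0.113.9 - - [06/Oct/2004:09:14:22 +0000] "GET /gallery.php?dir=;wget%20example.invalid/f HTTP/1.0" 200 211 "-" "Mozilla/4.0"
198.51.100.8 - - [06/Oct/2004:09:15:00 +0000] "GET /search.php?q=curling+scores HTTP/1.1" 200 900 "-" "Mozilla/4.0"
EOF
}

# Only the second line is reported; a plain grep for the words would also
# flag the Wget user agent and the "curling" search.
sample_log | scan_domlog
```

On a real server the function takes the log files as arguments, for example the files under /usr/local/apache/domlogs mentioned earlier in the thread.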
     
  13. mahdionline

    mahdionline Well-Known Member

    I want each user to be able to access only its own files and folders. How can I set open_basedir in php.ini? :confused:

    Regards
     
  14. Aric1

    Aric1 Well-Known Member

    Your best bet is to log into WHM, click Tweak Security, click Open_Basedir Protection and enable it there.
     
