The Community Forums

having a serious problem

Discussion in 'General Discussion' started by heymichelle, Apr 7, 2005.

  1. heymichelle

    heymichelle Well-Known Member

    Joined:
    Feb 25, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Hello,
    I don't know if this has anything to do with cPanel, but I have a server, and for 2 weeks now all the domains I am hosting seem like they are being directed to a different site. It's almost like these sites are being hijacked.

    This has happened twice, and when you try to go to a domain, it's showing a completely different domain it's trying to go to.

    Any suggestions would be very helpful.
     
  2. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Check the domain at dnsreport.com and see if the information looks correct.
     
  3. gracefive

    gracefive Member

    Joined:
    Jan 24, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Maybe it's a name directive in the httpd config file.
     
  4. heymichelle

    heymichelle Well-Known Member

    Joined:
    Feb 25, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    How can I check this?

    "name directive in httpd config file"
     
  5. gracefive

    gracefive Member

    Joined:
    Jan 24, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Is the website it is showing on the same server?

    (domainnameAA.com goes to domainBB.com on the same server)
    If so, you can add a NameVirtualHost above the problem domain name:

    NameVirtualHost your-iphere:80


    Add it above the problem (aaa.com) domain like this:

    NameVirtualHost your-iphere:80

    <VirtualHost sameIPhere>
    ServerName aaa.com
    ServerAlias www.aaa.com aaa.com
    ServerAdmin webmaster@aaa.com
    DocumentRoot /home/aaaa/public_ht
    </VirtualHost>


    usr/local/apache/config/httpd.config
     
    #5 gracefive, Apr 8, 2005
    Last edited: Apr 8, 2005
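The ordering point behind gracefive's advice is that, once NameVirtualHost is in effect, Apache walks the <VirtualHost> blocks for an address in file order, and the first block is also the default for any Host header that matches nothing. A block that sits above a customer's domain and lists that domain's hostnames therefore captures it. The script below is an added example, not code from the thread or from cPanel: it audits an httpd.conf for that pattern using a constructed sample configuration (the addresses and hostnames in it are assumptions; on cPanel the real file is /usr/local/apache/conf/httpd.conf).

```shell
#!/bin/sh
# Added example (not from the thread): audit the order of name-based
# virtual hosts in an Apache httpd.conf. Under NameVirtualHost the FIRST
# <VirtualHost> for an address wins for any hostname it lists, and it is
# also the default for unknown hostnames, so a block inserted above a
# customer's domain silently captures that domain.

# Constructed sample: a rogue block has been inserted above aaa.com and
# claims aaa.com's hostnames as aliases. Pass a real file as $1 instead.
SAMPLE_CONF='NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName rogue.example
    ServerAlias www.aaa.com aaa.com
    DocumentRoot /home/rogue/public_html
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName aaa.com
    ServerAlias www.aaa.com
    DocumentRoot /home/aaa/public_html
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName bbb.com
    ServerAlias www.bbb.com
    DocumentRoot /home/bbb/public_html
</VirtualHost>
'

# Emit the config to audit: the file named in $1, else the sample above.
conf_text() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s' "$SAMPLE_CONF"; fi
}

# One line per <VirtualHost>: address, position for that address, ServerName.
vhost_order() {
    conf_text "$1" | awk '
        /^[ \t]*<VirtualHost[ \t]/ { addr = $2; sub(/>.*$/, "", addr); pos = ++n[addr]; inv = 1; next }
        /^[ \t]*<\/VirtualHost>/   { inv = 0; next }
        inv && $1 == "ServerName"  { printf "%s\t#%d\t%s\n", addr, pos, $2 }'
}

# Hostnames claimed by more than one vhost on the same address. The earlier
# claim wins, so the later (usually the legitimate) vhost is shadowed.
shadowed_hosts() {
    conf_text "$1" | awk '
        function claim(a, h, p) {
            if ((a, h) in owner)
                printf "SHADOWED\t%s\t%s\tclaimed by vhost #%d before #%d\n", a, h, owner[a, h], p
            else
                owner[a, h] = p
        }
        /^[ \t]*<VirtualHost[ \t]/ { addr = $2; sub(/>.*$/, "", addr); pos = ++n[addr]; inv = 1; next }
        /^[ \t]*<\/VirtualHost>/   { inv = 0; next }
        inv && $1 == "ServerName"  { claim(addr, $2, pos) }
        inv && $1 == "ServerAlias" { for (i = 2; i <= NF; i++) claim(addr, $i, pos) }'
}

# Stand-alone run: show the consultation order, then anything shadowed.
vhost_order "$@"
shadowed_hosts "$@"
```

On the sample this lists rogue.example as vhost #1 and reports aaa.com and www.aaa.com as shadowed by it. Note that this audits the file on disk only; the case gflamerich's datacenter describes later in the thread (the loaded configuration patched in memory) leaves the file untouched, and a restart of Apache discards the tampered copy until whatever planted it runs again.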
  6. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    And you've got a trojan on your website as well, which wants to force itself onto the PC of the visitor. You've got some serious problems!
     
  7. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    The same thing is happening with my server. Were you able to fix it?
    All domains are being redirected to another site with a trojan in it; however, when I use the IP address instead of the domain, everything looks normal.
     
  8. gflamerich

    gflamerich Well-Known Member

    Joined:
    Jul 21, 2003
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    We had the same problem, but our datacenter solved it.

    Here is what they found:
    two scripts, flame.php and flame.so.

    "It appears the account 'account' uploaded the files below that were causing PHP to change the httpd.conf file after it was loaded into memory."
    "Also, I have disabled the dl() function in your php.ini. This should prevent this type of attack from being used in the future."

    We called the owner of the account, and they didn't upload anything today, but when we asked if they could have given their password to someone else, they told us they have a very easy password. So we think any simple script could guess the pw. Then we changed the pw.

    "This was an extremely difficult little bugger to track down. Its process would run for only a few seconds (long enough to make the memory modification) and then kill itself.

    I have modified the php.ini file to disable the dl() function, which was what this script was using to cause the problems. So it should not be able to be used again."


    Hope this helps
     
  9. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Disabling the dl function in PHP fixed it like magic. Thanks a lot. Still need to know how this happened and which account was responsible :mad:
     
  10. gflamerich

    gflamerich Well-Known Member

    Joined:
    Jul 21, 2003
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    Find the account responsible

    You should look at /usr/local/apache/domlogs/

    If the scripts on your box are the same as mine, look for flame.php and flame.so.
    You should also delete those files.

    By the way, in our case the owner of the account is a friend, so we are sure he didn't, but his password was so easy that we figure any script could guess it. It's not a mystery: cPanel uses the first 8 letters of a domain for the username, and if you set a silly pw, then you are out.
     
  11. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    There are hundreds of files in the domlogs folder; is there a command where I can search all at once?
     
  12. gflamerich

    gflamerich Well-Known Member

    Joined:
    Jul 21, 2003
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    Yes, you should use grep:

    # grep flame. /usr/local/apache/domlogs/*
     
  13. sureshot

    sureshot Member

    Joined:
    Mar 6, 2003
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Code:
    grep flame. *
    from within the folder
     
  14. gflamerich

    gflamerich Well-Known Member

    Joined:
    Jul 21, 2003
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    You also want to drop the connections to that file.

    Go to /etc/httpd/logs and find out if any IP is trying to reach that file:

    grep flame. err*

    You will find an IP (in my case it was 64.246.62.105).

    Then drop those connections with an iptables entry like this:

    iptables -I INPUT -s 64.246.62.105 -j DROP

    (replace the IP with the one in your logs)
     
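The grep commands in the last few posts match "flame." anywhere on a log line, and in a regular expression the dot matches any character, so a referrer or user agent containing the string would match too. The script below is an added example, not code from the thread: it does the same search over Apache combined-format access lines but scoped to the request path, counts requests per client, and prints (without running) the iptables rule gflamerich suggests for each client. The log lines are constructed; 64.246.62.105 is the address the thread reports, the other addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): find which clients requested a given
# file in Apache combined-format access logs (the per-domain "domlogs"),
# counting requests per client IP. Matching is done on the request path
# field only, as a fixed string, so "flame." cannot match a referrer or a
# user agent, and the dot is not a regex wildcard.

# Constructed sample log lines (64.246.62.105 is the address reported in
# the thread; the last line shows a referrer that plain grep would match).
SAMPLE_LOG='64.246.62.105 - - [08/Apr/2005:03:12:41 -0500] "GET /flame.php HTTP/1.1" 200 212 "-" "Mozilla/4.0"
192.0.2.44 - - [08/Apr/2005:03:13:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
64.246.62.105 - - [08/Apr/2005:03:15:09 -0500] "GET /flame.php?a=1 HTTP/1.1" 200 212 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Apr/2005:03:16:30 -0500] "POST /flame.php HTTP/1.1" 200 10 "-" "curl/7.12"
203.0.113.9 - - [08/Apr/2005:03:17:00 -0500] "GET /about.html HTTP/1.1" 200 900 "http://example.net/flame.php" "Mozilla/5.0"'

# Emit the log to search: the file named in $1, else the sample above.
log_text() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# requesters <needle> [logfile]: print "count ip", busiest client first,
# for every client whose request path ($7 in combined format) contains
# <needle> as a fixed string.
requesters() {
    log_text "$2" | awk -v needle="$1" '
        index($7, needle) { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# drop_rules <needle> [logfile]: print (do not execute) the firewall rule
# from the thread for each requester, so the list can be reviewed first.
drop_rules() {
    requesters "$@" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Stand-alone run against the sample: two clients fetched flame.php.
requesters flame.
drop_rules flame.
```

Against real logs call `requesters flame. /usr/local/apache/domlogs/somedomain` per file, or loop over the directory. A DROP rule for a single source is a stopgap: `iptables -I` is not persistent across a reboot, the address is only a client, and it does nothing about the account whose credentials were used to upload the files, which is what needs the password change and cleanup described earlier in the thread.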
  15. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Wow, the exact same IP was accessing flame.php with me too: 64.246.62.105
    The whois record shows it is hosted at ev1. Someone should report this.
     
  16. heymichelle

    heymichelle Well-Known Member

    Joined:
    Feb 25, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    still having problems

    Can anyone help me fix this problem, since I really don't know how to access the PHP directory, etc.?
     
  17. heymichelle

    heymichelle Well-Known Member

    Joined:
    Feb 25, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    please step by step


    I did find the exact IP; now what exactly do I do?
     
  18. heymichelle

    heymichelle Well-Known Member

    Joined:
    Feb 25, 2002
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    make sure i am doing this right


    Okay, I found this and changed it to Off. Is this correct?

    enable_dl = Off
     
  19. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6

    That is not correct. You need to find the line disable_functions = and add dl next to it.
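The two posts above touch two independent php.ini settings: enable_dl, the switch heymichelle changed, and disable_functions, the list mher points at. The script below is an added example, not code from the thread or from cPanel: it reads php.ini text and reports both settings side by side, so an administrator can see whether either route to dl() is still open. The php.ini fragments in it are constructed; the path of the real file varies by build (on the box itself, `php -i` prints the loaded configuration file).

```shell
#!/bin/sh
# Added example (not from the thread): report how a php.ini handles dl(),
# the runtime extension loader that flame.so was loaded through. Two
# separate settings matter: enable_dl and the disable_functions list.

# Constructed php.ini fragments: a permissive one and a hardened one.
OPEN_INI='; constructed sample
[PHP]
enable_dl = On
disable_functions =
'
HARDENED_INI='; constructed sample
[PHP]
enable_dl = Off
disable_functions = dl, system, exec
'

# dl_status: read php.ini text on stdin and print one line:
#   enable_dl=<value|unset> disable_functions_has_dl=<yes|no>
# Comment lines (;), section headers and blank lines are skipped; values
# are trimmed; the disable_functions list is split on commas.
dl_status() {
    awk -F '=' '
        /^[ \t]*;/ || NF < 2 { next }
        { key = $1; gsub(/[ \t]/, "", key)
          val = $2; gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val) }
        key == "enable_dl"         { edl = val }
        key == "disable_functions" { df = val }
        END {
            has = "no"
            n = split(df, fn, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", fn[i]); if (fn[i] == "dl") has = "yes" }
            printf "enable_dl=%s disable_functions_has_dl=%s\n", (edl == "" ? "unset" : edl), has
        }'
}

# dl_locked_down: succeed only when BOTH knobs are closed (the value is
# compared literally, so write "Off" as the thread does).
dl_locked_down() {
    case "$(dl_status)" in
        "enable_dl=Off disable_functions_has_dl=yes") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over both samples.
for ini in "$OPEN_INI" "$HARDENED_INI"; do
    printf '%s' "$ini" | dl_status
done
```

For a live check, feed the real file: `dl_status < /path/to/php.ini`, or `dl_locked_down < /path/to/php.ini && echo locked`. Any php.ini change takes effect only after Apache is restarted, and a disabled dl() stops this one loader, not the credential guessing that put the files on the account in the first place.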
     
  20. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    I think it's unlikely that a PHP file running with nobody privileges on an account could infect the whole server by injecting code into downloaded pages, but it may be part of the rootkit. I think that you may have found a way to 'patch' the effects of the hack; it may still be on your system. I have had similar cases and believe the kernel was compromised (as the link below explains).

    Have you tried installing this rootkit detection software (rkhunter and chkrootkit are known not to pick up this type of rootkit)? http://tsd.student.utwente.nl/skdetect/skdetect-0.4b.tar.gz

    More info I found here too: http://www.spywarewarrior.com/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf

    Take note that you don't need to be running old versions of OpenSSL or mod_ssl for hackers to obtain access to install these rootkits; they can just as happily download files and issue commands using the multitude of PHP script exploits that are out there. mod_security and a good set of rules is pretty much a definitely needed thing these days.

    Obviously local users can upload what they like, so you need to be vigilant too.
    I would also recommend the usage of a strong kernel; there are various sources for kernel patches to secure the Linux kernel further.

    I would be interested to know if skdetect turns up anything positive on the boxes that the posters mentioned within this thread.
     
    #20 DigitalN, Apr 8, 2005
    Last edited: Apr 8, 2005