The Community Forums


HELP !!!! Website hacked by Viagra and medicine links

Discussion in 'Security' started by host2host, Dec 26, 2007.

  1. host2host

    host2host Member

    Joined:
    Dec 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    All cPanel guys, I really need your help. I have two servers and all the sites are getting hacked there. The hyperlink code for Viagra and medicine links is inserted in the index and other pages. I know these types of issues are faced by many cPanel users; I have tried everything but can't stop it. Guys, I need your help, please suggest.

    I have installed CSF firewall and set LFD trigger.
    I have changed pure-ftpd.conf to allow only connection from one IP to one account.
    I have also enabled Cpanel Hulk.
    I have changed the SSH port to 4589

    But still my sites are getting hacked and I am pissed off by this. I am a small reseller and losing my small number of clients. When we tail /var/log/messages for FTP logs I get the following types of log entries:

    Now if you check the logs, IP 66.232.126.195 is doing FTP to the account and changing the file in a fraction of a second; this same IP is found doing FTP to many accounts. I have blocked tons of IPs, still no effect.

    I have read all the posts on this on the cPanel forums but nothing.
    I have also upgraded the kernel and disabled the PHP functions specified by Configserver.com.
    I have disabled register_globals, enable_dl, everything, but I still can't stop this; please help me on this, please help.


    Thanks.
    CEO
    Host2Host
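    Added example (not from the thread and not cPanel tooling): the triage you can do on the pure-ftpd entries in /var/log/messages before changing anything else. It answers three questions from the post above: which source IP logs into more than one account, where a login succeeded only after failed attempts, and which files that IP uploaded. The log lines are constructed to follow the pure-ftpd syslog format; only the IP 66.232.126.195 comes from the post, and the account names and paths are made up.

```shell
#!/bin/sh
# Added example (not from the thread): triage pure-ftpd entries from
# /var/log/messages. SAMPLE_LOG is a CONSTRUCTED fixture in the pure-ftpd
# syslog format; only the IP 66.232.126.195 is taken from the post above.

SAMPLE_LOG='Dec 26 03:11:02 srv pure-ftpd: (?@66.232.126.195) [INFO] New connection from 66.232.126.195
Dec 26 03:11:03 srv pure-ftpd: (?@66.232.126.195) [WARNING] Authentication failed for user [siteone]
Dec 26 03:11:05 srv pure-ftpd: (?@66.232.126.195) [WARNING] Authentication failed for user [siteone]
Dec 26 03:11:07 srv pure-ftpd: (siteone@66.232.126.195) [INFO] siteone is now logged in
Dec 26 03:11:08 srv pure-ftpd: (siteone@66.232.126.195) [NOTICE] /home/siteone//public_html/index.php uploaded  (18214 bytes, 412.7KB/sec)
Dec 26 03:11:09 srv pure-ftpd: (siteone@66.232.126.195) [INFO] Logout.
Dec 26 03:12:40 srv pure-ftpd: (?@66.232.126.195) [WARNING] Authentication failed for user [sitetwo]
Dec 26 03:12:44 srv pure-ftpd: (sitetwo@66.232.126.195) [INFO] sitetwo is now logged in
Dec 26 03:12:45 srv pure-ftpd: (sitetwo@66.232.126.195) [NOTICE] /home/sitetwo//public_html/index.html uploaded  (9031 bytes, 300.1KB/sec)
Dec 26 09:30:12 srv pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Dec 26 09:30:14 srv pure-ftpd: (siteone@203.0.113.7) [INFO] siteone is now logged in
Dec 26 09:31:02 srv pure-ftpd: (siteone@203.0.113.7) [NOTICE] /home/siteone//public_html/about.html uploaded  (2210 bytes, 80.0KB/sec)'

# Print "ip count accounts" for every source IP that logged into more than
# $1 distinct accounts (default 1). Reads log text on stdin. Field 6 of a
# pure-ftpd line is "(user@ip)"; before authentication the user is "?".
ftp_multi_account_ips() {
    threshold="${1:-1}"
    awk -v t="$threshold" '
        / is now logged in/ {
            split($6, parts, /[@()]/); user = parts[2]; ip = parts[3]
            if (!((ip, user) in seen)) {
                seen[ip, user] = 1; n[ip]++; accts[ip] = accts[ip] " " user
            }
        }
        END { for (ip in n) if (n[ip] > t) print ip, n[ip], accts[ip] }
    ' | sort
}

# Print "ip user failures" for each login that succeeded after one or more
# failed attempts from the same IP for the same user: the "try a few times,
# then get in" pattern described in the thread.
ftp_guess_then_success() {
    awk '
        /Authentication failed for user/ {
            split($6, p, /[@()]/); ip = p[3]
            user = substr($NF, 2, length($NF) - 2)   # strip the [ ] around the name
            fails[ip, user]++
        }
        / is now logged in/ {
            split($6, p, /[@()]/); user = p[2]; ip = p[3]
            if (fails[ip, user] > 0) { print ip, user, fails[ip, user]; fails[ip, user] = 0 }
        }
    ' | sort
}

# List the files uploaded in sessions from IP $1 (what the intruder changed).
# pure-ftpd logs the chroot base and the path joined with "//"; normalise it.
ftp_uploads_from_ip() {
    awk -v ip="$1" '
        index($0, "@" ip ")") > 0 && / uploaded / { sub(/\/\//, "/", $8); print $8 }
    '
}

echo "== IPs logging into more than one account"
printf '%s\n' "$SAMPLE_LOG" | ftp_multi_account_ips 1
echo "== failed-then-successful logins"
printf '%s\n' "$SAMPLE_LOG" | ftp_guess_then_success
echo "== files uploaded from 66.232.126.195"
printf '%s\n' "$SAMPLE_LOG" | ftp_uploads_from_ip 66.232.126.195
```

    On the real box the same functions run over `grep pure-ftpd /var/log/messages`. An IP that needs only two or three attempts per account is not brute-forcing; it is working from a short list of passwords it already has, which is why the rate limits in CSF, cPHulk and pure-ftpd do not stop it and why the password changes later in the thread matter more than more blocking.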
     
  2. host2host

    host2host Member

    Joined:
    Dec 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Come on guys, is there nobody here who can help me?? Please please help me

    :( - :( - :( - :( - :( - :( - :( - :( - :( - :( -
     
  3. LordZ

    LordZ Registered

    Joined:
    Oct 1, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    What cPanel version do you run? There was an issue with some version at Hostgator.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,480
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You might read this thread or chime in there.
    http://forums.cpanel.net/showthread.php?t=62821

    Install mod_security.

    Make sure every single script you have on the server is up to date. (ie: Joomla, Mambo, phpbb, gallery, vbulletin)

    Make sure every single account is not using addons that are not safe. (ie: http://help.joomla.org/component/option,com_easyfaq/task,view/id,186/Itemid,268/)

    Kill anything *nuke

    Change every single password for your clients who may not be smart enough to do it for themselves.

    Scour every account for out of date scripts they've forgotten they had installed. (it happens!)

    To name but a few steps you can take. ;)
     
  5. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Simply change the account password to something hard to guess and do not store this password in your FTP program on your local computer.
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    That doesn't account for the case where another account was compromised and that point of weakness was then used to compromise other accounts.

    Hardening your PHP installation may also be a good idea (in addition to what InfoPro recommended). Documentation on how you can do this is available at:

    http://www.cpanel.net/support/docs/ea/ea3/ea3php_hardening_php.html
     
  7. kkargel

    kkargel Active Member

    Joined:
    Nov 28, 2007
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    The sad part is that if they own some of the other accounts, they probably own root. If that has happened your ONLY recourse is to wipe the box and start over. Do NOT reinstall any account with the old password.

    If you absolutely cannot wipe the box then put up a second box and move accounts one at a time from the compromised box to the new box and be excessively paranoid about moving scripts you are not 100% sure of.

    Shut down ftp and SSH until you get the situation resolved. Disable ALL services you are not using on the box and firewall them. Disable SSHv1.

    A good check to use is chkrootkit. Google that and get the latest verifiable version from the source. That will go over the box and check for exploits.

    Move your system log files off to a logserver so that the culprit cannot so easily edit the logfiles to cover his tracks. At least then you will have some forensics to work with.

    Get hold of the good folks at hosts.com and let them know that they also have a compromised box.

    Good luck, I feel your pain. Contact me offlist if you would like me to run a vulnerability scan against your box from the world and let you know what is open on the box.
     
  8. host2host

    host2host Member

    Joined:
    Dec 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Sorry, I did not specify in my last post that the servers already have
    phpsuexec enabled,
    mod_userdir protection enabled,
    SUEXEC enabled,
    PHP open_basedir protection enabled.

    Still don't know how they are hacking in. When I tail /var/log/messages

    I get FTP logs of one IP doing FTP to various accounts on the server :eek:

    Please, can anyone suggest how this is happening, as I have run out of tweaks and settings at this point :confused::confused::confused::confused::confused::confused::confused::confused:
     
  9. kkargel

    kkargel Active Member

    Joined:
    Nov 28, 2007
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    What user are they logging in as to accomplish the FTPs? They must be logging in as someone. Who owns the files after they are placed?

    Look through your ftpusers for suspicious entries.

    Look for wheel users that shouldn't be there.

    Look for users with UID/GID < 100
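    Added example (not from the thread): kkargel's checks written as shell functions over explicit file paths, so they can be run against copies of /etc/passwd and /etc/group and against a web root, and also answer the "who owns the files" question by printing the owner of every recently changed web file that carries pharma-spam text. Everything under $DEMO is a constructed fixture; the "toor" and "ftpmaint" entries show the kind of thing to look for and are not real findings from the poster's servers.

```shell
#!/bin/sh
# Added example (not from the thread): kkargel's checklist as functions over
# explicit file paths. The fixtures under $DEMO are CONSTRUCTED; "toor" and
# "ftpmaint" are illustrations of what a planted account looks like.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

cat > "$DEMO/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
toor:x:0:0::/root:/bin/bash
ftpmaint:x:99:99::/tmp:/bin/bash
siteone:x:501:501::/home/siteone:/usr/local/cpanel/bin/noshell
sitetwo:x:502:502::/home/sitetwo:/usr/local/cpanel/bin/noshell
EOF

cat > "$DEMO/group" <<'EOF'
root:x:0:
wheel:x:10:root,toor
siteone:x:501:
sitetwo:x:502:
EOF

mkdir -p "$DEMO/home/siteone/public_html" "$DEMO/home/sitetwo/public_html"
printf '<html><body>Welcome\n<div style="display:none"><a href="http://pills.example/">buy viagra online</a></div>\n' \
    > "$DEMO/home/siteone/public_html/index.php"
printf '<html><body>About us</body></html>\n' > "$DEMO/home/sitetwo/public_html/about.html"

# A second UID-0 account, or a UID below 100 that has a real login shell.
# "$1" is a passwd-format file.
suspicious_low_uids() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "EXTRA-UID0", $1 }
        $3 > 0 && $3 < 100 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
            print "LOW-UID-WITH-SHELL", $1, $3, $7
        }
    ' "$1"
}

# Members of wheel other than root. "$1" is a group-format file.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# Web files under "$1" modified in the last "$2" days (default 2) that carry
# pharma-spam text, printed as "owner path" so the account used is obvious.
recent_spam_links() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) -mtime "-${2:-2}" |
    while IFS= read -r f; do
        if grep -qiE 'viagra|cialis|levitra|pharmacy' "$f"; then
            printf '%s %s\n' "$(stat -c '%U' "$f")" "$f"
        fi
    done | sort
}

echo "== accounts to explain"
suspicious_low_uids "$DEMO/passwd"
echo "== wheel members besides root"
wheel_members "$DEMO/group"
echo "== recently changed web files with spam links (owner path)"
recent_spam_links "$DEMO/home" 2
```

    On a live server the arguments are /etc/passwd, /etc/group and /home. The owner column is the answer to "who owns the files after they are placed": under suexec/phpsuexec a file written through FTP is owned by the account whose credentials were used, which narrows the question to that account's password. The keyword grep is deliberately crude and will also match legitimate pharmacy content, so treat its hits as leads to diff against a known-good copy, not as proof.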
     
  10. host2host

    host2host Member

    Joined:
    Dec 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    They are logging in as all users; the FTP log shows they try logging in as each user. For some they get authentication failed, they try again, and in a few attempts they get in.

    For these multiple attempts I have enabled cPanel Hulk, I have enabled the CSF LFD trigger, and I have enabled the pure-ftpd setting for only one FTP connection from one IP, but still they are not stopping.

    Also in /etc/group, wheel has only root as a user.

    But do you guys know this one thing about cPanel:

    ftp://FTPuser:RootPassword@serverIP
    will log you in to that FTP account?

    I mean, if you have the root password then you can log in to any FTP account on the server.

    On the basis of this rule I have also disabled root login to the server, and I have changed the root password to a 32-character strong password, but still it is not being stopped.

    Can anyone help ?

    :(:(:(:confused::confused::confused::eek::eek:
     
  11. kkargel

    kkargel Active Member

    Joined:
    Nov 28, 2007
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Have you tried running chkrootkit or rkhunter on the box to check for exploits yet?
     
  12. linux7802

    linux7802 Well-Known Member

    Joined:
    Dec 14, 2007
    Messages:
    232
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Linux

    You need to be sure that the permissions and ownership for your account are correct, then check the database for the site where you see the hack problem and remove the links from your database. :)

    I hope it will help you.

    bye
    Linux7802:)
     
  13. SimplyIT

    SimplyIT Member

    Joined:
    Feb 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Have you checked in the /tmp folder to see if they've managed to upload their own script? They could be bypassing everything else with that.
     
  14. host2host

    host2host Member

    Joined:
    Dec 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    /tmp was the first thing I checked
     
  15. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Is this still going on?

    If you change the password on a few selected accounts, do they still get in minutes later with FTP, or do they get locked out at that point? If you kill FTP for 30 minutes and restart, does the attack start back up again? If this is a bot-related attack, many will abandon if they cannot access their target after a short period.

    Did you check your binaries to be sure you are not running an exploited service like FTP, shell, etc.? Don't just run rootkit checkers but actually look at the FTP binaries' date stamps and anything else that looks like it's getting used. If you run pure-ftpwho, do you see them connected all the time or popping in and out?
     
    #15 nyjimbo, Dec 27, 2007
    Last edited: Dec 27, 2007
  16. DennisTG

    DennisTG Registered

    Joined:
    Jan 23, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    If it's the same issue as why Servage and others have been hacked..
    /slap on you..
    The spam that has happened over the past 3 weeks has been due to kernels not being updated (for one..).
    Start by making sure you have updated the kernel and all other scripts that are running.
    Especially all those "one click install" scripts that come with things such as Fantastico.

    Make the proper updates, install mod_security, tighten your Apache+PHP install.

    Install a firewall and other kinds of protection while you're at it if you haven't already.
    Good luck.
     
  17. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    I wonder if host2host has been able to solve this problem :cool:
     
  18. bls24

    bls24 Well-Known Member

    Joined:
    May 12, 2007
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    How often are kernels released (on average)?
    And where do you see if you have the latest version? I know what version I have, but where on the CentOS site are they located, to see if your version matches the latest one?
     
  19. markfrompf

    markfrompf Well-Known Member

    Joined:
    Mar 27, 2006
    Messages:
    176
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Los Angeles, CA
    You should probably also firewall out the IP range, since you found it in your logs. Then, when you're all secured, unfirewall it and see if he gets back in.

    Also, this one hit us a month or so ago: C99MadShell
     
  20. iFAdam

    iFAdam Registered

    Joined:
    Jun 1, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    register_globals = Off

    This will thwart a heap of attacks; also make sure you have a .htaccess file in place to prevent some malicious types of URL calls.
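    Added example (not from the thread): a small audit of a php.ini for the settings this thread keeps coming back to (register_globals, enable_dl, disable_functions and a few related ones), run against a weak file and a hardened one placed side by side. The expected values are a hardening baseline assumed for this example, not a cPanel default; both ini files are constructed fixtures, and open_basedir is left out because the post above describes it as enabled through cPanel's own protection rather than through php.ini.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php.ini against an assumed
# hardening baseline. Both ini files below are CONSTRUCTED fixtures.

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Weak: the settings many boxes of this era still ran.
cat > "$DEMO/weak.ini" <<'EOF'
[PHP]
register_globals = On
enable_dl = On
allow_url_fopen = On
expose_php = On
display_errors = On
disable_functions =
EOF

# Hardened: every setting explicit, and the shell-spawning functions disabled.
cat > "$DEMO/hardened.ini" <<'EOF'
[PHP]
register_globals = Off
enable_dl = Off
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source
EOF

# Print one WEAK line per setting that is not at the baseline value. A setting
# that is not mentioned at all is reported too: rely on explicit values, not
# on whatever default the PHP build happens to ship with.
php_ini_audit() {
    awk -F= '
        BEGIN {
            want["register_globals"] = "off"; want["enable_dl"] = "off"
            want["allow_url_fopen"] = "off";  want["allow_url_include"] = "off"
            want["expose_php"] = "off";       want["display_errors"] = "off"
        }
        /^[ \t]*[;#]/ || NF < 2 { next }          # comments, blank lines, [sections]
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = tolower($2); gsub(/[ \t"]/, "", val)
            seen[key] = val
        }
        END {
            for (k in want) {
                v = (k in seen) ? seen[k] : "(unset)"
                if (v != want[k]) print "WEAK", k, "=", v, "(want " want[k] ")"
            }
            if (!("disable_functions" in seen) || seen["disable_functions"] == "")
                print "WEAK disable_functions is empty"
        }
    ' "$1" | sort
}

echo "== weak.ini"
php_ini_audit "$DEMO/weak.ini"
echo "== hardened.ini (no output means every checked setting is at baseline)"
php_ini_audit "$DEMO/hardened.ini"
```

    Point it at the php.ini that `php --ini` reports on the server, and remember that with phpsuexec a per-directory php.ini in an account can override the global one, so the same audit is worth running on any php.ini found under /home.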
     