The Community Forums


How can I spy on a user and how is this person able to ssh when shell is disabled?

Discussion in 'General Discussion' started by shred, Aug 19, 2006.

  1. shred (Member)
    Hello,

    How can I spy on a user to see what they are doing when logged in? I have a new sign-up; shell access is disabled, yet it looks as if the user is logging in to their account via SSH. I don't understand how this is happening, and I want to spy on this person to see what they are typing in the shell.

    I'm not 100% sure this person is logging in to their account via SSH, but when I do "last" I see:
    USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
    USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
    USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:24 - 19:24  (00:00)
    root     pts/0        xxxxxxxxxxx Fri Aug 18 18:34   still logged in
    root     pts/0        xxxxxxxxxxx Fri Aug 18 18:23 - 18:34  (00:10)
    root     pts/4        xxxxxxxxxxx Fri Aug 18 17:28 - 18:23  (00:55)
    USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 14:02 - 14:02  (00:00)
    USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 12:38 - 12:38  (00:00)
    

    Note that I edited the user's login to USER_IN_QUESTION, replaced all IP numbers with 000.00, and changed port numbers, user ID, group ID, etc.

    Also, something interesting in the logs is this:

    messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
    messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
    secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION, gid=99994
    secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION, uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
    secure.1:60778:Aug 18 12:27:15 MACHINE sshd[888]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2

    I changed this IP number to all 1s (11.111) to mask the IP number and also to show that it's a different IP number. Note that it looks like the user SSHed into the machine and then added a shell, but when I look in the password file the user is noshell. I don't know whether that is a cPanel thing, adding the user and group WITH shell=/bin/bash when creating the account, or whether the person did this. I guess I can check the date of the sign-up to see if it matches.

    Also, they uploaded an interesting file called nph-proxy.pl, which is in public_html/cgiproxy/nph-proxy.pl. Another file, uploaded and deleted several times, was fd_installer.pl, and there is also an interesting file in the home directory called .rnd; I don't have any idea what that file is. No other account has this file.

    I took a look at the CGI proxy script, and it seems it is for browsing the Internet anonymously; however, I wonder what kind of abuse it could be used for.

    Anyway, I want to log “everything” this user does on the system. I don’t want to delete the user without knowing for sure the person is up to no good. So far nothing bad has happened but I have to look into this.

    Below are some of the logs. I changed the log file for security purposes so I can post this publicly. All IP numbers have been changed to 000 or 111 or 222 and the user ID and machine name have been changed and are in CAPS.

    Thanks in advance!

    Below are some of the logs in the logs directory when I do a "grep -n USER_IN_QUESTION *"

    cron.1:13374:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99999]: (USER_IN_QUESTION) LIST (USER_IN_QUESTION)
    cron.1:13375:Aug 18 21:40:47 MACHINE SOME_PATH/bin/crontab[99991]: (USER_IN_QUESTION) LIST (USER_IN_QUESTION)
    exim_mainlog:66406:2006-08-18 12:18:34 SOME_EXIM_ID-0007Az-RF => USER_IN_QUESTION@SOME_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx4.SOME_HOST.net [222.222.22.22]
    exim_mainlog:66416:2006-08-18 12:20:17 SOME_EXIM_ID-0007UP-5X => USER_IN_QUESTION@SOME_EMAIL_HOST.net R=lookuphost T=remote_smtp H=SOME_EMAIL_HOSTmx1.SOME_HOST.net [222.222.22.22]
    messages.1:92181:Aug 18 12:27:15 MACHINE sshd(pam_unix)[999]: session opened for user USER_IN_QUESTION by (uid=0)
    messages.1:92184:Aug 18 12:27:48 MACHINE sshd(pam_unix)[9999]: session closed for user USER_IN_QUESTION
    messages.1:92188:Aug 18 12:31:02 MACHINE pure-ftpd: (?@000.00.0.00) [INFO] USER_IN_QUESTION is now logged in
    messages.1:92189:Aug 18 12:31:02 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (82 bytes, 2.05KB/sec)
    messages.1:92190:Aug 18 12:31:03 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] Deleted fd_installer.pl
    messages.1:92191:Aug 18 12:31:03 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//./fd_installer.pl uploaded (88 bytes, 2.19KB/sec)
    messages.1:92192:Aug 18 12:31:03 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] Deleted fd_installer.pl
    messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
    messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
    secure.1:60744:Aug 18 12:20:04 MACHINE groupadd[99992]: new group: name=USER_IN_QUESTION, gid=99994
    secure.1:60745:Aug 18 12:20:04 MACHINE useradd[99993]: new user: name=USER_IN_QUESTION, uid=99992, gid=99994, home=PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION, shell=/bin/bash
    secure.1:60778:Aug 18 12:27:15 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
    secure.1:60780:Aug 18 12:27:45 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
    messages.1:92220:Aug 18 12:31:43 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/fd_installer.pl uploaded (2815 bytes, 35.20KB/sec)
    messages.1:92221:Aug 18 12:31:44 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] Deleted fd_installer.pl
    messages.1:92222:Aug 18 12:31:45 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/nph-proxy.pl uploaded (250288 bytes, 760.75KB/sec)
    messages.1:92223:Aug 18 12:31:45 MACHINE pure-ftpd: (USER_IN_QUESTION@000.00.0.00) [NOTICE] PATH_TO_WEB_ACCOUNT_HOME_DIRECTORY/USER_IN_QUESTION//public_html/cgiproxy/README uploaded (39214 bytes, 224.50KB/sec)
     
  2. chirpy (Well-Known Member)
    The last entries don't necessarily indicate a shell login. The cPanel login shell actually allows a login and then terminates it; that's why it shows as successful, but for the same second. That is, they logged in, got the "go away" message and were logged out.

    The nph-proxy.cgi is a typical hacker's script. It's used to browse anonymously, as you mentioned, but is commonly used by hackers to launch attacks against other servers.

    I would have to assume the useradd and groupadd lines are from when you created their cPanel account.

    I don't know what the fd_installer.pl does, you'd need to post it.

    You'd really need to check the domlog for their domain to see what they're up to.
     
  3. shred (Member)
    OK, I see: the person is trying to SSH in but can't. I tried SSH with one of my accounts that I know does not have shell access, and you're right, it shows up as a login.

    As for the fd_installer.pl, it's been uploaded and deleted many times, so I cannot post it. How do I check the "domlog" for the domain? What IS the domlog??? The domain name was not registered through me, and the domain's DNS servers are not updated to my server, or not propagated yet. Also, it's a .info domain name and has the word "firewall" in the name. The person did pay with a credit card. I am going to refund 100% of the amount of the charge. I'm not sure if I should terminate this account or not, but either way I am going to issue a refund.

    Is there a way for me to tell if this person is launching an attack with this script?

    Thanks
     
  4. shred (Member)
    OK, I found the domlog directory. I did a cat on *thedomainname*, and it did not give me any more info than what I have.
     
  5. dwykofka (Well-Known Member)
    Honestly, I would call them and ask what they are doing on the server.

    Tell them that whatever they are doing is sending up red flags, and get a detailed explanation from them; then you can decide if you want to host them any longer.

    You might find out that it's a bad account, i.e. stolen CC or bad info.

    You might also find out that they have no clue about anything beyond FrontPage and they might have been hacked. Either way, I would go directly to the source.
     
  6. shred (Member)
    I was thinking the same thing, and I do have plans on calling them tomorrow.

    Thanks for the help
     
  7. NightStorm (Well-Known Member)
    I would consider the path that the file is being uploaded to as somewhat suspicious... not often do you use a //./ path in much of anything good.
    All I can find on the fd_installer.pl file is 0-byte files. The standard files that seem to be dropped into the same directories are various sorts of proxies (cgi-proxy, as an example) and CGI-based port scanners.
    I'd do the phone method... but I also would not be overly shocked to discover the information that was supplied at signup was forged, or "borrowed".
     
  8. jayh38 (Well-Known Member)
    SHRED,

    Why not just change your SSH port once in a while? Then you don't have to worry about login attempts. If you have jailshell customers this could be a problem, but I do not offer jailshell at all.

    Out of site, out of mind...
     
  9. shred (Member)
    Hey, that's a great idea!!! Sorry for being ignorant, but how do I change the SSH port??? As far as jailshell customers, that could be taken care of with a simple PHP script or some other kind of script for those users, I would think (if you have any). I don't have any customers that care about it. I did once, but that person seemed to disappear from the face of the earth.

    Also, it looks like this person is trying to log in via SSH on multiple ports, such as 3501, 57672, etc. When I try these ports I get host unreachable. The thing is, with this person the logs say password accepted for this person with these ports.

    I will be calling this person today.

    As far as the CGI scripts, I did a "chmod a-rwx" on the scripts and cgi directories, so at least they won't work. I also locked down the use_mod_dir to make sure this script won't be executed with http://IP_NUMBER/~$HOME/.
    This person's domain name STILL has not been changed to my name servers. I'm pretty sure I will be deleting this account today.

    Back to my original question: how can I spy on a user that has shell access??? I would like to know this for the future, just in case.

    Oh, and I'm a little worried about what may happen when I delete this account today. I hope I don't get a DoS attack or something.

    Thanks for the help!
     
  10. shred (Member)
    OK, I have changed the SSH port; however, when I restart SSH, WHM says SSH failed to restart. Even though SSH failed to restart, I can SSH in on the new port anyway. Also, the old port does not accept SSH connections, which is what I want, but I don't know what to make of the SSH failing on restart.

    Also, an update about the customer: I tracked down the person's "real" phone number, not the one that was provided, and found out that the credit card is stolen, yet the person didn't know. So I was the person to inform them about their credit card being stolen. Now if it were possible to catch the person who used the credit card.

    As for the account, well, let's just say I made it so the person can't get in. I just hope they were not able to do anything to cause damage.
     
  11. chirpy (Well-Known Member)
    That always happens as the cPanel restart procedure only checks for SSH on port 22.
     
  12. joako (Well-Known Member)
    fd_installer.pl is for a Flash decompiler. nph-proxy, as you have seen, is just a web-based proxy; the user can browse to whatever websites he visits. Review your access logs and you will probably see the URLs that the user has accessed, and also check the source IP, so you can see if maybe it's the user at work or something, or if a lot of people are using it....

    And as was mentioned, the SSH sessions were for only a few seconds. Try to create a test account on your server and SSH in. It will allow you to log in and display something like:

    Probably the user was trying to SSH in to use wget to download the scripts, instead of trying to upload them.
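The reading chirpy and joako give of the "last" output (a login that opens and closes in the same second is cPanel's noshell bouncing the user) can be turned into a check that runs over the logs exactly as the original post shows them. The script below is an added example written for this thread, not code from the forum or from cPanel; the passwd lines, "last" lines and syslog lines are constructed placeholders modelled on the masked logs in the first post (same names, masked addresses, same 2006 timestamps), and the sixty-second threshold is an assumption. Two details it surfaces deserve attention. First, the "port 9999" in sshd's "Accepted password for ... from IP port N" line is the client's source port, not a port on the server, so the random high ports shred mentions in an earlier post are where the client connected from, not where it connected to. Second, the pam_unix session for pid 99999 in the posted logs is open from 19:37:56 to 20:11:01 while "last" shows a zero-length pty for the same login: an authenticated connection that outlives the login shell by half an hour was kept up by something other than an interactive shell (port forwarding is the usual candidate), and a restricted login shell does nothing to stop that unless sshd_config also says AllowTcpForwarding no.

```python
import re
from datetime import datetime

# Login shells that print a message and exit (cPanel's noshell) or refuse outright.
NOSHELLS = {"/usr/local/cpanel/bin/noshell", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample input modelled on the masked lines in the thread; the
# names, addresses, pids and times are placeholders, not real data.
PASSWD = """root:x:0:0:root:/root:/bin/bash
shelluser:x:1001:1001::/home/shelluser:/bin/bash
USER_IN_QUESTION:x:99992:99994::/home/USER_IN_QUESTION:/usr/local/cpanel/bin/noshell
"""
LAST_OUTPUT = """USER_IN_QUESTION pts/5      00.000.000.000   Fri Aug 18 21:00 - 21:15  (00:15)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 19:37 - 19:37  (00:00)
root     pts/0        xxxxxxxxxxx Fri Aug 18 18:34   still logged in
shelluser pts/2       10.0.0.5         Fri Aug 18 17:00 - 17:42  (00:42)
USER_IN_QUESTION pts/4      00.000.000.000   Fri Aug 18 12:27 - 12:27  (00:00)
"""
SYSLOG = """secure.1:60778:Aug 18 12:27:15 MACHINE sshd[999]: Accepted password for USER_IN_QUESTION from 11.111.11.111 port 9999 ssh2
messages.1:92181:Aug 18 12:27:15 MACHINE sshd(pam_unix)[999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:92184:Aug 18 12:27:48 MACHINE sshd(pam_unix)[999]: session closed for user USER_IN_QUESTION
messages.1:94009:Aug 18 19:37:56 MACHINE sshd(pam_unix)[99999]: session opened for user USER_IN_QUESTION by (uid=0)
messages.1:94058:Aug 18 20:11:01 MACHINE sshd(pam_unix)[99999]: session closed for user USER_IN_QUESTION
"""

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3} \w{3}\s+\d+ \d{2}:\d{2}\s+"
    r"(?:-\s+\d{2}:\d{2}\s+\((?P<h>\d+):(?P<m>\d+)\)|(?P<open>still logged in))")
# The optional "file:lineno:" prefix is what `grep -n` prepends, as in the post.
SYSLOG_RE = re.compile(
    r"^(?:[\w.\-]+:\d+:)?(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd(?:\(pam_unix\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(r"session (?P<what>opened|closed) for user (?P<user>\S+)")


def parse_passwd(text):
    """Map user -> login shell from passwd-format text."""
    rows = (line.split(":") for line in text.splitlines() if line)
    return {f[0]: f[6] for f in rows if len(f) >= 7}


def parse_last(text):
    """Parse `last` output into pty sessions; minutes is None while still logged in."""
    out = []
    for m in filter(None, map(LAST_RE.match, text.splitlines())):
        minutes = None if m.group("open") else int(m.group("h")) * 60 + int(m.group("m"))
        out.append({"user": m.group("user"), "tty": m.group("tty"), "minutes": minutes})
    return out


def parse_sshd(text):
    """Return accepted logins and completed PAM sessions (seconds), paired by sshd pid."""
    accepted, opened, durations = [], {}, []
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        pid, msg = m.group("pid"), m.group("msg")
        if a := ACCEPT_RE.search(msg):
            accepted.append({"user": a["user"], "ip": a["ip"], "client_port": int(a["port"])})
        elif (s := SESSION_RE.search(msg)) and s["what"] == "opened":
            opened[(pid, s["user"])] = ts
        elif s and (pid, s["user"]) in opened:
            secs = int((ts - opened.pop((pid, s["user"]))).total_seconds())
            durations.append({"user": s["user"], "pid": pid, "seconds": secs})
    return accepted, durations


def analyze(passwd_text, last_text, syslog_text, hold_threshold=60):
    """Classify each login: noshell bounce, real shell, or authenticated connection held open."""
    shells = parse_passwd(passwd_text)
    findings = []
    for s in parse_last(last_text):
        restricted = shells.get(s["user"]) in NOSHELLS
        if s["minutes"] is None:
            kind = "open_tty"
        elif restricted and s["minutes"] == 0:
            kind = "noshell_bounce"             # authenticated, then the shell exited at once
        elif restricted:
            kind = "SHELL_FOR_RESTRICTED_USER"  # pty held for minutes: restriction bypassed?
        else:
            kind = "interactive_shell"
        findings.append((kind, s["user"], s["tty"]))
    accepted, durations = parse_sshd(syslog_text)
    for a in accepted:
        # "port N" in sshd's Accepted line is the client's source port, not a server port.
        findings.append(("accepted", a["user"], f"from {a['ip']} (client source port {a['client_port']})"))
    for d in durations:
        if shells.get(d["user"]) in NOSHELLS and d["seconds"] > hold_threshold:
            # Authenticated far longer than the zero-length pty in `last`: something
            # other than a shell (port forwarding, for instance) kept the connection up.
            findings.append(("held_open_without_shell", d["user"], f"{d['seconds']}s (pid {d['pid']})"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyze(PASSWD, LAST_OUTPUT, SYSLOG):
        print(f"{kind:26} {user:18} {detail}")
```

On a real server feed it the output of "last", /etc/passwd and "grep -n sshd /var/log/secure /var/log/messages"; the pts/5 line in the sample is the case to alarm on (a user whose shell is noshell holding a pty for fifteen minutes), and the 33-second session for pid 999 stays below the threshold on purpose so only the half-hour one is reported.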
     
  14. sepedatua (Registered)
    fd_installer.pl

    It's an online installer for James Marshall's CGIProxy. Most probably the connection comes from http://install.xav.com
     
    #14 sepedatua, Aug 29, 2006
    Last edited: Aug 29, 2006
  15. electric (Well-Known Member)
    One point that is important about this thread...

    You should *always* call the client to confirm their account. I can't imagine setting up an account on our servers for someone who has provided an invalid phone number. Anyone who is signing up for a hosting account and is giving you their credit card info online should not have a problem with receiving a phone call to confirm the order. In fact, our customers love it, and it's a great opportunity to show them first-hand that you offer great support/service, etc...

    Plus, it reduces fraud and these kinds of "hacker issues" to just about zero.
     
  16. hostit1 (Well-Known Member)
    If you want to spy on a user, try Eash (Enterprise Auditing Shell); it is a really neat keylogger system.

    You can replay a user's SSH sessions. I have learned a lot just by watching people's sessions.

    We have this installed on all our servers.

    I recommend not enabling ssh unless a user asks for it.

    I also recommend using jump boxes or require a user to access SSH from a dedicated IP address. This will help increase your security.

    Tim Rice
    Host It Now Networks
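Eash is one product that answers shred's original question; the same "record and replay the session" effect can be had from stock OpenSSH plus the util-linux "script" command. The wrapper below is an added example for this thread, not code from the forum, from cPanel or from Eash. Everything in it is an assumption: the install path /usr/local/sbin/record-session, the log directory /var/log/ssh-sessions, the group name sshusers, and the SESSION_LOGDIR override. sshd runs the ForceCommand for every login of the matched users, whether they asked for a shell or for a single command, so the wrapper honours SSH_ORIGINAL_COMMAND and otherwise starts a login shell, and it writes a typescript that "scriptreplay" or plain "cat" can play back.

```sh
#!/bin/sh
# Added example, not code from the thread or from Eash: record every SSH
# session of a group of users under util-linux `script`, forced by sshd.
# Assumed paths/names: /usr/local/sbin/record-session, /var/log/ssh-sessions,
# group "sshusers", SESSION_LOGDIR override.
#
# sshd_config (then restart sshd):
#   Match Group sshusers
#       ForceCommand /usr/local/sbin/record-session
#       AllowTcpForwarding no
# Log directory: mkdir -m 1733 /var/log/ssh-sessions
# (users may create files but not list the directory or remove each other's).

LOGDIR=${SESSION_LOGDIR:-/var/log/ssh-sessions}

# Per-session log name: user, UTC timestamp, client IP (first word of
# SSH_CONNECTION, which sshd sets to "client_ip client_port server_ip server_port"),
# and this wrapper's pid.
session_log_name() {
    user=$1
    client=${2%% *}
    stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    printf '%s/%s.%s.%s.%d.log\n' "$LOGDIR" "$user" "$stamp" "${client:-unknown}" "$$"
}

# What to run under `script`: the command the client asked for (scp, rsync,
# git ...) or a login shell when the client asked for an interactive session.
session_command() {
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        printf '%s\n' "$SSH_ORIGINAL_COMMAND"
    else
        printf '%s -l\n' "${SHELL:-/bin/sh}"
    fi
}

# Only hand over to `script` when invoked under the installed name; sourcing
# or running the file under another name just defines the functions above.
case $0 in
    *record-session)
        log=$(session_log_name "$(id -un)" "$SSH_CONNECTION")
        # -q: no start/stop banner, -f: flush after every write, -c: run this
        # instead of an interactive shell.  (util-linux options; BSD script differs.)
        exec script -q -f -c "$(session_command)" "$log"
        ;;
esac
```

Two caveats a practitioner should keep in mind. The wrapper runs as the logging-in user, so that user can delete their own typescript (the 1733 directory only protects other people's files); move the logs off to root-owned storage promptly, or record with the kernel audit subsystem instead (pam_tty_audit.so enable=* in the PAM session stack, replayed with aureport --tty), which the user cannot touch. And this is auditing, not containment: a user who gets a real shell under the wrapper can still do everything a shell user can, which is why the sshd_config fragment above also turns off TCP forwarding for the same group.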
     
  17. freedman (Well-Known Member)
    While I agree that anyone signing up should provide valid information and, in addition, should welcome phone calls, the value of this would be highly dependent on the value of the service.

    If someone's signing up for a $3/month hosting account, it's hardly worth the time to call each of these people.

    If they're signing up for an $80/month hosting account, then they probably deserve at least one phone call just to say hi.
     
  18. hostit1 (Well-Known Member)
    Really valid points. If you receive many hosting accounts per day, you may want to look at varilogix (there are other solutions as well). This will allow you to add coding to your webpage that will call the new prospective customer, asking them to approve the hosting subscription. You can also block international cellphones, etc.

    I think that there is a minimal charge ($1 per call), but it is worth it.

    varilogix integrates with WHMAutopilot and Lpanel.

    We used to get about $10,000 worth of fraudulent charges a month. varilogix has cut this down to about $0 - $50 a month.
     