The Community Forums


How to block confspy.pl

Discussion in 'Security' started by gustavoulyssea, Dec 28, 2011.

  1. gustavoulyssea (Registered; joined Dec 28, 2011; cPanel Access Level: Root Administrator)

    Hello,

    I found many hacked accounts on my servers, and I found this confspy.pl running, stealing passwords.

    Google has information about it: a Perl script that is able to fetch files outside the user's directory.

    The problem is that I cannot block its execution. There are many renamed versions of the file; it relies on Perl.

    Did anyone experience this problem and come to a solution?

    Just to let you know, my server runs suPHP.

    Best regards,
    Gustavo Ulyssea
  2. faisikhan (Well-Known Member; joined Dec 12, 2011; Islamabad, Pakistan; cPanel Access Level: Root Administrator)

    Hi

    1. Yeah, it seems that your account is hacked, so you will have to suspend it immediately.
    2. Try to remove the scripts wherever you find them, delete the installed files and clear the Exim mail queue.
    3. Please make sure that the attack wasn't able to probe any deeper into the server, so you have to monitor it closely.
    4. All the accounts will need to be changed ASAP.
    5. Roll back the original affected cPanel account to an earlier backup and change all the account's FTP, SSH and MySQL passwords.
    6. As a precaution, change all the passwords (like the above) for any account which was listed within the hacker's confspy.pl file which you found.
    7. Update WordPress/Joomla/CMS plugins/versions to the latest available; this can be the root cause, as using older packages mostly helps hackers to enter such files.
    8. I hope you have firewalls enabled and running, and if not, please do so.
    9. Lastly, if nothing helps, immediately contact your host :)
  3. gustavoulyssea (Registered; joined Dec 28, 2011; cPanel Access Level: Root Administrator)

    Dear faisikhan,

    Thank you very much for your reply.

    Actually, we are the host provider :)

    My security team worked hard on that issue yesterday and we came to the following:

    - Changing all users' FTP/cPanel passwords;

    - As there's a high number of CMSs installed, I am unable to force clients to update. After changing the passwords we sent notifications to all clients and asked them to upgrade their CMSs and change passwords, keeping MySQL and FTP passwords different - *that's where configspy works*.

    OK, the previous problem was solved, but there will still be other CMS accounts hacked, as we know.

    We moved on to server security, changed the default suPHP options, set up each user with only one php.ini and added lines blocking security settings that could allow configspy to work.

    We also changed all public_html permissions to 750. suPHP works well, no client complaints yet, and users cannot read other clients' files with Perl.

    Best regards,
    Gustavo Ulyssea
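The permission change described in the post above, as an added example that is not part of the thread or of cPanel's own tooling: a small POSIX shell audit that reports every public_html still accessible to "other" users and tightens it to 750. HOME_ROOT and the web server group name are assumptions (cPanel's defaults are /home and nobody).

```shell
#!/bin/sh
# Added example, not from the thread: audit and fix public_html permissions
# the way the poster describes (chmod 750), so that another local account,
# including a Perl script running under it, cannot read a client's files.
# HOME_ROOT is an assumption; on a cPanel server it is /home.
HOME_ROOT="${HOME_ROOT:-/home}"

# Print "<dir> <octal mode>" for every public_html whose "other" permission
# bits are not all zero, i.e. readable, writable or traversable by any user.
audit_public_html() {
    root="$1"
    for dir in "$root"/*/public_html; do
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")   # GNU coreutils stat; e.g. 755 or 2750
        other=$(( mode % 10 ))        # last octal digit = "other" bits
        if [ "$other" -ne 0 ]; then
            echo "$dir $mode"
        fi
    done
    return 0
}

# Tighten every directory the audit reports to 750. With suPHP, PHP runs as
# the account owner, so the owner bits are enough for scripts.
fix_public_html() {
    root="$1"
    audit_public_html "$root" | while read -r dir mode; do
        chmod 750 "$dir" && echo "fixed $dir (was $mode)"
    done
    return 0
}

# Caveat for 750: static files are still served by the web server user, so
# the group owner must be that user or those files become unreadable.
# WEB_GROUP is an assumption (cPanel's default is nobody).
check_group_owner() {
    root="$1"; webgroup="${2:-nobody}"
    for dir in "$root"/*/public_html; do
        [ -d "$dir" ] || continue
        grp=$(stat -c '%G' "$dir")
        [ "$grp" = "$webgroup" ] || echo "$dir group=$grp"
    done
    return 0
}

case "${1:-}" in
    --fix) fix_public_html "$HOME_ROOT" ;;
    *)     audit_public_html "$HOME_ROOT"; check_group_owner "$HOME_ROOT" ;;
esac
```

Run it without arguments to report, and with --fix to apply 750; run the group check before trusting the result on a server whose public_html group owner is not the web server user.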
  4. faisikhan (Well-Known Member; joined Dec 12, 2011; Islamabad, Pakistan; cPanel Access Level: Root Administrator)

    Hi

    I know it is a bit of a difficult task to update the versions and plugins of the CMS, and if you would like to discuss the problem with any experienced web host specialist, he will surely recommend the updates to you; otherwise the problem will remain the same. What type of antivirus are you using currently? Is that updated too?
  5. cPanelTristan (Quality Assurance Analyst, Staff Member; joined Oct 2, 2010; cPanel Access Level: Root Administrator)

    Of note, if you know how the attack occurred, you might try adding a rule to mod_security to ensure any future attacks that might trigger the script would be denied. You haven't provided enough details to know how the attack actually occurred from domlogs entries to even try to make a rule for it in mod_security.

    If you do not already use mod_security, it can be configured by running WHM > EasyApache (Apache Update) in the Apache Modules Short Options section (Step 5) or by running /scripts/easyapache in command line.
  6. ilihost (Member; joined Jul 28, 2007; cPanel Access Level: Root Administrator)

    Hello,

    We are using pyxsoft antimalware and it is doing a very good job protecting our servers. We recommend it. http://www.pyxsoft.com
    It blocks all HTTP uploads of Perl files.

    Regards,

    Pablo.