The Community Forums


http being hijacked

Discussion in 'Security' started by noimad1, Jan 26, 2015.

  1. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    This is not cPanel specific, but more of a general security question.

    So last year I dealt with a server that had been rooted and the attacker was modifying the http output before it was delivered to the end-user to inject malicious code. They were using this to do multiple items such as redirect to adult sites, display popup ads, and display inline ads on my client's site. And just to confirm, because I know someone will bring this up, but it was not being injected into the actual files in the hosting account. It was being done on the httpd server level. We believe they modified some binaries, but we weren't able to track it down completely... just had to move the client to a fresh clean server. It was very sophisticated, down to the point where they weren't serving up the malicious code to everyone... only about 25% of the traffic. They also logged administrator IPs and never gave malicious content to them either.

    Now we have another client who is complaining about this (on a smaller scale) happening to them. It started me wondering if there is a way that I could view/log the html right before it is sent out to the end user to monitor for any malicious content being injected.

    I've tried to use tcpdump a bit, but it gives the encrypted/binary information as well. I'd love to see if I can log the html being given directly to the user.

    Anyone have any ideas if this is possible? Or any other ideas on how to find out if malicious content is being served by our websites (McAfee and other external web scanners come back negative... but that could be because their scanning IPs have been logged, or they aren't included in that 25% when the scan happens).
     
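One way to do the check asked about above, as an added example that is not from this thread or from cPanel: fetch the page the server actually delivers (many times, since the injection was only served to a fraction of requests) and compare the script/iframe/object tags it contains against the file stored in the hosting account. Comparing tags rather than raw bytes tolerates legitimately dynamic content. The HTML samples below are constructed; the fetching loop is left to the reader (curl from several source addresses works).

```python
# Added example: detect tags present in served HTML but absent from the
# on-disk copy, and measure how often that happens across many samples.
from html.parser import HTMLParser

# Tag kinds an httpd-level injector typically adds (script, frame, meta refresh).
SUSPECT_TAGS = {"script", "iframe", "object", "embed", "meta"}


class _TagCollector(HTMLParser):
    """Collect (tag, attributes) pairs for the tag kinds we care about."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:
            # Sort by attribute name so attribute order does not matter.
            self.tags.append((tag, tuple(sorted(attrs, key=lambda a: a[0]))))


def _collect(html):
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def find_injected(on_disk, served):
    """Return suspect tags found in the served page but not in the file on disk."""
    expected = set(_collect(on_disk))
    return [t for t in _collect(served) if t not in expected]


def injection_rate(on_disk, samples):
    """Fraction of served samples that carry at least one injected tag."""
    if not samples:
        return 0.0
    hits = sum(1 for s in samples if find_injected(on_disk, s))
    return hits / len(samples)


# Constructed samples: the file as stored in the account vs. what was served.
ON_DISK = "<html><head><script src='/js/site.js'></script></head><body>Hi</body></html>"
CLEAN = ON_DISK
INJECTED = ON_DISK.replace(
    "</body>", "<script src='//example.invalid/ad.js'></script></body>")

if __name__ == "__main__":
    for hit in find_injected(ON_DISK, INJECTED):
        print("injected:", hit)
    # One of four samples carries the extra tag, mirroring the partial serving.
    print("rate:", injection_rate(ON_DISK, [CLEAN, CLEAN, CLEAN, INJECTED]))
```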
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
  3. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the info, I'll look at mod_dumpio to see what that does. I had already tested for the CDorked on this server, but the memory came back clean, and there doesn't seem to be any trace of it. Not to say that it isn't a variation of it?
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I've heard there's a new variation on it but I haven't had time to investigate it.

    DumpIO is pretty nice, though your logs will be absolutely massive. Obviously only use it for debugging.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Yeah, that was the first server that was compromised. We moved that client to a new server. Right now I'm just trying to confirm if this server is for sure compromised. Do you think something like Snort would pick up this malicious code being added to the sites?
     
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Snort could probably do it if you can get any data to make a signature from. Maybe the emerging threats rules could pick it up.
     