The Community Forums


I am Hacked... just found vadimII on my server

Discussion in 'General Discussion' started by checked, Feb 15, 2005.

  1. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Suddenly I checked the processes and found that there are a few pieces of malicious code on my server under /var/spool/samba :eek:

    I am running Redhat 9 + apache 1.33 + PHPSuexec. I have checked and found that 1 or 2 of them are IRC bots and the others I don't know, but their names seem suspicious.

    Please tell me how I can prevent users from accessing these types of folders?


    I just found a vadimII under /var/spool/samba and I don't know whether I am hacked or not. I have suspended the user.

    Please tell me how I can check whether my server is hacked or not :eek: :eek: :eek:
     
  2. AdminWAY

    AdminWAY Member

    Joined:
    Feb 15, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    You should really get a professional to look at the server and diagnose it; you may have to have the server restored. There are a lot of server administration companies out there that have reasonable rates and can help you out.
     
  3. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    I have resolved it................. my server is not compromised anymore.

    But I still have a question: I found VadimII at 2 locations, /dev/shm and /var/spool/samba, and in one place it was created by one user and at the second location it belonged to some other user. I mean that in one place the owner was one user and in the second place the owner was a different one.

    Both users belong to 2 different clients of ours and I am really wondering who the culprit was :eek:
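An added check, not code from the thread or from cPanel: a small POSIX shell script that lists executable files in the shared, world-writable directories named above together with the owning account, which is the clue used in the post to tie each copy of vadimII to a client. The default directory list and the layout built in the usage below are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. The bots in the discussion sat in
# shared, world-writable directories (/dev/shm and /var/spool/samba) and each
# file's owner pointed at the account that dropped it. This lists executable
# regular files in such directories with their owner and group, and summarises
# how many each owner has. The default directory list is an assumption; pass
# your own directories as arguments.

# Shared directories any local user can write to (assumed defaults).
DEFAULT_SHARED_DIRS="/dev/shm /tmp /var/tmp /var/spool/samba"

# find_exec_in_shared_dirs DIR...: one line per executable regular file,
# OWNER<TAB>GROUP<TAB>PATH. Missing directories are skipped silently.
find_exec_in_shared_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -perm -100: owner execute bit set (octal form is portable);
        # -type f skips directories, whose x bit only means "searchable".
        find "$d" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
            # ls -ld fields: mode links OWNER GROUP size date name
            owner_group=$(ls -ld "$f" | awk '{print $3 "\t" $4}')
            printf '%s\t%s\n' "$owner_group" "$f"
        done
    done
}

# count_exec_in_shared_dirs DIR...: just the number of such files.
count_exec_in_shared_dirs() {
    find_exec_in_shared_dirs "$@" | wc -l | tr -d ' '
}

# owners_summary DIR...: "COUNT OWNER" lines, most files first, so the
# account that dropped the most binaries shows at the top.
owners_summary() {
    find_exec_in_shared_dirs "$@" | cut -f1 | sort | uniq -c | sort -rn
}

# Report for the default list when the script is run directly.
echo "Executable files in shared writable directories:"
find_exec_in_shared_dirs $DEFAULT_SHARED_DIRS
echo "Per owner:"
owners_summary $DEFAULT_SHARED_DIRS
```

Run it as root so every client's files are visible. Mounting /dev/shm, /tmp and /var/tmp with noexec,nosuid stops a dropped binary from being started directly from there, though a script can still be fed to an interpreter, so the listing above remains worth running.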
     
  4. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
    Check their passwords; we had a client who created users and passwords that were the same, and he was cracked by a brute force attack.

    Also, look into good mod_security rules to prevent folks who do hack from doing bad things.

    Here is a good rule I saw during the phpworm issues:

    SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

    This tends to make it hard for scripties to do shell stuff. It also kills the phpBB Google worm ;)

    Another thing you should look into is rootkits: rkhunter and chkrootkit. Run those just in case :)

    HTH
     
  5. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I've seen that rule a lot too, but it doesn't work exactly like you would expect, because \s* is not recognized properly.

    \s*\( should mean 0 or more whitespace characters followed by a (

    While this rule blocks system(..), it does NOT block system (..).
    At least not when I tried it :)

    Using [[:space:]]* is what worked for me :)
     
  6. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
    so use this:

    SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

    and this:

    SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s *\("

    ?


    What does your rule look like to prevent this?
     
  7. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Are you talking about having the mod_security Apache module?

    Unfortunately I don't have it.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Then install it. As was already recommended above, if you don't know how to do these things, you should hire someone who does. There's little point in cleaning up a successful exploitation and nothing more, as it will simply happen again.
     
  9. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Just use [[:space:]]* instead of \s* like this:

    SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)([[:space:]]*)\("

    This blocks the commands regardless of the number of spaces used. The ( ) around [[:space:]]* are probably not necessary.


    You could also add ARGS_VALUES like this:

    SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)([[:space:]]*)\("

    You could consider using SecFilter instead of SecFilterSelective with this rule, though, since you want to block POST requests as well, not only GET requests.
    I haven't had any false positives using SecFilter with this rule, it just depends on the type of sites you have on the server.
     
    #9 jamesbond, Feb 15, 2005
    Last edited: Feb 15, 2005
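As an added example, not code from the thread: the rule above is a regular expression that mod_security 1.x applies to the request line (THE_REQUEST) and, when ARGS_VALUES is listed, to each URL-decoded argument value. The script below applies the same extended regular expression with grep -E to constructed request lines (not real traffic), so you can see which of them the [[:space:]]* spelling fires on and why matching the decoded argument values matters. \s is not defined by POSIX extended regular expressions, so whether it means whitespace depends on the regex library grep (or mod_security) was built against; the script reports both spellings but only the [[:space:]]* results are fixed.

```shell
#!/bin/sh
# Added example, not from the thread. A mod_security 1.x SecFilterSelective
# rule is a regular expression applied to the chosen locations: THE_REQUEST
# is the request line ("GET /path?query HTTP/1.0"), ARGS_VALUES are the
# URL-decoded argument values. grep -E applies the same extended regular
# expression to constructed strings so the two spellings of the rule can be
# compared without a web server.

# Rule as first posted. \s is not part of POSIX extended regular expressions;
# whether it matches whitespace depends on the regex library in use.
RULE_BACKSLASH_S='(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\('

# Portable rewrite with the POSIX character class (what worked in the thread).
RULE_POSIX='(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)[[:space:]]*\('

# rule_matches PATTERN STRING: exit 0 if the rule would fire on STRING.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# verdict PATTERN STRING: print "BLOCK" or "pass" for a report line.
verdict() {
    if rule_matches "$1" "$2"; then echo BLOCK; else echo pass; fi
}

# Constructed samples (not real traffic). The first three are request lines
# as THE_REQUEST sees them. The last two are argument values after URL
# decoding, i.e. what ARGS_VALUES is matched against: SAMPLE_DECODED is the
# highlight= value of SAMPLE_ENC, SAMPLE_TAB uses a tab instead of a space.
SAMPLE_PLAIN='GET /viewtopic.php?t=1&highlight=%27.system(chr(105)) HTTP/1.0'
SAMPLE_ENC='GET /viewtopic.php?t=1&highlight=%27.system%20(%27id%27) HTTP/1.0'
SAMPLE_BENIGN='GET /index.php?page=system_status HTTP/1.0'
SAMPLE_DECODED="'.system ('id')"
SAMPLE_TAB="$(printf "'.exec\t(ls)'")"

# Report: first column is the \s* rule, second the [[:space:]]* rule.
printf '%-5s %-9s %s\n' '\s*' '[[:space:]]*' 'input'
for s in "$SAMPLE_PLAIN" "$SAMPLE_ENC" "$SAMPLE_BENIGN" "$SAMPLE_DECODED" "$SAMPLE_TAB"; do
    printf '%-5s %-9s %s\n' "$(verdict "$RULE_BACKSLASH_S" "$s")" \
        "$(verdict "$RULE_POSIX" "$s")" "$s"
done
```

The encoded request line (system%20() passes both spellings when only the raw request line is inspected, because the space is still %20 there; the same payload is caught once the decoded argument value is matched, which is what adding ARGS_VALUES buys. The benign system_status URL passes because no opening parenthesis follows the keyword.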
  10. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
    Thanks double o' seven :) Great ideas!
     
  11. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Can anyone please explain a little bit what the following directive means...... I mean, what does it do?

    SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)([[:space:]]*)\("
     
    #11 checked, Feb 23, 2005
    Last edited: Feb 23, 2005
  12. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
  13. checked

    checked Well-Known Member

    Joined:
    May 3, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Thanks Denis, that is really helpful :)
     
  14. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
    I just found that this got through somehow:

    Do you think adding esystem in there would help? I am trying to figure out how come it did not catch it....

    I am thinking of using this now:

     
    #14 denisdekat09, May 30, 2005
    Last edited: May 30, 2005