The Community Forums


I need help -- server got hacked, php injection

Discussion in 'Security' started by viniciusmunich, May 28, 2012.

  1. viniciusmunich

    Joined:
    Jan 29, 2012
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,
    I have 290 hosted sites.

    Through some vulnerability in Joomla (what I'd consider), some people managed to insert malicious files in the tmp folder of some domains and execute them.

    Several encrypted shell scripts (such as c99shell) were injected. Most of the processes on my server were being killed every minute.

    I also found a script that lists the cPanel users of all domains on my server, and email bomber scripts.

    And what worries me most:

    Joomla stores the information related to the database in a file called configuration.php.

    90% of the sites that I host are made in Joomla.

    I found a perl script in some domains that scans for the files configuration.php, config.php, wp-config.php in all domains on my server, and saves a copy in a .txt file.

    That makes it possible to access all databases on my server, everything, including WHMCS, WordPress, Magento, and Drupal databases.


    My question is:

    I need to change the password for all databases, and also change them in the configuration.php file, but I do not know a way to do this automatically.

    Is there a script that does this change both in the configuration.php file and in MySQL (the MySQL user password)?

    I have no idea how to do this. I'm using "grep" to find the malicious files on the server, since I have to delete them before making any changes to MySQL.


    Last question: Was it a problem in Joomla (a very old 1.5 version) or was it because my /tmp folder was not in an isolated partition? (I use OpenVZ.)


    I also have no rules in mod_security running, because they were causing problems in my WordPress sites.

    Furthermore, grep is dramatically increasing the server load.

    Any help will be highly appreciated.

    Edit: I have all the IPs in the Apache logs; they are from Nigeria. But I'm sure these IPs will not help much.
     
    #1 viniciusmunich, May 28, 2012
    Last edited: May 28, 2012
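The rotation asked for above (new MySQL password per site, written into configuration.php and applied on the database side) can be scripted. The following Python is an added example for this thread, not a script any poster provided or a cPanel tool. It assumes Joomla's configuration.php layout, where the credentials are the `$user`, `$password` and `$db` properties (either `var` in Joomla 1.5 or `public` in 1.6+), a database user on `localhost`, and the pre-MySQL-5.7 `SET PASSWORD ... = PASSWORD()` syntax; the sample file is constructed.

```python
"""Rotate the MySQL password stored in Joomla configuration.php files.

Added example, not from the thread. Assumes Joomla's configuration.php
layout (`$user`, `$password`, `$db` properties); SAMPLE_CONFIG below is a
constructed fragment used for the demonstration run.
"""
import re
import secrets
import string
import sys
from pathlib import Path

# Matches credential lines in both Joomla 1.5 ("var $password = '..';")
# and 1.6+ ("public $password = '..';") configuration.php files.
_CRED_RE = re.compile(
    r"""^(\s*(?:var|public)\s+\$(user|password|db)\s*=\s*)(['"])(.*?)\3(\s*;.*)$""",
    re.MULTILINE,
)

# Letters and digits only, so the value needs no escaping in PHP or SQL.
_ALPHABET = string.ascii_letters + string.digits


def new_password(length=24):
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def read_db_credentials(text):
    """Return {'user': ..., 'password': ..., 'db': ...} found in config text."""
    return {m.group(2): m.group(4) for m in _CRED_RE.finditer(text)}


def rewrite_password(text, new_pw):
    """Return config text with the $password line set to new_pw.

    Raises ValueError unless exactly one $password line was found, so a
    malformed or tampered file is never silently left unchanged.
    """
    count = 0

    def repl(m):
        nonlocal count
        if m.group(2) != "password":
            return m.group(0)
        count += 1
        return f"{m.group(1)}'{new_pw}'{m.group(5)}"

    updated = _CRED_RE.sub(repl, text)
    if count != 1:
        raise ValueError(f"expected one $password line, found {count}")
    return updated


def rotate_config_text(text, db_host="localhost"):
    """Rotate the credentials in one config file's text.

    Returns (updated_text, sql_statement, new_password). The SQL uses the
    pre-MySQL-5.7 SET PASSWORD syntax of the thread's era; on newer
    MySQL/MariaDB use ALTER USER ... IDENTIFIED BY instead.
    """
    creds = read_db_credentials(text)
    missing = {"user", "password", "db"} - creds.keys()
    if missing:
        raise ValueError(f"missing fields in configuration.php: {sorted(missing)}")
    new_pw = new_password()
    updated = rewrite_password(text, new_pw)
    sql = (f"SET PASSWORD FOR '{creds['user']}'@'{db_host}' "
           f"= PASSWORD('{new_pw}');")
    return updated, sql, new_pw


def rotate_files(paths):
    """Rewrite each configuration.php in place; return the SQL to apply."""
    statements = []
    for p in map(Path, paths):
        updated, sql, _ = rotate_config_text(p.read_text())
        p.write_text(updated)
        statements.append(sql)
    return statements


# Constructed sample of a Joomla 1.6+ configuration.php fragment.
SAMPLE_CONFIG = """<?php
class JConfig {
\tpublic $host = 'localhost';
\tpublic $user = 'acct_joomla';
\tpublic $password = 'OldSecret123';
\tpublic $db = 'acct_site';
\tpublic $dbprefix = 'jos_';
}
"""

if __name__ == "__main__":
    # Usage: python rotate_joomla_db.py /home/*/public_html/configuration.php
    # Prints the SQL to run as the MySQL root user once the files are rewritten.
    if len(sys.argv) > 1:
        print("\n".join(rotate_files(sys.argv[1:])))
    else:
        updated, sql, _ = rotate_config_text(SAMPLE_CONFIG)
        print(updated)
        print(sql)
```

Run it only after the dropped scripts have been removed, as the OP notes, and apply the printed SQL immediately afterwards so the sites are not left pointing at a password the server no longer accepts.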
  2. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Do you have basedir protection for PHP? What kind of PHP are you using (suPHP, DSO, FCGI etc).
     
  3. viniciusmunich

    Joined:
    Jan 29, 2012
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi nospa,

    I use suPHP with suEXEC on.


    Now I enabled the mod_security, but I'm having several problems with Joomla.

    I installed ClamAV and it removed 110 malicious scripts. I also installed Pyxsoft Anti Malware.

    But I still have to change all the MySQL database passwords and the configuration.php files.

    Here's the code in perl which was shot on my server:

    -removed code-
     
    #3 viniciusmunich, May 29, 2012
    Last edited by a moderator: May 30, 2012
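The OP's grep over the whole server is what drove the load up. A narrower, indicator-based scan of the writable directories where the files were dropped reads far less. The script below is an added example for this thread, not something a poster or cPanel shipped; the indicator regexes, the directory list and the sample files built by `demo()` are constructed and illustrative, and the directory names in the usage comment are assumptions about a typical cPanel layout.

```python
"""Indicator-based scan of web-writable directories for dropped webshells.

Added example, not code from the thread. The indicator regexes and the
sample files built by demo() are constructed and illustrative; tune the
indicators and the scanned paths (e.g. each account's tmp directory) to
your own server.
"""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Byte-regexes for patterns common in obfuscated PHP shells (c99-style and
# similar).
INDICATORS = {
    "eval_base64": re.compile(
        rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("),
    "preg_replace_e": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "shell_exec_request": re.compile(
        rb"(?:shell_exec|passthru|system|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
}
# A file naming two or more distinct CMS config files is flagged as a config
# harvester, which is what the perl script described in the thread did.
CONFIG_NAME_RE = re.compile(rb"(wp-config|configuration|config)\.php", re.IGNORECASE)

# Extensions worth reading; everything else is skipped to keep I/O low.
SUSPECT_SUFFIXES = {".php", ".phtml", ".php5", ".pl", ".cgi", ".txt", ""}


def scan_file(path, data=None):
    """Return the list of indicator names that fire on one file."""
    if data is None:
        data = Path(path).read_bytes()
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    names = {m.lower() for m in CONFIG_NAME_RE.findall(data)}
    if len(names) >= 2:
        hits.append("config_harvest")
    return hits


def scan_tree(root, max_age_days=None, max_bytes=2_000_000):
    """Walk root and return [(path, hits)] for files with any indicator.

    Only regular files with a suspect suffix, under max_bytes, and (if
    max_age_days is set) modified within that window are read, which keeps
    the load far below a recursive grep over every file.
    """
    cutoff = time.time() - max_age_days * 86400 if max_age_days else None
    findings = []
    for dirpath, _, files in os.walk(root):  # does not follow symlinks
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SUSPECT_SUFFIXES:
                continue
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                continue
            if cutoff is not None and st.st_mtime < cutoff:
                continue
            hits = scan_file(p)
            if hits:
                findings.append((str(p), hits))
    return findings


def demo():
    """Build a constructed sample tree, scan it, return {filename: hits}."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d) / "tmp"
        tmp.mkdir()
        # Benign application file.
        (tmp / "index.php").write_text("<?php echo 'hello'; ?>\n")
        # Obfuscated loader pattern; the base64 here is just the word "Hello".
        (tmp / "x.php").write_text("<?php eval(base64_decode('SGVsbG8=')); ?>\n")
        # Config harvester in the spirit of the perl script from the thread.
        (tmp / "cfg.pl").write_text(
            "#!/usr/bin/perl\nmy @t = ('configuration.php', 'wp-config.php');\n")
        findings = scan_tree(tmp, max_age_days=30)
        return {Path(p).name: hits for p, hits in findings}


if __name__ == "__main__":
    # Usage (assumed cPanel layout): python shell_scan.py /home/*/public_html/tmp
    import sys
    for root in sys.argv[1:]:
        for path, hits in scan_tree(root, max_age_days=30):
            print(f"{path}: {', '.join(hits)}")
    if len(sys.argv) == 1:
        print(demo())
```

The age filter is the main load saver: on an incident like this one the dropped files are recent, so the scan touches only what changed in the last few weeks. Treat hits as leads to inspect, not as proof, and quarantine rather than delete until the rotation of the database passwords is done.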
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator