
The Community Forums

Interact with an entire community of cPanel & WHM users!

I need to find entrypoint of hacker into server?? Here is some info !!

Discussion in 'General Discussion' started by atul, Aug 6, 2004.

  1. atul

    atul Well-Known Member

    Joined:
    May 6, 2004
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    156
    Hello All,
    I have a compromised server ... I have posted a query for the same ...
    Now my logwatch says this:
    My xferlogs are saying:
    --------------------- ftpd-xferlog Begin ------------------------

    TOTAL KB IN: 119KB (0MB)

    ---------------------- ftpd-xferlog End --------

    It seems that somebody uploaded something ... as little as 119KB? Serious looking!!!

    IMAPd] Logout stats:
    ====================
    User | Logouts | Downloaded | Mbox Size
    --------------------------------------- | ------- | ---------- | ----------
    ??? domain=??? | 161 | |
    beth@pachak.com domain=pachak.com | 2 | |
    jlong domain=s3tech.net | 3 | |
    joel domain=swspeed.com | 12 | |
    westerman@aknb.org domain=aknb.org | 3 | |
    ----------------------------------------------------------------------------
    181 | 0 | 0



    **Unmatched Entries**
    Connection timed out, while reading line user=david@devianconsult.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
    Connection timed out, while reading line user=david@pachak.com host=pcp03161084pcs.parads01.nm.comcast.net [68.35.41.63]: 1 Time(s)
    Logout user=??? domain=??? host=UNKNOWN: 12 Time(s)

    So many dropped packets:
    --------------------- Kernel Begin ------------------------


    Dropped 56 packets on interface eth0
    From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
    From 64.179.97.193 - 3 packets to tcp(2745)
    From 69.39.92.168 - 3 packets to tcp(2745)
    From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
    From 69.137.65.77 - 3 packets to tcp(2745)
    From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
    From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
    From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
    From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
    From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)

    Logged 10 packets on interface eth0
    From 61.11.23.142 - 6 packets to tcp(22)
    From 69.240.64.97 - 4 packets to tcp(22)

    ---------------------- Kernel End -------------------------
    pam_unix says:
    Unknown Entries:
    2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pcp09766260pcs.albqrq01.nm.comcast.net user=admin: 1 Time(s)

    -------------------------------------------------
    VERY SERIOUS LINE:
    PAM-listfile: Couldn't open /etc/ftpusers
    hosting.hidefweb.com (bgp01383292bgs.montbl01.nm.comcast.net[68.35.140.209]) - PAM(ryan@swspeed.com): User not known to the underlying authentication module.
    -----------------------------------------------------

    Now see some entries in access_log :
    root@hosting [~]# cat /usr/local/apache/logs/access_log | grep -i "/../"
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409
    208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -

    Security experts, can you help me find what the entry point is? What must have gone wrong?
    What should I do?
    Any suggestions?
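As an added example, not part of atul's post or anything cPanel ships, here is a Python script that summarizes the logwatch Kernel block quoted above. Per protocol/port it counts entries and distinct source addresses, annotates ports from a small hand-written table (2004-era worm and backdoor ports; advisory only, and any port not in the table is simply marked unknown), and separates packets the firewall dropped, which never reached a service and so cannot be the entry point, from the tcp/22 hits that were only logged and should be read together with the pam_unix SSH failures further down the same report.

```python
"""Summarize the logwatch Kernel (firewall) block quoted in the thread.

Added example, not code from the original post or from cPanel. SAMPLE is the
"Dropped"/"Logged" text as posted; KNOWN_PORTS is a small hand-written table
of associations that were common knowledge in 2004 and is advisory only.
"""
import re
from collections import defaultdict

SAMPLE = """\
Dropped 56 packets on interface eth0
From 61.110.238.96 - 5 packets to tcp(17300,17300,17300,17300,17300)
From 64.179.97.193 - 3 packets to tcp(2745)
From 69.39.92.168 - 3 packets to tcp(2745)
From 69.91.24.102 - 9 packets to tcp(1025,2745,6129)
From 69.137.65.77 - 3 packets to tcp(2745)
From 69.144.221.228 - 6 packets to tcp(1025,2745,6129)
From 69.167.198.187 - 4 packets to tcp(1025,2745,6129)
From 213.236.248.149 - 10 packets to tcp(4561,44464,4561,44464,4561,44464,4561,44464,4561,44464)
From 218.89.104.161 - 3 packets to tcp(5554,5554,9898)
From 221.143.42.23 - 10 packets to udp(1026,1026,1026,1026,1026)

Logged 10 packets on interface eth0
From 61.11.23.142 - 6 packets to tcp(22)
From 69.240.64.97 - 4 packets to tcp(22)
"""

KNOWN_PORTS = {
    ('tcp', 2745): 'Bagle worm backdoor',
    ('tcp', 5554): 'Sasser worm FTP server',
    ('tcp', 9898): 'Dabber worm backdoor',
    ('tcp', 6129): 'DameWare Mini Remote Control',
    ('tcp', 17300): 'Kuang2 trojan',
    ('udp', 1026): 'Windows Messenger popup spam',
    ('tcp', 22): 'SSH: a real service on this host',
}

SECTION_RE = re.compile(r'^(Dropped|Logged) \d+ packets on interface \S+')
FROM_RE = re.compile(r'^From (\S+) - \d+ packets to (tcp|udp)\(([\d,]+)\)')


def parse_kernel_section(text):
    """Yield (action, src_ip, proto, port) for every port entry in the block.
    logwatch abbreviates long port lists, so entries are not exact packet counts."""
    action = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            action = m.group(1).lower()
            continue
        m = FROM_RE.match(line)
        if m and action:
            ip, proto, ports = m.groups()
            for p in ports.split(','):
                yield action, ip, proto, int(p)


def summarize(text):
    """Aggregate per (action, proto, port): entries, distinct sources, annotation."""
    agg = defaultdict(lambda: {'entries': 0, 'sources': set()})
    for action, ip, proto, port in parse_kernel_section(text):
        agg[(action, proto, port)]['entries'] += 1
        agg[(action, proto, port)]['sources'].add(ip)
    rows = []
    for (action, proto, port), a in sorted(agg.items(),
                                          key=lambda kv: (kv[0][0], -len(kv[1]['sources']))):
        rows.append({
            'action': action, 'proto': proto, 'port': port,
            'entries': a['entries'], 'sources': len(a['sources']),
            'note': KNOWN_PORTS.get((proto, port), 'no well-known association'),
            # Dropped packets never reached a service, so they cannot be the
            # entry point. Only the hits not marked dropped (here tcp/22) should
            # be correlated with the pam_unix SSH failures in the same report.
            'worth_investigating': action != 'dropped',
        })
    return rows


if __name__ == '__main__':
    for r in summarize(SAMPLE):
        flag = '<-- check' if r['worth_investigating'] else ''
        print(f"{r['action']:7} {r['proto']}/{r['port']:<5} sources={r['sources']:2} "
              f"entries={r['entries']:2}  {r['note']} {flag}")
```

Run as-is it prints one row per protocol/port; the six distinct sources hitting tcp/2745 are typical worm background, while the only rows flagged for a closer look are the SSH hits, which is where the `user=admin` authentication failures from pam_unix belong in the same investigation.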
     
  2. OCX

    OCX Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    166
    208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:18:14 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:21:11 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -
    208.41.103.26 - - [27/Jul/2004:18:24:04 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -



    The kiddie thinks you're on an IIS server... nothing to be worried about as far as that's concerned.

    Just ban the IP.
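To turn OCX's call into something checkable rather than a judgement by eye, here is an added Python example (not code from the thread or from cPanel). It parses Apache common-log lines, percent-decodes the path with a decoder that accepts overlong UTF-8 the way the old IIS decoder did (so %c0%af and %e0%80%af both normalize to '/'), flags traversal and Windows-only paths, and uses the response status to separate a failed probe (400/404: nothing was served) from a hostile path that actually got a 2xx. The `/level/99/exec/show conf` requests quoted earlier are the Cisco IOS HTTP authorization-bypass probe, equally irrelevant to Apache on Linux. The first two sample lines are copied from the thread; the last two, including the one answered with 200, are constructed.

```python
"""Triage the access_log lines quoted in the thread.

Added example, not code from the original post or from cPanel. The first two
sample lines are copied from the thread; the last two are constructed: a
canonical %c0%af probe that (hypothetically) got a 200, and a normal request.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# /level/16-99/exec/... is the Cisco IOS HTTP authorization-bypass probe
CISCO_LEVEL_RE = re.compile(r'^/level/(\d+)/exec/')
# Paths that only exist on IIS/Windows; meaningless against Apache on Linux
IIS_MARKERS = ('msadc', 'cmd.exe', 'winnt', 'scripts/..', '_vti_bin')


def lenient_utf8(data: bytes):
    """Decode UTF-8 while accepting overlong forms, as the old IIS decoder did.
    Returns (text, overlong_count); %c0%af and %e0%80%af both decode to '/'."""
    out, overlong, i = [], 0, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong += cp < 0x80            # fits in one byte: overlong 2-byte form
            out.append(chr(cp)); i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and all(0x80 <= x < 0xC0 for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong += cp < 0x800           # fits in two bytes: overlong 3-byte form
            out.append(chr(cp)); i += 3
        else:
            out.append('\ufffd'); i += 1     # stray byte (the thread's line has these)
    return ''.join(out), overlong


def classify(line: str):
    """Return a triage record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, overlong = lenient_utf8(unquote_to_bytes(m.group('path')))
    norm = decoded.replace('\\', '/').lower()
    reasons = []
    if '../' in norm or norm.endswith('/..'):
        reasons.append('directory traversal')
    if overlong:
        reasons.append(f'{overlong} overlong UTF-8 sequence(s)')
    if any(mk in norm for mk in IIS_MARKERS):
        reasons.append('IIS/Windows target (irrelevant to Apache on Linux)')
    lvl = CISCO_LEVEL_RE.match(norm)
    if lvl:
        reasons.append(f'Cisco IOS HTTP auth-bypass probe (level {lvl.group(1)})')
    status = int(m.group('status'))
    if not reasons:
        verdict = 'benign'
    elif status >= 400:
        verdict = 'failed probe'   # 400/404: nothing was served, so not an entry point
    else:
        verdict = 'INVESTIGATE'    # a hostile path answered with 2xx/3xx needs a look
    return {'ip': m.group('ip'), 'status': status, 'verdict': verdict, 'reasons': reasons}


SAMPLE_LOG = [
    '141.158.23.68 - - [04/Apr/2004:13:08:55 -0600] "GET /level/99/exec/show%20conf HTTP/1.1" 400 409',
    '208.41.103.26 - - [27/Jul/2004:18:14:09 -0600] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 -',
    # constructed lines, not from the thread
    '10.0.0.9 - - [06/Aug/2004:01:02:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234',
    '10.0.0.10 - - [06/Aug/2004:01:02:04 -0600] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for rec in filter(None, map(classify, SAMPLE_LOG)):
        print(f"{rec['ip']:15} {rec['status']} {rec['verdict']:13} {'; '.join(rec['reasons'])}")
```

Note that the line copied from the thread has its encoded bytes split by slashes (`%e0/%80/%af`), so it never forms a valid overlong sequence; the decoder keeps going over the stray bytes and the request is still caught by the traversal and Windows-path checks. The status code is what matters for the original question: both quoted probes were answered with 400/404, which is the server refusing them, not serving anything.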
     
  3. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    166
    I agree, I think it is looking for IIS affected by Code Red.
     
  4. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    What makes you think you have a compromised server? Only those Apache logs? Everybody gets tons of IIS exploit tryouts on their Apaches, so no worries there.
     