The Community Forums


Is it Compromised ?

Discussion in 'Security' started by big_bull, Sep 15, 2010.

  1. big_bull

    Hello,

    I found a PHP script c99.php inside the public_html of a user who was causing load on the server; there was another Perl file called c100.pl. Will you please shed light on these two files?

    Also, is it OK to
    chmod 750 /usr/bin/*
    for security reasons? Will that cause issues on the server or cause problems for clients?
     
  2. GaryT

    I'm not sure, but if you Google the names, ALL results sound extremely bad!

    If those files are added as well as .pl scripts, then I can only assume that in your WHM you have open_basedir restrictions disabled! VERY BAD - enable this.

    Same with allow_url_fopen - set this to OFF!

    This will basically stop bad people from executing PHP commands.

    What would I do if I were you?

    1) Remove those files.
    2) Install chkrootkit and do a FULL scan.
    3) Install Rootkit Hunter and do a FULL scan.

    You may wish to download those files and open them in WordPad to see exactly what the PHP scripts were trying to get at...
     
    #2 GaryT, Sep 15, 2010
    Last edited: Sep 15, 2010
  3. brianoz

    Be careful of advice from users with low post counts; they are often beginners and, while well-meaning, can miss obvious stuff.

    It sounds like you've had an account hacked. You should do the following:

    • As mentioned above, move the c99 and c100 files elsewhere.
    • Change all passwords on the affected account immediately.

    You also want to run the following:
    Code:
    grep accountname /var/log/messages
    What you are doing here is looking for the files being uploaded - the good news is that if you can see them being uploaded, it's just the user's password that has been compromised. If so, get the user to check their PC for a virus or trojan, as that is usually how people get compromised.

    If you don't find an FTP line, it's likely there was a compromised script in the account, so you'll have to do some more work to find what was used - basically you have to go through the public_html and the logs, looking for hacking attempts or old software.

    It's probably a good idea to also run the rootkit checks above, just to be sure, and to look at getting your server hardened, if it isn't already.
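    The log check above, worked through as an added example (not part of the thread): a small POSIX shell function that pulls every FTP upload for one account out of /var/log/messages and prints when it happened, from which client IP, and which file landed. The log lines are constructed samples in the style pure-ftpd writes to syslog; the account name, IP addresses and paths are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages (pure-ftpd syslog style); the
# account "victim", the IPs and the paths are assumptions for this example.
LOGFILE="$(mktemp)"
trap 'rm -f "$LOGFILE"' EXIT
cat > "$LOGFILE" <<'EOF'
Sep 14 03:12:01 host pure-ftpd: (?@203.0.113.5) [INFO] victim is now logged in
Sep 14 03:12:09 host pure-ftpd: (victim@203.0.113.5) [NOTICE] /home/victim/public_html//c99.php uploaded  (40123 bytes, 120.1KB/sec)
Sep 14 03:12:15 host pure-ftpd: (victim@203.0.113.5) [NOTICE] /home/victim/public_html//c100.pl uploaded  (8123 bytes, 90.2KB/sec)
Sep 14 09:00:00 host pure-ftpd: (other@198.51.100.7) [NOTICE] /home/other/public_html//index.html uploaded  (512 bytes, 10.0KB/sec)
Sep 14 09:10:00 host pure-ftpd: (victim@203.0.113.5) [NOTICE] /home/victim/public_html//logo.png downloaded  (2048 bytes, 50.0KB/sec)
EOF

# ftp_uploads LOG ACCOUNT
# Prints one line per file uploaded over FTP by ACCOUNT:
#   "<month> <day> <time> <client-ip> <path>"
# Only "(ACCOUNT@ip)" lines count, so the anonymous "(?@ip)" login
# line and other accounts are ignored; downloads are filtered out.
ftp_uploads() {
  log="$1"; account="$2"
  grep -F "($account@" "$log" | grep ' uploaded ' | \
    awk '{
      ts = $1 " " $2 " " $3
      split($6, c, "@")          # $6 looks like "(victim@203.0.113.5)"
      sub(/\)$/, "", c[2])       # strip the closing parenthesis
      print ts, c[2], $8         # $8 is the uploaded path
    }'
}

# Usage: if these lines show the c99/c100 files arriving, the FTP
# password is the likely entry point rather than a script vulnerability.
ftp_uploads "$LOGFILE" victim
```

    If the shell files do not appear in this output, the thread's next step applies: look for the vulnerable script in public_html and the web logs instead.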
     
  4. brianoz

    Sorry - and chmod 750 /usr/bin/* is a very, very bad idea; don't do it.

    More specifically, removing execute from a few programs actually is common sense - for instance, wget, curl and GET - as they are often used to load further evil software onto the server. Mode 750 on those files is a good idea. You can copy the files to something with another name in /usr/local/bin and make those files 755 for specific users needing them - e.g. for wget, copy it to /usr/local/bin/wget_a2 and then tell trusted users if they need it - hardly anybody will.
     
  5. TechBrein

    c99.php is a popular PHP shell. You have a vulnerable application on your website, or your FTP account has been compromised. Do not chmod the binaries to 750; that would break a lot of things. Secure your server instead. To be honest, securing a system is a very important task and should be given its due if you care for your server and the data inside it.
     