The Community Forums


Is it hacked? ( pls help)

Discussion in 'General Discussion' started by shann, Jun 1, 2003.

  1. shann (Well-Known Member, joined Jul 5, 2002, cPanel Access Level: Website Owner)
    Hi,

    I can see the files in my home dir.
    bs.c
    ptrace.c
    a.out

    How did it come? Was it hacked?

    Someone help me.

    Thanks

  2. chakky (Well-Known Member, joined Sep 22, 2002)
    Hi,

    Yes, it's got to be hacked. If you log in as a user and run that script, and if your kernel is the old one with the ptrace vulnerability, whoever runs it will get root privileges.

    You had better upgrade your kernel with the ptrace patch.

  3. shann (Well-Known Member, joined Jul 5, 2002, cPanel Access Level: Website Owner)
    Thanks for your quick reply.

    Can I update the kernel using any cPanel automated script? Please help.

    Thanks in advance.

  4. Jeewhizz (Well-Known Member, joined Mar 12, 2003, Location: London, England)
    No. If you are running Red Hat you can use up2date over SSH :)

  5. bert (Well-Known Member, joined Aug 21, 2001)
    shann,

    All Linux kernels, even 2.4.20, have a vulnerability with ptrace. You can easily get cracked. We've seen a lot of hacked servers because of this, because malicious users can remotely exploit ptrace with ease: they just need access to an older forum/board, upload the hack, and in a few seconds they have total root access.

    (1) Download and run chkrootkit from http://www.chkrootkit.org/ - It will tell you if you have hidden processes running.

    (2) Check the /tmp directory on your machine for more unusual files. If you find any, go ahead and chmod 0 all of them and then chattr +i as well. You might also want to check for a file called /sbin/xc. This is the most popular kit for the ptrace exploit. If you find the file, go ahead and remove it or chmod 0, chattr +i.

    (3) Unfortunately you are going to have to reformat your drives and re-install your OS, cPanel, etc. It is the only way out.

    As a suggestion, you might want to consider recompiling the kernel with the grsecurity patch. It will certainly protect your machine from the ptrace exploit. We run grsecurity on all machines; it closes most holes :D

    Good luck!
     
    #5 bert, Jun 1, 2003
    Last edited: Jun 1, 2003
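    An added example, not code from the thread, from cPanel or from chkrootkit: a small POSIX shell helper that does the manual part of steps (1) and (2) above in a repeatable way. It lists executables, a.out binaries and C sources under the directories you name (a user's home, /tmp), checks for the /sbin/xc path the post mentions, and applies the post's chmod 0 / chattr +i containment to a file you point it at without deleting it, so the file stays available for review. The script name triage.sh and the directory arguments are placeholders; chattr +i only works as root on ext-style filesystems and is skipped quietly elsewhere.

```shell
#!/bin/sh
# Added example for the checklist in the post above (not the poster's own
# script).  Paths named here are either quoted from the thread (/sbin/xc,
# /tmp) or placeholders supplied on the command line.

# Print regular files under "$1" that are executable by their owner, named
# a.out, or C sources.  -xdev keeps the walk on one filesystem so a mounted
# NFS home or /proc is not traversed by accident.
suspicious_files() {
    find "$1" -xdev -type f \( -perm -100 -o -name 'a.out' -o -name '*.c' \) 2>/dev/null | sort
}

# Number of hits as a bare integer (wc pads with spaces on some systems).
count_suspicious() {
    suspicious_files "$1" | wc -l | tr -d ' '
}

# The post's containment step: strip every permission bit so the file can be
# neither run nor read, then (root only, ext2/ext3-style filesystems) make it
# immutable so the account that dropped it cannot restore the mode.  The file
# is kept, not removed, so it can be examined later.
neutralize() {
    chmod 0 "$1" || return 1
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$1" 2>/dev/null || true
    fi
}

# The rootkit path named in the thread; succeeds if it exists.
known_rootkit_present() {
    [ -e /sbin/xc ]
}

# Human-readable summary for one or more directories.
report() {
    for d in "$@"; do
        printf '%s: %s suspicious file(s)\n' "$d" "$(count_suspicious "$d")"
        suspicious_files "$d" | sed 's/^/  /'
    done
    if known_rootkit_present; then
        echo "WARNING: /sbin/xc exists - treat this host as compromised"
    fi
}

# Usage: sh triage.sh /tmp /home/someuser   (placeholder directories)
if [ $# -gt 0 ]; then
    report "$@"
fi
```

    The find expression is deliberately broad: a .c file in /tmp is not proof of anything, but on a shared hosting box it is exactly the kind of thing a human should look at, and the output of chkrootkit (step 1) tells you whether a listed binary is already running.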
  6. shann (Well-Known Member, joined Jul 5, 2002, cPanel Access Level: Website Owner)
    Hi,

    I have upgraded to kernel 2.4.20 and also updated the security patches.

    Do I still have to reformat my hard drive?

    Any input is appreciated.

    Thanks
    Shan

  7. ndj1022 (Well-Known Member, joined Mar 14, 2003)
    You can if you want, but if you do make sure you backup all the files you need saved.

  8. bert (Well-Known Member, joined Aug 21, 2001)
    Shann,

    If your server was hacked, I would definitely wipe out the hard drive and do a fresh install of the OS and cPanel. You never know what was left behind. You of course do not have to do it, but it is certainly good to do so for peace of mind :)

  9. X-Istencedotcom (Well-Known Member, joined Apr 14, 2003)
    May I add that if you are going for a reformat, consider a different OS with a kernel that has yet to have really serious issues in the last year.

    FreeBSD comes to mind =). I run it on the servers I admin; can't do without it. So far every security-related incident has been Linux, letting me sit back and sip my cup of coffee while I watch hundreds of sysadmins frantically upgrade.

  10. sphost (Well-Known Member, joined Jan 19, 2004)
    Hi,

    Sorry to all of you pros out there, but this is my first dedicated server, and I need much help here.

    I searched my box using locate bs.c and found these:

    /home/.cpan/build/IO-Tty-1.02/xssubs.c
    /usr/share/doc/ncurses-devel-5.3/test/bs.c
    /usr/lib/syslinux/copybs.com
    /usr/lib/cups/cgi-bin/jobs.cgi
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/math-emu/fabs.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/math-emu/fmsubs.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/math-emu/fnabs.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/math-emu/fnmsubs.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/math-emu/fsubs.c
    /usr/src/linux-2.4.22-1.2149.nptl/fs/lockd/svcsubs.c


    Also, with locate ptrace.c I found:

    /usr/src/linux-2.4.22-1.2149.nptl/arch/alpha/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/arm/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/cris/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/i386/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ia64/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/m68k/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/mips/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/mips64/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/parisc/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/ppc64/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/s390/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/s390x/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/sh/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/sh64/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/sparc/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/sparc64/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/arch/x86_64/kernel/ptrace.c
    /usr/src/linux-2.4.22-1.2149.nptl/kernel/ptrace.c


    and a.out:

    /home/.cpan/build/IO-Tty-1.02/conf/a.out
    /usr/include/linux/a.out.h
    /usr/include/a.out.h
    /usr/include/bits/a.out.h
    /usr/include/asm.old/a.out.h
    /usr/include/linux.old/a.out.h
    /usr/include/asm-i386/a.out.h
    /usr/local/cpanel/3rdparty/bin/a.out
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-alpha/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-arm/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-cris/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-i386/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-ia64/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-m68k/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-mips/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-mips64/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-parisc/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-ppc/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-ppc64/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-s390/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-s390x/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-sh/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-sh64/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-sparc/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-sparc64/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/asm-x86_64/a.out.h
    /usr/src/linux-2.4.22-1.2149.nptl/include/linux/a.out.h


    Does this mean I am infected? I am using Fedora.

    I appreciate your help.
     
  11. bert (Well-Known Member, joined Aug 21, 2001)
    All of those files are supposed to be there, they are part of your kernel.
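    An added example, not from the thread: why the locate searches two posts up returned files such as fnmsubs.c and a.out.h, and how to look for the exact file names instead. locate matches its argument anywhere in the path, so "bs.c" matches "svcsubs.c" and "a.out" matches "a.out.h"; filtering on the final path component gives the same answer that find -name would, and a quick classification by location separates kernel and system source trees (expected to contain ptrace.c and a.out.h) from home directories and /tmp, which deserve a look. The sample path list is a constructed subset of the paths quoted in that post; the script name locate_exact.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not the poster's own commands).  SAMPLE_LOCATE_OUTPUT is a
# constructed subset of the locate output quoted in the thread; on a real
# host pipe `locate NAME` into exact_basename instead.

SAMPLE_LOCATE_OUTPUT='/home/.cpan/build/IO-Tty-1.02/xssubs.c
/usr/share/doc/ncurses-devel-5.3/test/bs.c
/usr/src/linux-2.4.22-1.2149.nptl/arch/ppc/math-emu/fnmsubs.c
/usr/src/linux-2.4.22-1.2149.nptl/fs/lockd/svcsubs.c
/usr/src/linux-2.4.22-1.2149.nptl/arch/i386/kernel/ptrace.c
/usr/src/linux-2.4.22-1.2149.nptl/kernel/ptrace.c
/home/.cpan/build/IO-Tty-1.02/conf/a.out
/usr/include/linux/a.out.h
/usr/include/asm-i386/a.out.h
/usr/local/cpanel/3rdparty/bin/a.out
/usr/src/linux-2.4.22-1.2149.nptl/include/linux/a.out.h'

# Read paths on stdin and keep only those whose last component equals "$1".
# This is what `find / -xdev -type f -name "$1"` would return, but it works
# on the (much faster) locate database output.
exact_basename() {
    awk -v want="$1" -F/ '$NF == want'
}

# Where a file lives says whether to worry: kernel sources, headers and
# documentation are expected to contain ptrace.c and a.out.h; anything in a
# home directory or a world-writable scratch area should be looked at.
classify_path() {
    case "$1" in
        /usr/src/linux*|/usr/include/*|/usr/share/doc/*|/usr/lib/*|/usr/local/cpanel/*)
            echo expected ;;
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
            echo review ;;
        *)
            echo unknown ;;
    esac
}

# Exact-name hits in the sample, the counts the substring search inflated:
# bs.c -> 1, ptrace.c -> 2, a.out -> 2.
count_exact_in_sample() {
    printf '%s\n' "$SAMPLE_LOCATE_OUTPUT" | exact_basename "$1" | wc -l | tr -d ' '
}

# Usage: sh locate_exact.sh ptrace.c   (prints each exact match with its class)
if [ $# -gt 0 ]; then
    printf '%s\n' "$SAMPLE_LOCATE_OUTPUT" | exact_basename "$1" |
    while read -r p; do
        printf '%-8s %s\n' "$(classify_path "$p")" "$p"
    done
fi
```

    The classification is only a first cut: a file under /home that is "review" is not thereby malicious (the IO-Tty entry is a CPAN build directory), and a path that the case statement does not recognise is reported as unknown rather than guessed at.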
     