Malicious Script hnc.cgi ?

Discussion in 'General Discussion' started by smile, Nov 11, 2008.

  1. smile

    smile Well-Known Member

    Hello,

    For the last few hours I keep seeing a process run by a user, named hnc.cgi. I killed it and then it appeared again. I searched the entire directory of the user where this process was launched, but I could not find anything there either.
    The process just keeps coming up again and again.

    Can somebody throw some light on this: what is this hnc.cgi process, and is it a malicious file being run?
  2. ebizindia

    ebizindia Well-Known Member

    cgi-bin directory?

    Look in the cgi-bin directory. Also look for files named good.txt, bad.txt etc. There may be a trojan sending out spam from your server.
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    /tmp is the directory where these files are saved/downloaded. I suggest you seek professional help to secure and harden your server. You can also search these forums on how to secure your server, if you're comfortable with Linux and cPanel.
  4. smile

    smile Well-Known Member

    Nothing in cgi-bin, and the tmp is clean. Any other possibility that you can see?
  5. jpetersen

    jpetersen Well-Known Member

    The one time I've seen hnc.cgi, it was in the location that ebizindia stated, which was the user's cgi-bin/ directory.

    Here it is being uploaded:

    Code:
    Sep 25 05:52:19 host pure-ftpd: (victim@195.189.226.220) [NOTICE] /home/victim//www/cgi-bin/hnc.cgi uploaded  (35024 bytes, 67.26KB/sec)
    then executed:

    Code:
    example.com:195.189.226.220 - - [25/Sep/2008:05:52:19 -0400] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    and then removed:

    Code:
    Sep 25 05:52:20 host pure-ftpd: (victim@195.189.226.220) [NOTICE] Deleted www/cgi-bin/hnc.cgi
    You're not finding it on the filesystem because it's probably getting deleted immediately after being executed. Check your syslogs for any FTP activity related to the file:

    # cd /var/log
    # zgrep hnc.cgi messages*

    edit: also check any domain logs in /usr/local/apache/domlogs for "hnc.cgi" as well.

    more edit: in case I wasn't all too clear, the issue in the logs shown above occurred because the attacker had, somehow, obtained the user's cPanel password, which allowed them to upload the file via FTP. Once you find the cause of the script getting onto your server, make sure you change that user's password, tell them to never use any old passwords they've used before (since at least 1 is known by someone else), and it would probably be a good idea for the user to install/update/run a full antivirus scan on their own computer, in case that was the cause of their password getting stolen (e.g., the customer's home computer is trojaned, being keylogged, etc).

    Do let us know what you find out please.
    #5 jpetersen, Nov 14, 2008
    Last edited: Nov 14, 2008
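As an added example (not code from the thread or from cPanel), here is a small Python correlator for the upload / execute / delete pattern jpetersen describes: it parses pure-ftpd syslog lines and Apache domlog lines and flags any file that was uploaded over FTP, requested over HTTP from the same IP, and deleted again within a short window. The sample log lines are constructed after the ones quoted above, and the syslog year (which syslog omits) and the two log formats are assumptions.

```python
import re
from datetime import datetime, timedelta
from os.path import basename

# Constructed sample lines, modelled on the ones quoted in the thread; not real logs.
FTP_LOG = """\
Sep 25 05:52:19 host pure-ftpd: (victim@195.189.226.220) [NOTICE] /home/victim//www/cgi-bin/hnc.cgi uploaded  (35024 bytes, 67.26KB/sec)
Sep 25 05:52:20 host pure-ftpd: (victim@195.189.226.220) [NOTICE] Deleted www/cgi-bin/hnc.cgi
Sep 25 09:10:02 host pure-ftpd: (victim@192.0.2.10) [NOTICE] /home/victim//www/index.html uploaded  (2048 bytes, 10.00KB/sec)
"""
ACCESS_LOG = """\
example.com:195.189.226.220 - - [25/Sep/2008:05:52:19 -0400] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "Mozilla/4.0"
example.com:192.0.2.10 - - [25/Sep/2008:09:10:05 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.19"
"""
# Assumed pure-ftpd syslog and cPanel domlog (vhost:client-ip prefix) formats, as quoted above.
FTP_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \(([^@]+)@([^)]+)\) \[NOTICE\] (.*)$')
ACC_RE = re.compile(r'^\S+:(\S+) - - \[([^ \]]+)[^\]]*\] "(\S+) (\S+) [^"]*" (\d+)')

def parse_ftp(text, year):
    """Yield (time, user, ip, action, filename) for FTP uploads and deletions."""
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(4)
        if msg.startswith("Deleted "):
            yield when, m.group(2), m.group(3), "delete", basename(msg.split()[1])
        elif " uploaded " in msg:
            yield when, m.group(2), m.group(3), "upload", basename(msg.split()[0])

def parse_access(text):
    """Yield (time, client ip, request path, status) per access-log line (offset ignored)."""
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            yield when, m.group(1), m.group(4), int(m.group(5))

def short_lived_cgi(ftp_text, access_text, year, window=timedelta(seconds=60)):
    """Return uploads that were requested over HTTP and deleted again within `window`."""
    ftp = list(parse_ftp(ftp_text, year))
    hits = list(parse_access(access_text))
    findings = []
    for t_up, user, ip, action, name in ftp:
        if action != "upload":
            continue
        ran = [t for t, aip, path, _ in hits
               if basename(path) == name and aip == ip and t_up <= t <= t_up + window]
        gone = [t for t, u, _, a, n in ftp
                if a == "delete" and n == name and u == user and t_up <= t <= t_up + window]
        if ran and gone:  # uploaded, hit once, removed: the pattern in the thread
            findings.append({"user": user, "ip": ip, "file": name, "uploaded": t_up,
                             "executed": min(ran), "deleted": min(gone),
                             "lifetime_s": (min(gone) - t_up).total_seconds()})
    return findings
```

Feed it the output of `zgrep pure-ftpd /var/log/messages*` and the relevant domlog; an ordinary upload such as the index.html line is not flagged because it is never deleted.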
  6. jpetersen

    jpetersen Well-Known Member

    To break up the posts a bit, I'm making a separate reply.

    To answer your question: the script could be legit, unless it's not. The one I saw is not. Check the first few lines of the script. If it looks like this:

    Code:
    # head -2 hnc.cgi
    #!/usr/bin/perl -w
    # HSH.net client
    then it's a script for sending spam.

    Here's a very small part of it which shows the fake mail user agent strings that the script uses:

    Code:
            my $mailer =
            [
                    "Exim 3.12",
                    "Qmail 2.67",
                    "Sendmail 3.84/3.84",
                    "mLogic",
                    "WebPOP 1.0",
                    "Gentoo"
            ];
    
    If you're on any spam related feedback loops like the one AOL provides, check the headers of the spam complaints. If you see any of those user agent strings in the headers, then you might have an hnc.cgi issue on your server.

    If you're unable to locate the cause of the problem, I would definitely recommend hiring an admin to help you investigate.