The Community Forums


my system is under attack

Discussion in 'General Discussion' started by beshoo, Feb 8, 2008.

  1. beshoo

    beshoo Member

    Dear all.

    I have a big problem on my server.
    There is a hacker who keeps logging in to my system; I don't know how. He can edit or delete whatever he wants from any account in the home directory.


    e.g.: http://www.tirejafrin.com

    Well, let me tell you about my server.
    It is CentOS 4.
    The kernel is 2.6.9-023stab046.2-enterprise.
    /tmp is secured:



    [root@server /tmp]#mount
    /dev/vzfs on / type reiserfs (rw,usrquota,grpquota)
    proc on /proc type proc (rw,nodiratime)
    devpts on /dev/pts type devpts (rw)
    /tmp on /var/tmp type none (rw,noexec,nosuid,bind)

    I disabled CGI/PL on the system. I removed all the paths from httpd.conf, so when you run any PL script an internal server error will occur.

    PHP is in safe mode.

    disable_functions in php.ini is:

    dl, exec, shell_exec, system, passthru, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg


    The FTP program is Pure-FTPd [TLS].

    FrontPage extensions [I am not sure about this section].

    At first, before updating the kernel and securing tmp, I found some local exploit file in ./tmp, but I removed it as well.


    Anyway, how come this man can log in to the system and do whatever he wants?
    About log files, I don't find any lead.

    Please, can you tell me any other step I can take to stop this crazy man!
    Your cooperation is highly recommended and appreciated.
    Kindly.
     
    #1 beshoo, Feb 8, 2008
    Last edited by a moderator: Feb 12, 2008
  2. nick1

    nick1 Member

    oh

    Check the /etc/passwd file and see if you can see an unknown user who has shell access.

    Add a root alert and block his IP when you find him.

    # appended to /root/.bash_profile, so every root login mails an alert
    echo 'echo "ALERT - Root Shell Access on:" `date` `who` | mail -s "Alert: Root Access" root' >> /root/.bash_profile

    Check /dev/shm to see if he has uploaded a backdoor script.

    Run the cPanel script "hackcheck" to see if you have more users with root privileges.

    Hire an admin to clean your server.

    Thank you,
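One way to carry out the /etc/passwd check nick1 describes, as an added example that is not from the thread: it reports every extra UID-0 account and every non-root account that still has a real login shell. It assumes the cPanel noshell path named in this thread plus the usual nologin paths; the sample passwd file is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd file the way nick1
# suggests, reporting every extra UID-0 account and every non-root account
# that still has a real login shell. Assumes cPanel's noshell path from the
# thread plus the usual nologin paths; the sample passwd file is constructed.

# Shells that do not give an interactive login.
NOSHELLS='/usr/local/cpanel/bin/noshell /sbin/nologin /usr/sbin/nologin /bin/false'

# is_noshell SHELL -> success when SHELL is one of the non-interactive shells.
is_noshell() {
    for s in $NOSHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_passwd FILE -> one finding per line:
#   "UID0 <user>"           an account other than root with UID 0
#   "SHELL <user> <shell>"  a non-root account with an interactive shell
audit_passwd() {
    while IFS=: read -r user _ uid _ _ _ shell; do
        [ -z "$user" ] && continue
        if [ "$uid" = "0" ] && [ "$user" != "root" ]; then
            echo "UID0 $user"
        fi
        if [ "$user" != "root" ] && ! is_noshell "$shell"; then
            echo "SHELL $user $shell"
        fi
    done < "$1"
    return 0
}

# Constructed sample /etc/passwd: one hosting account on noshell, one account
# with bash left enabled, and a second UID-0 account that should not exist.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
cust1:x:501:502::/home/cust1:/usr/local/cpanel/bin/noshell
webadmin:x:502:503::/home/webadmin:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF

audit_passwd "$SAMPLE"
```

Run it against the real file with `audit_passwd /etc/passwd`; any UID0 line, or a SHELL line for an account that should not have one, is what nick1 is telling you to look for.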
     
  3. beshoo

    beshoo Member

    The bad news: well, I am the server admin :)

    Well, about "/bin/bash", I removed it all and converted it to /usr/local/cpanel/bin/noshell.

    About /dev/shm, I am not sure; please have a look:
    PHP:

    drwxr-xr-x   3 root root   2.0K Feb  8 00:39 .
    drwxr-xr-x  27 root root   1.0K Feb  8 00:12 ..
    -rw-r--r--   1 root root   1.8K Dec 15  2006 .udev.tdb
    lrwxrwxrwx   1 root root     15 Dec 15  2006 MAKEDEV -> ../sbin/MAKEDEV
    crw-rw-rw-   1 root root 5,   1 Apr 13  2006 console
    crw-------   1 root root 1,   6 Apr 13  2006 core
    lrwxrwxrwx   1 root root     13 Dec 15  2006 fd -> /proc/self/fd
    crw-rw-rw-   1 root root 1,   7 Apr 13  2006 full
    prw-------   1 root root      0 May  5  2007 initctl
    crw-r-----   1 root kmem 1,   2 Apr 13  2006 kmem
    crw-------   1 root root 1,  11 Apr 13  2006 kmsg
    srw-rw-rw-   1 root root      0 Feb  7 13:27 log
    crw-r-----   1 root kmem 1,   1 Apr 13  2006 mem
    crw-rw-rw-   1 root root 1,   3 Apr 13  2006 null
    crw-r-----   1 root kmem 1,   4 Apr 13  2006 port
    crw-rw-rw-   1 root root 5,   2 Apr 13  2006 ptmx
    drwxr-xr-x   2 root root      0 Feb  7 13:27 pts
    crw-rw-rw-   1 root tty  2176 Apr 13  2006 ptya0
    crw-rw-rw-   1 root tty  2177 Apr 13  2006 ptya1
    crw-rw-rw-   1 root tty  2178 Apr 13  2006 ptya2
    crw-rw-rw-   1 root tty  2179 Apr 13  2006 ptya3
    crw-rw-rw-   1 root tty  2180 Apr 13  2006 ptya4
    crw-rw-rw-   1 root tty  2181 Apr 13  2006 ptya5
    crw-rw-rw-   1 root tty  2182 Apr 13  2006 ptya6
    crw-rw-rw-   1 root tty  2183 Apr 13  2006 ptya7
    crw-rw-rw-   1 root tty  2184 Apr 13  2006 ptya8
    crw-rw-rw-   1 root tty  2185 Apr 13  2006 ptya9
    crw-rw-rw-   1 root tty  2186 Apr 13  2006 ptyaa
    crw-rw-rw-   1 root tty  2187 Apr 13  2006 ptyab
    crw-rw-rw-   1 root tty  2188 Apr 13  2006 ptyac
    crw-rw-rw-   1 root tty  2189 Apr 13  2006 ptyad
    crw-rw-rw-   1 root tty  2190 Apr 13  2006 ptyae
    crw-rw-rw-   1 root tty  2191 Apr 13  2006 ptyaf
    crw-rw-rw-   1 root tty  2,   0 Apr 13  2006 ptyp0
    crw-rw-rw-   1 root tty  2,   1 Apr 13  2006 ptyp1
    crw-rw-rw-   1 root tty  2,   2 Apr 13  2006 ptyp2
    crw-rw-rw-   1 root tty  2,   3 Apr 13  2006 ptyp3
    crw-rw-rw-   1 root tty  2,   4 Apr 13  2006 ptyp4
    crw-rw-rw-   1 root tty  2,   5 Apr 13  2006 ptyp5
    crw-rw-rw-   1 root tty  2,   6 Apr 13  2006 ptyp6
    crw-rw-rw-   1 root tty  2,   7 Apr 13  2006 ptyp7
    lrwxrwxrwx   1 root root      4 Dec 15  2006 ram -> ram1
    brw-r-----   1 root disk 1,   0 Apr 13  2006 ram0
    brw-r-----   1 root disk 1,   1 Apr 13  2006 ram1
    lrwxrwxrwx   1 root root      4 Dec 15  2006 ramdisk -> ram0
    crw-r--r--   1 root root 1,   8 Apr 13  2006 random
    lrwxrwxrwx   1 root root     15 Dec 15  2006 stderr -> /proc/self/fd/2
    lrwxrwxrwx   1 root root     15 Dec 15  2006 stdin -> /proc/self/fd/0
    lrwxrwxrwx   1 root root     15 Dec 15  2006 stdout -> /proc/self/fd/1
    crw-rw-rw-   1 root root 5,   0 Apr 13  2006 tty
    crw-rw-rw-   1 root tty  3176 Apr 13  2006 ttya0
    crw-rw-rw-   1 root tty  3177 Apr 13  2006 ttya1
    crw-rw-rw-   1 root tty  3178 Apr 13  2006 ttya2
    crw-rw-rw-   1 root tty  3179 Apr 13  2006 ttya3
    crw-rw-rw-   1 root tty  3180 Apr 13  2006 ttya4
    crw-rw-rw-   1 root tty  3181 Apr 13  2006 ttya5
    crw-rw-rw-   1 root tty  3182 Apr 13  2006 ttya6
    crw-rw-rw-   1 root tty  3183 Apr 13  2006 ttya7
    crw-rw-rw-   1 root tty  3184 Apr 13  2006 ttya8
    crw-rw-rw-   1 root tty  3185 Apr 13  2006 ttya9
    crw-rw-rw-   1 root tty  3186 Apr 13  2006 ttyaa
    crw-rw-rw-   1 root tty  3187 Apr 13  2006 ttyab
    crw-rw-rw-   1 root tty  3188 Apr 13  2006 ttyac
    crw-rw-rw-   1 root tty  3189 Apr 13  2006 ttyad
    crw-rw-rw-   1 root tty  3190 Apr 13  2006 ttyae
    crw-rw-rw-   1 root tty  3191 Apr 13  2006 ttyaf
    crw-rw-rw-   1 root tty  3,   0 Apr 13  2006 ttyp0
    crw-rw-rw-   1 root tty  3,   1 Apr 13  2006 ttyp1
    crw-rw-rw-   1 root tty  3,   2 Apr 13  2006 ttyp2
    crw-rw-rw-   1 root tty  3,   3 Apr 13  2006 ttyp3
    crw-rw-rw-   1 root tty  3,   4 Apr 13  2006 ttyp4
    crw-rw-rw-   1 root tty  3,   5 Apr 13  2006 ttyp5
    crw-rw-rw-   1 root tty  3,   6 Apr 13  2006 ttyp6
    crw-rw-rw-   1 root tty  3,   7 Apr 13  2006 ttyp7
    crw-r--r--   1 root root 1,   9 Apr 13  2006 urandom
    b-----x---   1 root root 0,  19 Feb  7 13:27 vzfs
    crw-rw-rw-   1 root root 1,   5 Apr 13  2006 zero




    I removed all FrontPage extensions!


    Any more steps I can take?
     
    #3 beshoo, Feb 8, 2008
    Last edited: Feb 8, 2008
  4. JofleyUK

    JofleyUK Member

    Any decent dedicated server hosting company will help you out there; I wouldn't trust anyone else to admin my server unless they worked for the company.
     
  5. TheHeartSmasher

    TheHeartSmasher Active Member

    Install ConfigServer Firewall to lock down access, so you can do what you need to do without others interfering.

    Also, in the WHM Security section for SSH, add localhost and your IP(s) to the access list so only your IP will be able to access the shell, along with the server itself.

    In ConfigServer Firewall, add your IP(s) to the allowed list so you will not get banned.

    Then go through their security checks, then complete the removal of the unwanted data on the server, or use the ConfigServer services for help.

    http://www.configserver.com/cp/csf.html

    Also search your entire file system for words like shell, c9, .ru, .cn, nulled, hacked, etc.

    Make sure cPanel's brute-force protection is enabled, along with passwordless authentication, and use keys.
    Make sure that all the user accounts are not running as nobody but as the user account (suPHP).
    Install Munin so you can see how much bandwidth and other resources are being used.

    Search the mail directories for spam emails, or spam email scripts.
     
    #5 TheHeartSmasher, Feb 11, 2008
    Last edited: Feb 11, 2008
  6. WebJIVE

    WebJIVE Well-Known Member

    Just my 2 cents after one of my customer accounts was compromised. Look for any suspicious .pl files in directories where .php files normally live (eggdrop and mocks are two common ones). These files are usually buried deep within the accounts and can be hard to find.

    I would suggest using find and other commands to root these out. While they don't usually compromise the server, they do provide a doorway for spammers to send email, and mocks is usually installed as an IRC proxy.

    Good luck....
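A find-based version of the search WebJIVE suggests, as an added example rather than the poster's own commands: it lists every .pl file that sits in a directory which also holds .php files, which is the "wrong place" for a Perl script on a hosting account. The sample account tree is constructed; the file names echo the two names mentioned above and are not real indicators.

```shell
#!/bin/sh
# Added example (not WebJIVE's own commands): list Perl scripts that sit in a
# directory which also holds PHP files. The sample tree below is constructed.

# find_pl_in_php_dirs ROOT -> prints the path of each .pl file whose directory
# also contains at least one .php file. Output still needs review by hand.
find_pl_in_php_dirs() {
    find "$1" -type f -name '*.pl' | while IFS= read -r pl; do
        dir=$(dirname "$pl")
        # -quit stops at the first .php so large trees stay cheap (GNU find).
        if [ -n "$(find "$dir" -maxdepth 1 -type f -name '*.php' -print -quit)" ]; then
            echo "$pl"
        fi
    done
}

# Constructed sample account tree for demonstration.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/public_html/wp-includes/js" "$SAMPLE_ROOT/cgi-bin"
: > "$SAMPLE_ROOT/public_html/index.php"
: > "$SAMPLE_ROOT/public_html/wp-includes/js/jquery.js"
: > "$SAMPLE_ROOT/public_html/wp-includes/js/mocks.pl"   # among .js only: not flagged
: > "$SAMPLE_ROOT/public_html/wp-includes/load.php"
: > "$SAMPLE_ROOT/public_html/wp-includes/eggdrop.pl"    # beside .php: flagged
: > "$SAMPLE_ROOT/cgi-bin/formmail.pl"                   # cgi-bin, no .php: not flagged

find_pl_in_php_dirs "$SAMPLE_ROOT"
```

Point it at `/home` on the real server; the cgi-bin case shows why a plain `find / -name '*.pl'` produces far more noise than this directory-aware check.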
     