Hi,
First, a short intro. I'm a photographer and designer for a small business with multiple domains, all of which are hosted at Canaca.com. I've always taken care of my own basic network and hosted files for home or private use, but I've never dealt with anything that would require manual editing or updating of scripts such as cPanel or Apache.
Last week our server was compromised, rooted and used to both send mass emails and host false bank pages as part of a phishing scam targeting multiple banks. The host company suspended our account, shutting down all of our web sites. 4 days later we finally got in touch with a real live person in order to have them reset our account passwords.
After 3 days of sifting through our servers and researching how we were compromised I stumbled upon this forum and I'm hoping I get some needed help.
On to the Exploit.
In the process of cleaning up the mess I've found 13 folders as well as 3 files in my "public_html" that are locked off with permissions set to 0000. One is a php script and the other 2 files are .zip files which are beyond a shadow of a doubt the attacker's compressed phishing websites. I can't do anything to these files or folders since I don't have access rights. I have no idea whether it's the hacker or the host company that set the permissions on those files or folders. Can I reclaim ownership of those files? How would I do that?
I've also uncovered 2 other scripts to which I have access rights however. The first one (named: cp1.php) seems like cPanel stack overflow. The second (named: mail.php) seems like an email server hack since our servers were used to send out hundreds of emails on the day the file was uploaded to our system.
So far the only solution we've been offered to fix the problem is the creation of a new account to which we would then have to upload all of our account and recreate all of our settings. Their explanation is that our account has been compromised to such an extent that they can't guarantee its integrity any longer. They haven't provided any kind of explanation as to how the attackers gained access, nor have they shown any interest in my multiple emails about what I discovered through my own investigation of our files.
Canaca's system is currently running:
cPanel Version 11.25.0-RELEASE
MySQL version 5.0.89-community
cPanel Build 43473
Apache version 2.2.15
PHP version 5.2.13
cPanel Pro 1.0 (RC1)
And now for the questions
Can I claim ownership of the hacker's files and folders (the ones with permissions set to 0000)? How would I do that?
Seeing as how this exploit revealed a weakness in the version of cPanel our hosting company is using, and seeing as how they haven't demonstrated any knowledge of the specifics of the attack, is it possible for me to patch it myself? What would I need to do to determine the exact form of the counter-measure?
Finally, is it standard operating procedure in the case of such an attack to have to create a whole new account? Is this just revealing our hosting company's relative lack of knowledge? My gut reaction tells me that unless the Hosting Company's servers were themselves rooted they should have no problem eliminating any unwanted access, but as I stated earlier, I'm not a network analyst.
Any help or advice would be much appreciated as I know I won't be getting any from Canaca's tech support.
Thanks in advance,
Marc-Andre Renaud
Aararat Consulting
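Added example (not code from the original post): a small POSIX shell triage helper for the locked-files question above. It lists every entry under a web root whose mode is 0000 together with its owner, and only attempts to restore permissions on entries the current account owns, since chmod on a file owned by root (or another user) fails on shared hosting and has to go through the host. It assumes GNU coreutils (stat -c) and a constructed sample tree, not the poster's real public_html.

```shell
#!/bin/sh
# Triage helper for a compromised shared-hosting account (added example).
# Inventory entries with mode 0000 under a web root and reclaim only what we own.

# Print "owner path" for every file or directory with mode 0000 under $1.
# find cannot descend into 0000 directories we don't own, so errors are ignored.
list_locked_entries() {
    find "$1" -perm 000 -exec stat -c '%U %n' {} + 2>/dev/null || true
}

# Owner (user name) of a path, via GNU stat.
owner_of() {
    stat -c '%U' "$1"
}

# Returns 0 if the current user owns the path, so chmod can restore access.
can_reclaim() {
    [ "$(owner_of "$1")" = "$(id -un)" ]
}

# Restore owner read/write on a locked entry only if we own it; if root or
# another user owns it, report that and leave it to the hosting provider.
reclaim() {
    if can_reclaim "$1"; then
        chmod u+rw "$1"
    else
        echo "cannot reclaim $1: owned by $(owner_of "$1"), ask the host" >&2
        return 1
    fi
}

# Demo on a constructed tree (hypothetical names, not the poster's files).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/phish1"
    : > "$d/public_html/site.zip"
    chmod 000 "$d/public_html/phish1" "$d/public_html/site.zip"
    echo "locked entries:"
    list_locked_entries "$d/public_html"
    reclaim "$d/public_html/site.zip" && echo "reclaimed site.zip"
    rm -rf "$d"
}

demo
```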