Nonexistent domains on server?

000

Because on "MyHostName.domain.com" I have ONLY ONE DOMAIN,
I put this PHP code (from a PHP file) in /home:

PHP:
   $dir = preg_replace('/www\.|www/i', '', $_SERVER['SERVER_NAME']);
Then I save into $dir some info such as REFERER, IP, memory_get_usage(1), etc...

Sorry, allow me to repeat: I have ONLY ONE DOMAIN on this server.

My surprise is that ALWAYS, after 2 or 3 days, /home looks like this:


[Image: LOG.PNG]


Logically that is hacker activity, but how is it possible that the variable $_SERVER['SERVER_NAME'] returns domains that do not exist on the server?

or...

Do I have a trojan on my server?

Thanks for your help
 

GOT

Yes, I would say the odds are that you were hacked. I would back up your site, since it's only one, and wipe the server and restore the backup. Then check your site for vulnerabilities.
 

000

"Yes, I would say the odds are that you were hacked. I would back up your site, since it's only one, and wipe the server and restore the backup. Then check your site for vulnerabilities."

Thanks,

for months I have been doing this on other servers.

I have this in "TEST" mode, so my "web site" is only 3 files, no database, etc...

However, foreign domains always appear after 2 or 3 days...

But how is it possible that the variable {$_SERVER['SERVER_NAME']} returns domains that do not exist on the server?...
 

cPanelMichael

Hello,

Can you open a support ticket so we can take a closer look at your system? You can post the ticket number here and we'll link this thread to it.

Thank you.
 

000

Hello again.

Because this is very strange to me,
I added this line to my code (pseudocode):

PHP:
if( is NEW DIR - new DOMAIN.TLD) {
    mail()...
    ...
    ...
    }
and just today I got this email:
PHP:
---------------------------------------------------------------------------------------------------
_SERVER: Array
(
    [SERVER_SOFTWARE] => Apache
    [REQUEST_URI] => /
    [CONTEXT_DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
    [CONTEXT_PREFIX] =>
    [DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
    [GATEWAY_INTERFACE] => CGI/1.1
    [HTTP_ACCEPT_ENCODING] => gzip
    [HTTP_CONNECTION] => close
    [HTTP_HOST] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
    [HTTP_USER_AGENT] => Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
    [PATH] => /bin:/usr/bin
    [PHP_INI_SCAN_DIR] => /opt/cpanel/ea-php56/root/etc:/opt/cpanel/ea-php56/root/etc/php.d:.
    [QUERY_STRING] =>
    [REDIRECT_STATUS] => 200
    [REMOTE_ADDR] => 5.8.10.202
    [REMOTE_PORT] => 18840
    [REQUEST_METHOD] => GET
    [REQUEST_SCHEME] => http
    [SCRIPT_FILENAME] => /home/FOLDER_USER/public_html/index.php
    [SCRIPT_NAME] => /index.php
    [SCRIPT_URI] => http://jg4rli4xoagvvmw47gxvbt3bhyd.onion/
    [SCRIPT_URL] => /
    [SERVER_ADDR] => SERVER_IP
    [SERVER_ADMIN] => [email protected]_USER.com
    [SERVER_NAME] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
    [SERVER_PORT] => 80
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] =>
    [TZ] => Continent/City
    [UNIQUE_ID] => XOZmmLevTCUZEI0hNjM62gAAAJE
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1558603417.05
    [REQUEST_TIME] => 1558603417
    [argv] => Array
        (
        )

    [argc] => 0
    [HTTP_REFERER] =>
    [REDIRECT_QUERY_STRING] =>
    [REDIRECT_URL] =>
)

---------------------------------------------------------------------------------------------------
I searched the net and I got:

[Image: hacker_03.PNG]

So please help me with some questions:

1// Is it possible for us to do something about this hacker?
2// How do we protect against this and other attacks?
3// What can hackers do with this attack, malicious code?
4// And finally, is it then a bad idea to create/configure URLs in a web portal with <a href="https://'.$_SERVER['SERVER_NAME'].'">LINK</a>... then what is the solution? What is the correct/professional method to create/configure web design?



Thanks for all your help
 

cPanelMichael

Hello,

To update, here's a response from one of the Technical Analysts on the ticket:

In reading the Apache documentation: core - Apache HTTP Server Version 2.4

The setting is Off by default because Apache can be (and usually is) used with many VirtualHosts. You can set it to On, if and only if you have a single domain. But cPanel servers by default are used for multiple VirtualHosts so the default of "Off" is recommended.

UseCanonicalName must be off for VirtualHosts, otherwise, it won't work properly, and will break many PHP sites.
It has to do with the trailing "/" on the URL.

With this value set to On, any URL which is generated automatically by Apache will use the fully-qualified hostname from the ServerName directive.

If Off (default), Apache will generate the URL with the Host: header that the client passed to it.
If you use name-based virtual hosts (which cPanel does), you want this off.
Further advice about the security of the PHP script itself should be sought from a qualified system administrator or PHP security expert. We provide a list of companies offering system administration services on the link below:

System Administration Services | cPanel Forums

Thank you.
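
An added example, not part of the thread and not cPanel's code, addressing question 4 above: with UseCanonicalName Off, SERVER_NAME follows the client's Host header, so the script checks it against an allowlist before deriving a directory name and builds links from a configured name instead. The hostnames, the `hostlogs` path and all function and constant names are assumptions; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical configuration: the only names this site should answer for.
const ALLOWED_HOSTS  = ['example.com', 'www.example.com'];
const CANONICAL_HOST = 'example.com';

/** Return the allowlisted host named by the request, or null otherwise. */
function allowed_host(array $server): ?string
{
    // Both values originate from the client when UseCanonicalName is Off.
    $raw = strtolower((string)($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? ''));
    // Drop an optional :port suffix and a trailing dot before comparing.
    $host = rtrim((string)preg_replace('/:\d+$/', '', $raw), '.');
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Per-site directory; null means "create nothing for this request". */
function log_dir_for(array $server, string $base): ?string
{
    $host = allowed_host($server);
    if ($host === null) {
        return null; // a live page would also send http_response_code(400)
    }
    // Strip only a leading "www." (anchored, unlike '/www\.|www/i').
    return $base . '/' . preg_replace('/^www\./', '', $host);
}

/** Links use the configured name, never what the client sent. */
function site_link(string $path = '/'): string
{
    return '<a href="https://' . CANONICAL_HOST
        . htmlspecialchars($path, ENT_QUOTES) . '">LINK</a>';
}

// Constructed sample requests: one genuine, one with an unknown Host header
// like the request shown in the e-mailed dump.
$genuine = ['HTTP_HOST' => 'www.example.com', 'SERVER_NAME' => 'www.example.com'];
$unknown = ['HTTP_HOST' => 'unlisted-name.invalid', 'SERVER_NAME' => 'unlisted-name.invalid'];

foreach ([$genuine, $unknown] as $request) {
    $dir = log_dir_for($request, '/home/FOLDER_USER/hostlogs');
    echo $request['HTTP_HOST'], ' => ', $dir ?? '(rejected, no directory)', PHP_EOL;
}
echo site_link('/'), PHP_EOL;
```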