Nonexistent domains on server?

[000]

Becouse in "MyHostName.domain.com" I have ONLY ONE DOMAIN,
I put this code PHP (from file PHP) in /home :

   $dir = preg_replace('/www\.|www/i', '', $_SERVER['SERVER_NAME']);

then I save INTO $dir some info as REFERER, IP, memory_get_usage(1), etc...

Sorry, allowme I repeat: I have ONLY ONE DOMAIN in this server.

My sorpraise is FOREVER, after of 2 or 3 days /home look as this:





Logically that is activity hacker, but how is possible the var

$_SERVER['SERVER_NAME']

return domains non-exist in server?

or...

I have a trojan into my server?

Thanks by your help

 

[GOT]

Yes I would say the odds are that you were hacked I would back up your site since it's only one and wipe the server and restore the backup. Then check your site for vulnerabilities.

 

[000]

New Yes I would say the odds are that you were hacked I would back up your site since it's only one and wipe the server and restore the backup. Then check your site for vulnerabilities.

Thanks,

by months I do this in others servers.

I have this in mode "TEST", then my "web site" is only 3 files, no data base, etc...

However ever appear foraneus domains after of 2, 3 days...


but how is possible the var {$_SERVER['SERVER_NAME'} return domains non-exist in server?...

 

[cPanelMichael]

Hello,

Can you open a support ticket so we can take a closer look at your system? You can post the ticket number here and we'll link this thread to it.

Thank you.

 

[000]

so we can take a closer look at your system

thanks very much.

ticketid=12353753 is URL to ticket.


Regards

 

[000]

Can you open a support ticket so we can take a closer look at your system?

Gotcha!!,

finally we fixed the bug.

We find the problem with the help of


Sean Bailey
Technical Analyst II
cPanel, L.L.C.


the problem is:

HTTP_HOST and SERVER_NAME Security Issues | Blog

Thanks to all team of cPanel by your time.

Regards

 

[000]

Hello again.

Becouse this is very strange for me,
I add this line in my code (pseudocode):

if( is NEW DIR - new DIMAIN.TLD) {
    mail()...
    ...
    ...
    }

and just today I get this email:

---------------------------------------------------------------------------------------------------
_SERVER: Array
(
    [SERVER_SOFTWARE] => Apache
    [REQUEST_URI] => /
    [CONTEXT_DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
    [CONTEXT_PREFIX] =>
    [DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
    [GATEWAY_INTERFACE] => CGI/1.1
    [HTTP_ACCEPT_ENCODING] => gzip
    [HTTP_CONNECTION] => close
    [HTTP_HOST] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
    [HTTP_USER_AGENT] => Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
    [PATH] => /bin:/usr/bin
    [PHP_INI_SCAN_DIR] => /opt/cpanel/ea-php56/root/etc:/opt/cpanel/ea-php56/root/etc/php.d:.
    [QUERY_STRING] =>
    [REDIRECT_STATUS] => 200
    [REMOTE_ADDR] => 5.8.10.202
    [REMOTE_PORT] => 18840
    [REQUEST_METHOD] => GET
    [REQUEST_SCHEME] => http
    [SCRIPT_FILENAME] => /home/FOLDER_USER/public_html/index.php
    [SCRIPT_NAME] => /index.php
    [SCRIPT_URI] => http://jg4rli4xoagvvmw47gxvbt3bhyd.onion/
    [SCRIPT_URL] => /
    [SERVER_ADDR] => SERVER_IP
    [SERVER_ADMIN] => [email protected]_USER.com
    [SERVER_NAME] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
    [SERVER_PORT] => 80
    [SERVER_PROTOCOL] => HTTP/1.1
    [SERVER_SIGNATURE] =>
    [TZ] => Continent/City
    [UNIQUE_ID] => XOZmmLevTCUZEI0hNjM62gAAAJE
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1558603417.05
    [REQUEST_TIME] => 1558603417
    [argv] => Array
        (
        )

    [argc] => 0
    [HTTP_REFERER] =>
    [REDIRECT_QUERY_STRING] =>
    [REDIRECT_URL] =>
)

---------------------------------------------------------------------------------------------------

I seek in NET and I get:



then please helpme with some questions:

1// is possible we do something about this hacker?
2// how we protect of this and others attacks?
3// what can do the hackers with this attack, code malicious?
4// and finally, then ... is bad idea create/config URLs in portal web with <a href="https://'.$_SERVER['SERVER_NAME'].'">LINK</a>... then what is the solution?, what is the correct/professional method to create/config web design ?



Thanks by all yours helps

 

[cPanelMichael]

Hello,

To update, here's a response from one of the Technical Analysts on the ticket:

In reading the Apache documentation: core - Apache HTTP Server Version 2.4

The setting is Off by default because Apache can be (and usually is) used with many VirtualHosts. You can set it to On, if and only if you have a single domain. But cPanel servers by default are used for multiple VirtualHosts so the default of "Off" is recommended.

UseCanonicalName must be off for VirtualHosts, otherwise, it won't work properly, and will break many PHP sites.
It has to do with the trailing "/" on the URL.

With this value set to On, any URL which is generated automatically by Apache will use the fully-qualified hostname from the ServerName directive.

If Off (default), Apache will generate the URL with the Host: header that the client passed to it.
If you use name-based virtual hosts (which cPanel does), you want this off.

Further advice about the security of the PHP script itself should be sought from a qualified system administrator or PHP security expert. We provide a list of companies offering system administration services on the link below:

System Administration Services | cPanel Forums

Thank you.