Nonexistent domains on server?

Discussion in 'Security' started by 000, May 18, 2019.

  1. 000

    000 Well-Known Member

    Because in "MyHostName.domain.com" I have ONLY ONE DOMAIN,
    I put this PHP code (from a PHP file) in /home:

    PHP:
       $dir = preg_replace('/www\.|www/i', '', $_SERVER['SERVER_NAME']);
    then I save INTO $dir some info such as REFERER, IP, memory_get_usage(1), etc...

    Sorry, allow me to repeat: I have ONLY ONE DOMAIN on this server.

    My surprise is that ALWAYS, after 2 or 3 days, /home looks like this:


    LOG.PNG


    Logically that is hacker activity, but how is it possible that the var
    PHP:
    $_SERVER['SERVER_NAME']
    returns domains that do not exist on the server?

    or...

    Do I have a trojan on my server?

    Thanks for your help
     
  2. GOT

    GOT Get Proactive! PartnerNOC

    Yes, I would say the odds are that you were hacked. I would back up your site, since it's only one, and wipe the server and restore the backup. Then check your site for vulnerabilities.
     
  3. 000

    000 Well-Known Member

    Thanks,

    for months I have done this on other servers.

    I have this in "TEST" mode, so my "web site" is only 3 files, no database, etc...

    However, foreign domains always appear after 2 or 3 days...


    but how is it possible that the var $_SERVER['SERVER_NAME'] returns domains that do not exist on the server?...
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    Can you open a support ticket so we can take a closer look at your system? You can post the ticket number here and we'll link this thread to it.

    Thank you.
     
  5. 000

    000 Well-Known Member

    Thanks very much.

    ticketid=12353753 is the URL to the ticket.


    Regards
     
  6. 000

    000 Well-Known Member

    Gotcha!!

    Finally we fixed the bug.

    We found the problem with the help of

    Sean Bailey
    Technical Analyst II
    cPanel, L.L.C.

    The problem is:

    HTTP_HOST and SERVER_NAME Security Issues | Blog

    Thanks to the whole cPanel team for your time.

    Regards
     
    cPanelMichael likes this.
  7. 000

    000 Well-Known Member

    Hello again.

    Because this is very strange for me,
    I added this line to my code (pseudocode):

    PHP:
    if( is NEW DIR - new DOMAIN.TLD) {
        mail()...
        ...
        ...
        }
    and just today I got this email:
    PHP:
    ---------------------------------------------------------------------------------------------------
    _SERVER: Array
    (
        [SERVER_SOFTWARE] => Apache
        [REQUEST_URI] => /
        [CONTEXT_DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
        [CONTEXT_PREFIX] =>
        [DOCUMENT_ROOT] => /home/FOLDER_USER/public_html
        [GATEWAY_INTERFACE] => CGI/1.1
        [HTTP_ACCEPT_ENCODING] => gzip
        [HTTP_CONNECTION] => close
        [HTTP_HOST] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
        [HTTP_USER_AGENT] => Mozilla/5.0 (compatibleMSIE 8.0Windows NT 6.0Trident/4.0)
        [PATH] => /bin:/usr/bin
        [PHP_INI_SCAN_DIR] => /opt/cpanel/ea-php56/root/etc:/opt/cpanel/ea-php56/root/etc/php.d:.
        [QUERY_STRING] =>
        [REDIRECT_STATUS] => 200
        [REMOTE_ADDR] => 5.8.10.202
        [REMOTE_PORT] => 18840
        [REQUEST_METHOD] => GET
        [REQUEST_SCHEME] => http
        [SCRIPT_FILENAME] => /home/FOLDER_USER/public_html/index.php
        [SCRIPT_NAME] => /index.php
        [SCRIPT_URI] => http://jg4rli4xoagvvmw47gxvbt3bhyd.onion/
        [SCRIPT_URL] => /
        [SERVER_ADDR] => SERVER_IP
        [SERVER_ADMIN] => webmaster@TLD_USER.com
        [SERVER_NAME] => jg4rli4xoagvvmw47gxvbt3bhyd.onion
        [SERVER_PORT] => 80
        [SERVER_PROTOCOL] => HTTP/1.1
        [SERVER_SIGNATURE] =>
        [TZ] => Continent/City
        [UNIQUE_ID] => XOZmmLevTCUZEI0hNjM62gAAAJE
        [PHP_SELF] => /index.php
        [REQUEST_TIME_FLOAT] => 1558603417.05
        [REQUEST_TIME] => 1558603417
        [argv] => Array
            (
            )

        [argc] => 0
        [HTTP_REFERER] =>
        [REDIRECT_QUERY_STRING] =>
        [REDIRECT_URL] =>
    )

    ---------------------------------------------------------------------------------------------------
    I searched the net and I got:

    hacker_03.PNG

    then please help me with some questions:

    1// Is it possible for us to do something about this hacker?
    2// How do we protect against this and other attacks?
    3// What can hackers do with this attack, malicious code?
    4// And finally, then ... is it a bad idea to create/configure URLs in a web portal with <a href="https://'.$_SERVER['SERVER_NAME'].'">LINK</a>... then what is the solution? What is the correct/professional method to create/configure web design?



    Thanks for all your help
     
    #7 000, May 23, 2019
    Last edited by a moderator: May 23, 2019
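
An added example, not code from this thread or from cPanel: the dump above shows `SERVER_NAME` carrying the same client-supplied value as `HTTP_HOST`, so a directory name or link built from either one is request-controlled. One way to handle it in PHP 7.1+ is to accept only hostnames from a fixed allowlist and build links from a configured name; `example.com`, the `logs` path and all function names here are hypothetical.

```php
<?php
// Hostnames this site really serves (constructed placeholders, set per site).
const ALLOWED_HOSTS  = ['example.com', 'www.example.com'];
const CANONICAL_HOST = 'example.com';

/**
 * Return the request host only if it is on the allowlist, otherwise null.
 * $server is normally $_SERVER; it is a parameter so the check runs offline.
 */
function trusted_host(array $server): ?string
{
    $raw  = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional :port
    $host = rtrim($host, '.');                  // drop a trailing dot
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Per-domain log directory: an unknown host never becomes a path component. */
function log_dir_for(array $server, string $base = '/home/FOLDER_USER/logs'): string
{
    $host = trusted_host($server);
    $name = $host === null ? '_unknown_host' : preg_replace('/^www\./', '', $host);
    return $base . '/' . $name;
}

/** Absolute link built from the configured name, never from the request. */
function site_link(string $path = '/'): string
{
    $url = 'https://' . CANONICAL_HOST . '/' . ltrim($path, '/');
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">LINK</a>';
}

// Constructed sample requests: one legitimate, one with the Host value from the dump.
$samples = [
    ['HTTP_HOST' => 'www.example.com', 'SERVER_NAME' => 'www.example.com'],
    ['HTTP_HOST' => 'jg4rli4xoagvvmw47gxvbt3bhyd.onion',
     'SERVER_NAME' => 'jg4rli4xoagvvmw47gxvbt3bhyd.onion'],
];
foreach ($samples as $s) {
    echo log_dir_for($s), "\n"; // known host gets its own directory, unknown is pooled
}
echo site_link('/contact'), "\n";
```

A stricter variant answers any request whose `trusted_host()` result is null with a 400 status instead of logging it.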
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    To update, here's a response from one of the Technical Analysts on the ticket:

    Further advice about the security of the PHP script itself should be sought from a qualified system administrator or PHP security expert. We provide a list of companies offering system administration services on the link below:

    System Administration Services | cPanel Forums

    Thank you.
     