The Community Forums


Possibly Hacked?

Discussion in 'General Discussion' started by paulm, Aug 9, 2007.

  1. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    Got a new account creation notification today and noticed it said the account was owned by root (this is a reseller server, so it should have been owned by one of them).

    Logged into WHM and sure enough there is a new reseller, and I have no clue where they came from. So I upgraded my kernel (I was 1 behind) and ran RKHUNTER, which came up with the following errors.

    [19:13:37] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    [19:13:37] /usr/bin/groups [ Warning ]
    [19:13:37] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    [19:13:38] /usr/bin/ldd [ Warning ]
    [19:13:38] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

    I do have a Cpanel ticket opened and waiting for a response but figured I would post here.

    Basics on my server are running CSF/LFD with Mod_Security, SSH port changed.
     
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Have you manually viewed those scripts in question? If you post a small chunk of one (not the whole thing) we might be able to see if it's not a "false positive".
     
  3. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    Hi Nyjimbo,

    Yes, I did look at another server's /usr/bin/GET and it looks like it was a false positive. Just kind of freaked me out because I got this odd account out of the blue, and the first thing I did was run rkhunter.

    From the file (it matches with my other server also):

    Code:
    #!/usr/bin/perl -w
    
    eval 'exec /usr/bin/perl -w -S $0 ${1+"$@"}'
        if 0; # not running under some shell
    
    # $Id: lwp-request,v 2.6 2003/10/26 14:39:18 gisle Exp $
    #
    # Simple user agent using LWP library.
    
    =head1 NAME
    
    lwp-request - Simple command line user agent
    
    =head1 SYNOPSIS
    
     lwp-request [-aeEdvhx] [-m method] [-b <base URL>] [-t <timeout>]
                 [-i <if-modified-since>] [-c <content-type>] [-C <credentials>]
                 [-p <proxy-url>] [-o <format>] <url>...
    
    =head1 DESCRIPTION
    
    This program can be used to send requests to WWW servers and your
    local file system. The request content for POST and PUT
    methods is read from stdin.  The content of the response is printed on
    stdout.  Error messages are printed on stderr.  The program returns a
    status value indicating the number of URLs that failed.
    
    The options are:
    
    =over 4
    
    =item -m <method>
    
    Still waiting for cPanel to reply to my ticket. I did notice the account set up a package with shell access and a dedicated IP. I don't want to touch anything until they take a look and tell me exactly what might have happened, as I have never seen anything like this before and cannot find any of the typical signs of intrusion (though that does not mean much).

    Thanks again for your help.
     
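The rkhunter warnings in the first post, and the check in the third post of comparing the flagged file with a copy from a clean server, can be made into a repeatable triage step. The script below is an added example and is not code from this thread, from rkhunter or from cPanel: it parses the "replaced by a script" lines, checks whether the path is a command known to ship as a script (groups and ldd are the examples rkhunter's own rkhunter.conf gives for its SCRIPTWHITELIST option; GET is the lwp-request Perl script from perl-libwww-perl), confirms the interpreter family matches, and asks the package manager (`rpm -Vf`, which prints nothing when the installed file matches its package) whether the file has changed. The sample log lines and the stand-in rpm results are constructed; `triage`, `parse_warnings`, `script_family` and `KNOWN_SCRIPT_WRAPPERS` are names chosen for this example.

```python
"""Triage rkhunter "replaced by a script" warnings (added example)."""
import re
import subprocess
from typing import Callable, Dict

# Constructed sample: warning lines of the shape quoted in the thread, plus one
# extra (ps) to show what a genuinely unexpected script wrapper looks like.
SAMPLE_LOG = """\
[19:13:37] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[19:13:37] /usr/bin/groups [ Warning ]
[19:13:37] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[19:13:38] /usr/bin/ldd [ Warning ]
[19:13:38] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[19:13:39] Warning: The command '/usr/bin/ps' has been replaced by a script: /usr/bin/ps: Bourne shell script text executable
"""

# Commands that legitimately ship as scripts, with the interpreter family expected.
# groups and ldd are the examples rkhunter.conf lists for SCRIPTWHITELIST;
# GET is the lwp-request Perl script installed by perl-libwww-perl.
KNOWN_SCRIPT_WRAPPERS = {
    "/usr/bin/GET": "perl",
    "/usr/bin/groups": "bourne",
    "/usr/bin/ldd": "bourne",
}

WARNING_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] Warning: The command '(?P<path>[^']+)' "
    r"has been replaced by a script: (?P=path): (?P<filetype>.+)$"
)


def parse_warnings(log_text: str) -> Dict[str, str]:
    """Map each flagged path to the file(1) description rkhunter printed."""
    flagged: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            flagged[m.group("path")] = m.group("filetype")
    return flagged


def script_family(filetype: str) -> str:
    """Reduce a file(1) description to the interpreter family it names."""
    lowered = filetype.lower()
    if "perl" in lowered:
        return "perl"
    if "bourne" in lowered or "shell" in lowered:
        return "bourne"
    return "other"


def rpm_verify_live(path: str) -> str:
    """Run `rpm -Vf PATH`; empty output means the file matches its package."""
    proc = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return proc.stdout.strip()


def triage(log_text: str, rpm_verify: Callable[[str], str]) -> Dict[str, str]:
    """Decide per flagged path whether it looks like a known false positive."""
    verdicts: Dict[str, str] = {}
    for path, filetype in parse_warnings(log_text).items():
        expected = KNOWN_SCRIPT_WRAPPERS.get(path)
        if expected is None:
            verdicts[path] = "investigate: not a known script wrapper"
            continue
        if script_family(filetype) != expected:
            verdicts[path] = f"investigate: wrong script type (expected {expected})"
            continue
        mismatch = rpm_verify(path)
        if mismatch:
            verdicts[path] = f"investigate: rpm -Vf reports {mismatch.split()[0]}"
        else:
            verdicts[path] = "likely false positive: known wrapper, package verifies"
    return verdicts


# Constructed stand-in for `rpm -Vf` so the example runs offline; the ldd line
# imitates the flags rpm prints when size, digest and mtime all differ.
CONSTRUCTED_RPM_RESULTS = {
    "/usr/bin/GET": "",
    "/usr/bin/groups": "",
    "/usr/bin/ldd": "S.5....T    /usr/bin/ldd",
    "/usr/bin/ps": "S.5....T    /usr/bin/ps",
}


def constructed_rpm_verify(path: str) -> str:
    return CONSTRUCTED_RPM_RESULTS.get(path, "")


if __name__ == "__main__":
    # On a real host, pass rpm_verify_live instead of constructed_rpm_verify.
    for flagged_path, verdict in triage(SAMPLE_LOG, constructed_rpm_verify).items():
        print(f"{flagged_path}: {verdict}")
```

On a host where root has been taken, the rpm database can have been edited along with the binaries, so a clean `rpm -Vf` is supporting evidence rather than proof; comparing the file against a copy from a known-good server, as was done above with /usr/bin/GET, or against the file inside the vendor's package, is the stronger check.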
  4. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    The user (reseller) that was created does not seem to have root permissions at this point; he did have shell access, which I have since removed. I am trying to touch as little as possible at this point.

    rhega:x:32571:32573::/home/rhega:/usr/local/cpanel/bin/noshell
     
  5. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Can you see what's in their home directory, especially any weird perl code? I'm not sure what O/S you are running, but that UID/GID seems pretty high. Do you have a lot of customers on that box?
     
  6. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    I have about 300 sites on the server. I did check the files and there is nothing in the site at all.

    The first site was created using a dedicated IP address, then deleted a minute later. Then this account was set up using another IP address and sits as it is now.

    I did see a ton of 'doorknob turning' looking for outdated phpMyAdmin and other scripts today in the logs, but blocked the IP that was doing it.

    Looking at my other users, the UID seems in line (they are all high like that), and the server is running CentOS 4.

    I did a lookup of the email address that is on file under the cPanel account when they created it; it seems to be a guy from Indonesia. Very odd that he would use an email address when creating the account, I also thought.

    I looked around for threads on possibly exploiting the wwwacctconf script but was unable to come up with anything really. It does not seem he had actual root access, but again that is just my guess until I figure out what really happened.
     
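The passwd line quoted in post 4 and the question in posts 5 and 6 about whether the new account's UID is in line with the other customers are the kind of check that is easier to do against a baseline than by eye. The script below is an added example, not from this thread or from cPanel: it diffs a current /etc/passwd against an earlier snapshot (from backups or a sibling server) and reports new accounts with their shell and their UID relative to the existing customer range, any UID-0 account besides root, shared UIDs, and existing accounts whose shell changed. Both passwd files are constructed for the example (the rhega line is the one from the thread; the toor account and the changed custa shell are invented to exercise those checks), and `audit`, `parse_passwd`, `describe_new`, `SYSTEM_UID_MAX` and `NOSHELL` are names chosen here.

```python
"""Audit /etc/passwd against a baseline copy (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: a passwd snapshot taken before the incident.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
custa:x:32540:32540::/home/custa:/usr/local/cpanel/bin/noshell
custb:x:32541:32542::/home/custb:/usr/local/cpanel/bin/jailshell
custc:x:32570:32572::/home/custc:/usr/local/cpanel/bin/noshell
"""

# Constructed current file: the rhega line quoted in the thread, plus an
# invented UID-0 account and a changed shell for custa to exercise those checks.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
custa:x:32540:32540::/home/custa:/bin/bash
custb:x:32541:32542::/home/custb:/usr/local/cpanel/bin/jailshell
custc:x:32570:32572::/home/custc:/usr/local/cpanel/bin/noshell
rhega:x:32571:32573::/home/rhega:/usr/local/cpanel/bin/noshell
"""

SYSTEM_UID_MAX = 499  # CentOS 4 convention: ordinary accounts start at 500
NOSHELL = {"/sbin/nologin", "/bin/false", "/usr/local/cpanel/bin/noshell"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5) lines; malformed lines are skipped rather than guessed at."""
    entries: Dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def describe_new(entry: PasswdEntry, customer_uids: List[int]) -> str:
    """One-line description of an account absent from the baseline."""
    shell_note = "no shell" if entry.shell in NOSHELL else "interactive shell"
    if entry.uid <= SYSTEM_UID_MAX:
        uid_note = f"UID {entry.uid} in system range"
    elif customer_uids:
        uid_note = f"UID {entry.uid} (existing customer UIDs {customer_uids[0]}-{customer_uids[-1]})"
    else:
        uid_note = f"UID {entry.uid}"
    return f"new account {entry.name}: {uid_note}, {shell_note} ({entry.shell}), home {entry.home}"


def audit(baseline_text: str, current_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings: List[str] = []

    # 1. Any UID-0 account besides root is root, whatever it is called.
    for e in cur.values():
        if e.uid == 0 and e.name != "root":
            findings.append(f"UID 0 account other than root: {e.name}")

    # 2. Shared UIDs let one account act as another.
    by_uid: Dict[int, List[str]] = {}
    for e in cur.values():
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(sorted(names))}")

    # 3. Accounts absent from the baseline, placed against the customer UID range.
    customer_uids = sorted(e.uid for e in base.values() if e.uid > SYSTEM_UID_MAX)
    for name in sorted(set(cur) - set(base)):
        findings.append(describe_new(cur[name], customer_uids))

    # 4. Existing accounts whose shell changed (e.g. noshell promoted to bash).
    for name in sorted(set(cur) & set(base)):
        if cur[name].shell != base[name].shell:
            findings.append(f"shell changed for {name}: {base[name].shell} -> {cur[name].shell}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_PASSWD, CURRENT_PASSWD):
        print(finding)
```

A UID that continues the existing sequence, as rhega's does here, only says the account was created through the normal tooling; it does not say who was authorised to use that tooling, which is why the WHM access log and the reseller list still need to be reviewed alongside this output.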
  7. Interdit

    Interdit Well-Known Member

    Joined:
    May 27, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    This morning a 'cptestc' account (with reseller rights) was created on our server, investigating as well...
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator

    This server has more than likely been compromised. You shouldn't be bothering to try and figure it out, you should be hiring someone who KNOWS how to figure it out.

    Google rhega

    My guess, you're in real trouble.
     
  9. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    I will be interested to find out what you find. I had restarted cPanel, so the cPanel log was deleted, which I was told by cPanel may have helped.

    I can typically handle things pretty well myself, but due to having so many issues pinpointing the issue at hand, I do have someone else looking into it.

    Been there, done that. Even found a picture (supposedly); debated contacting him myself, as his email seems to be available.
     
  10. Interdit

    Interdit Well-Known Member

    Joined:
    May 27, 2003
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    Cpanel support did it, so no alert for us.

    If you need help with your issue, hire someone, or contact us so we can take a look... but Cpanel should be able to sort it out as you posted a ticket already.
     