The Community Forums


Problem with dark.cgi scripts !!!

Discussion in 'Security' started by p-root, Jun 28, 2009.

  1. p-root

    p-root Active Member

    Joined:
    Nov 1, 2008
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    Hi,

    I have a Linux shared hosting server, and for a couple of days I have been facing a serious issue regarding Dark Mailer or some .cgi scripts like (dark.cgi, dm.cgi, coms.cgi, mrm.cgi). I am also using mod_security 2.0 + WHM to prevent this type of problem, so can anyone tell me the best solution to block these types of attacks through mod_security, and how to create a rule specific for the attacker's scripts (dark.cgi, dm.cgi, coms.cgi, mrm.cgi)? Please do the needful and let me know the best solution...

    *******************************************************************************************
    Time: Sun Jun 28 10:13:48 2009 +0530
    PID: 30951
    Account: hebbali
    Uptime: 25705 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/bin/perl dark.cgi


    Network connections by the process (if any):

    tcp: 144.38.110.14:58427 -> 210.8.231.6:25


    Files open by the process (if any):

    /dev/null
    /home/hebbali/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
    /home/hebbali/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
    /tmp/ZCUD4Fyc93 (deleted)


    Memory maps by the process (if any):

    00110000-0024e000 r-xp 00000000 08:05 9176295 /lib/libc-2.5.so
    0024e000-00250000 r--p 0013e000 08:05 9176295 /lib/libc-2.5.so
    00250000-00251000 rw-p 00140000 08:05 9176295 /lib/libc-2.5.so
    00251000-00254000 rw-p 00251000 00:00 0
    00254000-00258000 r-xp 00000000 08:05 9175078 /lib/libnss_dns-2.5.so
    00258000-00259000 r--p 00003000 08:05 9175078 /lib/libnss_dns-2.5.so
    00259000-0025a000 rw-p 00004000 08:05 9175078 /lib/libnss_dns-2.5.so
    00500000-0062b000 r-xp 00000000 08:03 10270297 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so
    0062b000-00630000 rw-p 0012a000 08:03 10270297 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so
    00630000-00632000 rw-p 00630000 00:00 0
    006ca000-006e6000 r-xp 00000000 08:03 10269980 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/POSIX.so
    006e6000-006e7000 rw-p 0001b000 08:03 10269980 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/POSIX.so
    006eb000-006f0000 r-xp 00000000 08:03 10270142 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    006f0000-006f1000 rw-p 00004000 08:03 10270142 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00771000-0078b000 r-xp 00000000 08:05 9176294 /lib/ld-2.5.so
    0078b000-0078c000 r--p 00019000 08:05 9176294 /lib/ld-2.5.so
    0078c000-0078d000 rw-p 0001a000 08:05 9176294 /lib/ld-2.5.so
    007bd000-007be000 r-xp 007bd000 00:00 0 [vdso]
    00801000-00805000 r-xp 00000000 08:03 10269967 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    00805000-00806000 rw-p 00003000 08:03 10269967 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    008d5000-008d7000 r-xp 00000000 08:05 9176298 /lib/libdl-2.5.so
    008d7000-008d8000 r--p 00001000 08:05 9176298 /lib/libdl-2.5.so
    008d8000-008d9000 rw-p 00002000 08:05 9176298 /lib/libdl-2.5.so
    008db000-00900000 r-xp 00000000 08:05 9176297 /lib/libm-2.5.so
    00900000-00901000 r--p 00024000 08:05 9176297 /lib/libm-2.5.so
    00901000-00902000 rw-p 00025000 08:05 9176297 /lib/libm-2.5.so
    00904000-00917000 r-xp 00000000 08:05 9176308 /lib/libpthread-2.5.so
    00917000-00918000 r--p 00012000 08:05 9176308 /lib/libpthread-2.5.so
    00918000-00919000 rw-p 00013000 08:05 9176308 /lib/libpthread-2.5.so
    00919000-0091b000 rw-p 00919000 00:00 0
    0099f000-009b2000 r-xp 00000000 08:05 9176300 /lib/libnsl-2.5.so
    009b2000-009b3000 r--p 00012000 08:05 9176300 /lib/libnsl-2.5.so
    009b3000-009b4000 rw-p 00013000 08:05 9176300 /lib/libnsl-2.5.so
    009b4000-009b6000 rw-p 009b4000 00:00 0
    009b8000-009c1000 r-xp 00000000 08:05 9176317 /lib/libcrypt-2.5.so
    009c1000-009c2000 r--p 00008000 08:05 9176317 /lib/libcrypt-2.5.so
    009c2000-009c3000 rw-p 00009000 08:05 9176317 /lib/libcrypt-2.5.so
    009c3000-009ea000 rw-p 009c3000 00:00 0
    00a3a000-00a43000 r-xp 00000000 08:05 9175080 /lib/libnss_files-2.5.so
    00a43000-00a44000 r--p 00008000 08:05 9175080 /lib/libnss_files-2.5.so
    00a44000-00a45000 rw-p 00009000 08:05 9175080 /lib/libnss_files-2.5.so
    00be0000-00bef000 r-xp 00000000 08:05 9176302 /lib/libresolv-2.5.so
    00bef000-00bf0000 r--p 0000e000 08:05 9176302 /lib/libresolv-2.5.so
    00bf0000-00bf1000 rw-p 0000f000 08:05 9176302 /lib/libresolv-2.5.so
    00bf1000-00bf3000 rw-p 00bf1000 00:00 0
    00e4d000-00e4f000 r-xp 00000000 08:03 10270168 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    00e4f000-00e50000 rw-p 00001000 08:03 10270168 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    05ad4000-05ad6000 r-xp 00000000 08:05 9176299 /lib/libutil-2.5.so
    05ad6000-05ad7000 r--p 00001000 08:05 9176299 /lib/libutil-2.5.so
    05ad7000-05ad8000 rw-p 00002000 08:05 9176299 /lib/libutil-2.5.so
    08048000-0804b000 r-xp 00000000 08:03 1733841 /usr/bin/perl
    0804b000-0804c000 rw-p 00002000 08:03 1733841 /usr/bin/perl
    084e5000-087bb000 rw-p 084e5000 00:00 0 [heap]
    b7f3a000-b7f5e000 rw-p b7f3a000 00:00 0
    b7f67000-b7f68000 rw-p b7f67000 00:00 0
    bfdb3000-bfdc8000 rw-p bffea000 00:00 0 [stack]
    ****************************************************************************************
     
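    The report above shows the Perl process still holding descriptors to files that are already gone from disk, marked "(deleted)": the kit unlinks its files once they are open, so a later scan of the account directory turns up nothing. As long as the process is alive the content is still reachable through /proc/<pid>/fd, which is where to take a copy of the mailer and its lists before killing it. The following is an added example (mine, not code from the thread or from cPanel/CSF); it assumes Linux procfs and demonstrates the recovery against its own process with a constructed throwaway file, since no real mailer process exists here. On a live box you would run it as root against the PID the report names.

```python
#!/usr/bin/env python3
"""Recover files a running process still holds open after they were
unlinked, the "(deleted)" entries in the CSF/LFD report above.

Added example, not code from the thread. Assumes Linux procfs
(/proc/<pid>/fd); needs root for processes owned by other users.
"""
import os
import shutil
import tempfile

PROC = "/proc"
DELETED_SUFFIX = " (deleted)"  # what the kernel appends to the readlink target


def proc_available() -> bool:
    """True when /proc/self/fd exists (Linux procfs)."""
    return os.path.isdir(os.path.join(PROC, "self", "fd"))


def deleted_open_files(pid) -> list:
    """Return (fd, original_path) for every descriptor of `pid` whose
    target has been unlinked from the filesystem."""
    fd_dir = os.path.join(PROC, str(pid), "fd")
    found = []
    for name in sorted(os.listdir(fd_dir), key=int):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
        if target.endswith(DELETED_SUFFIX):
            found.append((int(name), target[: -len(DELETED_SUFFIX)]))
    return found


def recover_open_file(pid, fd, dest_dir) -> str:
    """Copy the still-open (possibly unlinked) file behind /proc/<pid>/fd/<fd>
    into dest_dir and return the new path. Opening the fd link reaches the
    inode directly, so the data is intact as long as the process lives."""
    src = os.path.join(PROC, str(pid), "fd", str(fd))
    dest = os.path.join(dest_dir, "pid%s_fd%s.recovered" % (pid, fd))
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return dest


def demo(marker=b"# constructed sample, stands in for dark.cgi\n") -> bytes:
    """Self-contained demonstration: open a temp file, write a constructed
    marker, unlink it (as the mailer does with its own payload), then
    recover the bytes through our own /proc/self/fd entry."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(marker)
    tmp.flush()
    os.unlink(tmp.name)  # from now on it shows as "(deleted)" in /proc
    wanted = os.path.realpath(tmp.name)
    me = os.getpid()
    hits = [fd for fd, path in deleted_open_files(me) if path == wanted]
    if not hits:
        raise RuntimeError("unlinked temp file not visible via /proc")
    with tempfile.TemporaryDirectory() as out:
        recovered = recover_open_file(me, hits[0], out)
        with open(recovered, "rb") as f:
            data = f.read()
    tmp.close()
    return data


if __name__ == "__main__":
    print(demo())
```

    Against the report above you would call deleted_open_files(30951) and then recover_open_file(30951, fd, "/root/evidence") for each hit before killing the process; killing it first closes the descriptors and releases the inode, and the copy is gone with it.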
  2. PlatinumServerM

    PlatinumServerM Well-Known Member
    PartnerNOC

    Joined:
    Jul 10, 2005
    Messages:
    397
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    New Jersey, USA
    cPanel Access Level:
    Root Administrator
  3. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Konrath,

    Unfortunately that issue really has little to nothing to do with FTP, and limiting
    the IPs allowed to connect by FTP really won't do much good in this case, as
    the methods the hackers use to get the client login information also allow
    them to proxy off the client's own home ISP connections as well. So short of
    banning your own clients from logging in entirely, it won't do much good.

    (I posted a few times already. However, a few basic details below ...)

    The current "iframe" added to index files and scripts uploaded attack is done
    via a client compromise and not from the server so there is very little you
    can do from a server perspective as the attack isn't at your server.

    We've been 1st hand tracking the group behind this attack for a while now
    at my network security consulting firm. The group behind the attack is
    based out of China and basically in a nutshell using a set of trojans
    and custom designed keyloggers to capture client passwords from their
    own infected computers at home and then using that same information
    to directly log in to the client's web hosting and bank accounts and wreak
    more havoc by updating index files to call uploaded spam scripts with the
    user's permissions and making transfers from the victim's bank accounts.

    Some good news is that these hackers are limited to the permissions of
    the client whose login details they had captured from the client's computer
    at home which limits what they can do if your server is properly secure
    as it should already be. In addition, since the upload process seems to
    be consistent and apparently fully automated, it's very easy to setup
    activity scanning and cron processes to watch and block this activity.
    Same goes for setting up Mod_Security rules and firewall traps too.

    For any client who has been compromised at home, their passwords
    should be changed immediately (or better their account suspended).
    Until their home computers are scanned and disinfected, the client
    probably should not be given the new password as the new password
    will just be captured by the hackers as well as soon as the client
    tries to login from their infected home computer.
     
    #4 Spiral, Jun 29, 2009
    Last edited: Jun 29, 2009
  5. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil

    Hello Spiral

    It's not working for you.

    For me, it works perfectly.

    As I understand it, the invasion is robotised and happens only by FTP.

    In this case, blocking port 21 for certain countries is sufficient to minimize this problem.

    I keep FTP open only to IPs from my country.

    Thank you
    Konrath
     
  6. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    Hello Spiral

    All the sites were invaded from IPs that are not from my country.

    LAST INVASION (TODAY).

    THESE IPs ARE FROM OUTSIDE MY COUNTRY. NOW THEY ARE BLOCKED!!


    Jun 28 09:39:02 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//test.pl uploaded (2973 bytes, 11.18KB/sec)
    Jun 28 09:39:05 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] Deleted test.pl
    Jun 28 09:39:07 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/56viagra.txt uploaded (25502 bytes, 45.45KB/sec)
    Jun 28 09:39:09 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/dm.cgi uploaded (74366 bytes, 89.47KB/sec)
    Jun 28 09:39:09 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/from.txt uploaded (3169 bytes, 11.88KB/sec)
    Jun 28 09:39:10 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/mkrv.txt uploaded (33533 bytes, 47.78KB/sec)
    Jun 28 09:39:11 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/replyto.txt uploaded (3169 bytes, 11.89KB/sec)
    Jun 28 09:39:12 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/v2letter.txt uploaded (10 bytes, 0.08KB/sec)
    Jun 28 09:39:12 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/v2msg.html uploaded (131 bytes, 0.99KB/sec)
    Jun 28 09:39:13 server pure-ftpd: (amananci@62.141.36.134) [NOTICE] /home/amananci//tutonhem1213/v2subject.txt uploaded (22634 bytes, 40.70KB/sec)
    Jun 28 09:39:58 server pure-ftpd: (amananci@62.141.36.134) [INFO] Logout.
    Jun 28 09:48:12 server pure-ftpd: (?@75.144.194.185) [INFO] amananci is now logged in
    Jun 28 09:48:13 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//test.pl uploaded (2973 bytes, 17.72KB/sec)
    Jun 28 09:48:15 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] Deleted test.pl
    Jun 28 09:48:15 server pure-ftpd: (amananci@75.144.194.185) [INFO] Logout.
    Jun 28 10:04:51 server pure-ftpd: (?@75.144.194.185) [INFO] amananci is now logged in
    Jun 28 10:04:54 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//test.pl uploaded (2973 bytes, 4.99KB/sec)
    Jun 28 10:05:11 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] Deleted test.pl
    Jun 28 10:05:24 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/1.txt uploaded (14677 bytes, 3.16KB/sec)
    Jun 28 10:05:26 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/2.txt uploaded (3297 bytes, 4.32KB/sec)
    Jun 28 10:05:29 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/config.txt uploaded (295 bytes, 0.68KB/sec)
    Jun 28 10:05:41 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/dark.cgi uploaded (74627 bytes, 7.64KB/sec)
    Jun 28 10:05:46 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/from.txt uploaded (7264 bytes, 11.53KB/sec)
    Jun 28 10:05:48 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/letlet.txt uploaded (8 bytes, 0.02KB/sec)
    Jun 28 10:05:49 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/mes.html uploaded (605 bytes, 1.90KB/sec)
    Jun 28 10:06:05 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/sites3.txt uploaded (88627 bytes, 5.78KB/sec)
    Jun 28 10:06:07 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/subjlist.txt uploaded (8310 bytes, 10.83KB/sec)
    Jun 28 10:09:51 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
    Jun 28 10:09:58 server pure-ftpd: (amananci@213.182.197.226) [INFO] Logout.
    Jun 28 10:09:59 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
    Jun 28 10:10:00 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/test.pl uploaded (2973 bytes, 8.80KB/sec)
    Jun 28 10:10:02 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] Deleted test.pl
    Jun 28 10:10:02 server pure-ftpd: (amananci@213.182.197.226) [INFO] Logout.
    Jun 28 10:10:40 server pure-ftpd: (?@213.182.197.226) [INFO] amananci is now logged in
    Jun 28 10:10:44 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/test.pl uploaded (2973 bytes, 8.82KB/sec)
    Jun 28 10:10:47 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] Deleted test.pl
    Jun 28 10:10:47 server pure-ftpd: (amananci@75.144.194.185) [NOTICE] /home/amananci//truck/mailbase.txt uploaded (1945588 bytes, 6.88KB/sec)
    Jun 28 10:10:48 server pure-ftpd: (amananci@75.144.194.185) [INFO] Logout.
    Jun 28 10:10:50 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/coms.cgi uploaded (74537 bytes, 65.36KB/sec)
    Jun 28 10:10:51 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/config.txt uploaded (1307 bytes, 7.48KB/sec)
    Jun 28 10:10:58 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/fmto.txt uploaded (357337 bytes, 55.04KB/sec)
    Jun 28 10:10:59 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/godi.cgi uploaded (74537 bytes, 64.96KB/sec)
    Jun 28 10:11:01 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/nsub.txt uploaded (45631 bytes, 48.17KB/sec)
    Jun 28 10:11:07 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/reto.txt uploaded (258599 bytes, 45.23KB/sec)
    Jun 28 10:11:08 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upal.txt uploaded (32 bytes, 0.19KB/sec)
    Jun 28 10:11:08 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upbr.txt uploaded (115 bytes, 0.68KB/sec)
    Jun 28 10:11:09 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upcl.txt uploaded (97 bytes, 0.57KB/sec)
    Jun 28 10:11:10 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upcli.txt uploaded (1230 bytes, 6.69KB/sec)
    Jun 28 10:11:10 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/upfn.txt uploaded (295 bytes, 1.67KB/sec)
    Jun 28 10:11:11 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/uplet.txt uploaded (11 bytes, 0.07KB/sec)
    Jun 28 10:11:12 server pure-ftpd: (amananci@213.182.197.226) [NOTICE] /home/amananci//public_html/cgi-bin/erri/uplet1.html uploaded (1063 bytes, 6.09KB/sec)
     
  7. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    I agree with you.

    It is not the ultimate solution but is better than no protection.


    "Educate their customers"? (HOSTIT) KKKKKKKKKKKK. This is very funny.

    "Unfortunately that issue really has little to nothing to do with FTP" (Spiral) KKKKKKKKKKKK. No, the invasion is made using the 1.44 drive in my server. This is very funny.

    Saint patience.

    I have a business and need answers and quick solutions. I cannot believe I will resolve this problem by educating my clients. This is not consistent.

    AND YES. The invasion is made via FTP.

    Konrath
     
    #7 konrath, Jun 29, 2009
    Last edited: Jun 29, 2009
  8. neo_user

    neo_user Member

    Joined:
    Jul 18, 2007
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    The problem has been solved after I stopped the FTP server altogether, and only SFTP is allowed now. As I have seen on my network, some clients were infected and there were trojans installed, and a few of them were victims of a large botnet which was sniffing out the FTP passwords and doing all the wrong stuff. It's been 8 months now and I have had no problems. Stop using FTP altogether.
     