aspen0

Member
Dec 6, 2004
18
0
151
This server has 5 sites on it. One site had public_html deleted, just up and deleted, a few days ago. Left were the www symlink (which was broken), the .mozilla folder, and the access-logs symlink (which worked). Everything else in the /home/username directory was gone.

I recreated the public_html folder and uploaded the files (I didn't recreate all the other folders).

Then, in the middle of the night last night, it happened again.

I've checked the global server logs. No one logged into SSH to do this, no one logged into cpanel to do this. No one logged into FTP to do this. The only thing on this account is an up-to-date vbulletin install.

So, does anyone have any idea how this could be happening, or why? Does anyone have any idea how to prevent it from happening? Does anyone know if cPanel has a feature allowing me to reinitialize an account (set it back up with all the appropriate folders) when it gets half deleted, in case it happens again?

Thanks.

oh, also, the mysql databases for the account weren't touched.

aspen0

Member
Yes, vB is up to date, only 1 mod installed, and it isn't a file manager (Glowhost Spam-o-matic anti-spam mod).

I have no idea what the .mozilla folder is, but it exists in every site on this server.

drwxr-xr-x 4 tff tff 4096 Jul 25 2009 .mozilla/

[email protected] [/home/tff]# cd .mozilla
[email protected] [/home/tff/.mozilla]# ls -al
total 16
drwxr-xr-x 4 tff tff 4096 Jul 25 2009 ./
drwx--x--x 6 tff tff 4096 Jun 28 07:54 ../
drwxr-xr-x 2 tff tff 4096 Jul 25 2009 extensions/
drwxr-xr-x 2 tff tff 4096 Jul 25 2009 plugins/
[email protected] [/home/tff/.mozilla]#


[email protected] [/home/tff/.mozilla]# cd extensions
[email protected] [/home/tff/.mozilla/extensions]# ls -al
total 8
drwxr-xr-x 2 tff tff 4096 Jul 25 2009 ./
drwxr-xr-x 4 tff tff 4096 Jul 25 2009 ../
[email protected] [/home/tff/.mozilla/extensions]# cd ..
[email protected] [/home/tff/.mozilla]# cd plugins
[email protected] [/home/tff/.mozilla/plugins]# ls -al
total 8
drwxr-xr-x 2 tff tff 4096 Jul 25 2009 ./
drwxr-xr-x 4 tff tff 4096 Jul 25 2009 ../
[email protected] [/home/tff/.mozilla/plugins]#

aspen0

Member
Found the problem. It was vBulletin, but not really a vulnerability.

They got into an admin account (weak password) and put a custom plugin in, which contained a PHP shell script. I removed the script, got their IPs from the admin log, and reported them to their ISP (Comcast, via their Comcast.net Security contact page), which is really nice of them to have people you can contact to report such digital vandals. Banned their IPs at the firewall.

aspen0

Member
They called it "vbulletin" and other variants to make it blend in.

What I did was search the control panel log for accesses to the script plugins.php. I looked for IP addresses that weren't mine (found them), and that told me which plugins they were editing, which I deleted.
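The triage the last two posts describe (pull the access log, find requests to the plugin-manager script, keep only the ones from IP addresses that are not the admin's own) can be scripted so it is repeatable the next time a board gets hit. The following is an added example written for this thread, not code from the original poster or from vBulletin. It assumes Apache "combined" log format and that the plugin manager lives at admincp/plugin.php (the vBulletin 3.x layout; adjust the script name if your board differs). The log lines are constructed for the example: 203.0.113.5 plays the legitimate admin, 198.51.100.23 plays the intruder.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Apache "combined" format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jun/2010:07:40:01 -0500] "GET /forum/admincp/plugin.php?do=modify HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jun/2010:07:52:11 -0500] "POST /forum/admincp/plugin.php?do=add HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [28/Jun/2010:07:52:30 -0500] "POST /forum/admincp/plugin.php?do=update&pluginid=17 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Jun/2010:08:01:02 -0500] "GET /forum/index.php HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jun/2010:08:03:44 -0500] "GET /forum/misc.php?do=page&cmd=ls HTTP/1.1" 200 15 "-" "Mozilla/4.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, URL, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Admin-CP scripts that only known admin addresses should ever touch.
# Assumed path for the vBulletin 3.x plugin manager; edit for your install.
PLUGIN_SCRIPTS = ("admincp/plugin.php",)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Separate the script from its query string so the "do=add" style action is visible.
    script, _, query = rec["path"].partition("?")
    rec["script"] = script
    rec["query"] = query
    return rec


def in_allowlist(ip, allowed_nets):
    """True if ip falls inside any of the allowed networks (single IPs or CIDR blocks)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in allowed_nets)


def find_plugin_edits(log_text, allowed_nets, scripts=PLUGIN_SCRIPTS):
    """Return every request to a plugin-manager script from an IP outside allowed_nets."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["script"].endswith(scripts):
            continue
        if in_allowlist(rec["ip"], allowed_nets):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group suspicious requests by client IP, in log order, for a quick read of what they did."""
    by_ip = {}
    for rec in hits:
        action = f'{rec["ts"]} {rec["method"]} {rec["script"]}?{rec["query"]} -> {rec["status"]}'
        by_ip.setdefault(rec["ip"], []).append(action)
    return by_ip


if __name__ == "__main__":
    # The admin's own address range is the allowlist; anything else editing plugins is suspect.
    suspicious = find_plugin_edits(SAMPLE_LOG, ["203.0.113.0/24"])
    for ip, actions in summarize(suspicious).items():
        print(ip)
        for action in actions:
            print("   ", action)
```

The output lists each foreign IP with the plugin actions it performed (do=add, do=update&pluginid=17), which is exactly what tells you which plugin rows to inspect and delete. A POST to do=add or do=update from an unknown address is the event worth alerting on; the later GET to misc.php from the same IP is not caught by this filter on purpose, since it is the back door being used rather than being installed, and a separate check on that IP's whole request history would pick it up.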