The Community Forums


r0nin ** MAJOR SECURITY ISSUE ***

Discussion in 'Security' started by SEAL31, Dec 30, 2004.

  1. SEAL31

    SEAL31 Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    I think my box has a virus. In /tmp I found shit like w00t.sh, r0nin.sh, and r0nin was running. Google found some stuff but nothing that helped much. Anyone know about this? I killed the process and removed everything in /tmp. I need help desperately.
     
  2. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Just an exploit through a script on your box.
    Set /tmp to noexec and you should be fine.
     
  3. minotauro

    minotauro Well-Known Member

    Joined:
    Jan 19, 2004
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Hello SEAL31,

    To make your /tmp secure, run:

    /scripts/securetmp

    Good luck!
    Minotauro.
     
  4. cz1179

    cz1179 BANNED

    Joined:
    Dec 27, 2004
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    0
    I ran that and now it screwed up everything :(

    one example

    WARNING : [2] mysql_connect(): Can't connect to local MySQL server through socket '/var/tmp/mysql.sock' (2)
    /home/vns/public_html/inc/mysql.inc.php (line 61)


    How do I fix this?

    Screwed up vbulletin board too
     
  5. Blue|Fusion

    Blue|Fusion Well-Known Member

    Joined:
    Sep 12, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Cleveland, Ohio
    I was just hired as a sysadmin and found it on my employer's 2 boxes.

    For servers running so many accounts (free hosting) I'm surprised at the lack of security. I ran /scripts/securetmp and killed the process manually and so far no problems since (2 days now). Are there any other steps that should be taken to rid a box of r0nin?
     
  6. cz1179

    cz1179 BANNED

    Joined:
    Dec 27, 2004
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    0
    [edit mistake] sorry :)

    I did not chmod... it went down and back up, not sure why
     
  7. SEAL31

    SEAL31 Well-Known Member

    Joined:
    Dec 4, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Well I looked into the issue, it was from phpBB, an exploit which I thought I had secured. I followed a guide and mounted /tmp and set it to noexec and nosuid. Thanks for the help. r0nin is a DDoS script from what I've found. Luckily my firewall blocked it from doing anything.
     
  8. inda

    inda Member

    Joined:
    Dec 28, 2004
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
  9. ntwaddel

    ntwaddel Well-Known Member

    Joined:
    Nov 3, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Templeton, CA
    try restarting your mysql server, and it should recreate the sock file
     
  10. Sinewy

    Sinewy Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney, Australia
    cPanel Access Level:
    DataCenter Provider
    chmod 777 /tmp
    chmod +t /tmp
    service mysql stop
    ps aux |grep mysql (just make sure mysql isn't running; if it still is, manually kill them)
    service mysql start

    that should fix the mysql.sock.
     
  11. 1server4u

    1server4u Member

    Joined:
    Oct 17, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    What command do I use for "noexec, and nosuid"??

    Hi;

    What command do I use for "noexec, and nosuid"??

    Also how can I delete all of those txt files in /tmp/ created by the "anti-santy worm" all at once instead of one at a time?

    Thanks
     
  12. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    edit your /etc/fstab and include it in the /tmp options.
    then remount your /tmp

    as for removing them: rm -rf *.txt
     
  13. 1server4u

    1server4u Member

    Joined:
    Oct 17, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    rm -rf *.txt

    Thanks;

    Tried: rm -rf *.txt but the files are all still there?

    They are all numbered "asw.txt.147" And I have Thousands.

    Should I also delete "ZCUDr55EDa" "ZCUDlSNUrR" "ZCUDLlKlxt" "jGR8Cy" "ZCUDgDS1oR"

    What is the worm actually called so I can delete it and is it in tmp?

    Thanks for your advice.

    Mike
     
  14. Earendil

    Earendil Well-Known Member

    Joined:
    Jun 10, 2004
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    worm hasn't any specific name:

    rm -rf *txt* (make sure you're within the /tmp)
     
  15. 1server4u

    1server4u Member

    Joined:
    Oct 17, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    rm -rf *.txt

    Hello;

    I am in tmp but files still there?

    How much would you charge me to secure all phpBB installations on my server, and sanitize the server of this worm?

    Thanks but I am a 50 Year Old Disabled Plonker And Learning Fast "the Hard Way"

    Mike :eek:
     
  16. ntwaddel

    ntwaddel Well-Known Member

    Joined:
    Nov 3, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Templeton, CA
    which files are still there?
     
  17. 1server4u

    1server4u Member

    Joined:
    Oct 17, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    which files are still there?

    All of the "anti-santy worm" Files.

    I was in as root and entered the rm -rf *.txt and tried rm -rf txt but they will only delete one at a time?

    Mike
     
  18. ntwaddel

    ntwaddel Well-Known Member

    Joined:
    Nov 3, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Templeton, CA
    are you sure they are .txt? do an ls and tell me what's in there
     
  19. 1server4u

    1server4u Member

    Joined:
    Oct 17, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    are you sure they are .txt? do an ls and tell me what's in there

    asw.txt.1737 asw.txt.979
    asw.txt.1738 asw.txt.98
    asw.txt.1739 asw.txt.980
    asw.txt.174 asw.txt.981
    asw.txt.1740 asw.txt.982
    asw.txt.1741 asw.txt.983
    asw.txt.1742 asw.txt.984
    asw.txt.1743 asw.txt.985
    asw.txt.1744 asw.txt.986
    asw.txt.1745 asw.txt.987
    asw.txt.1746 asw.txt.988
    asw.txt.1747 asw.txt.989
    asw.txt.1748 asw.txt.99
    asw.txt.1749 asw.txt.990
    asw.txt.175 asw.txt.991
    asw.txt.1750 asw.txt.992
    asw.txt.1751 asw.txt.993
    asw.txt.1752 asw.txt.994
    asw.txt.1753 asw.txt.995
    asw.txt.1754 asw.txt.996
    asw.txt.1755 asw.txt.997
    asw.txt.1756 asw.txt.998
    asw.txt.1757 asw.txt.999
    asw.txt.1758 coia-session-0.421314680340828
    asw.txt.1759 cpanel.TMP.tcRm3OMmPeDkyODJ
    asw.txt.176 error.php
    asw.txt.1760 error.php.1
    asw.txt.1761 error.php.10
    asw.txt.1762 error.php.11
    asw.txt.177 error.php.12
    asw.txt.178 error.php.13
    asw.txt.179 error.php.14
    asw.txt.18 error.php.15
    asw.txt.180 error.php.2
    asw.txt.181 error.php.3
    asw.txt.182 error.php.4
    asw.txt.183 error.php.5
    asw.txt.184 error.php.6
    asw.txt.185 error.php.7
    asw.txt.186 error.php.8
    asw.txt.187 error.php.9
    asw.txt.188 .font-unix/
    asw.txt.189 horde.log
    asw.txt.19 .ICE-unix/
    asw.txt.190 indtel-session-0.143813176171051
    asw.txt.191 morphos-session-0.0529289153377874
    asw.txt.192 morphos-session-0.483234523886011
    asw.txt.193 mysql.sock@
    asw.txt.194 phoenixx-session-0.419429218952672
    asw.txt.195 phoenixx-session-0.733979379615874
    asw.txt.196 sess_0e2da4d4d5a80ae36fc39cdb6459fd10
    asw.txt.197 sess_1873362e9470f0f860141d2aef1c0863
    asw.txt.198 sess_1b3da2f11fdf9959e44923bb87cdb4c8
    asw.txt.199 sess_2178d639bd9c026b090cb8bdf15cc7b3
    asw.txt.2 sess_2bd9aa22738740c48579af6d7dce35f0
    asw.txt.20 sess_325cf007e711a191fe78bce1eb3057f8
    asw.txt.200 sess_397b5866489522a133726585981a6d6c
    asw.txt.201 sess_47fb8f8fa4fa150989a793d278919119
    asw.txt.202 sess_4894ceaf683f22d2c2acaad3ebbf843a
    asw.txt.203 sess_48a7cef91b08fdc90dc2b708167e2511
    asw.txt.204 sess_49a98bf41519d47477549845070f9b25
    asw.txt.205 sess_5769512e26c7bf9e3c412017c8670842
    asw.txt.206 sess_8c0ebc9c32be866cb2921b28598dd3ba
    asw.txt.207 sess_906a78127846b8407a13383ab3733af5
    asw.txt.208 sess_91a236f36da4b72db4a338ba178443aa
    asw.txt.209 sess_9b19b6efb0507de249e458c0fe43a11b
    asw.txt.21 sess_a180122343995e99942f7640617914ca
    asw.txt.210 sess_b477a997d350dd8f7db2f4729b7b9f12
    asw.txt.211 sess_b514223db8a150a5ba920179f0173e3a
    asw.txt.212 sess_c515568a12b00d21e3ab586043fd5bee
    asw.txt.213 sess_c6c3acafba19610c0986cf411e99aa7f
    asw.txt.214 sess_cc1096d0567386bac7823b31cefd567c
    asw.txt.215 sess_cf352398dd56a77b2479e5c5f3f0dde2
    asw.txt.216 sess_e171805ce1499238dece073a6267d6c5
    asw.txt.217 sess_e992c0d88030f579f1871e44ec43c7dc
    asw.txt.218 sess_eaa7faea09af0241578f27e67203d155
    asw.txt.219 sess_edd05ee55e83de4abd0b110e206fe400
    asw.txt.22 sess_f363cd37512ef39043ddb46df4b1926d
    asw.txt.220 simplyau-session-0.243537498030008
    asw.txt.221 simplyau-session-0.499822254150303
    asw.txt.222 simplyau-session-0.580733749407472
    asw.txt.223 viewtopic.php?p\=453%2Fasw.txt.1
    asw.txt.224 viewtopic.php?p\=453%2Fasw.txt.10
    asw.txt.225 viewtopic.php?p\=453%2Fasw.txt.11
    asw.txt.226 viewtopic.php?p\=453%2Fasw.txt.12
    asw.txt.227 viewtopic.php?p\=453%2Fasw.txt.13
    asw.txt.228 viewtopic.php?p\=453%2Fasw.txt.14
    asw.txt.229 viewtopic.php?p\=453%2Fasw.txt.15
    asw.txt.23 viewtopic.php?p\=453%2Fasw.txt.2
    asw.txt.230 viewtopic.php?p\=453%2Fasw.txt.3
    asw.txt.231 viewtopic.php?p\=453%2Fasw.txt.4
    asw.txt.232 viewtopic.php?p\=453%2Fasw.txt.5
    asw.txt.233 viewtopic.php?p\=453%2Fasw.txt.6
    asw.txt.234 viewtopic.php?p\=453%2Fasw.txt.7
    asw.txt.235 viewtopic.php?p\=453%2Fasw.txt.8
    asw.txt.236 viewtopic.php?p\=453%2Fasw.txt.9
    asw.txt.237 ZCUDgDS1oR
    asw.txt.238 ZCUDjGR8Cy
    asw.txt.239 ZCUDLlKlxt
    asw.txt.24 ZCUDlSNUrR
    asw.txt.240 ZCUDr55EDa
    asw.txt.241
     
  20. ntwaddel

    ntwaddel Well-Known Member

    Joined:
    Nov 3, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Templeton, CA
    rm -rf *.txt.* should get them
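The cleanup and the fstab/remount advice in this thread, as an added example that is not from any of the posts: it builds a constructed scratch directory (never the real /tmp) to show why rm -rf *.txt does not match names like asw.txt.147 while *.txt.* does, and reads /proc/mounts (assumes Linux) to confirm that noexec and nosuid are actually in force on /tmp after the remount.

```shell
#!/bin/sh
# Added example, not code from the thread. Two things it shows:
#  1. why "rm -rf *.txt" leaves files named asw.txt.<N> behind (the glob has
#     to match the whole name), using a constructed scratch directory, never /tmp;
#  2. how to read the mount options of /tmp to confirm noexec and nosuid after
#     editing /etc/fstab and remounting.

# Create a scratch directory holding constructed names like those in the thread.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for n in 147 1737 98 999; do : > "$d/asw.txt.$n"; done
    : > "$d/error.php"
    : > "$d/horde.log"
    printf '%s\n' "$d"
}

# Print how many entries in directory $1 the glob $2 matches (0 if none).
count_matches() {
    ( cd "$1" || exit 1
      set -- $2
      if [ -e "$1" ]; then echo "$#"; else echo 0; fi )
}

# Delete only regular files named asw.txt.<anything> directly inside $1,
# then print how many such files remain (should be 0).
remove_worm_files() {
    find "$1" -maxdepth 1 -type f -name 'asw.txt.*' -exec rm -f {} +
    find "$1" -maxdepth 1 -type f -name 'asw.txt.*' | wc -l | tr -d ' '
}

# Succeed if the comma-separated mount option list $1 contains option $2.
has_mount_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Options of the filesystem mounted on /tmp, from /proc/mounts (Linux). Empty
# when /tmp is not its own mount, in which case noexec/nosuid cannot apply to it.
tmp_mount_opts() {
    awk '$2 == "/tmp" { print $4 }' /proc/mounts 2>/dev/null
}

dir=$(make_sample_dir)
echo "*.txt matches:   $(count_matches "$dir" '*.txt')"    # 0
echo "*.txt.* matches: $(count_matches "$dir" '*.txt.*')"  # 4
echo "left after cleanup: $(remove_worm_files "$dir")"     # 0
rm -rf "$dir"
for o in noexec nosuid; do
    has_mount_opt "$(tmp_mount_opts)" "$o" && echo "/tmp has $o" || echo "/tmp lacks $o"
done
```

The mount check is the real test of /scripts/securetmp or a manual fstab edit: an entry in /etc/fstab does nothing until /tmp is remounted, and a /tmp that is just a directory on / cannot carry these flags at all.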
     