The Community Forums

Interact with an entire community of cPanel & WHM users!

Root Access?

Discussion in 'General Discussion' started by noimad1, Oct 9, 2006.

  1. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    Did that latest bulletin about upgrading because of a security risk mean that users could get ahold of the root user on a server?

    I just had a server hacked, and just realized that particular server wasn't upgraded when we did all of the upgrades.

    This user got full root access, and defaced all of our websites. This is the first time I've ever been hacked at the root level.

    I'm wondering if they did this using this security problem...
     
  2. designeru

    designeru Well-Known Member

    Joined:
    Nov 2, 2005
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Answers...

    Yes.

    Did he leave any logs? Are you sure it was a root level hack?
     
  3. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    The files he was running were owned by root, and he defaced every site on the server.....
     
  4. lbccserv

    lbccserv Active Member

    Joined:
    Mar 23, 2004
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Damn it, I just got rooted too. Changed every index on the site. Definitely root. SHIT.
     
  5. lbccserv

    lbccserv Active Member

    Joined:
    Mar 23, 2004
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Wait, but I was fully patched.
     
  6. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    That is scary. What version of cpanel?
     
  7. lbccserv

    lbccserv Active Member

    Joined:
    Mar 23, 2004
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    10.9 c43... I was running 2.4.22-1.2115.nptl. I'm not saying it was cPanel, but I don't know what else would have dropped him into root. I haven't seen any really bad kernel exploits for 2.4.
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Check if any users are using FlashChat for VB, there is a known security hole in unpatched FlashChat that will do exactly this.
     
  9. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    4
    Trophy Points:
    18
    Excellent point; several other common PHP scripts do this too (at times even just because it's PHP; think XSS from a simple phpinfo script that was finally fixed just recently).

    Make sure /tmp is tight and your PHP is not too loose.

    I know of some companies offering hosting servers that do not have PHP on them (since it's then faster and more secure), and they report *no* hackings on those vs. their PHP ones with constant issues and monitoring for well-intentioned but nevertheless destructive PHP scripts.

    The trick is educating people on alternative projects to replace their PHP-based stuff and helping them do so. But that's a whole other thread :)
     
  10. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    The current Moodle exploit is the soup du jour this week, could be that... could be one of a hundred different php holes open at the moment. :D

    Fixed typo.. :/
     
    #10 mctDarren, Oct 10, 2006
    Last edited: Oct 10, 2006
  11. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    How is FlashChat for VB going to give someone root? A shell, sure, but root?
     
  12. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Take a look at the VB forum with regards to this. It does and did happen.

    From SecurityFocus
    FlashChat Multiple Remote File Include Vulnerabilities

    FlashChat is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.

    An attacker may leverage this issue to have an arbitrary remote file containing malicious script code execute in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.

    FlashChat 4.6.1 and previous versions are vulnerable.
     
    #12 dgbaker, Oct 10, 2006
    Last edited: Oct 10, 2006
  13. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    I don't get this.
    PHP security holes, XSS and remote file inclusion are something we deal with every day.

    But gaining root from one of these exploits?
    Then how about a malicious user that is hosted on a server?
    He has the nobody user, and his own user, to do evil stuff.

    That would mean that NO server is secure, not only those running exploitable PHP scripts.
     
  14. jugo

    jugo Active Member

    Joined:
    Nov 23, 2005
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    That is not root access...

    That index page defacement is not a "root" based attack. It is XSS using vulnerabilities in shoddy PHP scripts like vWar and PHP-Nuke.

    The best way to stop those is to implement restrictive MOD_SECURITY rules like the ones from gotroot.
     
  15. Skyline_GTR

    Skyline_GTR Member

    Joined:
    Jul 31, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    How can I possibly fix the problem? I have a server that has been infected and most of the websites have an iframe which leads to a trojan website.. how can I fix the problem?

    Please help!
     
  16. mikeroq

    mikeroq Registered

    Joined:
    Jan 21, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    This guy got my site like 10 times, he would delete all my files, and after I had reuploaded them all, he would delete it again.

    His name is Vibutx, watch out.
     
  17. noimad1

    noimad1 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    627
    Likes Received:
    0
    Trophy Points:
    16
    The best thing to do would be to reload your OS and cPanel, then restore all of your files from a backup if you have one from before the attack. Then make sure your OS and cPanel are both up to date and patched.

    That's what we did on our server. It has been a huge nightmare. I hope the patches take care of this issue and it doesn't happen again...
     
  18. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    The best way would be installing rootkit, which will repair all your ssh commands if they are infected and will also take care of any trojan installed. And just replace the index pages.. as far as I know they replace only index pages.. AND also try and get some good mod_sec rules.

    And also UPCP --force.. that will overwrite complete cPanel, which is as good as installing new cPanel software. You might also need to reinstall customized skins as upcp will skip them.

    You can also write a bash script that will check and list the files that have iframes in them.
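    The iframe-listing script mentioned above, written out as an added example (not code from the thread or from cPanel). It assumes the web roots to scan are under the directory passed as the first argument; the demo data at the bottom is constructed so it runs offline.

```shell
#!/bin/sh
# Added example: list web files that contain <iframe> tags, which is how the
# injected redirects described in this thread usually show up on disk.

# find_iframes DIR
#   Prints, one per line, every .html/.htm/.php/.js file under DIR that
#   contains an <iframe tag. Case-insensitive because injected tags are
#   often written as <IFRAME or <iFrame to dodge naive greps.
find_iframes() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' \
                      -o -name '*.php'  -o -name '*.js' \) \
       -exec grep -l -i '<iframe' {} + 2>/dev/null | sort
}

# show_iframes DIR
#   Same search, but prints file:line:content so the hidden tag (typically
#   width=0/height=0 or display:none) can be reviewed before cleanup.
show_iframes() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' \
                      -o -name '*.php'  -o -name '*.js' \) \
       -exec grep -n -i '<iframe' {} + 2>/dev/null | sort
}

# Constructed demo data (not real sites) so the functions can be exercised.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/site1/public_html" "$demo_dir/site2/public_html"
printf '<html><body>Clean page</body></html>\n' \
  > "$demo_dir/site1/public_html/index.html"
printf '<html><body>Hi<IFRAME src="http://example.invalid/x" width=0 height=0></IFRAME></body></html>\n' \
  > "$demo_dir/site2/public_html/index.html"
printf '<?php echo "no iframe here"; ?>\n' \
  > "$demo_dir/site2/public_html/page.php"

echo "Files containing iframes under $demo_dir:"
find_iframes "$demo_dir"
echo "Matching lines:"
show_iframes "$demo_dir"
```

    On a real server, run it against /home so every account's public_html is covered, and review each hit by hand rather than deleting blindly, since some sites embed legitimate iframes.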
     
  19. Skyline_GTR

    Skyline_GTR Member

    Joined:
    Jul 31, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    My forum has been affected and every time I make a quick reply, it will have this iframe under the last post.. however when I disable JavaScript, this won't happen..

    As well, for my other websites, I looked at the index and the templates but I couldn't find any iframe codes at all..
     
  20. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    This is what you should follow:
    1. Back up forums.
    2. Back up database.
    3. Uninstall forums.
    4. Install new forums.
    5. Restore database.
    6. Move the images/upload folder into the new installation.

    If that does not help you will need to check your database as it might be affected then.
     