The Community Forums


security help

Discussion in 'Security' started by WilliamE, May 11, 2005.

  1. WilliamE

    WilliamE Well-Known Member

    Joined:
    May 14, 2004
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    I've got a cpanel box that appears to be exploited fairly often (/tmp nobody exploits). We're evaluating some possible security changes to help track this stuff but right now I need some ideas on how to put an end to this and track down what's going on. We've run the /scripts/securetmp on the server but it still gets exploited. Right now it appears to be php spamming scripts.

    Are there any good guides on tracking where this is coming from or locking it down so people can't do this (that won't affect regular scripts from running on the server of course)?
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    /tmp directory is not the only gate to access your server by hackers and spammers. They use many different ways to use your server to access and hack other servers, send out their spam and viruses. I suggest you hire a sys admin to secure your server.
     
  3. WilliamE

    WilliamE Well-Known Member

    Joined:
    May 14, 2004
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Oh I'm aware there are other possible ways; right now we're mostly seeing /tmp exploits where it appears they're exploiting some script somewhere to manage to write to the /tmp folder and run their scripts. However right now I'm looking for suggestions and not looking to hire, sorry.
     
  4. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Search this forum. I have seen many postings dealing with security issues, especially scripts exploit. Good luck!
     
  5. jroes

    jroes Member

    Joined:
    Feb 9, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I'm a young beginning sysadmin and I have found a lot of good information here. Just keep surfing around these forums and you'll get the hang of it. Hopefully you have the time :).

    I've been trying to solve a similar problem for a long time.

    phpsuexec is a very nice solution which can prevent tons of problems. Use the "search" feature of the forums and you'll find a bunch of information about it. Some of it can be out of date though, so be careful!
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  7. WilliamE

    WilliamE Well-Known Member

    Joined:
    May 14, 2004
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Ok, related to this. Does anybody know how to find which file is being used to listen on a port? There appears to have been a file, uploaded and being manipulated through apache (haven't found anything in logs yet), that is causing a perl script to listen on port 2004 it appears. An lsof on the pid only brings up some files that were already deleted.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    lsof is what you would use. Since it is showing you that the file has been deleted, then I'm not aware of a way to recover it since the inode has been removed from the directory. However it should show you what the script was called and you may be able to track back that way.
     
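As an added example (not code from anyone in this thread), this is the /proc-based triage a defender can run against the PID found in post 7: it reads the interpreter, working directory and argv (argv usually still names the unlinked script), lists descriptors that point at deleted files, and copies one out for analysis, since the kernel keeps an unlinked file reachable through /proc/<pid>/fd for as long as the process holds it open. It assumes a Linux host with /proc mounted and root to inspect another user's process; the function names are my own.

```python
# Added example, not from the thread. Assumes Linux procfs; inspecting a
# process you do not own requires root.
import os
import shutil
import json

PROC = "/proc"


def process_summary(pid):
    """What lsof cannot show once the script is unlinked: the interpreter,
    working directory and full argv (the script name usually survives there)."""
    with open(f"{PROC}/{pid}/cmdline", "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    return {"exe": os.readlink(f"{PROC}/{pid}/exe"),
            "cwd": os.readlink(f"{PROC}/{pid}/cwd"), "argv": argv}


def deleted_open_files(pid):
    """fd number -> original path, for files still open but unlinked from disk
    (these are the entries lsof marks '(deleted)')."""
    out = {}
    for fd in os.listdir(f"{PROC}/{pid}/fd"):
        try:
            target = os.readlink(f"{PROC}/{pid}/fd/{fd}")
        except OSError:  # fd closed between listdir and readlink
            continue
        if target.startswith("/") and target.endswith(" (deleted)"):
            out[int(fd)] = target[: -len(" (deleted)")]
    return out


def recover_fd(pid, fd, dest):
    """Copy a deleted-but-open file out through /proc; returns bytes written."""
    with open(f"{PROC}/{pid}/fd/{fd}", "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return os.path.getsize(dest)


def triage(pid):
    """One report per suspicious PID: identity plus any deleted files it holds."""
    report = process_summary(pid)
    report["deleted"] = deleted_open_files(pid)
    return report


if __name__ == "__main__":
    import sys
    # usage: python3 triage.py <pid>   (e.g. the pid lsof -i :2004 reports)
    print(json.dumps(triage(int(sys.argv[1])), indent=2))
```

Recover the script with `recover_fd(pid, fd, "/root/evidence/script.pl")` before killing the process; once it exits the data is gone.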