The Community Forums


security problem?

Discussion in 'Security' started by nzpli, Jan 8, 2007.

  1. nzpli

    I have a client with a shared server. I think it has been compromised in some way. Bandwidth is currently running about 600% above normal and there are thousands of entries in the log such as:

    74.129.2.100 - - [07/Jan/2007:09:05:37 -0500] "GET http://e14.member.ukl.yahoo.com/con...s/index.php&.src=sbs&login=lock-up&passwd=sex HTTP/1.0" 404 10322 "-" "-"
    66.67.160.145 - - [07/Jan/2007:09:05:39 -0500] "GET http://n31.login.scd.yahoo.com/conf...u&new=1&passwd=123456&.done=&login=fire__1999 HTTP/1.0" 404 10322 "-" "-"

    AWStats report Pages-URL: the top site is http://www.yahoo.com/

    Links from an external page reports the list for the top few as:

    - http://www.nsosoft.com/gossip/ 1731 1731
    - http://members.princessblueyez.com 806 806
    - http://www.cashsoldier.com/VerifyerLevel.php 394 394
    - http://iask.biz 231 231
    - http://sedoparking.com/showparking.php4 77 77
    - http://amateur-sexygirls.com 57 57
    - http://members09.fm-teens.com 26 26
    - http://realhomeporn.org 20 20
    - http://www.iask.biz 16 16

    Their server is not running any firewall that I am aware of (I don't actually look after their hosting and they have asked me for my thoughts).

    I think there is a compromise maybe of their server.

    I have in the meantime used the .htaccess file to ban the domains above as follows; I don't think that is having any effect.

    RewriteEngine on
    # Options +FollowSymlinks
    RewriteCond %{HTTP_REFERER} nsosoft\.com [NC,OR]
    etc
    RewriteRule .* - [F]

    I would appreciate knowledgeable comments/solutions please.

    thanks
    Peter
  2. adept2003

    Rewrite won't help, since it's your server requesting pages from the outside world rather than a user requesting pages on the server.
    • grep the affected user's public_html files for the pages listed in the external URLs file to find the pages infected (or ask the user to upload a known good copy of the site)
    • Check for any unauthorised crons that may be running
    • Check the SQL database for referrals to the external websites listed (quite often "guestbook" type modules.)

    I'm guessing that it's a very old exploit by looking at the pages it's requesting (no, not amateur-**xygirls.com! :p), so find out what software the user has installed (e.g. php-nuke, phpbb, etc.) and then patch it with the latest updates.
    #2 adept2003, Jan 8, 2007
    Last edited: Jan 8, 2007
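As an added example (not from the thread, nor cPanel's own code), here is a Python script that does two of the checks adept2003 lists: it triages the access log for requests whose target is a full URL, which is the form a client sends to a proxy rather than to the site itself (the shape of the log lines Peter posted), and it greps a web root's files for the external domains from the AWStats report. The IPs, hostnames and file contents are constructed placeholders.

```python
import re
from collections import Counter
# Apache combined log format; the request line is split into method, target and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A full-URL request target is the form a client sends to a proxy; requests for this server start with "/".
ABSOLUTE_URL = re.compile(r'^https?://([^/]+)', re.IGNORECASE)

def triage_proxy_requests(lines):
    """Count proxy-style requests, grouped by remote host asked for and by client IP."""
    hosts, clients = Counter(), Counter()
    for line in lines:
        rec = LOG_RE.match(line.strip())
        if not rec:
            continue  # skip malformed lines rather than abort the triage
        m = ABSOLUTE_URL.match(rec.group("target"))
        if m:
            hosts[m.group(1).lower()] += 1
            clients[rec.group("ip")] += 1
    return sum(hosts.values()), hosts, clients

def find_domain_references(files, domains):
    """files: {relative path: text}. Return {path: [domains mentioned]}, the grep step."""
    hits = {}
    for path, text in files.items():
        found = [d for d in domains if d.lower() in text.lower()]
        if found:
            hits[path] = found
    return hits

# Constructed sample lines in the layout of the thread's log excerpt (hosts and IPs are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2007:09:05:37 -0500] "GET http://e14.webmail.example/login?login=lock-up&passwd=x HTTP/1.0" 404 10322 "-" "-"',
    '198.51.100.9 - - [07/Jan/2007:09:05:39 -0500] "GET http://n31.login.example/login?new=1&login=fire HTTP/1.0" 404 10322 "-" "-"',
    '203.0.113.7 - - [07/Jan/2007:09:06:01 -0500] "GET http://n31.login.example/login?login=abc HTTP/1.0" 404 10322 "-" "-"',
    '192.0.2.44 - - [07/Jan/2007:09:06:05 -0500] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.test/" "Mozilla/5.0"',
]
# Constructed stand-in for a public_html tree; the domains are the ones listed in the thread.
SAMPLE_FILES = {
    "index.php": "<?php include 'header.php'; ?><h1>Welcome</h1>",
    "guestbook/entries.html": '<a href="http://www.nsosoft.com/gossip/">gossip</a>',
    "links.txt": "see http://iask.biz and http://www.cashsoldier.com/VerifyerLevel.php",
}

if __name__ == "__main__":
    total, hosts, clients = triage_proxy_requests(SAMPLE_LOG)
    print(total, hosts.most_common(3), clients.most_common(3))
    print(find_domain_references(SAMPLE_FILES, ["nsosoft.com", "iask.biz", "cashsoldier.com"]))
```

To run the grep over a real public_html, build the files dict from the tree (for example with pathlib's rglob) and pass the domain list from the AWStats report.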
  3. nzpli

    Thanks Chad. They only have an SQL server running, no other programmes, guestbooks, etc.; no odd cron jobs.

    Appreciate your time with your response.

    cheers
    P

    Appreciate your comments,