
Server attacked by phishers

Discussion in 'General Discussion' started by neonix, Jun 25, 2007.

  1. neonix

    neonix Well-Known Member

    Joined:
    Oct 21, 2004
    Messages:
    124
    Likes Received:
    2
    Trophy Points:
    0
    Hi,

    Some of my domains were affected by a phisher who uploaded multiple phishing sites like Nationwide, eBay, Bank of Montreal... I have spent the better part of the day undoing the damage.

    d--------- 3 domain1 domain1 4096 Jun 25 01:21 bom/


    d--------- 4 domain2 domain2 4096 Jun 22 08:02 nationwide.co.uk.olb2.nationet.comdefault2.3c0bb2e15f32dd074f90eb6239b866ae3eb/


    d--------- 3 domain3 domain3 4096 Jun 25 04:52 ebay.fr.update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:52 fr.update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:58 signin.ebay.fr.update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:51 update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:51 account/


    d--------- 4 domain4 domain4 4096 Jun 22 09:46 nationwide.co.uk.olb2.nationet.comdefault2.3c0bb2e15f32dd074f90eb6239b866ae3eb/



    root@cat3 [/usr/local/apache/domlogs]# grep "nationwide.co.uk" ./* | more

    ./ftp.mydomain.com-ftp_log:Mon Jun 25 02:57:53 2007 0 196.203.154.253 773 /home/username/public_html/nationwide.co.uk.olb2.nationet.comdefault2.3c0bb2e15f32dd074f90eb6239b866ae3eb/nationwide.confirm.secure.co.uk/aspFINISH=3c0bb2e15f32dd074f90eb6239b866ae3eb.php a _ o r username ftp 1 * c

    root@cat3 [/usr/local/apache/domlogs]# grep "onlinebanking" ./* | more

    ./ftp.domain1.com-ftp_log:Mon Jun 25 01:17:56 2007 0 196.218.47.230 187 /home/username1/public_html/bom/BMO_Bank_of_Montreal_Online_Banking_files/onlinebanking_faqs_off.gif b _ i r process1 ftp 1 * c


    ...Looks like they FTP'd the files onto all the sites.


    They also added these lines of code for the affected sites within httpd.conf.

    <VirtualHost xx.xx.xxx.xxx>
    ServerAlias www.signin.ebay.fr.update.account.mydomain.com
    ServerAdmin webmaster@signin.ebay.fr.update.account.mydomain.com
    DocumentRoot /home/username/public_html/signin.ebay.fr.update.account
    ServerName signin.ebay.fr.update.account.mydomain.com

    <IfModule mod_suphp.c>
    suPHP_UserGroup username username
    </IfModule>
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/username:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule mod_php5.c>
    php_admin_value open_basedir "/home/username:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>

    User username
    Group username
    BytesLog /usr/local/apache/domlogs/signin.ebay.fr.update.account.mydomain.com-bytes_log
    CustomLog /usr/local/apache/domlogs/signin.ebay.fr.update.account.mydomain.com combined
    ScriptAlias /cgi-bin/ /home/username/public_html/signin.ebay.fr.update.account/cgi-bin/
    </VirtualHost>


    I want to find and plug the leak. Is this a known exploit? Has someone countered this attack? I would sure appreciate some EXPERT advice on how this attack could have been launched and how to prevent a repeat of this phishing attack.

    I have secured /tmp, mod_security, etc. I am on RHEL.

    Thanks,
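The grep over the domlogs above is the right instinct; the following is an added example (not code from the original post) that does the same triage in a repeatable way over FTP transfer logs in xferlog format. The sample log lines are constructed after the entries in the post, with documentation IPs and placeholder paths, and the lure keyword list is an assumption to be tuned per server. It flags two things: uploads whose path contains a brand or lure word, and a single source host that uploaded into more than one account's home directory, which is the "they FTP'd the files onto all the sites" pattern.

```python
"""Triage FTP transfer logs (xferlog format) for phishing-kit uploads.

This is an added example, not code from the original forum post. The log
lines below are constructed in the xferlog format the post's grep output
shows (RFC 5737 documentation IPs and placeholder paths stand in for the
real ones), and the lure keyword list is an assumption.
"""
import re
from collections import defaultdict

# xferlog: five timestamp tokens, then these thirteen fixed fields.
# direction is 'i' for an upload into the server, 'o' for a download.
XFERLOG_FIELDS = (
    "transfer_time", "remote_host", "file_size", "filename", "transfer_type",
    "special_action", "direction", "access_mode", "username", "service",
    "auth_method", "auth_user", "status",
)

# Words that show up in phishing-kit paths; tune per site (assumed list).
LURE_WORDS = ("ebay", "paypal", "nationwide", "bank", "signin",
              "update.account", "confirm", "secure")

# Constructed sample log, modelled on the entries in the post.
SAMPLE_XFERLOG = """\
Mon Jun 25 02:57:53 2007 0 198.51.100.253 773 /home/username/public_html/nationwide.co.uk.olb2.nationet.comdefault2/aspFINISH.php a _ i r username ftp 1 * c
Mon Jun 25 01:17:56 2007 0 203.0.113.230 187 /home/username1/public_html/bom/BMO_Bank_of_Montreal_Online_Banking_files/onlinebanking_faqs_off.gif b _ i r process1 ftp 1 * c
Mon Jun 25 04:51:30 2007 1 203.0.113.230 5120 /home/username2/public_html/signin.ebay.fr.update.account/index.php a _ i r domain3 ftp 1 * c
Mon Jun 25 09:00:10 2007 0 192.0.2.10 2048 /home/username/public_html/images/logo.png b _ i r username ftp 1 * c
Mon Jun 25 09:05:00 2007 0 192.0.2.10 412 /home/username/public_html/index.html a _ o r username ftp 1 * c
this line is not an xferlog record
"""

HOME_RE = re.compile(r"^/home/([^/]+)/")


def parse_xferlog_line(line):
    """Return a dict for one xferlog line, or None if it is malformed.

    xferlog writes spaces inside filenames as underscores, so splitting on
    whitespace yields exactly 5 + 13 tokens for a well-formed record.
    """
    tokens = line.split()
    if len(tokens) != 5 + len(XFERLOG_FIELDS):
        return None
    rec = dict(zip(XFERLOG_FIELDS, tokens[5:]))
    rec["timestamp"] = " ".join(tokens[:5])
    try:
        rec["transfer_time"] = int(rec["transfer_time"])
        rec["file_size"] = int(rec["file_size"])
    except ValueError:
        return None
    return rec


def triage(log_text):
    """Apply two signals to the uploads (direction 'i') in log_text.

    Returns (lure_hits, multi_account_hosts):
      lure_hits           -- upload records whose path contains a lure word
      multi_account_hosts -- {remote_host: [account, ...]} for hosts that
                             uploaded into more than one /home/<account>/,
                             the pattern of one actor seeding several sites
    """
    uploads = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is not None and rec["direction"] == "i":
            uploads.append(rec)

    lure_hits = []
    for rec in uploads:
        words = [w for w in LURE_WORDS if w in rec["filename"].lower()]
        if words:
            rec["lure_words"] = words
            lure_hits.append(rec)

    accounts_by_host = defaultdict(set)
    for rec in uploads:
        m = HOME_RE.match(rec["filename"])
        if m:
            accounts_by_host[rec["remote_host"]].add(m.group(1))
    multi_account_hosts = {host: sorted(accts)
                           for host, accts in accounts_by_host.items()
                           if len(accts) > 1}
    return lure_hits, multi_account_hosts


if __name__ == "__main__":
    hits, multi = triage(SAMPLE_XFERLOG)
    for rec in hits:
        print("%s %s -> %s (%s)" % (rec["timestamp"], rec["remote_host"],
                                    rec["filename"], ",".join(rec["lure_words"])))
    for host, accts in multi.items():
        print("%s uploaded into %d accounts: %s" % (host, len(accts), " ".join(accts)))
```

To run it against a real server, concatenate the per-domain ftp logs (the `*-ftp_log` files under the domlogs directory on this setup) and pass the text to `triage()`; the multi-account signal is the one that separates a compromised FTP password on one account from the same actor holding credentials for several.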
     
  2. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    Have you checked for root kits and the like? It's obvious that they had to have root access to your server to make some of those changes (specifically the httpd.conf modifications).

    I would also check things like CGI/PHP guestbooks, discussion forums, photo galleries, blogs, etc. to see if there are any vulnerable versions on your server.
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    If this hacker was able to modify your Apache conf file (httpd.conf), that means your server has been compromised. Run chkrootkit and rkhunter and see what the results are. Overall, I suggest you back up your clients' and personal data, ask your host to format your HD, do an OS reload and start over. Securing and hardening your server is a must in your case, as hackers tend to come back to do further damage.
     
  4. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    Joined:
    Nov 13, 2003
    Messages:
    290
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    moscow
    httpd.conf can be configured by cPanel users. Sure, not directly by using cPanel. So, the questions are as follows:

    1) Were all domains added under one user/reseller account?
    2) Do you have a reseller with root features?
    3) Did you check your Windows computer for exploits, trojans, etc.?

    Depending on the answers, some decision can be made. For case 3), the right way has already been posted here.
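Whichever way the VirtualHost entries got in (root, a reseller, or an ordinary account creating subdomains), the practical check is to audit every VirtualHost in httpd.conf for names that look like the injected one in the first post. The following is an added example, not code from the thread or from cPanel. The config text is constructed after the VirtualHost shown in the post (example.com and a documentation IP replace the real values); the lure keyword list and the label-count threshold are assumptions.

```python
"""Audit an Apache httpd.conf for VirtualHost entries that look like injected
phishing subdomains.

Added example, not code from the thread or from cPanel. The config text is
constructed after the VirtualHost the post shows (example.com and a
documentation IP replace the real values), and the lure keyword list and the
label-count threshold are assumptions.
"""
import re

LURE_WORDS = ("ebay", "paypal", "nationwide", "bank", "signin",
              "update.account", "confirm", "secure")

SAMPLE_HTTPD_CONF = """\
<VirtualHost 192.0.2.5>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /home/username/public_html
User username
Group username
</VirtualHost>

<VirtualHost 192.0.2.5>
ServerAlias www.signin.ebay.fr.update.account.example.com
ServerAdmin webmaster@signin.ebay.fr.update.account.example.com
DocumentRoot /home/username/public_html/signin.ebay.fr.update.account
ServerName signin.ebay.fr.update.account.example.com
<IfModule mod_suphp.c>
suPHP_UserGroup username username
</IfModule>
User username
Group username
</VirtualHost>

<VirtualHost 192.0.2.5>
ServerName blog.example.com
DocumentRoot /home/username/public_html/blog
User username
Group username
</VirtualHost>

<VirtualHost 192.0.2.5>
ServerName files.example.com
DocumentRoot /tmp/.cache/www
User username
Group username
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf_text):
    """Extract the directives this audit needs from each <VirtualHost> block."""
    vhosts = []
    for m in VHOST_RE.finditer(conf_text):
        vh = {"address": m.group(1).strip(), "servername": "", "aliases": [],
              "documentroot": "", "user": ""}
        for line in m.group(2).splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) != 2:
                continue  # blank lines, <IfModule ...> and one-word directives
            key, value = parts[0].lower(), parts[1].strip()
            if key == "servername":
                vh["servername"] = value
            elif key == "serveralias":
                vh["aliases"].extend(value.split())
            elif key == "documentroot":
                vh["documentroot"] = value
            elif key == "user":
                vh["user"] = value
        vhosts.append(vh)
    return vhosts


def suspicious_vhosts(vhosts, max_labels=4):
    """Return the vhosts that trip a signal, each with a 'reasons' list.

    Signals: a lure word in ServerName/ServerAlias, more than max_labels
    DNS labels in a name (signin.ebay.fr.update.account.example.com has 7),
    or a DocumentRoot outside the owning user's home directory.
    """
    flagged = []
    for vh in vhosts:
        reasons = []
        for name in [vh["servername"]] + vh["aliases"]:
            low = name.lower()
            words = [w for w in LURE_WORDS if w in low]
            if words:
                reasons.append("lure words in %s: %s" % (name, ",".join(words)))
            labels = low.count(".") + 1
            if labels > max_labels:
                reasons.append("%d labels in %s" % (labels, name))
        if vh["user"] and not vh["documentroot"].startswith("/home/%s/" % vh["user"]):
            reasons.append("DocumentRoot %s is outside /home/%s/" % (vh["documentroot"], vh["user"]))
        if reasons:
            flagged.append(dict(vh, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for vh in suspicious_vhosts(parse_vhosts(SAMPLE_HTTPD_CONF)):
        print(vh["servername"])
        for r in vh["reasons"]:
            print("  - " + r)
```

Run it over the real httpd.conf and cross-check each flagged vhost against the account owner's subdomain list and the FTP logs for that DocumentRoot; a vhost the owner never created, with a DocumentRoot that was populated over FTP from an unfamiliar IP, is the chain the first post describes.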
     