The Community Forums

Interact with an entire community of cPanel & WHM users!

Server compromised, tracking down original point of entry

Discussion in 'Security' started by GoWilkes, Aug 25, 2011.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    On 8/18/11, one of my servers was apparently compromised. Between 8/18 and 8/24, I had 3 files uploaded to my /tmp/ directory:

    backs
    bds (Backdoor shell)
    dp

    Then later, these files were uploaded to /home/myaccount/public_html/somedirectory/:

    .chase.com (a directory with a lot of files)
    chase.com.zip (264kb)
    g@Me0vEr.php (122kb)
    index.html (0 bytes)

    I've deleted these files, changed my root password, run WHM's Trojan horse scanner, and manually looked through all of the recently-updated files. I don't see any more files that are suspicious.

    According to ConfigServer firewall, the last SSH login was several months ago, and all of the IPs that are listed as a login are recognized. The server only has one account (mine), and everything on this account was hand-rolled; no Joomla or Wordpress (or anything else) installed.

    I'm running WHM 11.30.2 (build 1), Apache 2.0.63, and PHP 5.2.11.

    Here's the question:

    With no programs on my account (to my knowledge) that have permission to access the files outside of the account directory, the only way I can imagine that a hacker would have gained access to the /tmp/ directory would be if they already had root access. And if they didn't get in by brute force (or CSF would have shown the login), then is there a vulnerability in my cPanel or PHP versions?

    Any other advice on tracking down the original point of entry?
     
  2. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  3. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    9
    Trophy Points:
    18
    Hi GoWilkes,

    Unfortunately no, as that pertains to a Denial of Service issue in Apache. That particular issue with Apache does not allow someone to obtain access to a server. Instead, it allows someone to cause the server to slow down.
     
  4. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Any other thoughts on where the original point of entry could have been, then? If it wasn't an SSH login, and all of the files in the /home/ directory were written by me, then the only things left are OS programs, cPanel, email, etc.
     
  5. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    9
    Trophy Points:
    18
    When you say that you had 3 files uploaded to the /tmp directory, are you referring to FTP uploads? Who owned those files (e.g., root, or your cPanel user, or the user "nobody")? If you're running php as dso, and if the files were user:group nobody:nobody, then I'd speculate that the attack likely occurred via a php application. Have you checked your website's domain logs for any activity that occurred around the time that the files were placed in /tmp? How much 3rd party software are you running that is exposed to the Internet? Have you checked to ensure that there are no fixes for currently known vulnerabilities in each that you might not have the updates for?
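The log check suggested here can be done mechanically: take the modification time of a file dropped in /tmp and pull the domain log requests recorded around that moment, then flag POSTs and requests for scripts the site owner never wrote. The script below is an added illustration, not code from the thread or from cPanel; the log lines, the file timestamp and the list of known scripts are all constructed.

```python
"""Correlate a dropped file's mtime with Apache domain log entries (combined format,
as written under /usr/local/apache/domlogs/ on a cPanel host). Illustrative only."""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log; the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2011:14:01:12 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2011:14:02:40 -0400] "POST /upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Aug/2011:14:03:05 -0400] "GET /somedirectory/g@Me0vEr.php HTTP/1.1" 200 880 "-" "libwww-perl/5.8"
192.0.2.44 - - [18/Aug/2011:16:45:00 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
# Constructed stand-in for `stat -c %y /tmp/bds` (the real mtime would come from the server).
SUSPECT_MTIME = datetime(2011, 8, 18, 14, 2, 55, tzinfo=timezone(timedelta(hours=-4)))
# Scripts the owner wrote themselves; anything else ending in .php deserves a look.
KNOWN_SCRIPTS = {"/index.php", "/upload.php"}

def parse_line(line):
    """Parse one combined-format line into a dict, or return None on a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(log_text, file_mtime, window_minutes=5):
    """Return the requests whose timestamp lies within +/- window of the file's mtime."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and abs(rec["ts"] - file_mtime) <= window:
            hits.append(rec)
    return hits

def flag_unknown_scripts(records, known_scripts):
    """Keep POST requests and requests for PHP scripts that are not in the owner's list."""
    return [r for r in records
            if r["method"] == "POST"
            or (r["path"].endswith(".php") and r["path"] not in known_scripts)]

if __name__ == "__main__":
    for r in flag_unknown_scripts(requests_near(SAMPLE_LOG, SUSPECT_MTIME), KNOWN_SCRIPTS):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["ua"])
```

Run it against a copy of the real domain log (the thread's later advice to back the logs up first applies) and widen the window if the file's mtime is uncertain.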
     
  6. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Unfortunately for me, in my haste to remove the files, I didn't stop to see their permissions. That would have been WAY too smart!

    I have absolutely no 3rd-party software running, though; the server only holds one account (mine), and I wrote everything in the script. The only programs that I didn't write are OS programs, cPanel, etc.
     
  7. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Server compromised, part 2 - Fx29Shell

    As I'd mentioned before, my server was compromised on 8/18/11.

    Today, an email came back to my Inbox from my server, apparently undeliverable. The subject included the word "Fx29Shell" and an AfriNIC IP address, and referred to one of the scripts I had to delete that was apparently a virus.

    Does Fx29Shell refer to an innate Linux or cPanel program, or is it a shell used by hackers? If it's not supposed to be there, can you guys suggest how I might remove it?
     
  8. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    9
    Trophy Points:
    18
    Hi GoWilkes,

    I've merged the 2 threads into 1.

    Based on the undeliverable message that you received, your server is/was likely being used to send spam.

    "Fx29Shell" is not something that comes with Linux or cPanel. That would be something that provides remote access to the attacker(s), and allows them to execute commands on your server.

    I would recommend hiring a sysadmin to review this incident, and show you how access was gained. I would back up your domain logs as soon as possible to preserve evidence that can possibly be used to determine the method of entry.
     
  9. Cwebz

    Cwebz Member

    Joined:
    Jan 19, 2006
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Minnesota
    cPanel Access Level:
    Root Administrator
    It's a shell; there is most certainly a way to disable it so it doesn't work at all. Perhaps you could contact me with further details.
     