Server compromised, tracking down original point of entry

GoWilkes

Well-Known Member
Sep 26, 2006
cPanel Access Level: Root Administrator
On 8/18/11, one of my servers was apparently compromised. Between 8/18 and 8/24, I had 3 files uploaded to my /tmp/ directory:

backs
bds (Backdoor shell)
dp

Then later, these files were uploaded to /home/myaccount/public_html/somedirectory/:

.chase.com (a directory with a lot of files)
chase.com.zip (264kb)
[email protected] (122kb)
index.html (0 bytes)

I've deleted these files, changed my root password, run WHM's Trojan horse scanner, and manually looked through all of the recently-updated files. I don't see any more files that are suspicious.

According to ConfigServer Firewall, the last SSH login was several months ago, and all of the IPs that are listed as a login are recognized. The server only has one account (mine), and everything on this account was hand-rolled; no Joomla or WordPress (or anything else) installed.

I'm running WHM 11.30.2 (build 1), Apache 2.0.63, and PHP 5.2.11.

Here's the question:

With no programs on my account (to my knowledge) that have permission to access the files outside of the account directory, the only way I can imagine that a hacker would have gained access to the /tmp/ directory would be if they already had root access. And if they didn't get in by brute force (or CSF would have shown the login), then is there a vulnerability in my cPanel or PHP versions?

Any other advice on tracking down the original point of entry?

JeffP.

Well-Known Member
Sep 28, 2010
Hi GoWilkes,

Unfortunately no, as that pertains to a Denial of Service issue in Apache. That particular issue with Apache does not allow someone to obtain access to a server. Instead, it allows someone to cause the server to slow down.

GoWilkes

Well-Known Member
Sep 26, 2006
cPanel Access Level: Root Administrator
Any other thoughts on where the original point of entry could have been, then? If it wasn't an SSH login, and all of the files in the /home/ directory were written by me, then the only thing left are OS programs, cPanel, email, etc.

JeffP.

Well-Known Member
Sep 28, 2010
When you say that you had 3 files uploaded to the /tmp directory, are you referring to FTP uploads? Who owned those files (e.g., root, or your cPanel user, or the user "nobody")? If you're running php as dso, and if the files were user:group nobody:nobody, then I'd speculate that the attack likely occurred via a php application. Have you checked your website's domain logs for any activity that occurred around the time that the files were placed in /tmp? How much 3rd party software are you running that is exposed to the Internet? Have you checked to ensure that there are no fixes for currently known vulnerabilities in each that you might not have the updates for?
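A small triage helper in the spirit of the questions above (who owned the dropped files, and what the domain logs show around the time they appeared). This is an added example, not code from the thread or from cPanel; the log lines, client IPs, request paths and the /tmp/bds modification time are constructed, and the "suspicious" flag is a simple heuristic, not a verdict.

```python
import os, pwd, grp, re
from datetime import datetime, timedelta, timezone

# Apache "combined" access log line, the format cPanel domain logs use.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def describe_file(path):
    """Owner, group and mtime of a dropped file: record these BEFORE deleting it.
    nobody:nobody with PHP running as DSO points at a web application as the entry."""
    st = os.stat(path)
    try:
        owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:                      # uid/gid with no passwd/group entry
        owner, group = str(st.st_uid), str(st.st_gid)
    return {"owner": owner, "group": group,
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)}

def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")   # "18/Aug/2011:14:22:40 -0400"

def correlate(log_lines, mtime, window_minutes=10):
    """Requests logged within +/- window of the file's mtime, most suspicious first.
    Heuristic: POSTs and .php requests carrying a query string; everything in the window is kept."""
    lo, hi = mtime - timedelta(minutes=window_minutes), mtime + timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line; skip rather than abort mid-triage
        ts = parse_ts(m["ts"])
        if lo <= ts <= hi:
            susp = m["method"] == "POST" or (".php" in m["path"] and "?" in m["path"])
            hits.append({"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"],
                         "status": int(m["status"]), "suspicious": susp})
    hits.sort(key=lambda h: (not h["suspicious"], h["ts"]))
    return hits

# Constructed sample data (not from the thread): a domain log and the mtime of /tmp/bds.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Aug/2011:14:20:11 -0400] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [18/Aug/2011:14:22:40 -0400] "GET /gallery.php?img=x HTTP/1.1" 200 88',
    '198.51.100.9 - - [18/Aug/2011:14:22:58 -0400] "POST /gallery.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [18/Aug/2011:16:05:00 -0400] "GET /about.html HTTP/1.1" 200 2048',
]
DROP_TIME = datetime(2011, 8, 18, 18, 23, 1, tzinfo=timezone.utc)   # 14:23:01 -0400

if __name__ == "__main__":
    print(describe_file("/tmp"))          # live check on this host
    for h in correlate(SAMPLE_LOG, DROP_TIME):
        print("!" if h["suspicious"] else " ", h["ts"], h["ip"], h["method"], h["path"], h["status"])
```

Run against a copy of the real domain log and the recorded mtime, and the client addresses that cluster around the drop are the first thing to check against the rest of the logs.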

GoWilkes

Well-Known Member
Sep 26, 2006
cPanel Access Level: Root Administrator
Unfortunately for me, in my haste to remove the files, I didn't stop to see their permissions. That would have been WAY too smart!

I have absolutely no 3rd-party software running, though; the server only holds one account (mine), and I wrote everything in the script. The only programs that I didn't write are OS programs, cPanel, etc.

GoWilkes

Well-Known Member
Sep 26, 2006
cPanel Access Level: Root Administrator
Server compromised, part 2 - Fx29Shell

As I'd mentioned before, my server was compromised on 8/18/11.

Today, an email came back to my Inbox from my server, apparently undeliverable. The subject included the word "Fx29Shell" and an AfriNIC IP address, and referred to one of the scripts that I had to delete that were apparently a virus.

Does Fx29Shell refer to an innate Linux or cPanel program, or is it a shell used by hackers? If it's not supposed to be there, can you guys suggest how I might remove it?

JeffP.

Well-Known Member
Sep 28, 2010
Hi GoWilkes,

I've merged the 2 threads into 1.

Based on the undeliverable message that you received, your server is/was likely being used to send spam.

"Fx29Shell" is not something that comes with Linux or cPanel. That would be something that provides remote access to the attacker(s), and allows them to execute commands on your server.

I would recommend hiring a sysadmin to review this incident, and show you how access was gained. I would back up your domain logs as soon as possible to preserve evidence that can possibly be used to determine the method of entry.

Cwebz

Member
Jan 19, 2006
Minnesota
cPanel Access Level: Root Administrator
It's a shell. There is most certainly a way to disable it so it doesn't work at all; perhaps you could contact me with further details.