The Community Forums


server deface

Discussion in 'General Discussion' started by Crooner, Nov 10, 2004.

  1. Crooner

    Crooner Member

    Joined:
    Oct 22, 2002
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Last night someone was able to do a mass deface on one of our servers. We run chkrootkit and rkhunter regularly and I don't see any odd processes running, so I don't think I have a rootkit problem.

    Is there any way to track down a script vulnerability that could have done this?

    All files matching *index* had 4 <iframe> lines added and were chowned to root.root.

    Any help would be appreciated (If there's a better forum for this please let me know).

    Thanks,
    Dean
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If the index files are chowned to root:root where they weren't previously, then you've had a root compromise somewhere. No-one other than root (or a daemon, process or suid binary) can change file ownerships like that. Are you running the latest STABLE/RELEASE/CURRENT/EDGE of cPanel, as there were some exploits found not long ago?
     
  3. Crooner

    Crooner Member

    Joined:
    Oct 22, 2002
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    I'm running the RELEASE tree and it says it's up to date:
    WHM 9.9.7 cPanel 9.9.8-R5

    If I've had a root compromise it's probably beyond my realm to find it. I've noticed a couple of places that do security work on Linux/cPanel systems. How do you know who you can trust?
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  5. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You can certainly trust Chirpy.
     
  6. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I'll second that... he knows what he's doing too :)
     
  7. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16
    Check your /tmp folder for scripts. It could be as simple as having exec privileges on the /tmp folder that allowed someone to run it. I know there was an old my_egallery exploit that caused issues like this in the past. Might want to scan your server and see if anyone is running my_egallery.
     
  8. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Look through your httpd logs (if they haven't been wiped) for suspicious activity near the time of the timestamps on the modified files. If the files are indeed owned by root, then you need an OS reload. If not, you should be able to clean up, plug the hole, and make sure that nothing else was touched.
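The triage dezignguy describes, as an added example that is not part of the thread: pull the timestamp off a modified index file, pick out the injected <iframe> lines, and list the httpd access-log entries that fall within a few minutes of that timestamp. The log lines, page content and mtime below are constructed sample data, and the 10-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
IFRAME_RE = re.compile(r'<iframe\b', re.IGNORECASE)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_apache_line(line):
    """Split one access-log line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], TIME_FMT)
    return fields

def injected_iframes(html):
    """Lines of a page that carry an <iframe> tag, the deface marker the thread describes."""
    return [ln for ln in html.splitlines() if IFRAME_RE.search(ln)]

def requests_near(log_lines, mtime, window_minutes=10):
    """Log entries whose timestamp lies within +/- window_minutes of a file's mtime.
    The 10-minute default is an assumption; widen it if the log is sparse."""
    window = timedelta(minutes=window_minutes)
    entries = (parse_apache_line(ln) for ln in log_lines)
    return [e for e in entries if e and abs(e["time"] - mtime) <= window]

# Constructed sample data: a defaced page, its mtime, and four access-log lines.
SAMPLE_INDEX = """<html><body><h1>Welcome</h1>
<iframe src="http://example.invalid/a" width=0 height=0></iframe>
<iframe src="http://example.invalid/b" width=0 height=0></iframe>
</body></html>"""
SAMPLE_MTIME = datetime.strptime("10/Nov/2004:02:14:00 +0000", TIME_FMT)
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Nov/2004:23:50:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Nov/2004:02:11:37 +0000] "POST /cgi-bin/form.cgi HTTP/1.0" 200 311',
    '192.0.2.44 - - [10/Nov/2004:02:13:58 +0000] "GET /gallery/index.php?page=1 HTTP/1.0" 200 2044',
    '198.51.100.9 - - [10/Nov/2004:02:40:11 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

On a real box, feed `requests_near` the lines of the relevant domain's access log and the `st_mtime` of a defaced file, and compare the ownership with `stat` separately, since this block does not touch the filesystem.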
     
  9. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    If it is a root compromise I strongly recommend an OS reinstall, rather than trying to clean the box up.
     