server hack

Discussion in 'General Discussion' started by hdotnet, Aug 21, 2007.

  1. hdotnet

    hi there,

    an account on our cpanel install was hacked and all files deleted. we're still trying to work out how they got in, but they did manage to gain shell access... we noticed this in the .bash_history file

    su
    ssh
    ssh root@localhost
    ssh root@NOTTELLING.org
    ssh -p 4444 localhost
    ssh -p 4444 NOTTELLING.org
    uname -a
    gcc
    cd /tmp
    mv ~/k-rad3 ./
    ./k-rad3
    chmod 777 k-rad3
    ./k-rad3
    mv k-rad3 ~
    cd ~~
    cd ~
    ./k-rad3
    ./k-rad3 -t 1 -p 2
    ./k-rad3 -t 1 -p 3
    ./k-rad3 -t 1 -p 4
    ./k-rad3 -t 1 -p 5
    ./k-rad3 -t 1 -p 6
    ./k-rad3 -t 1 -p 7
    ./k-rad3 -t 1 -p 20
    uname -a
    ./k-rad3 -p 2
    ./k-rad3 -p 3
    ./k-rad3 -a -p 7
    ./k-rad3 -t 1 -p 2
    ./k-rad3 -h
    ./k-rad3 -p 200
    ./k-rad3 -p 20000
    id
    ./k-rad3 -p 900
    ./k-rad3 -p 1100
    ./k-rad3 -p 1500
    ./k-rad3 -p 1900
    ./k-rad3 -p 1999
    ./k-rad3 -p 2000
    ./k-rad3 -p 5000
    ./k-rad3 -p 3000
    ./k-rad3 -p 2600
    ./k-rad3 -p 2100
    ./k-rad3 -p 2001
    ./k-rad3 -p 250
    ls
    rm k-rad3


    does anyone have any ideas what they could have done/been trying to do with this k-rad3 ?
     
  2. approx

    open the file that's executed to see what he's doing

    seems that he's trying to open any port as a backdoor. But I think he can't open that port because they're trying many open ports lol
     
  3. hdotnet

    I would.... but the last line of the bash_history reads:

    rm k-rad3

    so naturally it isn't there!

    Thanks for the advice re ports.
     
  4. koolcards

    tried doing a search?
    k-rad3 turns up a local kernel exploit
    http://www.xfocus.net/tools/200512/k-rad3.c

    basically, someone got into /tmp, probably via a php form, something allowing 'upload', and is attempting to set up an IRC relay using your server. Wasn't very successful or it would have affected more than one site and you wouldn't be seeing the bash history.

    check your /var/tmp also. If you can grab any of his configuration files, you might track the a^%#hole
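A small triage script for the kind of .bash_history posted above, added here as an example and not code from any poster. It runs over a constructed sample modelled on that history (not the original file) and flags the pattern an investigator wants to see at a glance: root attempts, reconnaissance, staging in /tmp, an unknown binary run repeatedly with changing arguments (an exploit being tuned by trial and error), and the binary then being removed.

```python
import re
from collections import Counter

# Constructed sample modelled on the posted history; not the original file.
SAMPLE_HISTORY = """su
ssh root@localhost
uname -a
gcc
cd /tmp
mv ~/k-rad3 ./
chmod 777 k-rad3
./k-rad3
./k-rad3 -t 1 -p 2
./k-rad3 -p 3000
id
ls
rm k-rad3
"""

# Each rule: (finding label, regex matched against one command line).
RULES = [
    ("privilege escalation attempt (su/ssh root)", re.compile(r"^(su\b|sudo\b|ssh\s+.*root@)")),
    ("system reconnaissance (uname/id)", re.compile(r"^(uname|id)\b")),
    ("compiler available to attacker", re.compile(r"^(gcc|cc|make)\b")),
    ("staging in world-writable dir", re.compile(r"^cd\s+/(var/)?tmp\b")),
    ("world-writable/executable permission set", re.compile(r"^chmod\s+(777|\+x|a\+x)\b")),
    ("unknown binary executed", re.compile(r"^\./(\S+)")),
    ("evidence removal (rm of executed binary)", re.compile(r"^rm\s+(-\S+\s+)?(\S+)")),
]

def triage_history(text):
    """Return (line number, label, command) findings; line 0 marks summary findings."""
    findings, run_counts, executed = [], Counter(), set()
    for lineno, cmd in enumerate(text.splitlines(), 1):
        cmd = cmd.strip()
        for label, rx in RULES:
            m = rx.match(cmd)
            if not m:
                continue
            if label == "unknown binary executed":
                executed.add(m.group(1))
                run_counts[m.group(1)] += 1
            elif label.startswith("evidence removal") and m.group(2) not in executed:
                continue  # only flag rm of something that was actually run
            findings.append((lineno, label, cmd))
    # Many runs of one binary with varying arguments: exploit being tuned by trial and error.
    for name, n in run_counts.items():
        if n >= 3:
            findings.append((0, "binary %s run %d times with varying arguments" % (name, n), name))
    return findings

if __name__ == "__main__":
    for lineno, label, cmd in triage_history(SAMPLE_HISTORY):
        print("%3d  %-45s %s" % (lineno, label, cmd))
```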
     
  5. hdotnet

    thanks koolcards

    Are you saying the upload form would have been one in this particular site/account?

    Naturally this would narrow it down a bit.

    H
     
  6. koolcards

    that's where I'd look, yes. Check for time stamps on files, even without funky names like "x.php", even "index.php" can be suspect, depending on its time stamp. They also like to use "." files and directories in an attempt to hide themselves, ".c" as a directory for example.

    There are a good number of 3rd party php scripts out there with upload exploits, several can be installed by your users via cPanel's addon stuff (I think it was a 'Coppermine' install that got me last time).
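The two checks suggested above (dot-named entries hiding in the document root, and files whose time stamps are newer than the site itself) as an added example script; it is not code from the poster. It builds a constructed sample tree under a temporary directory so it runs stand-alone; on a real server you would point scan_webroot at the account's public_html and pick since_epoch from the last known-good change.

```python
import os
import time
import tempfile

# .htaccess is normal in a cPanel document root, so it is not treated as hidden.
EXPECTED_DOTFILES = {".htaccess"}

def scan_webroot(root, since_epoch):
    """Return (hidden, recent): dot-named files/dirs under root (minus the expected
    ones) and files modified after since_epoch, both as paths relative to root."""
    hidden, recent = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.startswith(".") and name not in EXPECTED_DOTFILES:
                hidden.append(rel)
            # Time stamps are the main signal: a freshly modified index.php is suspect.
            if name in filenames and os.path.getmtime(path) > since_epoch:
                recent.append(rel)
    return sorted(hidden), sorted(recent)

def build_sample_tree():
    """Constructed layout: an old legitimate site plus a few planted items."""
    root = tempfile.mkdtemp()
    old = time.time() - 90 * 86400   # site files last touched three months ago
    new = time.time() - 3600         # planted items touched an hour ago
    layout = {"index.php": old, "images/logo.png": old, ".htaccess": old,
              "gallery/index.php": new, ".c/run.sh": new, "uploads/x.php": new}
    for rel, mtime in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
        os.utime(p, (mtime, mtime))
    return root

if __name__ == "__main__":
    hidden, recent = scan_webroot(build_sample_tree(), time.time() - 7 * 86400)
    print("hidden entries:", hidden)
    print("modified in last 7 days:", recent)
```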
     
  7. hdotnet

    cPanel access

    They also managed to get access to cPanel for this site.
    The details:

    In the Apache log there were entries like:
    hacker.ip.address - - [17/Aug/2007:13:44:33 +0100] "GET /cpanel HTTP/1.1" 301 5 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ADVPLUGIN|K113|3|S-535862116|dialno; snprtz|S22370200030001|2600#Service Pack 2#2#5#154321|isdn)"

    And in cPanel they had
    "Last Login from:http://hacker.ip.address "
     
  8. koolcards

    The GET is simply a request to apache to display a page and gives you more information about the hacker than anything else. A "POST" would be different.

    The "Last Login from" in cPanel suggests they got in via cracking the user account rather than an exploit. Maybe weak password?
     
  9. AndyReed

    You're better off securing and hardening your server ASAP. There are many threads in these forums discussing HowTo secure a server.
     