The Community Forums


Server Hacked ..!

Discussion in 'Security' started by Nelesh, Jul 10, 2009.

  1. Nelesh

    Nelesh Registered

    Joined:
    Jul 10, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Server hacked.
    ============

    HTML and PHP files

    Inserted code

    Is there any way to find out all the hacked files on server, I was trying to find the infected files with the following command.

    find * | xargs grep 'http://a5g.ru:8080'

    Please help ...
     
  2. JawadArshad

    JawadArshad Well-Known Member
    PartnerNOC

    Joined:
    Apr 8, 2008
    Messages:
    447
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    PK
    cPanel Access Level:
    DataCenter Provider
    If you need to find a list of files containing a specific string, you might try this as well.

    grep -r --color a5g.ru *
     
  3. logicsupport

    logicsupport Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    How to remove iframe

    Hi,

    Please use the following script
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5g.ru" {} \; -exec sed -i "/"a5g.ru"/d" {} \;
    ===============
    The above command will remove the line which contains the word "a5g.ru". The command will search all the files under /home.

    We are advising you to take necessary backups before running the above script.
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Nelesh:

    Be advised that this particular hack is NOT a server compromise
    but rather an infected client. You should contact whoever owns
    the account where the index files have been modified and let them
    know that their home computer is infected with a pretty dangerous
    trojan that records the keystrokes on their computer and captures
    their passwords so that hackers in China can access their hosting
    and (bad news) bank accounts.

    They have been compromised for sure if someone has already
    logged into their web hosting account and updated the index files
    and they need to update their virus scanner with the latest updates
    and perform a full system scan and also get a "good" spyware
    detection program such as Spyware Doctor from PCTools.

    A note to logicsupport:

    The cleanup script is a nice idea but I would search for the proxy port
    (:8080) instead of the URL, as it is not likely to show up in regular home pages
    and thus far has stayed consistent in hacked files on various servers while the
    URL link frequently changes.


    Script for cronjob for general detection for this:
    Code:
    #!/bin/bash

    # Change to your administrator email address
    ALERT="root"

    # Location of Log file
    HLOG="/var/log/china-hack.log"

    # Location of temporary test report
    TLIST="/tmp/hack-test.$$"

    # --------------------------------------------------
    #  Begin main China Hack Detection Script
    # --------------------------------------------------

    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi

    # User specific environment for cron job
    # (the current directory is deliberately NOT added to PATH: this runs
    # as root inside /home, where the account owners control the files)

    typeset -i TCOUNT=0

    PATH=$PATH:$HOME/bin
    export PATH

    cd /home || exit 1

    if [ -e "${TLIST}" ]; then
        rm -f "${TLIST}"
    fi

    # Collect index files changed in the last 30 days. The -name tests are
    # grouped so that -type f and -mtime apply to all three names.
    ls /var/cpanel/users | while IFS= read -r MUSER; do
        find "./${MUSER}/public_html" -type f -mtime -30 \
            \( -name 'index.php' -o -name 'index.html' -o -name 'index.htm' \) >> "${TLIST}"
    done

    cat "${TLIST}" | while IFS= read -r HFILE; do
        TCOUNT=$(grep -c ':8080' "${HFILE}")
        if [ "${TCOUNT}" -gt 0 ]; then
            # keep the original as <file>.hack, then drop every line containing 8080
            sed -i'.hack' '/8080/d' "${HFILE}"
            echo "$(date) ${HFILE}" >> "${HLOG}"
            echo "${TCOUNT} ${HFILE}"
            echo "Potential China hack found in ${HFILE}" | mail -s "Alert: Potential China Hack Detected" "${ALERT}"
        fi
        TCOUNT=0
    done

    if [ -e "${TLIST}" ]; then
        rm -f "${TLIST}"
    fi

    #End of Script
    
     
    #4 Spiral, Jul 10, 2009
    Last edited: Jul 10, 2009
  5. kraken17

    kraken17 Member

    Joined:
    Jul 16, 2008
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Just for some clarification .....

    I have worked on this problem for the past 3 days, with only one account hacked on the server.

    The problem has expanded to [A5H.ru] as well. Search your servers for anything :8080 inside all files.

    Linux command:
    find /home/ \( -name "*.cgi" -o -name "*.php" -o -name "*.html" \) -print0 | xargs -0 egrep -l 'ru:8080' >> /root/a5g_report &

    will find anything placed into php,cgi and html files with this particular problem, looking for ru:8080. It will then place the filename of any infected files into /root/a5g_report.

    Now is the time to keep effective backups of your website, guys. Also do change the FTP password, but do not do it on a machine that may be infected; I changed my users' password and then gave it to the hackers again.

    Typical.
     
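    Spiral's cron script deletes every line containing 8080 and kraken17's find/xargs only lists matching files. As an added example that is not from any poster in this thread, the Python scanner below reports the injected tag with its line number and, when cleaning, removes just that tag after saving a .hack copy, so a legitimate line that merely mentions port 8080 is left intact. The account name user1 and the page content in demo() are constructed.

```python
import os
import re
import shutil
import tempfile
import time

# Indicator for the injection in this thread: an <iframe>/<script> tag whose src
# points at a host on port 8080 (the proxy port Spiral suggests matching on).
INJECT_RE = re.compile(
    r'<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["\']?https?://[^"\'\s>]+:8080[^>]*>'
    r'(?:\s*</(?:iframe|script)>)?', re.IGNORECASE)
WEB_EXTS = ('.php', '.html', '.htm', '.cgi')

def scan_for_injection(root, max_age_days=30):
    """Read-only pass: [(path, line_no, tag)] for recently modified web files."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(WEB_EXTS) or os.path.getmtime(path) < cutoff:
                continue
            with open(path, encoding='utf-8', errors='replace') as fh:
                for no, line in enumerate(fh, 1):
                    hits.extend((path, no, m.group(0)) for m in INJECT_RE.finditer(line))
    return hits

def clean_file(path, backup_suffix='.hack'):
    """Strip only the matched tags (rest of the line survives) after copying the file aside."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        original = fh.read()
    cleaned, count = INJECT_RE.subn('', original)
    if count:
        shutil.copy2(path, path + backup_suffix)  # evidence copy, made before editing
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(cleaned)
    return count

def demo():  # constructed sample tree for a hypothetical account 'user1'
    os.makedirs(site := os.path.join(tempfile.mkdtemp(), 'user1', 'public_html'))
    index = os.path.join(site, 'index.html')
    with open(index, 'w', encoding='utf-8') as fh:  # constructed page content
        fh.write('<html><body>\n<p>Admin console on port 8080</p>\n<p>Footer</p>'
                 '<iframe src="http://a5g.ru:8080/" width=0 height=0></iframe>\n</body></html>\n')
    before = scan_for_injection(site)
    removed = clean_file(index)
    with open(index, encoding='utf-8') as fh:
        lines = fh.read().splitlines()
    return {'before': before, 'removed': removed, 'lines': lines,
            'after': scan_for_injection(site), 'backup': os.path.exists(index + '.hack')}
```

    The .hack copy is skipped on the rescan because its extension is not in WEB_EXTS; review it before deleting it.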
  6. maquinadigital

    maquinadigital Well-Known Member

    Joined:
    Aug 10, 2006
    Messages:
    51
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    DataCenter Provider
    Detect and clean scripts

    Greetings,

    Last September, my server was hacked. At that time, it was not only one account but several.

    I made some php scripts to run in sh, to detect and clean the files.

    You can download them from www.maquinadigital.pt/scripts.tar.gz

    Hope they can help someone.

    Best regards
    daniel
     
  7. ddmd

    ddmd Registered

    Joined:
    Jul 11, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Hey,

    I had a similar problem a while ago and used the ossec tool (open source) to find all offending packages. It has a nice rootkit/worm/exploits detection tool in there....

    After that, I kept that running with Snort and modsecurity (all open source) to monitor my systems. I lately also found sucuri to remotely check if my sites have been defaced, blacklisted, etc.

    links:
    Welcome to the Home of OSSEC
    ModSecurity: Open Source Web Application Firewall
    Snort :: Home Page
    Sucuri information security (BETA)
     