Server Hacked

Discussion in 'Security' started by SimonrFrance, Jun 19, 2013.

  1. SimonrFrance

    SimonrFrance Member

    Joined:
    Feb 23, 2013
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Sir,

    Our server was hacked and the hacker uploaded the following 3 files in the website's main folder.

    1- index.html
    2- index.php
    3- x.html

    For example:
    www.abc.com/index.html
    www.abc.com/index.php
    www.abc.com/x.html

    Query 1:
    He uploaded them only in the main website folder. Almost 300 websites are hosted on this server. How can I delete these 3 files from 300 folders by command?

    Query 2:
    How can I check how the hacker got access to do this?

    Regards,
    FHS
     
    #1 SimonrFrance, Jun 19, 2013
    Last edited: Jun 19, 2013
  2. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
  3. SimonrFrance

    SimonrFrance Member

    Joined:
    Feb 23, 2013
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    Thank you for your reply. Normally a hacker uploads an index file to deface a site. Therefore I want to keep a backup of ALL index files of customers' websites.

    Do you know of some bash script to keep a backup of index files? index.html, index.htm and index.php?

    Regards,
    FHS
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I suggest consulting with a qualified system administrator or security specialist because it's possible your server was rooted if files were uploaded to all of your accounts. It's generally recommended to reinstall the Operating System and restore the accounts if your server has been hacked at the root level.

    Thank you.
     
  5. Schottkey

    Schottkey Member

    Joined:
    Oct 24, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    You must verify the access log of the server. It should be in the /usr/local/apache/domlogs/ folder and the name of the file should be the domain name (for example: abc.com).

    For removing the files:

    find . -name index.htm -exec echo {} \;

    where the echo command (print to screen) can be replaced with a copy, move or remove command.

    Best regards,
    Schottkey
     
    #5 Schottkey, Jun 20, 2013
    Last edited: Jun 20, 2013
  6. SimonrFrance

    SimonrFrance Member

    Joined:
    Feb 23, 2013
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    Thank you for your reply. The server administrator is saying that the hacker used a 0day CentOS kernel exploit to hack it.
    Now the administrator has updated the kernel and rebooted the server. But he is unable to catch the hacker, or to find out how he initiated the process.

    Therefore I need your help in the following matters:
    1) The hacker uploads index.html or index.php files to deface the website. To restore these pages we should keep a backup of these index pages. So I want to use some bash script to back up only the index files somewhere on the server on a weekly basis (like a backup). I tried to find some scripts but didn't understand them:
    a) A Shell Script to fix index injuction - restore from Cpanel backups - Web Hosting Talk
    b) Script to Backup files - The UNIX and Linux Forums

    2) How to catch the hacker? How did he get access? Which account did he use to exploit?

    I will be very thankful to you.

    Regards,
    FHS
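    The backup and restore of index files asked for in this post, plus the find-based sweep Schottkey describes in post #5, as one added example (not a script from the thread or from cPanel). It assumes the cPanel layout /home/<account>/public_html and takes the home root and snapshot directory as arguments so it can be pointed at test directories.

```shell
#!/bin/sh
# Added example, not from the thread. Snapshot every index.html/.htm/.php under
# each account's public_html, report index files that differ from the snapshot,
# and restore a single file from the snapshot. Assumes /home/<acct>/public_html
# (cPanel layout); ROOT and DEST are passed in so nothing here is hard-coded.

# backup_index_files ROOT DEST : copy each index file into DEST, keeping the
# path relative to ROOT. Prints how many files the snapshot now holds.
backup_index_files() {
    root=$1; dest=$2
    find "$root" -path '*/public_html/*' -type f \
        \( -name index.html -o -name index.htm -o -name index.php \) \
        | while IFS= read -r f; do
            rel=${f#"$root"/}
            mkdir -p "$dest/$(dirname "$rel")"
            cp -p "$f" "$dest/$rel"
        done
    find "$dest" -type f | wc -l | tr -d ' '
}

# list_changed_index_files ROOT DEST : print "NEW <rel>" for index files that
# are not in the snapshot and "MODIFIED <rel>" for those whose content differs.
# An empty result means every index file still matches the last snapshot.
list_changed_index_files() {
    root=$1; dest=$2
    find "$root" -path '*/public_html/*' -type f \
        \( -name index.html -o -name index.htm -o -name index.php \) \
        | while IFS= read -r f; do
            rel=${f#"$root"/}
            if [ ! -f "$dest/$rel" ]; then
                printf 'NEW %s\n' "$rel"
            elif ! cmp -s "$f" "$dest/$rel"; then
                printf 'MODIFIED %s\n' "$rel"
            fi
        done
}

# restore_index_file ROOT DEST REL : put the snapshot copy of one file back.
restore_index_file() {
    cp -p "$2/$3" "$1/$3"
}
```

    Run backup_index_files from a weekly cron job and list_changed_index_files from a daily one; a MODIFIED line is your cue to check that account's domlog and restore the page.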
     
  7. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    In these kinds of hacks the hackers replace pages using the FTP service; I think you will get the index page as well as .htaccess upload logs in messages. I will not be able to help you with the specific bash script that you needed, but would suggest you keep your directory listing disabled on the server.

    I would also suggest you check if there are PHPShell files on your server; sometimes you will see root symlinks in multiple accounts, which is the most dangerous part.

    For securing your server I would strongly suggest you use the CXS app on your server, which will help you to find out most of the exploits.
     
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Likely the semtex.c root exploit was used; I've seen that a lot lately. This means one website was hacked, and that access (paired with an outdated kernel) was used to get root. Once they have root they run a local script usually called mass.pl or mass.txt to replace all index files.

    An updated kernel is a good step; however, you should re-image your host. By this I mean install a clean new operating system, and migrate your accounts to that host. Without doing this you have no guarantee that a backdoor was not left while the hacker had root.

    As far as finding the site they got into in the first place, search for files like mass.pl or mass.txt, and also run a maldet scan for cmdshells.
     
    #8 quizknows, Jun 20, 2013
    Last edited: Jun 20, 2013
  9. Schottkey

    Schottkey Member

    Joined:
    Oct 24, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    If your server was hacked you must know which door was open and close it, because there will be a next time. Do you have Joomla installed on your server? Or another CMS?

    Is the Apache server configured as DSO or suPHP? Please see post 1257931.
     