server hacker suexec and bandmin seems to have relation with

Hi

today one of my cpanel servers got hacked

i thought it would have relation with Exim last vulnerability, but there was nothing at exim_mainlog and exim_paniclog that pointed to this

all websites have /home/username/public_html/index* chmoded to 777 and were desfigurated

the inner folders i mean all directories were fine except for the /www/index*

this had an 14:29 to 14:30 date

so i use grep in many ways to track this and i found at suexec_log some strange entries pointing to a especific user

i found at this /home/suspectuser/public_html/aspx.net the strange file and inside of it i had a program that gave him root access

i suspect with bandmin because first line from this file was adulterated to:

#!/usr/bin/perl -I/usr/local/bandmain

seems to be a mistype of /usr/local/bandmin

this was simultaneos with the incident so it is very probably that has relation with

there were other programs uploaded and removed by his root access that started with a perl cgi

can bandmin lead to this ?

any help will be appreciated

thanks
Claudio

 

Hi

i found some scripts at /tmp and seems that they were used also

i runned /scripts/./securetmp and seems to be safe now

but i will use some rootkit scans to check everything

i just cannot understand how he got a list of all cpanels usernames and so fast under 10 minutes prepared that script, there were more folders at /home and he scripted just the usernames so a ls-lh was not the way he got this usernames...

can an unsafe /tmp partition lead to a root exploit ?

thanks
Claudio

 

thanks for your reply

sure, i know /etc/passwd have all users but there are more that just cpanel users, there are many other users and some of then that are not related with cpanel, were not target

i think he used some more sofisticated like whm scripts to reveal all cpanel usernames, separating then from the other users...

fact is that he runned many exploits very fast under 10 minutes and i tracked that he was there in the infect source web site for more than a month, and using strange scripts in php and perl

many of then has a name such as googlea12121212.php with a signature under the code such as:

<Goog1e_analist_certs>

there were a 64base string reversed and i decoded and was a exploit tool very direct to cpanel systems including a mysql dump download and session spoofing... he also killed the /var/log/wtmp process and i needed to reboot in order to get it up again...

regards
Claudio