The Community Forums


Server hacked: suexec and bandmin seem to have a relation with it

Discussion in 'Security' started by claudio, Dec 20, 2010.

  1. claudio

    claudio Well-Known Member

    Joined:
    Jul 31, 2004
    Messages:
    201
    Likes Received:
    0
    Trophy Points:
    16
    Hi

    Today one of my cPanel servers got hacked.

    I thought it was related to the latest Exim vulnerability, but there was nothing in exim_mainlog or exim_paniclog that pointed to this.

    All websites had /home/username/public_html/index* chmoded to 777 and were defaced.

    The inner folders, I mean all directories, were fine except for the /www/index* files.

    These had a 14:29 to 14:30 timestamp.

    So I used grep in many ways to track this, and I found in suexec_log some strange entries pointing to a specific user.

    I found the strange file at /home/suspectuser/public_html/aspx.net, and inside it was a program that gave him root access.

    I suspect bandmin because the first line of this file was altered to:

    #!/usr/bin/perl -I/usr/local/bandmain

    which seems to be a typo of /usr/local/bandmin.

    This was simultaneous with the incident, so it is very probable that it is related.

    There were other programs uploaded and removed with his root access that started with a Perl CGI.

    Can bandmin lead to this?

    Any help will be appreciated.

    Thanks
    Claudio
     
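The two symptoms in the post above (index* files in every public_html left world-writable, and a burst of suexec_log entries for one user inside a one-minute window) can be triaged with a small shell script. The one below is an added example and not code from the thread or from cPanel: it builds a constructed /home tree and a constructed suexec_log in a temporary directory so it runs offline; the suexec log line layout `[YYYY-MM-DD HH:MM:SS]: uid: (UID/user) gid: (GID/group) cmd: script` is assumed from Apache's suexec format, and on a cPanel box the real log path is assumed to be /usr/local/apache/logs/suexec_log.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for the symptoms the
# original post describes (world-writable index* files in public_html and
# a burst of suexec_log entries for one user in a short time window).
# The directory tree and log lines are constructed here so it runs offline.

# find_ww_index HOMEROOT
#   List index* files under HOMEROOT/*/public_html that are world-writable
#   (mode 777 as in the post matches -perm -0002).
find_ww_index() {
    find "$1" -path '*/public_html/index*' -type f -perm -0002 2>/dev/null | sort
}

# suexec_users LOGFILE FROM TO
#   Count suexec_log entries per user whose timestamp (HH:MM) lies in
#   [FROM, TO]; the most active user is printed first. The line layout
#   "[YYYY-MM-DD HH:MM:SS]: uid: (UID/user) gid: (GID/group) cmd: script"
#   is an assumption based on Apache's suexec log format.
suexec_users() {
    awk -v from="$2" -v to="$3" '
        /^\[/ {
            t = substr($2, 1, 5)              # "14:29:13]:" -> "14:29"
            if (t < from || t > to) next      # zero-padded HH:MM compares as text
            n = split($4, a, "/")             # "(1003/suspectuser)" -> a[n] = "suspectuser)"
            u = a[n]; sub(/\)$/, "", u)
            count[u]++
        }
        END { for (u in count) printf "%s %d\n", u, count[u] }
    ' "$1" | sort -k2,2nr
}

# demo_setup
#   Build a constructed /home tree and suexec_log in a temp dir; print its path.
demo_setup() {
    root=$(mktemp -d)
    for u in alice bob suspectuser; do
        mkdir -p "$root/home/$u/public_html"
        printf 'ok\n' > "$root/home/$u/public_html/index.html"
        chmod 644 "$root/home/$u/public_html/index.html"
    done
    # two defaced sites left world-writable, as in the post
    chmod 777 "$root/home/alice/public_html/index.html"
    chmod 777 "$root/home/bob/public_html/index.html"
    cat > "$root/suexec_log" <<'EOF'
[2010-12-20 14:10:02]: uid: (1002/bob) gid: (1002/bob) cmd: counter.cgi
[2010-12-20 14:29:13]: uid: (1003/suspectuser) gid: (1003/suspectuser) cmd: aspx.net
[2010-12-20 14:29:41]: uid: (1003/suspectuser) gid: (1003/suspectuser) cmd: aspx.net
[2010-12-20 14:30:05]: uid: (1003/suspectuser) gid: (1003/suspectuser) cmd: aspx.net
[2010-12-20 14:30:40]: uid: (1001/alice) gid: (1001/alice) cmd: form.cgi
EOF
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed data. On a real cPanel server the
# calls would be find_ww_index /home and
# suexec_users /usr/local/apache/logs/suexec_log 14:29 14:30 (path assumed).
r=$(demo_setup)
echo "world-writable index files:"; find_ww_index "$r/home"
echo "suexec activity 14:29-14:30:"; suexec_users "$r/suexec_log" 14:29 14:30
rm -rf "$r"
```

The time window is compared as zero-padded text, so it only works within a single day; widen it by pre-filtering the log on the date column if the activity spans midnight.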
  2. claudio
    Hi

    I found some scripts in /tmp and it seems they were used too.

    I ran /scripts/./securetmp and it seems to be safe now.

    But I will use some rootkit scans to check everything.

    I just cannot understand how he got a list of all cPanel usernames and prepared that script so fast, in under 10 minutes. There were more folders in /home and he scripted just the usernames, so an ls -lh was not the way he got these usernames...

    Can an unsafe /tmp partition lead to a root exploit?

    Thanks
    Claudio
     
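Since the post above relies on /scripts/securetmp, a quick way to confirm what it changed is to check whether /tmp is a separate mount carrying the noexec and nosuid options. The script below is an added example, not from the thread or from cPanel: it reads a /proc/mounts-style file and reports the state of /tmp; the three sample mount tables it writes are constructed, and the device name /dev/loop0 in them is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: report whether /tmp is a separate mount
# with the noexec and nosuid options. Input is a /proc/mounts-style file
# (device mountpoint fstype options dump pass); the samples are constructed.

# check_tmp_opts MOUNTS_FILE
#   Prints "ok", "missing: <opts>" or "not a separate mount" for /tmp.
check_tmp_opts() {
    awk '$2 == "/tmp" {
        found = 1
        n = split($4, o, ",")                 # "rw,noexec,nosuid" -> option set
        for (i = 1; i <= n; i++) seen[o[i]] = 1
        miss = ""
        if (!("noexec" in seen)) miss = miss " noexec"
        if (!("nosuid" in seen)) miss = miss " nosuid"
        if (miss == "") print "ok"; else print "missing:" miss
        exit                                  # first /tmp entry decides
    }
    END { if (!found) print "not a separate mount" }' "$1"
}

# write_sample NAME
#   Write a constructed mounts file for one scenario and print its path.
write_sample() {
    f=$(mktemp)
    case "$1" in
        hardened) printf '%s\n' 'rootfs / ext4 rw,relatime 0 0' \
                      '/dev/loop0 /tmp ext3 rw,noexec,nosuid,relatime 0 0' > "$f" ;;
        weak)     printf '%s\n' 'rootfs / ext4 rw,relatime 0 0' \
                      '/dev/loop0 /tmp ext3 rw,relatime 0 0' > "$f" ;;
        none)     printf '%s\n' 'rootfs / ext4 rw,relatime 0 0' > "$f" ;;
    esac
    printf '%s\n' "$f"
}

# Stand-alone run over the three constructed scenarios.
# On a live server: check_tmp_opts /proc/mounts
for s in hardened weak none; do
    f=$(write_sample "$s")
    printf '%-10s %s\n' "$s:" "$(check_tmp_opts "$f")"
    rm -f "$f"
done
```

Note that noexec only blocks direct execution of a file from /tmp; an interpreter can still be handed a script there, so the check confirms the mount hardening is present rather than proving /tmp cannot be abused.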
  3. khorinis

    khorinis Well-Known Member

    Joined:
    Aug 15, 2010
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    The user list is easy to get: you can read the file /etc/passwd with the help of PHP, and all users are in there, but no passwords. Those are stored in /etc/shadow and are not accessible with PHP.
     
  4. claudio
    Thanks for your reply.

    Sure, I know /etc/passwd has all users, but there are more than just cPanel users; there are many other users, and some of them that are not related to cPanel were not targeted.

    I think he used something more sophisticated, like WHM scripts, to reveal all cPanel usernames, separating them from the other users...

    The fact is that he ran many exploits very fast, in under 10 minutes, and I tracked that he had been in the infected source website for more than a month, using strange scripts in PHP and Perl.

    Many of them had a name such as googlea12121212.php with a signature in the code such as:

    <Goog1e_analist_certs>

    There was a reversed base64 string; I decoded it and it was an exploit tool aimed very directly at cPanel systems, including a MySQL dump download and session spoofing... He also killed the /var/log/wtmp process and I needed to reboot in order to get it up again...

    Regards
    Claudio
     
    #4 claudio, Dec 21, 2010
    Last edited: Dec 21, 2010