The Community Forums


Servers Hacked - Preventing SQL Inject?

Discussion in 'Security' started by jrianto, Sep 26, 2009.

  1. jrianto

    jrianto Active Member

    Joined:
    Jun 9, 2008
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Hi,
    Three of my WHM servers were compromised on Thu-Fri by Sarbot511.

    I believe they got in through an application which is open to SQL injection attack. My question is, how did they gain the root password of the server through SQL injection?

    I have suPHP, mod_security, and the CSF firewall installed. All clients are running under their own username; if a client's website, say, is open to SQL injection attack, how is it possible for them to gain root access and compromise the whole server?

    Any input would be appreciated. I am currently clueless on how to patch the hole. I tried reloading the server and restoring client data back to the server; within a few hours the same server was compromised again, the same way.

    Thank you.
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Only broad speculations could be made here without actually examining and deeply analyzing the server along with your logs and current configuration settings to be able to say anything specific.

    However, based on what you did just say above, I very strongly recommend a complete review of your servers by an expert, as it is clear that your security is not quite as good as you thought it was, and there is also a very likely possibility that your servers may be backdoored or trojaned or have some other currently unknown vulnerability, and you need to find that out as well before you go any further.

    The software you mentioned is definitely a start in the right direction, but those items in and of themselves cannot totally protect you (well, nothing can other than unplugging the machine); there is a whole lot you can do above and beyond those things you listed! ;)

    It is also critically important that you make sure your server is updated with the latest software revisions, security patches, and most importantly your system kernel especially since you mentioned "Sarbot511".

    EDIT: Probably wouldn't hurt to go ahead and update cPanel while you're at it too! ;)
     
    #2 Spiral, Sep 27, 2009
    Last edited: Sep 29, 2009
  3. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    If you are using Linux, is your kernel fully up-to-date?
     
  4. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I'd spend the money and hire an hour of a server expert's time to find out why it happened. It's not enough to have CSF, SuPHP etc, you've also got to know how to set them up.

    Once someone is in a server as a user, there are a number of local root exploits, and unless your kernel was current, that'd be how they got in.

    Since Spiral responded here, he's well known and trusted, why don't you use him?
     
  5. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    Were all of your users' index pages modified?

    Konrath
     
  6. bou3lam

    bou3lam Active Member

    Joined:
    Sep 29, 2009
    Messages:
    36
    Likes Received:
    1
    Trophy Points:
    8
    What kind of open source software are you using?
     
  7. marksentence

    marksentence Registered

    Joined:
    Oct 2, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Injecting into sites is like hacking; they get all the data inside, right?
     
  8. kbuser

    kbuser Well-Known Member

    Joined:
    Aug 25, 2008
    Messages:
    66
    Likes Received:
    1
    Trophy Points:
    8
    Not really. If a clever person found somewhere on your site they could inject sql, especially if they get a response based on this, they could do some damage to your database assuming you didn't follow the "least privileges" mantra. If you're running SQL on your site as root/admin SQL user then you're asking for trouble with unsanitized querying.

    This, however, doesn't give them access to your server/file system.
     
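As an added example (not code from the thread), here is the query pattern kbuser is warning about, written in Python with an in-memory SQLite table standing in for the site's MySQL database: the string-concatenated login check falls to both a tautology and a UNION that pulls the admin password out, while the parameterized version returns nothing for the same input. The `risky_grants()` check at the end parses constructed `SHOW GRANTS` lines for the account a site uses and flags the over-privileged grants (`*.*` scope, `FILE`, `ALL PRIVILEGES`) that turn an injection into filesystem access. The table, rows and account names are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a client's MySQL schema (example
    data only). Real applications store password hashes, not plaintext; the
    point here is the query, not the storage."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           password TEXT, role TEXT);
        INSERT INTO users(username, password, role) VALUES
            ('admin', 'S3cretAdminPw', 'admin'),
            ('alice', 'alicepw', 'user');
    """)
    return con


def login_vulnerable(con, username, password):
    """The pattern the thread is about: user input is concatenated straight
    into the SQL text, so a quote in the input becomes SQL syntax."""
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Hardened form: placeholders keep the input as data, so the same
    payloads simply fail to match any row."""
    row = con.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed SHOW GRANTS output for hypothetical per-site MySQL accounts.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO 'shop'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop_db`.* TO 'shop'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'blog'@'localhost' WITH GRANT OPTION
GRANT FILE ON *.* TO 'forum'@'localhost'
"""

_GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>\S+)")
_RISKY_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "CREATE USER", "SHUTDOWN"}


def risky_grants(show_grants_output):
    """Flag accounts whose grants give an injection more than the app needs:
    server-wide scope (*.*), or privileges such as FILE that let LOAD_FILE()
    and INTO OUTFILE reach the filesystem. 'USAGE ON *.*' is MySQL's
    'no privileges' line and is ignored."""
    findings = []
    for line in show_grants_output.splitlines():
        m = _GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs == {"USAGE"}:
            continue
        reasons = sorted(privs & _RISKY_PRIVS)
        if m.group("scope") == "*.*":
            reasons.append("scope *.*")
        if "WITH GRANT OPTION" in line.upper():
            reasons.append("GRANT OPTION")
        if reasons:
            findings.append((m.group("who"), reasons))
    return findings


if __name__ == "__main__":
    con = make_db()
    bypass = "' OR '1'='1"
    exfil = "' UNION SELECT password FROM users WHERE username='admin' -- "
    print("vulnerable, tautology :", login_vulnerable(con, "admin", bypass))
    print("vulnerable, union     :", login_vulnerable(con, exfil, "x"))
    print("parameterized         :", login_parameterized(con, "admin", bypass))
    for who, reasons in risky_grants(SAMPLE_GRANTS):
        print("over-privileged:", who, reasons)
```

On a cPanel box the account to feed `risky_grants()` is the one in the site's own config file (the database credentials the PHP application connects with); run `SHOW GRANTS FOR 'user'@'localhost'` as root and paste the output. A site account that only needs `SELECT, INSERT, UPDATE, DELETE` on its own schema cannot be used to read `/etc/passwd` or drop a file in `/tmp` even when the query is injectable.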
  9. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Why not ask cPanel staff to have a look into it, if your license is eligible for support?

    This could not only let you know the details but could also help them identify if there are any security holes which can be patched, and this would certainly help other users too.

    Just my 2 cents.
     
  10. oshs

    oshs Well-Known Member
    PartnerNOC

    Joined:
    Sep 5, 2004
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    Did you get to the bottom of how your servers were hacked by Sarbot511?

    We're seeing this on a few client servers.

    Regards,
    Suhail.
     
  11. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    If anyone can post some URLs of the hack attempts, we could come up with some mod_security code to filter them...
     
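Since no URLs were posted in the thread, here is an added example (not from the thread, and not a mod_security rule) of the detection side of what brianoz suggests: a Python scanner that URL-decodes the request target of each Apache access-log line and matches the injection signatures ModServ describes further down (UNION SELECT, LOAD_FILE(), INTO OUTFILE), plus quote-and-tautology and time-based probes. The log lines, addresses and paths are constructed; the domlog location in the comment is the usual cPanel one and an assumption for any particular box.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines standing in for a cPanel domain
# log (typically under /usr/local/apache/domlogs/); not traffic from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2009:03:14:07 +0000] "GET /shop/item.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2009:03:14:09 +0000] "GET /shop/item.php?id=42%27%20UNION%20SELECT%201,LOAD_FILE(%27/etc/passwd%27),3--%20 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2009:03:14:11 +0000] "GET /shop/item.php?id=1%20union%20select%200x3c3f706870,2,3%20into%20outfile%20%27/tmp/up.php%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.2 - - [26/Sep/2009:03:15:00 +0000] "GET /blog/?s=union+workers+select+committee HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature is applied to the URL-decoded request target so that
# %27/%20 encoding and '+' do not hide the payload from the regex.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("load_file",    re.compile(r"\bload_file\s*\(", re.I)),
    ("into-outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("tautology",    re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("time-based",   re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]


def scan_log(text):
    """Return one finding per request whose decoded target matches at least
    one signature: a dict with ip, status, decoded target and signature names.
    Requiring SELECT to follow UNION directly keeps ordinary search terms
    such as 'union workers select committee' from matching."""
    findings = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))
        hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
        if hits:
            findings.append({"ip": m.group("ip"), "status": m.group("status"),
                             "target": decoded, "signatures": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["signatures"], f["target"])
```

When reading real domlogs, pay attention to the status column: a `200` on a request carrying `LOAD_FILE()` or `INTO OUTFILE` means the application answered the query rather than rejecting it, which is the point at which the client account, not just the database, should be assumed compromised.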
  12. anushkumar

    anushkumar Well-Known Member

    Joined:
    May 14, 2005
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    6
    Spiral is absolutely right. Nobody here could help unless they get to see the damage. You might want to consult an expert. 99% of SQL injections don't result in root compromise. How did you know it was a root compromise in the first place?
     
  13. ModServ

    ModServ Well-Known Member

    Joined:
    Oct 17, 2006
    Messages:
    332
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Hello,

    You can gain root access from SQL injection by finding the infected table, then executing commands like viewing /etc/mysql. You can also execute an upload center code that's encrypted inside /tmp/, then open it in explorer and upload a shell script. After that you can run commands, like compiling: the hacker can get a local root exploit, compile it, then execute it, then make a back connection to your server and get root access. Done :)

    I think that this can be solved by:
    in php.ini, turn on magic_quotes_gpc.
    execute this
    and
    Also you can restrict the modification of php.ini by using suPHP, then edit its config file, located in /opt/suphp/etc/suphp.conf, and from it:

    Uncomment all of them. Then you should tighten your security from php.ini and my.cnf, also httpd.conf. After that you will have a secure system.

    Hope that help you.
     
  14. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I have complete details, scripts used, and methods of this. PM me for details.

    and it's NOT a cPanel exploit.
     
  15. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    I was helping Paul look at this, at least in his specific case it was completely *un*related to both cPanel and linux.
     
    #15 eth00, Mar 6, 2010
    Last edited: Mar 6, 2010
  16. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I want to make it clear, this isn't a cPanel exploit or a flaw in cPanel or cPanel boxes. In fact, you could remove PHP and MySQL and it wouldn't stop this. For those that think you have cleaned up from backups: check for SSH keys you didn't install :)
     
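An added example (not from the thread) of the check rpmws recommends, in Python: walk /root/.ssh and every /home/<user>/.ssh on a cPanel box, parse authorized_keys and the legacy authorized_keys2 (including lines that carry options such as command="..."), and report any key whose blob is not on an allowlist of keys you deployed yourself. The allowlist, the sample filesystem tree built in a temporary directory, the usernames and the key blobs are all constructed for the example; on a real server you would call `audit_keys("/")` as root with your own allowlist.

```python
import os
import re
import tempfile

# Constructed allowlist: the public-key blobs the administrator knowingly
# deployed. On a real server, build this from the key files you control.
KNOWN_BLOBS = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIAdminLaptopKey0000000000000000000000000000",
    "AAAAC3NzaC1lZDI1NTE5AAAAIAliceWorkstation00000000000000000000000000",
}

# authorized_keys line: [options] keytype blob [comment]. Options may contain
# quoted spaces (command="..."), so anchor on the key type instead of
# splitting on whitespace. A quoted command that itself contains a key-type
# string would confuse this regex; such lines are worth a manual look anyway.
_KEY_RE = re.compile(
    r'^(?:(?P<options>\S.*?)\s+)?'
    r'(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)


def parse_authorized_keys(text):
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if m:
            keys.append(m.groupdict())
    return keys


def authorized_key_files(root):
    """cPanel layout: /root/.ssh and /home/<user>/.ssh. sshd honours both
    authorized_keys and authorized_keys2 by default."""
    homes = [("root", os.path.join(root, "root"))]
    home_dir = os.path.join(root, "home")
    if os.path.isdir(home_dir):
        for user in sorted(os.listdir(home_dir)):
            homes.append((user, os.path.join(home_dir, user)))
    for user, home in homes:
        for name in ("authorized_keys", "authorized_keys2"):
            path = os.path.join(home, ".ssh", name)
            if os.path.isfile(path):
                yield user, path


def audit_keys(root, known=KNOWN_BLOBS):
    """Report every key whose blob is not on the allowlist. A planted key
    survives a restore from backups if the backup already contained it."""
    findings = []
    for user, path in authorized_key_files(root):
        with open(path, encoding="utf-8") as fh:
            for key in parse_authorized_keys(fh.read()):
                if key["blob"] not in known:
                    findings.append({"user": user, "path": path,
                                     "type": key["type"],
                                     "options": key["options"],
                                     "comment": key["comment"]})
    return findings


def build_sample_tree():
    """Constructed filesystem image (not from the thread): one planted key
    for root and one option-restricted key in bob's authorized_keys2."""
    root = tempfile.mkdtemp(prefix="cpanel-audit-")
    files = {
        "root/.ssh/authorized_keys":
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminLaptopKey0000000000000000000000000000 admin@laptop\n"
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlantedKey000000000000000000000000000 unknown\n",
        "home/alice/.ssh/authorized_keys":
            "# alice's workstation\n"
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAliceWorkstation00000000000000000000000000 alice@ws\n",
        "home/bob/.ssh/authorized_keys2":
            'command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQBackdoor0000000000000000000000000000\n',
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in audit_keys(build_sample_tree()):
        print("unexpected key:", f["user"], f["path"], f["type"], f["options"], f["comment"])
```

Reading other users' `.ssh` directories requires root, and sshd only honours files under the path named by `AuthorizedKeysFile` in sshd_config, so check that directive too: an attacker who can edit sshd_config can point it somewhere this walk never visits.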