Servers Hacked - Preventing SQL Injection?

jrianto

Active Member
Jun 9, 2008
44
0
56
Hi,
Three of my WHM servers were compromised on Thu-Fri by Sarbot511.

I believe they got in through an application which is open to SQL injection attack. My question is, how did they gain the root password of the server through SQL injection?

I have SuPHP, mod_security, and the CSF firewall installed. All clients are running under their own usernames; if a client's website, say, is open to SQL injection attack, how is it possible for them to gain root access and compromise the whole server?

Any input would be appreciated. I am currently clueless on how to patch the hole. I tried reloading the server and restoring client data back to the server; within a few hours the same server was compromised again, the same way.

Thank you.

Spiral

BANNED
Jun 24, 2005
2,020
8
193
Only broad speculation can be made here without actually examining and deeply analyzing the server, along with your logs and current configuration settings, to be able to say anything specific.

However, based on what you said above, I very strongly recommend a complete review of your servers by an expert, as it is clear that your security is not quite as good as you thought it was. There is also a very likely possibility that your servers may be backdoored or trojaned or have some other currently unknown vulnerability, and you need to find that out as well before you go any further.

The software you mentioned is definitely a start in the right direction, but those items in and of themselves cannot totally protect you (well, nothing can other than unplugging the machine); there is a whole lot you can do above and beyond the things you listed! ;)

It is also critically important that you make sure your server is updated with the latest software revisions, security patches, and most importantly your system kernel, especially since you mentioned "Sarbot511".

EDIT: Probably wouldn't hurt to go ahead and update cPanel while you're at it too! ;)

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,577
51
308
cPanel Access Level
Root Administrator
If you are using Linux, is your kernel fully up-to-date?

brianoz

Well-Known Member
Mar 13, 2004
1,146
6
168
Melbourne, Australia
cPanel Access Level
Root Administrator
I'd spend the money and hire an hour of a server expert's time to find out why it happened. It's not enough to have CSF, SuPHP etc.; you've also got to know how to set them up.

Once someone is in a server as a user, there are a number of local root exploits, and unless your kernel was current, that'd be how they got in.

Since Spiral responded here, and he's well known and trusted, why don't you use him?

konrath

Well-Known Member
May 3, 2005
366
0
166
Brasil
Were all of your users' index pages modified?

Konrath

kbuser

Well-Known Member
Aug 25, 2008
66
2
58
Injecting into sites is like hacking; they get all the data inside, right?
Not really. If a clever person found somewhere on your site where they could inject SQL, especially if they get a response based on this, they could do some damage to your database, assuming you didn't follow the "least privileges" mantra. If you're running SQL on your site as the root/admin SQL user, then you're asking for trouble with unsanitized querying.

This, however, doesn't give them access to your server/file system.
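To make concrete what an "unsanitized query" and the "least privileges" point above look like in practice, here is an added Python example. It is not code from this thread or from cPanel; it uses an in-memory SQLite database as a constructed stand-in for a site's MySQL tables, and the table names, column names and payloads are all assumptions made for the demonstration. A login check that builds its SQL by string formatting sits beside one that uses placeholders, and two classic payloads are run through both. How far such an injection reaches past the database is decided by the privileges of the account the application connects with: in MySQL an account holding the FILE privilege can read and write host files through LOAD_FILE() and SELECT ... INTO OUTFILE, which is the concrete reason not to connect as root.

```python
import sqlite3


def make_db():
    """Constructed sample database: an in-memory SQLite stand-in for a client's
    MySQL tables (not a real cPanel/MySQL instance; the injection mechanics match)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users (name, password) VALUES ('admin', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE config (k TEXT, v TEXT);
        INSERT INTO config VALUES ('backup_pass', 'xyzzy');
    """)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting: attacker text becomes SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so a quote or comment marker in the input stays plain data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Constructed payloads for the `name` field of the login form.
BYPASS = "admin' -- "                        # comments out the password check
DUMP = "x' UNION SELECT v FROM config -- "   # pulls another table through the form


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS, "wrong"))   # ['admin']
    print("vulnerable, dump   :", login_vulnerable(db, DUMP, "wrong"))     # ['xyzzy']
    print("safe, bypass       :", login_safe(db, BYPASS, "wrong"))         # []
    print("safe, dump         :", login_safe(db, DUMP, "wrong"))           # []
```

The second payload is the one that matters for this thread: the form only ever meant to return a username, but because the account can read every table the application's account can see, the attacker reads whatever else lives in that database. Restricting the application's MySQL account to the tables it needs, with no FILE or administrative privileges, limits what a successful injection can reach; it does not fix the injection itself, which only the placeholder version does.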

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
Why not ask cPanel staff to have a look into it, if your license is eligible for support?

This could not only let you know the details but could also help them identify if there's any security hole which can be patched, and this activity would certainly help other users too.

Just my 2 cents.

oshs

Well-Known Member
PartnerNOC
Sep 5, 2004
146
0
166
Hi,

Did you get to the bottom of how your servers were hacked by Sarbot511?

We're seeing this on a few client servers.

Regards,
Suhail.

anushkumar

Well-Known Member
May 14, 2005
57
1
158
cPanel Access Level
Root Administrator
Spiral is absolutely right. Nobody here could help unless they get to see the damage. You might want to consult an expert. 99% of SQL injections don't result in root compromise. How did you know it was a root compromise in the first place?

ModServ

Well-Known Member
Oct 17, 2006
332
5
168
Egypt
cPanel Access Level
Root Administrator
Hello,

You can gain root access from SQL injection by finding the infected table, then executing commands like viewing /etc/mysql. You can also execute an upload-center code that's encrypted inside /tmp/, then open it in Explorer and upload a shell script. After that you can run commands, like compiling: the hacker can get a local root exploit, compile it, then execute it, then make a back connection to your server and get root access. Done :)

I think that this can be solved by:
In php.ini, turn on magic_quotes_gpc.
Execute this:
/scripts/compilers off
and
chmod 700 /usr/bin/lsattr; chmod 700 /usr/bin/find; chmod 700 /usr/bin/lastlog; chmod 700 /usr/bin/w; chmod 700 /usr/bin/which; chmod 700 /usr/bin/locate; chmod 700 /usr/bin/gcc
Also you can restrict the modification of php.ini by using suPHP: edit its config file located at /opt/suphp/etc/suphp.conf, and in it:

;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/
uncomment all of them. Then you should tighten your security in php.ini and my.cnf, and also httpd.conf. After that you will have a secure system.

Hope that helps you.

rpmws

Well-Known Member
Aug 14, 2001
1,822
8
318
back woods of NC, USA
I have complete details, scripts used, and methods of this. PM me for details.

And it's NOT a cPanel exploit.

rpmws

Well-Known Member
Aug 14, 2001
1,822
8
318
back woods of NC, USA
I was helping Paul look at this; at least in his specific case it was completely related to both cPanel and Linux.
I want to make it clear, this isn't a cPanel exploit or a flaw in cPanel or cPanel boxes. In fact, you could remove PHP and MySQL and it wouldn't stop this. For those that think you have cleaned up from backups: check for SSH keys you didn't install :)
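The closing advice above, "check for SSH keys you didn't install", can be scripted so it is run on every restored box rather than eyeballed. The following is an added Python example (mine, not code from this thread or from cPanel). It parses authorized_keys lines in the format OpenSSH accepts, including the optional leading options field where forced commands such as command="/bin/sh" tend to hide, computes each key's SHA256 fingerprint in the form ssh-keygen -lf prints, and reports every key whose fingerprint is not on an allowlist you maintain. The allowlist, the sample file and the key blobs are constructed for the demonstration (the blobs have the ssh-ed25519 wire shape but are not real keys); audit_host() walks /root and /home on a live machine and skips files that do not exist.

```python
import base64
import hashlib
import os
import re
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it: SHA256:<base64, no padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Key type token, base64 blob, optional comment. Anything before the type is options.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text):
    """Yield (options, keytype, b64, comment) per key line; blank and # lines skipped.
    Lines that match no known key type are yielded with keytype 'unparseable'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            yield ("", "unparseable", "", line)
            continue
        yield (line[: m.start()].strip(), m.group(1), m.group(2), (m.group(3) or "").strip())


def unknown_keys(text, allowed):
    """Return a finding dict for every key whose fingerprint is not in `allowed`
    (a set of 'SHA256:...' strings) and for every line that could not be parsed."""
    findings = []
    for options, keytype, b64, comment in parse_authorized_keys(text):
        fp = None
        if keytype != "unparseable":
            try:
                fp = fingerprint(base64.b64decode(b64, validate=True))
            except ValueError:          # binascii.Error is a ValueError
                keytype = "unparseable"
        if fp is None or fp not in allowed:
            findings.append({"fingerprint": fp, "type": keytype,
                             "comment": comment, "options": options})
    return findings


def audit_host(allowed, homes=("/root",), home_root="/home"):
    """Check the usual authorized_keys locations; missing files are skipped, so this
    runs harmlessly anywhere. Returns {path: findings} for files that exist."""
    paths = [os.path.join(h, ".ssh", "authorized_keys") for h in homes]
    if os.path.isdir(home_root):
        paths += [os.path.join(home_root, d, ".ssh", "authorized_keys")
                  for d in sorted(os.listdir(home_root))]
    report = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as f:
                report[p] = unknown_keys(f.read(), allowed)
    return report


# Constructed sample data: NOT real keys, just blobs with the ssh-ed25519 wire
# shape (type string + 32 bytes) so parsing and fingerprinting run end to end.
def fake_ed25519_blob(label):
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(label.encode()).digest())


ADMIN_BLOB = fake_ed25519_blob("admin laptop")
PLANTED_BLOB = fake_ed25519_blob("planted")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# root keys, maintained by the hosting admin",
    "ssh-ed25519 " + base64.b64encode(ADMIN_BLOB).decode() + " admin@laptop",
    "",
    # A key nobody remembers installing, behind options that make it easy to skim past.
    'no-pty,command="/bin/sh" ssh-ed25519 ' + base64.b64encode(PLANTED_BLOB).decode() + " backup",
])

if __name__ == "__main__":
    for finding in unknown_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ADMIN_BLOB)}):
        print("unknown key:", finding)
    for path, findings in audit_host({fingerprint(ADMIN_BLOB)}).items():
        print(path, findings)
```

Build the allowlist from `ssh-keygen -lf` output of the keys you issued, run the script as root, and treat anything it reports as suspect until you know who put it there. A restore taken from a backup made after the first break-in carries the planted key straight back onto the box, which is one way a server ends up "compromised again, the same way" within hours of a reload.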