The Community Forums


shell - cgi - hacked: need advice

Discussion in 'General Discussion' started by rpmws, Mar 2, 2005.

  1. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Hey guys. One of my boxes got bit a few days ago. Lazy client neglected to tell me when they noticed until they needed a restore from backup :(

    The hack came in on a vcart install. Looks like the CatalogMgr.pl script in cgi-bin. The site was defaced, basically. I found no other obvious problems. Normal trip / chkroot show normal. Here is what I found: I was wondering what you guys thought, what this script does as far as you can tell, and the general risk you think I might have. I found this reverse shell script in there also.

    The script is attached as well as the logs. Your input would be greatly appreciated!!
     

    Attached Files:

    #1 rpmws, Mar 2, 2005
    Last edited: Mar 2, 2005
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It opens a shell session on your server for them to connect to. It would run under the username of the cPanel account, being a Perl script (assuming that you have suexec enabled). The port used is configurable by the hacker through the script exploit when they run it up; in other words, it is activated through the vulnerable script. It also reports back to the hacker things like your Linux kernel version, and the output of any individual command that they send through the script. After that, it opens up a port for them to connect to the shell prompt.

    If the rootkit checking scripts run OK, it's most probably limited to that user's account. Obviously, the Perl scripts in the account should be removed or fixed.

    A good set of mod_security filters would help, and an iptables firewall with both ingress and egress filters would mitigate the shell prompt access through an opened port, though the individual command execution would still work, but could be limited with mod_security filters.
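    The ingress/egress split chirpy describes, written out as an added example (this is not from the thread, not cPanel's installer and not chirpy's own rules). It assumes a box where SSH is on 22, the web server runs as "nobody" and suexec runs CGI as the account user; "hackedacct" is a placeholder account name. Default-deny INPUT means a shell bound to an extra port is unreachable from outside, and the owner match on OUTPUT stops web-spawned processes from opening new outbound connections while still letting them answer clients. The rules are only printed unless you pass --apply, so they can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumptions (constructed): SSH on 22,
# web on 80/443, web server user "nobody", CGI running as the account user via
# suexec; "hackedacct" stands in for the real cPanel account name.

# ingress_rules PORT...: default-deny INPUT that still answers existing
# connections and the listed service ports. A shell listening on any other
# port is unreachable because only the listed ports accept NEW connections.
ingress_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for port in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$port"
    done
}

# egress_rules USER...: drop new outbound TCP connections (SYN packets) started
# by the given users. The owner match only exists on the OUTPUT chain, which is
# why ingress has to be handled by port instead. Each attempt is logged, rate
# limited, so a CGI trying to call out shows up in the kernel log.
egress_rules() {
    for u in "$@"; do
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -p tcp --syn -m limit --limit 6/min -j LOG --log-prefix "egress-%s: "\n' "$u" "$u"
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -p tcp --syn -j DROP\n' "$u"
    done
}

# ruleset: the complete rule list for the assumptions above.
ruleset() {
    ingress_rules 22 80 443
    egress_rules nobody hackedacct
}

if [ "${1:-}" = "--apply" ]; then
    ruleset | sh -x      # run every printed command (needs root)
else
    ruleset              # dry run: print the rules for review
fi
```

    Order matters: the ESTABLISHED,RELATED rule keeps your own SSH session alive while the policy flips to DROP, so keep it near the top if you adapt this. Replies to clients are not affected by the egress rules because they are not SYN packets.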
     
  3. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Thanks Chirpy!!! I've been testing the thing a bit with another admin. The logs are what I want to see more of. Having trouble finding much on this. He came in on some Dr. Pepper server. 65.205.78.6.

    mod_security ... straightforward using cPanel's installer? Drawbacks? Load increase?
     
  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Crap!!! Latest version of chkrootkit:

    OooPS!
    chkproc: Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    Checking `sniffer'... /proc/19319/fd: No such file or directory
    eth0: not promisc and no PF_PACKET sockets
    eth0:1: not promisc and no PF_PACKET sockets
    eth0:2: not promisc and no PF_PACKET sockets
    eth0:3: not promisc and no PF_PACKET sockets
    eth0:4: not promisc and no PF_PACKET sockets
    eth0:5: not promisc and no PF_PACKET sockets
    eth0:6: not promisc and no PF_PACKET sockets
    eth0:7: not promisc and no PF_PACKET sockets
    Checking `w55808'... not infected
    Checking `wted'... chkwtmp: nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... chklastlog: nothing deleted
    Checking `chkutmp'... chkutmp: nothing deleted
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Probably a false positive.

    I'd suggest running the following from within the chkrootkit directory:

    ./chkrootkit -x lkm

    Then check in /proc/<pid>/ for any suspect pids shown and see what they are.
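    What chkproc is actually doing, as an added example that is not from the thread and not chkrootkit's own code: it compares the PIDs that exist in /proc with the PIDs that ps reports, and flags anything present in /proc but missing from ps. A process hidden by a kernel-level rootkit would show up that way, but so does any process that started or exited between the two snapshots, which is where most of the "Possible LKM Trojan" false positives come from. This script takes the snapshots twice and only describes PIDs flagged both times, then prints the /proc details chirpy suggests looking at.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: a by-hand version of the chkproc test.

# pids_only_in_first A B: print every PID in list A that is absent from list B.
# Both arguments are whitespace-separated PID lists; plain POSIX sh, no temp files.
pids_only_in_first() {
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# Snapshot of PIDs from /proc (numeric directory names only).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
    return 0
}

# Snapshot of PIDs from ps; -e and -o pid= are POSIX options, so this does not
# hit the "ps mauxw" problem that broke chkproc on the box in the thread.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# describe_pid PID: what /proc knows about a process that ps did not list.
describe_pid() {
    pid=$1
    printf 'pid %s\n' "$pid"
    printf '  exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    printf '  cmdline: %s\n' "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    printf '  status:  %s\n' "$(grep -E '^(Name|State|PPid|Uid):' "/proc/$pid/status" 2>/dev/null | tr '\n' ' ')"
}

# scan_hidden_pids: snapshot twice, one second apart, and only report PIDs that
# were missing from ps both times. That filters out the start/exit race.
scan_hidden_pids() {
    first=$(pids_only_in_first "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(pids_only_in_first "$(proc_pids)" "$(ps_pids)")
    for p in $first; do
        for q in $second; do
            [ "$p" = "$q" ] && describe_pid "$p"
        done
    done
    return 0
}

# Constructed demo: /proc shows four PIDs, ps reports only three of them.
printf 'constructed demo, in /proc but not in ps: %s\n' "$(pids_only_in_first '1 2 3 4' '1 2 4')"

# Real scan only on request: ./hidden_pids.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_hidden_pids
fi
```

    A PID that survives both rounds still is not proof of a rootkit; check that exe, cmdline and status make sense for something you know is running (kernel threads show an unreadable exe and an empty cmdline, which is normal). A PID that is in /proc, missing from ps twice, and whose status file names a process you cannot account for is the case worth taking seriously.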
     
  6. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###
    ps: error: Thread display not implemented.
    usage: ps -[Unix98 options]
    ps [BSD-style options]
    ps --[GNU-style long options]
    ps --help for a command summary
    OooPS!
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Hmmm, looks like a chkrootkit issue here, but to address that, edit chkproc.c and look for the line:

    "ps mauxw",

    and remove the m:

    "ps auxw",

    Then recompile chkrootkit:

    make clean
    make sense


    Then run it again :)
     
  8. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA

    You were right, man. Thanks for the legwork ... it's a 7.3 box. Now my output looks OK. :)
     