The Community Forums

Interact with an entire community of cPanel & WHM users!

static html site defaced

Discussion in 'General Discussion' started by 4u123, Aug 27, 2008.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    Hi, I've been dealing with an issue today where the index.htm was changed by a third party on the main domain and addon domains on an account. There is no PHP, it's all standard HTML - some JavaScript.

    The original pages appear to have been written in FrontPage and simply uploaded to the site - FrontPage is not installed.

    The cgi-bin contains...

    randhtml.cgi
    entropybanner.cgi
    cgiemail
    cgiecho

    Have any of these scripts been found to be vulnerable? Unfortunately the logs don't show anything unusual.
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    I would check the password of the account, or the password of the account at the time that it was hacked.

    Do the FTP logs show someone logging into the account and uploading the new files?

    Was the password a strong and secure password? If not, then that might be your problem.

    If it was, then there is a chance that the end-user's computer may be infected with a virus or trojan that is sending the account's password to the hacker.
     
  3. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    Just got more info from the customer - he says a similar thing happened back in April and he just re-uploaded all the files without contacting us about it.
    Now, unsurprisingly, it's happened again.

    It has to be something in their web space because it looks like the index page of any folder under public_html has been edited (I've seen this happen with compromised PHP scripts before) to include nothing but a small amount of JavaScript that doesn't actually work. No scripts or other files have been uploaded. They definitely didn't get in via FTP. Unfortunately the domlogs don't show anything useful. Looks like the work of a bot visiting the site and trying out various exploits because there's plenty of attempts on /advancedguestbook/index.php which doesn't exist.

    I've just had a good look through and all I can see that might have been used to do this is a folder containing a DHTML menu system that has a couple of big JavaScript files. Thought I'd got lucky when I found a PHP form-to-mail script in one of the folders but it's a reputable one which is not vulnerable. Other than that there are no other PHP files.

    I'll just have to keep an eye on it and if it happens again I'll jump on the domlogs a bit quicker. I was a bit late this time.
     
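Added example (not from the thread, and not cPanel's own tooling): a small Python script for the two checks discussed above. It flags a `<script>` element that recurs across many index pages under public_html (the pattern described in the last post) and pulls out client IPs whose domlog entries are repeated 404 probes such as the /advancedguestbook/index.php hits. The page contents, the injected snippet and the log lines are constructed sample data; the log format assumed is Apache's combined format.

```python
import re
from collections import defaultdict

# A whole <script>...</script> element, case-insensitive, may span lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def shared_scripts(pages):
    """pages: {file path: html}. Return {script element: [paths]} for every
    <script> element (whitespace-normalised) found in more than one page.
    A legitimate site rarely repeats an identical inline script in every
    folder's index page, so a hit here is worth a manual look."""
    seen = defaultdict(list)
    for path, html in pages.items():
        for block in {" ".join(m.group(0).split()) for m in SCRIPT_RE.finditer(html)}:
            seen[block].append(path)
    return {s: sorted(p) for s, p in seen.items() if len(p) > 1}

def probing_ips(log_lines, min_hits=3):
    """Count 404 responses per client IP; return {ip: [distinct paths]} for
    IPs with at least min_hits misses, i.e. likely scanners probing for
    applications that are not installed."""
    misses = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "404":
            misses[m["ip"]].append(m["path"])
    return {ip: sorted(set(p)) for ip, p in misses.items() if len(p) >= min_hits}

# Constructed sample data: a stand-in for the injected snippet and three index pages.
INJECTED = '<script>document.write("x")</script>'
PAGES = {
    "public_html/index.htm": "<html><body>Home" + INJECTED + "</body></html>",
    "public_html/about/index.htm": "<html><body>About\n" + INJECTED + "\n</body></html>",
    "public_html/menu/index.htm": '<html><body><script src="menu.js"></script>Menu</body></html>',
}
# Constructed domlog lines: one client probing paths that do not exist, one normal visitor.
LOG = [
    '203.0.113.5 - - [27/Aug/2008:10:01:02 +0000] "GET /advancedguestbook/index.php HTTP/1.1" 404 512 "-" "Mozilla"',
    '203.0.113.5 - - [27/Aug/2008:10:01:03 +0000] "GET /oldsite/index.php HTTP/1.1" 404 512 "-" "Mozilla"',
    '203.0.113.5 - - [27/Aug/2008:10:01:04 +0000] "GET /test/index.php HTTP/1.1" 404 512 "-" "Mozilla"',
    '198.51.100.7 - - [27/Aug/2008:10:05:00 +0000] "GET /index.htm HTTP/1.1" 200 2048 "-" "Mozilla"',
]

if __name__ == "__main__":
    for script, paths in shared_scripts(PAGES).items():
        print("shared script in", paths, ":", script)
    for ip, paths in probing_ips(LOG).items():
        print("probing client", ip, "tried", paths)
```

On a real account, build `pages` by reading every index.htm/index.html under public_html and feed `probing_ips` the domlog file for the domain; compare the flagged IPs and timestamps with the mtime of the edited pages.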