
Suphp / change all 777 / hacked

Discussion in 'Security' started by monitor2000com, Jan 23, 2011.

  1. monitor2000com

    Hello, everyone,

    I have changed the PHP handler from DSO to suPHP, and also used the following command to change all 777 permissions: chmod go-w /home/* -R

    After this change, all e107 CMS websites were hacked; even if we restore the backup, the hacker redoes the hacking. I'll be obliged if you could let me know:

    A) Is there anything wrong with this command which I used to change 777 permissions? chmod go-w /home/* -R

    B) What could be the cause of this problem? Right after the change to suPHP, all e107 websites were confronted with a security issue.

    Thank you
     
  2. JawadArshad

    This is not the best way to go about it. You should not run such commands recursively on home and indiscriminately without detailed knowledge of the commands you are running. Several known vulnerabilities for e107 became public last year that affected almost all releases, and its updates removed the vulnerabilities. It might be related to your issue if you are running older versions of this CMS.
    You can read more about it at this link. The best way would be to approach it systematically: change passwords for affected accounts, go about upgrading all installs and securing accounts further.
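
One systematic alternative to the blanket chmod discussed above, as an added example that is not part of the original posts or of cPanel's tooling: record which files and directories are group- or world-writable, with their current modes, and only then remove those write bits. The function names and the log path are hypothetical, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example: audit first, then change, instead of `chmod go-w /home/* -R`.

# list_writable ROOT
# Print "MODE PATH" for every regular file or directory under ROOT that is
# group- or world-writable. find does not follow symlinks here, whereas chmod
# dereferences a symlink given to it as an argument (as /home/* can expand to).
list_writable() {
    find "$1" -xdev \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) \
        -exec stat -c '%a %n' {} +
}

# strip_go_write ROOT LOGFILE
# Save the audit to LOGFILE (old modes, for review or rollback), then remove
# group/other write from exactly the entries that were listed.
strip_go_write() {
    root=$1
    log=$2
    list_writable "$root" > "$log"
    find "$root" -xdev \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Stand-alone use: sh audit.sh /home/exampleuser   (read-only report)
if [ -d "${1:-}" ]; then
    list_writable "$1"
fi
```

Running the report per account and reading it before calling strip_go_write shows which applications were relying on writable paths.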

     
  3. monitor2000com

    Hello and thanks for the reply,
    I ran the command on a test machine a few hours back;
    the command just changes 007 to 005 anyway.

    A) I ran the command on 18th Jan; in case it can be harmful, we have to restore the 16th Jan backup.

    B) We migrated all e107 sites somewhere else, to another company where it is secure, but got the same issue there.

    Note: we sent old backups to the new company (old means from before running the chmod command).

    C) We can't check the e107 version; is there any way to check the version without logging in to the site?

    D) Since we sent the e107 sites to another location, the other websites are working properly without any issue. Shall I re-install the OS? I'm afraid because of the following report from /rkhunter (started since 24th Dec):

    You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    The tty of the following user process(es) were not found
    in /var/run/utmp !
    ! RUID PID TTY CMD
    ! root 1621 tty8 /bin/bash
    ! root 10961 pts/1 bash -rcfile .bashrc
     
  4. JawadArshad

    LKM can be a false alert. You need to get a system admin to check your server for any infections. For E107, you are likely to get more help on their official forums at this link.
     