The Community Forums


talking about a hack attempt on my server

Discussion in 'Security' started by LAZer, Aug 12, 2013.

  1. LAZer (Well-Known Member)
    Hi, today one of my customers called me regarding a problem: he can't receive emails via his cPanel email account.
    I checked the server IP with MXToolbox for blacklists and other SMTP diagnostics, and all were fine.
    Then I restarted the Exim and cPanel services on that Linux server, and I still couldn't receive emails to the address on the server.

    For example, I didn't receive emails that I sent to info@userdomain.com, and I checked it from Horde and other cPanel webmail programs.

    Then I checked the quotas and reset the fix quota, and that didn't work either.
    At last I checked the Exim queue and saw that there were lots of emails from a host that uses WordPress, and the title was strange:

    2013-08-11 <= user@server2 U=user P=local S=11029 T="Cron <user@server2> cat /etc/passwd" for a_hacker@gmail.com"


    I opened one of them and saw that they had somehow accessed the /etc/passwd file.
    In this case, for that WordPress host, PHP safe_mode and safe_mode_gid were active, many other PHP functions were disabled on that host, no CGI was enabled, and there is no shell access on that account.
    ClamAV and other shell-checking scripts didn't find anything in their daily scans.

    I checked the recently uploaded files for that user (-mtime -90) and didn't find anything special; I checked his tmp directory and the server tmp directory but found nothing suspicious.

    PHP is running under suPHP, some .htaccess functions are disabled, the use of customized php.ini files is blocked on the server, queries are checked with mod_security, and CSF is active.
    There is so much security active on that cPanel Linux server that a new installation of WordPress needs some PHP functions enabled to let WP work for new customers! So I really don't know how they gained access to bash execution.

    I have suspended that account and deleted the mail queue for that Gmail account, but I can't block Gmail IPs. So how can I find and block that hacker and prevent his further actions?

    This must be a hacking method like this one: - Link Removed -

    The emails were sent every minute, but I checked the cPanel cron manager, and no cron jobs were defined there. It must use the WordPress cron jobs.
     
    #1 LAZer, Aug 12, 2013
    Last edited by a moderator: Aug 12, 2013
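As an added example, not part of the post above or of cPanel's own tooling: a Python triage of Exim mainlog "<=" (message received) entries that counts locally injected cron-generated mail per user, command and external recipient, so a one-a-minute burst like the one quoted stands out. The sample log, the hostname server2 and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed example, not from the thread: triage Exim mainlog "<=" (message
# received) entries for bursts of cron-generated mail. The regex accepts the real
# mainlog shape (timestamp, message id) and the shortened form quoted above.
# Remote deliveries carry no U= field and fail to match, so only locally
# injected mail is counted.
RECEIVED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2}:\d{2})?(?: \S+)? <= (?P<sender>\S+) '
    r'.*?U=(?P<user>\S+) .*?P=(?P<proto>\S+) .*?T="(?P<subject>[^"]*)"'
    r'(?: for (?P<rcpt>[^\s"]+))?'
)
# crond sets the subject to: Cron <user@host> <command line>
CRON_SUBJECT_RE = re.compile(r'^Cron <(?P<who>[^>]+)> (?P<cmd>.*)$')

def parse_received(line):
    """Return the fields of one '<=' entry, or None for any other line."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None

def cron_mail_bursts(lines, local_host, threshold=3):
    """Count P=local cron mail per (user, command, recipient); return groups
    seen at least `threshold` times, largest first. Mail to an address at
    `local_host` (e.g. root@host) is routine and ignored."""
    counts = Counter()
    for line in lines:
        entry = parse_received(line)
        if not entry or entry["proto"] != "local":
            continue
        cron = CRON_SUBJECT_RE.match(entry["subject"])
        if not cron:
            continue
        rcpt = entry["rcpt"] or ""
        if rcpt.endswith("@" + local_host):
            continue
        counts[(entry["user"], cron["cmd"], rcpt)] += 1
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

# Constructed sample, modelled on the entry quoted in the thread.
SAMPLE_LOG = """\
2013-08-11 04:03:01 1V8aaa-0001aa-Aa <= user@server2 U=user P=local S=11029 T="Cron <user@server2> cat /etc/passwd" for a_hacker@gmail.com
2013-08-11 04:04:01 1V8aab-0001ab-Ab <= user@server2 U=user P=local S=11029 T="Cron <user@server2> cat /etc/passwd" for a_hacker@gmail.com
2013-08-11 04:05:01 1V8aac-0001ac-Ac <= user@server2 U=user P=local S=11029 T="Cron <user@server2> cat /etc/passwd" for a_hacker@gmail.com
2013-08-11 04:05:02 1V8aad-0001ad-Ad <= root@server2 U=root P=local S=812 T="Cron <root@server2> /usr/local/cpanel/scripts/upcp" for root@server2
2013-08-11 04:06:10 1V8aae-0001ae-Ae <= customer@example.com H=mail.example.com [192.0.2.10] P=esmtp S=2048 T="Invoice" for info@userdomain.com
""".splitlines()

if __name__ == "__main__":
    for (user, cmd, rcpt), n in cron_mail_bursts(SAMPLE_LOG, "server2"):
        print(f"{n}x  user={user}  to={rcpt}  cmd={cmd}")
```

On a live server the same functions can be fed `/var/log/exim_mainlog` line by line; the root job and the inbound SMTP message in the sample show the two cases that are deliberately not counted.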
  2. quizknows (Well-Known Member)
    To be sure, check crontab as root:

    crontab -l -u username

    Also, check around inside /var/spool/cron to be sure.
     
  3. cPanelMichael (Forums Analyst, Staff Member)
    Hello :)

    Try searching for the cron job in the following directory:

    Code:
    /var/spool/cron/
    This directory includes files for the users on your system. Note that simply running the command does not indicate it was able to obtain the actual contents of the /etc/passwd file.

    Thank you.
     
  4. 24x7server (Well-Known Member)
    Also check the cron of the user you are seeing in the mail logs:

    user@server2 = cPaneluser@Serverhostname

     
  5. LAZer (Well-Known Member)
    There were no cron jobs for that user: not in his cPanel, not in crontab -l -u username, and not in the /var/spool/cron/ directory.

    Also, I don't see any cron -c commands.

    Maybe it was a symlink attack.
    I already had these rules:
    and I changed them to:
    Maybe it prevents his further access.
     
  6. quizknows (Well-Known Member)
    Check in /var/log/cron, perhaps the cron was added and removed before you looked.

    grep EDIT /var/log/cron

    or

    grep username /var/log/cron
     
  7. LAZer (Well-Known Member)
    Yes, there are lots of them, run every minute! And this is why I saw lots of those emails in the Exim queue manager;
    if he had set the cron to once per day or hourly, I couldn't have identified his attempt.

    Aug 11 04:03:01 server2 crond[18278]: (username) CMD (cat /etc/passwd)
    Aug 11 04:04:01 server2 crond[18597]: (username) CMD (cat /etc/passwd)
    Aug 11 04:05:01 server2 crond[19074]: (username) CMD (cat /etc/passwd)
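The /var/log/cron check suggested in the replies above, as an added example that is not from the thread: a Python parser over constructed log lines in the same format as those quoted, which groups CMD runs and crontab(1) REPLACE/DELETE events per user and flags users whose jobs ran although no file for them exists in /var/spool/cron now (the "added and removed before you looked" case). The current spool listing is passed in as a set, an assumption that keeps the example offline.

```python
import re
from collections import Counter, defaultdict
# Constructed example, not from the thread: rebuild per-user cron activity from
# /var/log/cron lines and flag users whose jobs ran but who have no crontab now.
#   job run:     Mon DD HH:MM:SS host crond[pid]: (user) CMD (command)
#   crontab(1):  Mon DD HH:MM:SS host crontab[pid]: (user) REPLACE (user)  (or DELETE, LIST, BEGIN EDIT, END EDIT)
CRON_LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ (?:crond|crontab)\[\d+\]: '
    r'\((?P<user>[^)]+)\) (?P<action>CMD|REPLACE|DELETE|LIST|BEGIN EDIT|END EDIT) '
    r'\((?P<arg>.*)\)$', re.IGNORECASE)

def parse_cron_log(lines):
    """Per user: Counter of executed commands, first/last run timestamp, and
    the crontab(1) actions seen, in log order."""
    users = defaultdict(lambda: {"cmds": Counter(), "first": None, "last": None, "edits": []})
    for line in lines:
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        u = users[m["user"]]
        if m["action"].upper() == "CMD":
            u["cmds"][m["arg"]] += 1
            u["first"] = u["first"] or m["ts"]
            u["last"] = m["ts"]
        else:
            u["edits"].append(m["action"].upper())
    return users

def orphaned_cron_users(users, spool_users):
    """Users whose jobs ran but who have no file in /var/spool/cron now;
    `spool_users` is the current listing of that directory as a set."""
    return sorted(u for u, i in users.items() if i["cmds"] and u not in spool_users)

def busy_commands(users, min_runs=3):
    """(user, command, runs) for every command that ran `min_runs` or more times."""
    return [(u, cmd, n) for u, i in users.items()
            for cmd, n in i["cmds"].most_common() if n >= min_runs]

# Constructed sample: crontab installed, three one-minute runs, crontab removed.
SAMPLE_CRON_LOG = """\
Aug 11 04:02:40 server2 crontab[18201]: (username) REPLACE (username)
Aug 11 04:03:01 server2 crond[18278]: (username) CMD (cat /etc/passwd)
Aug 11 04:04:01 server2 crond[18597]: (username) CMD (cat /etc/passwd)
Aug 11 04:05:01 server2 crond[19074]: (username) CMD (cat /etc/passwd)
Aug 11 04:05:30 server2 crontab[19102]: (username) DELETE (username)
Aug 11 04:10:01 server2 crond[19555]: (root) CMD (/usr/local/cpanel/scripts/upcp)
""".splitlines()

if __name__ == "__main__":
    users = parse_cron_log(SAMPLE_CRON_LOG)
    print("ran but no crontab now:", orphaned_cron_users(users, spool_users={"root"}))
    print("frequent commands:", busy_commands(users))
```

On a real server, `spool_users` would be `set(os.listdir("/var/spool/cron"))` and the lines would come from `/var/log/cron`; the REPLACE followed by DELETE in the per-user `edits` list is the record of a crontab that was installed and later removed.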
     
  8. quizknows (Well-Known Member)
    /etc/passwd is usually world readable, but functionally it's only going to get them a list of usernames anyway. IMO, just ensure a good CP PW is set (update it) and check the webapp for any recently modified files (I see you already did this); if they have a CMS, change the administrative password(s) and install all updates.
     
  9. LAZer (Well-Known Member)
    Yes, I just saw some newly created directories, and I don't know if they were created by WordPress or by the attacker.

    /home2/username/public_html/wp-content/uploads/2013/01 02 03 04.... 08
    They were all empty; the dates were from some months ago, except 08, which is from 08.05 (last week).
    I think these were created by WP.

    Anyway, thank you.
    I have upgraded PHP to 5.4 now, and that removed safe_mode, Suhosin, magic_quotes and SQLite.
    And changed the Apache AllowOverride and Options rules.
    Disabled that host and deleted the created folders,
    and changed the passwords.

    Let's see what happens.
     