talking about a hack attempt on my server

[LAZer]

hi , today one of my customers called me regarding a problem that he can't receive emails via his cpanel email account.
i checked the server ip with mxtoolbox , for black lists and other smtp diagnostics and all were fine.
then i restarted exim and cpanel services in that linux . and still i couldn't recieve emails to the address on server .

for example i didnt recieve emails that i send to [email protected] . and checked it from horde or other cpanel webmail programs.

then i checked the quotes and reseted the fix quote and it didnt work too.
at last i checked the exim queue and saw that there are lots of emails from a host that uses wordpress , and the title was strange.

2013-08-11 <= user@server2 U=user P=local S=11029 T="Cron <user@server2> cat /etc/passwd" for [email protected]"


i opened one of them and saw that they somehow accessed the /etc/passwd file.
in the case that , for that wordpress host , there was php safemod and safemod gid active , and so many other php functions were disabled on that host , no cgi enabled , and no shell access is on that account .
clamav and other shell checking scripts didnt find anything in their daily scans.

i checked the recently uploaded files to that user -mtime -90 and didnt find anything special , i checked his tmp directory and server tmp directory but found nothing suspicious.

php mod suphp and disabling some htaccess functions and blocking the usage of customized php.ini files are active on the server and also queries are checked with mod security , and csf is active .
there is so much security active on that cpanel linux that a new installation of wordpress needs some php functions to let wp work for new customers ! so i really dont know how they gained access to bash execution.

i have suspended that account and deleted the mail queue for that gmail account . but i cant block gmail IPs. so how can i find and block that hacker and prevent his further actions ?

this must be a hacking way like this : - Link Removed -

the emails were send every one minute , but i checked the cpanel cron manager , and No Cron Jobs were defined there. it must use the wordpress cron jobs.

 

[quizknows]

To be sure, check crontab as root:

crontab -l -u username

also, check around inside of /var/spool/cron to be sure too.

 

[cPanelMichael]

Hello

Try searching for the cron job in the following directory:

/var/spool/cron/

This directory includes files for the users on your system. Note that simply running the command does not indicate it was able to obtain the actual contents of the /etc/passwd file.

Thank you.

 

[24x7server]

Also check the cron of that user which you are getting in mail logs:

user@server2 = cPaneluser@Serverhostname

2013-08-11 <= user@server2 U=user P=local S=11029 T="Cron <user@server2> cat /etc/passwd" for [email protected]"

 

[LAZer]

there was no cronjobs for that user , not in his cpanel , not in crontab -l -u username , and not in that directory of /var/spool/cron/

also i dont see any cron -c commands.

maybe it was a symlink attack ,
i already had these rules :

<Directory /home2/>
AddHandler cgi-script .php1 .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .php10 .php11 .php12 .php13 .php14 .phtml .c .txt .pl .py .jsp .htm .asp .shtml .sh .cgi
Options -ExecCGI -Indexes
AllowOverride None
</Directory>

and i changed it to :

<Directory />
AddHandler cgi-script .php1 .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .php10 .php11 .php12 .php13 .php14 .phtml .c .txt .pl .py .jsp .htm .asp .shtml .sh .cgi
Options -ExecCGI -Indexes -Includes -IncludesNOEXEC +SymLinksIfOwnerMatch
AllowOverride None
</Directory>

maybe it prevents his further access.

 

[quizknows]

Check in /var/log/cron, perhaps the cron was added and removed before you looked.

grep EDIT /var/log/cron

or

grep username /var/log/cron

 

[LAZer]

yes there are lots of them , ran every 1 minute ! and this is why i saw lots of those emails in exim queue manager ,
if he set the cron for once per day or hourly i couldnt identify his attempt.

Aug 11 04:03:01 server2 crond[18278]: (username) CMD (cat /etc/passwd)
Aug 11 04:04:01 server2 crond[18597]: (username) CMD (cat /etc/passwd)
Aug 11 04:05:01 server2 crond[19074]: (username) CMD (cat /etc/passwd)

 

[quizknows]

/etc/passwd is usually world readable, but functionally it's only going to get them a list of usernames anyway. IMO, just ensure a good CP PW is set (update it) and check the webapp for any recently modified files (I see you already did this); if they have a CMS, change the administrative password(s) and install all updates.

 

[LAZer]

yes i just saw some newly created directories , and i dont know if they are created by wordpress or the attacker .

/home2/username/public_html/wp-content/uploads/2013/01 02 03 04.... 08
and all were empty , the dates were for some month ago , except the 08 which is for 08.05 ( last week )
i think these were created by wp .

anyways thank you ,
i have upgraded php to 5.4 now , and it removed safe_mode , suhossin , magic_quotes , sqlite .
and changed apache allow over ride and options rules .
disabled that host , and deleted the created folders
and changed the passwords .

lets see what happens.