talking about a hack attempt on my server

LAZer

Well-Known Member
Jan 18, 2010
at net :D
Hi, today one of my customers called me regarding a problem: he can't receive emails via his cPanel email account.
I checked the server IP with mxtoolbox for blacklists and other SMTP diagnostics, and all were fine.
Then I restarted exim and the cPanel services on that Linux server, and I still couldn't receive emails to the address on the server.

For example, I didn't receive emails that I sent to [email protected], and I checked it from Horde and other cPanel webmail programs.

Then I checked the quotas and reset the fix quota, and that didn't work either.
At last I checked the exim queue and saw that there were lots of emails from a host that uses WordPress, and the subject was strange.

Code:
2013-08-11 <= [email protected] U=user P=local S=11029 T="Cron <[email protected]> cat /etc/passwd" for [email protected]"


I opened one of them and saw that they had somehow accessed the /etc/passwd file.
In this case, for that WordPress host, PHP safe_mode and safe_mode_gid were active, many other PHP functions were disabled on that host, no CGI was enabled, and there is no shell access on that account.
ClamAV and other shell-checking scripts didn't find anything in their daily scans.

I checked the recently uploaded files for that user (-mtime -90) and didn't find anything special; I checked his tmp directory and the server tmp directory but found nothing suspicious.

PHP mod_suphp, disabling some .htaccess functions and blocking the usage of customized php.ini files are active on the server; queries are also checked with mod_security, and CSF is active.
There is so much security active on that cPanel Linux server that a new installation of WordPress needs some PHP functions enabled to let WP work for new customers! So I really don't know how they gained access to bash execution.

I have suspended that account and deleted the mail queue for that Gmail account, but I can't block Gmail IPs. So how can I find and block that hacker and prevent his further actions?

This must be a hacking method like this: - Link Removed -

The emails were sent every minute, but I checked the cPanel cron manager, and no cron jobs were defined there. It must use the WordPress cron jobs.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Try searching for the cron job in the following directory:

Code:
/var/spool/cron/
This directory includes files for the users on your system. Note that simply running the command does not indicate it was able to obtain the actual contents of the /etc/passwd file.

Thank you.
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator

LAZer

Well-Known Member
Jan 18, 2010
at net :D
There were no cron jobs for that user: not in his cPanel, not in crontab -l -u username, and not in that directory /var/spool/cron/.

Also, I don't see any cron -c commands.

Maybe it was a symlink attack.
I already had these rules:
Code:
<Directory /home2/>
AddHandler cgi-script .php1 .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .php10 .php11 .php12 .php13 .php14 .phtml .c .txt .pl .py .jsp .htm .asp .shtml .sh .cgi
Options -ExecCGI -Indexes
AllowOverride None
</Directory>
and I changed it to:
Code:
<Directory />
AddHandler cgi-script .php1 .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .php10 .php11 .php12 .php13 .php14 .phtml .c .txt .pl .py .jsp .htm .asp .shtml .sh .cgi
Options -ExecCGI -Indexes -Includes -IncludesNOEXEC +SymLinksIfOwnerMatch
AllowOverride None
</Directory>
Maybe it prevents his further access.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Check in /var/log/cron; perhaps the cron was added and removed before you looked.

grep EDIT /var/log/cron

or

grep username /var/log/cron
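An added example (not from this thread) that extends the grep suggestion above: it scans a cron log in the /var/log/cron format for crontab modification events and counts how often each user's command ran, so a job firing every minute stands out. The log lines are constructed to mirror the ones quoted in this thread; the user name, host and PIDs are placeholders.

```shell
#!/bin/sh
# Constructed sample of /var/log/cron (cronie/vixie-cron syslog format).
LOG="${TMPDIR:-/tmp}/cron-sample.$$"
cat > "$LOG" <<'EOF'
Aug 11 04:02:40 server2 crontab[18201]: (username) REPLACE (username)
Aug 11 04:03:01 server2 crond[18278]: (username) CMD (cat /etc/passwd)
Aug 11 04:03:01 server2 CROND[18279]: (root) CMD (run-parts /etc/cron.hourly)
Aug 11 04:04:01 server2 crond[18597]: (username) CMD (cat /etc/passwd)
Aug 11 04:05:01 server2 crond[19074]: (username) CMD (cat /etc/passwd)
Aug 11 04:06:30 server2 crontab[19201]: (username) DELETE (username)
EOF

# crontab(1) logs REPLACE/EDIT/DELETE/LIST when a user's crontab is touched.
# These lines survive even if the job was removed before you looked at
# /var/spool/cron, so they show who installed the job and when.
cron_edits() {
    grep -E 'crontab\[[0-9]+\]: \([^)]+\) (REPLACE|EDIT|DELETE|LIST) ' "$1"
}

# Count executed commands per user from crond "CMD" lines and print
# "count user command", highest count first. Fields: $5 is the daemon tag,
# $6 the "(user)" token, $7 the literal CMD and $8.. the command in parentheses.
cron_cmd_counts() {
    awk 'tolower($5) ~ /^crond\[/ && $7 == "CMD" {
            user = $6; gsub(/[()]/, "", user)
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            sub(/^\(/, "", cmd); sub(/\)$/, "", cmd)
            n[user " " cmd]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

echo "== crontab modifications =="
cron_edits "$LOG"
echo "== command frequency per user =="
cron_cmd_counts "$LOG"
```

On a live system point the functions at /var/log/cron (or its rotated copies) instead of the sample file.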
 

LAZer

Well-Known Member
Jan 18, 2010
at net :D
Yes, there are lots of them, run every minute! And this is why I saw lots of those emails in the exim queue manager.
If he had set the cron for once per day or hourly, I couldn't have identified his attempt.

Code:
Aug 11 04:03:01 server2 crond[18278]: (username) CMD (cat /etc/passwd)
Aug 11 04:04:01 server2 crond[18597]: (username) CMD (cat /etc/passwd)
Aug 11 04:05:01 server2 crond[19074]: (username) CMD (cat /etc/passwd)
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
/etc/passwd is usually world readable, but functionally it's only going to get them a list of usernames anyway. IMO, just ensure a good CP PW is set (update it) and check the webapp for any recently modified files (I see you already did this); if they have a CMS, change the administrative password(s) and install all updates.
 

LAZer

Well-Known Member
Jan 18, 2010
at net :D
Yes, I just saw some newly created directories, and I don't know if they were created by WordPress or the attacker.

Code:
/home2/username/public_html/wp-content/uploads/2013/01 02 03 04.... 08
All were empty; the dates were from some months ago, except the 08 one, which is from 08.05 (last week).
I think these were created by WP.

Anyway, thank you.
I have upgraded PHP to 5.4 now, and it removed safe_mode, Suhosin, magic_quotes and sqlite,
changed the Apache AllowOverride and Options rules,
disabled that host, deleted the created folders,
and changed the passwords.

Let's see what happens.