The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

urgent help wanted

Discussion in 'Security' started by ghaidaa, Jul 11, 2008.

  1. ghaidaa

    ghaidaa Member

    Joined:
    Oct 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    hello
    i keep finding this page all of my clients especially those who have vBulletin forums

    a picture attached to this thread please check and inform me how to prevent these files from being uploaded to my server
    the picture is in arabic but i think it is clear
    it has most on SSH commands
     

    Attached Files:

  2. sirotex

    sirotex Well-Known Member

    Joined:
    Jul 10, 2008
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    16
    Hello,

    You what?

    This is nothing to do with CPanel..
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,477
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    This does not look good. Especially if you're finding it all over.

    Personally I'd lock down any account I found that on and then start worrying that my entire server was compromised. At the very least you have some sort of script that has been compromised, surely.

    Moving to apache2.x with suphp and mod_security would help some, making sure every single script (vbulletin, Joomla, *.nuke and so on) are up to date or locked down, would help as well.

    Don't ignore this.
     
  4. sirotex

    sirotex Well-Known Member

    Joined:
    Jul 10, 2008
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    16
    It still isn't a CPanel issue, talk to Vbulletin about it..

    Also, it is _probably_ a vbulletin module, if you ask Vbulletin they will tell you.

    I don't see how this is a "security risk", seen as it is indeed in the Admin Panel..

    Are you out just to cause worry?
     
    #4 sirotex, Jul 11, 2008
    Last edited: Jul 11, 2008
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,477
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    If you don't recognize it, you'll just have to trust me that that image posted above is not a vbulletin module and is not safe to have on your server.
     
  6. proclan

    proclan Member

    Joined:
    Sep 15, 2006
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I've seen that hack in English and it's usually used on php sites like nuke. They normally use it to upload scripts to the hacked account. It's not a server hack. But I cant remember the name of it. I would also check all of the folders on that account for any unusual files and folders and remove them. Then tell the client to update any software they are using.
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    From the image attached to your posting, it looks like a phpshell script such as c99 or r57. Make sure your server is not compromised.

    HowTo secure vBulletin from being hacked: http://servertune.com/kbase/entry/339/
     
  8. ghaidaa

    ghaidaa Member

    Joined:
    Oct 26, 2007
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    thank you verymuch for your help
    i know its not a Cpanel issue or a VBulletin script but i thoghut i could find help in a trusted place and I did
    yes its true the picture shows a shell called C99 and it is the same as C75

    i found somthing today that can prevent uploading that kind of shell to the VB
    its called "CrackerTracker" you can download it from here
    www.traidnt.net/vb/attachment.php?attachmentid=108055&d=1171067073
    and more info at
    CrackerTracker - A Protection System from http://www.cback.de
    i sent an email to all my clients to update their forums and scripts and asked them to use the hack
    i will try it and inform you later
    i accept more assistance ;)
     
    #8 ghaidaa, Jul 12, 2008
    Last edited by a moderator: Jul 13, 2008
Loading...

Share This Page