Web resources for reporting or checking on already reported exploits?

Discussion in 'Security' started by Mysticeti, Jun 10, 2014.

  1. Mysticeti

    My cPanel server started sending me alerts today. It would appear that a WordPress exploit was used to start a script that attempts to join a botnet. However, I think the firewall blocked the attempts to contact/join the botnet, and after updating WordPress and killing a couple of processes the system appears to be working fine (no more alerts, and bandwidth/CPU usage are nominal).

    However, after looking at the script that was executing and using a couple choice words from it in Google I'm only getting a single hit (pastebin)!

    So I'm wondering if the script has just been released in the wild or if something else is going on here.

    Are there security sites that might help me here?

    Any other advice?

    Thanks!
     
  2. vanessa

    I'm not sure that anyone can recommend a single security site that would have the information you're looking for. Perhaps pasting a larger chunk of the code in Google search will return some results. Keep in mind that scripts are often subtly altered, so the exact script may not come up.
     
  3. quizknows

    Agreed.

    Usually when I find web shells or botnet scripts, I check them with maldet to see if it's one that it would have found. If it's not flagged, I use "maldet -c $file" to upload it to them.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    I've not heard of any recent widespread attacks on the WordPress script, but it's fairly common for attackers to target scripts like WordPress due to the number of people who use it. It looks like your firewall handled the attack well.

    Thanks.
     
  5. Mysticeti

    Thanks all. Used maldet -c as advised.
     