The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Web resources for reporting or checking on already reported exploits?

Discussion in 'Security' started by Mysticeti, Jun 10, 2014.

  1. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    45
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Southern NH
    My cPanel server started sending me alerts today. It would appear that a wordpress exploit was used to start a script that attempts to join a botnet. However, I think the firewall blocked the attempts to contact/join the botnet and after updating WordPress and killing a couple processes the system appears to be working fine (no more alerts and bandwidth/CPU usage are nominal).

    However, after looking at the script that was executing and using a couple choice words from it in Google I'm only getting a single hit (pastebin)!

    So I'm wondering the script has just been released in the wild or if something else is going on here.

    Are their security sites that might help me here?

    Any other advice?

    Thanks!
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    I'm not sure that anyone can recommend a single security site that would have the information you're looking for. Perhaps pasting a larger chunk of the code in Google search will return some results. Keep in mind that scripts are often subtly altered so the exact script may not come up
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Agreed.

    Usually when I find web shells or botnet scripts, I check them with maldet to see if it's one that it would have found. If it's not flagged I use "maldet -c $file " to upload it to them.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I've not heard of any recent widespread attacks on the WordPress script, but it's fairly common for attackers to target scripts like WordPress due to the number of people who use it. It looks like your firewall handled the attack well.

    Thanks.
     
  5. Mysticeti

    Mysticeti Well-Known Member

    Joined:
    Sep 16, 2002
    Messages:
    45
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Southern NH
    Thanks all. Used maldet -c as advised.
     
Loading...

Share This Page