The Community Forums


What's this? ./tembak xxx.xxx.xx.xx 53

Discussion in 'General Discussion' started by DWHS.net, Jul 31, 2003.

  1. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    This up to 150 cpu on my server?

    thanks for the help.

    -Charles

  2. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    The verb tembak is Indonesian for 'to shoot' :)

    If you don't have any Indonesian customers then it's likely there is an Indonesian person trying to abuse your server.

  3. paralard

    paralard Well-Known Member

    Joined:
    Mar 2, 2003
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Austin Texas
    Security Hole

    WHM 7.2.0 cPanel 7.2.1-R108
    RedHat 7.3

    Yes, me too....

    ./tembak 202.162.199.251 53

    It is definitely someone trying to abuse the server. I found that this person or script was eating all of my resources this morning......... IP range 202.162.192.0 - 202.162.207.255

    Here is what my techs have come up with.

    libc.so.6
    printf
    connect
    socket
    bzero
    send
    __deregister_frame_info
    bcopy
    gethostbyname
    htons
    exit
    atoi
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    __gmon_start__
    GLIBC_2.0
    PTRh
    Pasukan..!!!! Tembaaaak %s ke port %d
    Di %s gak ada sasaran, Boss!!
    Kirim Paket ke IP orang
    Cara Pake : $ tembak hostname.orang port
    0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ


    It appears to be coming from Malaysia... It appears to be associated with some sort of cPanel hole (which seems to have been plugged by the latest upgrade you did... but I am not completely sure about that yet). This info comes from web searching for tembak and bindtty (which was another file in the tmp directory).


    BOTH files are owned by "nobody" which implies that it was put there by apache and/or php...



    #3 paralard, Jul 31, 2003
    Last edited: Jul 31, 2003
  4. DWHS.net

    We have the exact same problem and the i.p. is the same.

    We also got the same results from the search.

    Please let me know what you come up with.

    -Charles

  5. jamesbond

    Re: Security Hole

    This is the main reason why you should mount the /tmp directory with the 'noexec' option.

  6. DWHS.net

    Sorry for my ignorance, but can this be done after the server is formatted, or does it need to be done with the initial set up?

    I have never heard of using noexec as something to do as a norm in all my web hosting for dummies books. (Someone should write this.) Just kidding.. :confused:

    It sounds like the files just need to be deleted, any thoughts on this?

    Thanks

  7. jamesbond

    Well, do you have /tmp on a separate partition?

    If you do, then you only need to change a line in /etc/fstab and reboot the server.

    This is what I have for /tmp in /etc/fstab:

    LABEL=/tmp /tmp ext2 nosuid,nodev,noexec,noatime 1 2

    The noexec option will make it impossible/difficult for people to execute uploaded files.

  8. paralard

    I have blocked the ip range from within my ip tables.

  9. DWHS.net

    Great Bond, I will do this..

    Also it was nice of you to help me... may good karma be with you :D

    Forgot about blocking the i.p. network I just did the i.p.,

    Just curious do you use port sentry too?

    #9 DWHS.net, Jul 31, 2003
    Last edited: Jul 31, 2003
  10. paralard

  11. DWHS.net

    Cool...

  12. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Is it as simple as changing the fstab? I thought it might be more involved than that. :confused:
  13. jamesbond

    Yes as long as /tmp has its own partition.

    Detailed description can be found here :

    http://admin0.info/security/3partition.html

  14. DWHS.net

    Where am I?

  15. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    A few things here,

    one does not have to reboot the Server
    after saving changes to fstab type: mount -a and changes will kick in

    using 'noexec' is a must
    stops most scriptkiddies but not knowledgeable people
    still better than nothing though

    using anything besides 'noexec' will cause Cpanel update problems -- possibly other type updates as well -- will it not

  16. jmc67

    jmc67 Well-Known Member

    Joined:
    Mar 10, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    This is a rather dumb question but I myself am not a pro so my question is, how would I know if /tmp is on a separate partition?

    This is from whm:
    Current Disk Usage
    Filesystem Size Used Avail Use% Mounted on
    /dev/hda6 1011M 392M 568M 41% /
    /dev/hda1 30M 14M 14M 48% /boot
    /dev/hda8 45G 709M 41G 2% /home
    none 247M 0 247M 0% /dev/shm
    /dev/hda7 494M 8.1M 460M 2% /tmp
    /dev/hda3 3.9G 1.8G 1.9G 48% /usr
    /dev/hda2 3.9G 127M 3.6G 4% /var

    and this is from root:
    root@server1 [~]# more /etc/fstab
    LABEL=/ / ext3 defaults 1 1
    LABEL=/boot /boot ext3 defaults 1 2
    none /dev/pts devpts gid=5,mode=620 0 0
    LABEL=/home /home ext3 defaults,usrquota 1 2
    none /proc proc defaults 0 0
    none /dev/shm tmpfs defaults 0 0
    LABEL=/tmp /tmp ext3 defaults 1 2
    LABEL=/usr /usr ext3 defaults,usrquota 1 2
    LABEL=/var /var ext3 defaults,usrquota 1 2
    /dev/hda5 swap swap defaults 0 0

  17. DWHS.net

    /dev/hda7 494M 8.1M 460M 2% /tmp

    This means it is

  18. jmc67

    So all I would have to do is LABEL=/tmp /tmp ext2 nosuid,nodev,noexec,noatime 1 2
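    A way to carry out the checks and the fstab change discussed in this thread, as an added example that is not from any poster: the functions take fstab or /proc/mounts text on stdin, so they can be tried on a copy before the real /etc/fstab is edited. The sample fstab and mount lines are constructed, modelled on the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: find a separate /tmp filesystem in an
# fstab, add nosuid,nodev,noexec to its options, and verify from /proc/mounts
# text that noexec is actually in effect. Every function reads stdin.

# Print the fstab entry whose mount point (field 2) is /tmp; nothing if none.
tmp_fstab_line() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print; exit }'
}

# Succeed only if /tmp has its own entry, i.e. is a separate filesystem.
tmp_is_separate() {
    [ -n "$(tmp_fstab_line)" ]
}

# Pass fstab text through, appending each missing hardening option to the
# option field (field 4) of the /tmp entry. Running it twice changes nothing.
harden_tmp_options() {
    awk -v want="nosuid,nodev,noexec" '
    $1 !~ /^#/ && $2 == "/tmp" {
        n = split($4, have, ","); for (i = 1; i <= n; i++) seen[have[i]] = 1
        m = split(want, add, ",")
        for (i = 1; i <= m; i++) if (!seen[add[i]]) $4 = $4 "," add[i]
    }
    { print }'
}

# Print the option field of the /tmp entry (to check harden_tmp_options).
tmp_options() {
    tmp_fstab_line | awk '{ print $4 }'
}

# Given /proc/mounts text on stdin, succeed only if the filesystem mounted
# on /tmp carries noexec (an fstab edit alone does not change a live mount).
tmp_mounted_noexec() {
    awk '$2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1 }
         END { exit !ok }'
}

# Constructed sample modelled on the fstab posted in this thread.
SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
LABEL=/home /home ext3 defaults,usrquota 1 2
LABEL=/tmp /tmp ext3 defaults 1 2
/dev/hda5 swap swap defaults 0 0'

# Constructed /proc/mounts lines for /tmp before and after a remount.
MOUNTS_BEFORE='/dev/hda7 /tmp ext3 rw 0 0'
MOUNTS_AFTER='/dev/hda7 /tmp ext3 rw,nosuid,nodev,noexec 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | harden_tmp_options
```

    On the live system, after /etc/fstab has been updated, `mount -o remount /tmp` applies the new options to the already mounted filesystem, and /proc/mounts then shows whether noexec is in effect.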

  19. paralard

    JESUS............... here we go again.....
    Top Process %CPU 99.9 ./tembak 202.155.5.174 53
    Top Process %CPU 99.8 ./tembak 202.162.199.251 53

  20. DWHS.net

    @#$% me too,

    Thanks for the heads up...

    Hopefully this is it,
