WHM Broke into

Discussion in 'General Discussion' started by bashprompt18, Jul 2, 2004.

  1. bashprompt18

    bashprompt18 Active Member

    I got an email today saying a new account had been created on my server from Web Host Manager. I didn't create an account, and me and my wife are the only ones with access. I also noticed that rosserver was the server name again. I don't have a clue how this was done. WHM tells me it's up to date and no security problems, WRONG! I am running Fedora and I have only had this box a few days and have been setting it up and have not really done a lot but set up DNS and our account in cPanel. I had WHM do its checks and found no trojans. Please HELP!

    -John
     
  2. liquidgoat.com

    liquidgoat.com Registered

    Try deleting the account and see if it comes back. If it does, track the IP.
     
  3. mickalo

    mickalo Well-Known Member

    Change your root password often! ;) Always a good idea.

    Mickalo
     
  4. eazistore

    eazistore Well-Known Member

    Hi bashprompt18,

    I have experience accessing other WHM too.
    But I didn't do any harm to it.
    I quickly sent an email to warn the hostmaster about it.

    There are PHP scripts that can SHELL into your server if you do not secure them properly.

    I suggest you add the following line in your php.ini; it should work:

    pico -w /usr/local/lib/php.ini

    Find the line "disable_functions =" and it should look exactly like this:

    disable_functions = dl,exec,passthru,proc_open,proc_close,shell_exec,system,popen

    then restart your httpd.
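
An added example, not part of eazistore's post or of cPanel's tooling: a small Python check that reads a php.ini and reports which of the functions listed above are still callable. It also covers a value wrapped onto the line after "disable_functions =", which leaves the directive's own value empty. The function names, the constructed sample strings and the parsing assumptions noted in the docstring are this example's own.

```python
import re
import sys

# Functions the post above lists for disable_functions.
RECOMMENDED = ["dl", "exec", "passthru", "proc_open", "proc_close",
               "shell_exec", "system", "popen"]

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def disabled_functions(ini_text):
    """Return the set of names on the effective disable_functions line.

    Assumptions: lines starting with ';' are comments, an unquoted value
    does not continue onto the next line, and a later directive replaces
    an earlier one.
    """
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # commented-out directive has no effect
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(1).split(";", 1)[0]  # drop a trailing comment
    names = (n.strip().strip('"').lower() for n in value.split(","))
    return {n for n in names if n}


def missing(ini_text, wanted=RECOMMENDED):
    """List the wanted functions that this php.ini leaves enabled."""
    active = disabled_functions(ini_text)
    return [name for name in wanted if name not in active]


# Constructed samples, not taken from a real server.
GOOD = "disable_functions = " + ",".join(RECOMMENDED) + "\n"
WRAPPED = "disable_functions =\n" + ",".join(RECOMMENDED) + "\n"
COMMENTED = ";disable_functions = dl,exec,system\ndisable_functions = exec, system\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /usr/local/lib/php.ini
        with open(sys.argv[1]) as fh:
            print("still enabled:", missing(fh.read()) or "none")
    else:
        for label, text in (("good", GOOD), ("wrapped", WRAPPED),
                            ("commented", COMMENTED)):
            print(label, "->", missing(text) or "none")
```
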
     
  5. bman

    bman Well-Known Member

    Re: Re: WHM Broke into

    Will this stop any normal PHP scripts from working?
    Like image galleries? phpadsnew?

    Also, would enabling PHP suEXEC be better?

    thanks
     
  6. eazistore

    eazistore Well-Known Member

    Re: Re: Re: WHM Broke into

    Hi bman,

    It'll not stop other scripts.
    I have clients who also have image galleries and all are working fine.

    You would like to upload this script to your server and call it via http://www.yoursite.com/phpshell.php to see it for yourself.

    It's scary when you're able to see the config.php in and etc.
    They contain database passwords, you know.

    After I applied the above-mentioned method, the phpshell.php is not able to view anything.
     
  7. bman

    bman Well-Known Member

    Re: Re: Re: Re: WHM Broke into

    Yeah, I get it, but with PHP suEXEC the user is trapped in his home dir and can't move around.
     
  8. carluk

    carluk Well-Known Member

    No, with phpsuexec the PHP process is run as the user. It's not a chroot/jail environment.

    I would suggest implementing those php.ini settings. Also note that with phpsuexec you can add a personal php.ini within EACH directory, whereby the PHP files within it will use that php.ini.
    However, I have not fully tested any fixes for this "problem" or restrictions.
     
  9. richy

    richy Well-Known Member

    Is there anything of use in /usr/local/cpanel/logs/access_log ?
     