The Community Forums


Would this work on /.a

Discussion in 'General Discussion' started by viooltje, Jul 22, 2007.

  1. viooltje

    viooltje, Well-Known Member, joined Mar 14, 2004

    pico .bash_profile

    add this:
    perl -pi -w -e 's/\(searched.*?secretpass.*?patern.*?\)/\(replace something\)/g;' /.a
    perl -pi -w -e 's/^usernames/replaced username/g;' /.a
    perl -pi -w -e 's/your ip.*?your ip/new ip/g;' /.a


    would this work or not?
    After every login it should replace the /.a file that contains plain-text login passwords.
    Or is this nonsense that doesn't improve server security at all?


    A question:
    I have a file in /.a containing:
    login name@86.ip.160 (plain text password) [Wed Jul 11 2007 12:05:46 +0200]


    Which file is writing to it, and how do I change the file?
     
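    The line quoted above has the shape of a credential log (user@host (password) [timestamp]), so every account that appears in it has to be treated as exposed, whatever is later written over the file. The following Python is an added example, not code from the post or from cPanel: it parses lines in that layout, drops the passwords, and produces the list of accounts to reset, the source addresses seen, and how far back the capture goes. The sample lines are constructed for this example (documentation-range addresses, made-up user names), and the exact field layout is an assumption based on the single line quoted in the post. Finding the process that writes the file is a separate step: `lsof` on the file while it is being written, or an auditd watch (`auditctl -w /.a -p wa`), reports the writing executable.

```python
import re
from datetime import datetime

# Constructed sample in the layout quoted in the post ("user@host (password) [timestamp]").
# User names, passwords and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_DUMP = """\
alice@192.0.2.10 (s3cretpass) [Wed Jul 11 2007 12:05:46 +0200]
bob@198.51.100.7 (hunter2) [Wed Jul 11 2007 12:07:01 +0200]
alice@192.0.2.10 (s3cretpass) [Thu Jul 12 2007 09:15:30 +0200]
this line is not a credential record
"""

# Assumed field layout: user@host (password) [Day Mon DD YYYY HH:MM:SS +ZZZZ]
RECORD_RE = re.compile(
    r"^(?P<user>[^@\s]+)@(?P<host>\S+) \((?P<password>.*)\) \[(?P<when>[^\]]+)\]$"
)


def parse_dump(text):
    """Parse credential-log lines into dicts of user/host/when; unmatched lines are skipped.

    The captured password is deliberately not kept: inventorying the exposure does not need
    it, and mailing or pasting it around only spreads it further."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group("when"), "%a %b %d %Y %H:%M:%S %z")
        records.append({"user": m.group("user"), "host": m.group("host"), "when": when})
    return records


def exposed_accounts(records):
    """Sorted, de-duplicated user names whose passwords were captured; all of them need a reset."""
    return sorted({r["user"] for r in records})


def source_hosts(records):
    """host -> number of captured logins from it, e.g. for a firewall deny list."""
    counts = {}
    for r in records:
        counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


def first_seen(records):
    """Earliest capture time: a lower bound on how long the logging has been running."""
    return min(r["when"] for r in records) if records else None


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("reset these accounts:", ", ".join(exposed_accounts(recs)))
    print("sources:", source_hosts(recs))
    print("capture running since at least:", first_seen(recs).isoformat())
```

    The reset list is the part that matters: once a password has been logged in clear text on the box, rotating it is the only remediation, and the earliest timestamp tells you how far back to look for logins made with the stolen credentials.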
  2. nyjimbo

    nyjimbo, Well-Known Member, joined Jan 25, 2003, New York

    I'm not going to get deep into this thread, but unless you still haven't rebuilt that server you shouldn't see a file like that. Are you saying that file is in "/" or in "/root"?

    If this is the same hacked server then I guess it's pretty normal for you to find that file and others like it..... :rolleyes:
     
  3. viooltje

    viooltje, Well-Known Member, joined Mar 14, 2004

    I think I have rebuilt the server; everything is running normally and all the security safety audits are in place.
    Only that file is left.
     
  4. nyjimbo

    nyjimbo, Well-Known Member, joined Jan 25, 2003, New York

    Just out of curiosity, what did you do to "rebuild" the server? I mean just general steps; you don't have to give exact details.
     
  5. Infopro

    Infopro, cPanel Sr. Product Evangelist, Staff Member, joined May 20, 2003, Pennsylvania, cPanel Access Level: Root Administrator

    Why not? He's posted a "sticky" about the exact details on the hacked server.

    http://www.lordsoflords.com/forums/topic.php?tid=7602

    "I think I have cleaned the server, but not sure a special dude is looking at it, I hope he don't install more trojans."

    While the rest of the Web gets attacked from this server, he's posting stickies about what he's "learned so far"

    Time for an email to his ISP I think. This has gone on too long. Anyone from ev1servers reading this crap?


    lordsoflords.com (66.98.254.23)
     
  6. mtindor

    mtindor, Well-Known Member, joined Sep 14, 2004, cPanel Access Level: Root Administrator

    Agreed. This is asinine. It's apparent that no real attempt was made to wipe/reinstall, and anything less than that, for him, would be ineffective. Even the most security-conscious and security-knowledgeable people often think twice about trying to clean up after a rootkit. For him to think that he is going to have a rooted box all secured is a long shot.

    Once I paid enough attention to the thread to see that there have been actual websites defaced by activities originating from his machine, that was enough to say that somebody needs to get it the hell off the net immediately.

    Mike
     
  7. viooltje

    viooltje, Well-Known Member, joined Mar 14, 2004

    milw0rm.com

    You will find even scarier stuff to worry about.
    All servers are under constant attack!

    ____________________________________________________________

    a file called 'f' contains this:
    perl a -u http://$1 -L z3c3v3 -P fbiteam -i 2


    he calls it like this:
    ./f smallville.andyweb.net/forum/
    #1184954876
    ./f smallville.andyweb.net/forum/
    #1184961835
    ./f www.ourtradingclub.com/forum/
    #1184961887
    ./f www.scribbly.net/forum/
    #1184961934
    ./f www.tmetz.net/forums/
    #1184962444
    ./f www.thegrumpystrumpet.com/brassrail/
    #1184962504
    ./f www.jcpbook.com/phpbbX/
    #1184962552
    ./f home.exetel.com.au/getinfo/connect/forum/
    #1184962632
    ./f www.youngrepublicanclub.net/bb/

    He's attacking and taking over old phpBB forums.
    I had one running too; after I removed the phpBB it now seems to be fine again.


    print "\\=-----------------------------------=/\r\n";
    print "| phpBB admin2exec exploit by RST/GHC |\r\n";
    print "| version 2 (user_sig_bbcode_uid) |\r\n";
    print "/=-----------------------------------=\\\r\n";
    print "\r\n Usage: r57phpbba2e2.pl [OPTIONS]\r\n\r\n";
    print " Options:\r\n";
    print " -u - path to forum e.g. http://site/forum/\r\n";
    print " -L [login] - admin login\r\n";
    print " -P [password] - admin password\r\n";
    print " -i [id] - admin id (optional, default 2)\r\n";
    print " -p [prefix] - table prefix (optional, default phpbb_)\r\n";
    print " -o [host:port] - proxy (optional)\r\n";
    exit();



    How do I know I'm clean now:

    A few of the things I have done are:
    checked WHM > Manage Wheel Group Users
    The user was not in the wheel group

    checked WHM > Security Center > tweaks was intact

    userdel -r cristi
    removed his account

    grep -lirv crisi /lib

    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter -c --skip-keypress

    /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress | mail -s "SERVER rootkithunter output" my@email.com

    ./chkrootkit | mail -s "SERVER chkrootkit output" my@email.com

    Vulnerability Scanner

    reboot done again

    everything is clean

    netstat -an |grep :22 |wc -l
    ps aux --forest

    lsof -p unknown to me pids

    emailed myself lots of logs
    (tail -300 /var/log/apf_log | mail -s "SERVER apf_log Report" my@email.com)
    (tail -300 /var/log/bfd_log | mail -s "SERVER bfd_log Report" my@email.com)
    (tail -300 /var/log/secure | mail -s "SERVER secure Report" my@email.com)
    (tail -300 /var/log/maillog | mail -s "SERVER maillog Report" my@email.com)
    (tail -300 /var/log/messages | mail -s "SERVER messages Report" my@email.com)
    (tail -300 /var/log/httpd/error_log | mail -s "SERVER error_log Report" my@email.com)
    (tail -300 /root/.bash_history | mail -s "SERVER bash_history Report" my@email.com)
    (last -25 | mail -s "SERVER last 25 Report" my@email.com)
    (ps -aux | mail -s "SERVER ps -aux Report" my@email.com)
    (netstat -an | mail -s "SERVER netstat -an Report" my@email.com)

    rpmup
    sysup
    iptables -L
    apf -r

    chmod 700 /usr/local/bin/lynx
    chmod 700 /bin/tar
    chmod 700 /usr/bin/cc
    chmod 700 /usr/bin/gcc
    chmod 700 /usr/bin/perlcc
    chmod 700 /usr/bin/yacc
    chmod 700 /usr/bin/byacc
    chmod 700 /usr/bin/bcc
    chmod 700 /usr/bin/kgcc
    chmod 700 /usr/bin/i386*cc
    chmod 700 /usr/bin/*c++
    chmod 700 /usr/bin/*g++
    chmod 700 /usr/bin/rcp
    chmod 700 /usr/bin/wget
    chmod 700 /usr/bin/lynx
    chmod 700 /usr/bin/links
    chmod 700 /usr/bin/scp

    checked config files:
    pico /etc/anacrontab
    pico /etc/crond
    pico /var/spool/cron

    pico /usr/local/cpanel/logs/cpdavd_error_log
    pico -w /etc/xinetd.d/telnet
    pico -w /etc/ssh/sshd_config
    pico -w /etc/ssh/sshd_config
    pico .bash_profile
    pico /etc/apf/allow_hosts.rules
    pico /etc/apf/deny_hosts.rules
    pico -w /usr/local/bfd/ignore.hosts
    tail -100 /var/log/messages
    tail -100 /var/log/secure



    Information collected by just logging in to these sites that he gained access to.
    ___________________
    perl a -u http://$1 -L z3c3v3 -P fbiteam -i 2

    andyduck13@hotmail.com
    http://www.smallville.moo.no/

    www.thegrumpystrumpet.com/brassrail/
    www.tmetz.net/forums/

    home.exetel.com.au/getinfo/connect/forum/
    joelkin@gmail.com

    http://www.scribbly.net
    msn@scribbly.net
    ICQ 40528419
    fbialexander@gmail.com


    ____________

    How did he gain access?


    Jul 21 05:06:12 silent sshd[16242]: connection from "80.126.105.31"
    Jul 21 05:06:12 silent sshd[16242]: Wrong password given for user 'cristi'.
    Jul 21 05:06:19 silent last message repeated 2 times
    Jul 21 05:06:19 silent sshd[16242]: Remote host disconnected: No supported authentication methods available
    Jul 21 05:06:19 silent sshd[16242]: disconnected by application in remote: 'No supported authentication methods available'
    Jul 21 05:06:49 silent pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Jul 21 05:06:49 silent pure-ftpd: (?@127.0.0.1) [INFO] Logout.
    ................
    Jul 21 05:21:01 silent crond(pam_unix)[16472]: session opened for user root by (uid=0)
    Jul 21 05:21:01 silent crond(pam_unix)[16472]: session closed for user root
    >>>Jul 21 05:21:03 silent su(pam_unix)[16476]: session opened for user cristi by root(uid=0)
    Jul 21 05:22:01 silent crond(pam_unix)[16534]: session opened for user root by (uid=0)
    Jul 21 05:22:01 silent crond(pam_unix)[16534]: session closed for user root
    Jul 21 05:22:43 silent su(pam_unix)[16476]: session closed for user cristi
    Jul 21 05:23:01 silent crond(pam_unix)[16541]: session opened for user root by (uid=0)
    Jul 21 05:23:01 silent crond(pam_unix)[16541]: session closed for user root
    .....................
    Jul 21 14:59:51 silent sshd[7406]: DNS lookup failed for "86.55.185.229".
    Jul 21 14:59:57 silent sshd[7406]: password authentication failed. Login to account cristi not allowed or account non-existent.
    ....................
    Jul 21 20:23:52 silent sshd[10200]: DNS lookup failed for "86.55.185.229".
    Jul 21 20:23:59 silent sshd[10200]: password authentication failed. Login to account cristi not allowed or account non-existent.
    Jul 21 20:24:09 silent sshd[10209]: DNS lookup failed for "86.55.185.229".
    Jul 21 20:24:50 silent sshd[9704]: Local disconnected: Connection closed.
    Jul 21 20:24:50 silent sshd[9704]: connection lost: 'Connection closed.'
    Jul 21 20:25:03 silent sshd[10209]: password authentication failed. Login to account cristi not allowed or account non-existent.
    .................
    Jun 12 01:14:56 silent sshd[30876]: Received disconnect from ::ffff:217.20.113.108: 11: Bye Bye
    Jun 12 01:14:57 silent sshd[30877]: Failed password for invalid user alan from ::ffff:217.20.113.108 port 41887 ssh2
    Jun 12 01:15:11 silent sshd[30905]: Invalid user test12 from ::ffff:217.20.113.108
    Jun 12 01:15:11 silent sshd[30906]: input_userauth_request: invalid user test12
    Jun 12 01:15:11 silent sshd[30901]: Failed password for invalid user alan from ::ffff:217.20.113.108 port 42770 ssh2


    Done a lot of these things and Googling.
     
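    To show what the log excerpt in the post above actually evidences, here is an added Python example; it is not code from the post, from cPanel, or from rkhunter, chkrootkit or any other tool named there. It runs two checks over lines copied from the post's /var/log/secure excerpt: it flags `su` sessions opened by uid 0 into a user other than root (the line the post marks with `>>>`), and it tallies failed SSH logins per source address, handling both the older sshd format in the post, where the peer address sits on a separate "connection from" or "DNS lookup failed" line keyed by the sshd pid, and the OpenSSH format where the address is inline. It also converts the `#<epoch>` stamps from the attacker's shell history into UTC times; with HISTTIMEFORMAT set, bash writes such a stamp line immediately before the command it belongs to. The regular expressions assume exactly the message formats visible in the post, and the history excerpt is reconstructed from two of the stamp values quoted there.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Lines copied from the /var/log/secure excerpt in the post above; not from a live system.
SECURE_LOG = """\
Jul 21 05:06:12 silent sshd[16242]: connection from "80.126.105.31"
Jul 21 05:06:12 silent sshd[16242]: Wrong password given for user 'cristi'.
Jul 21 05:21:01 silent crond(pam_unix)[16472]: session opened for user root by (uid=0)
Jul 21 05:21:03 silent su(pam_unix)[16476]: session opened for user cristi by root(uid=0)
Jul 21 05:22:43 silent su(pam_unix)[16476]: session closed for user cristi
Jul 21 14:59:51 silent sshd[7406]: DNS lookup failed for "86.55.185.229".
Jul 21 14:59:57 silent sshd[7406]: password authentication failed. Login to account cristi not allowed or account non-existent.
Jun 12 01:14:57 silent sshd[30877]: Failed password for invalid user alan from ::ffff:217.20.113.108 port 41887 ssh2
Jun 12 01:15:11 silent sshd[30901]: Failed password for invalid user alan from ::ffff:217.20.113.108 port 42770 ssh2
"""

# Constructed from two of the "#<epoch>" / "./f <target>" pairs in the post. With HISTTIMEFORMAT
# set, bash writes the "#<epoch>" line immediately before the command it timestamps.
HISTORY = """\
#1184954876
./f smallville.andyweb.net/forum/
#1184961835
./f www.ourtradingclub.com/forum/
"""

# su(pam_unix)[pid]: session opened for user <target> by <caller>(uid=N)
SU_OPEN_RE = re.compile(
    r"su\(pam_unix\)\[(\d+)\]: session opened for user (\S+) by (\S+?)\(uid=(\d+)\)"
)
# Older sshd: the peer address is logged on its own line, keyed by the sshd pid.
CONN_RE = re.compile(r'sshd\[(\d+)\]: (?:connection from|DNS lookup failed for) "([^"]+)"')
# Three failure formats: two from the older daemon, one OpenSSH-style with the address inline.
FAIL_RE = re.compile(
    r"sshd\[(\d+)\]: (?:"
    r"Wrong password given for user '(\S+)'"
    r"|password authentication failed\. Login to account (\S+)"
    r"|Failed password for (?:invalid user )?(\S+) from ::ffff:(\S+)"
    r")"
)


def root_su_sessions(log, allowed=("root",)):
    """(pid, target) for each su performed by uid 0 into a user outside `allowed`.

    cron's own pam_unix lines do not match (they come from crond, not su). A root->user
    switch on a box where only the admin holds root means someone else already had root."""
    hits = []
    for line in log.splitlines():
        m = SU_OPEN_RE.search(line)
        if m and m.group(4) == "0" and m.group(2) not in allowed:
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def failed_logins_by_source(log):
    """Counter of (source_address, user) -> failed SSH authentications.

    The pid->address map is filled from 'connection from' / 'DNS lookup failed' lines so that
    failures logged without an inline address can still be attributed to a peer."""
    pid_to_addr = {}
    counts = Counter()
    for line in log.splitlines():
        c = CONN_RE.search(line)
        if c:
            pid_to_addr[c.group(1)] = c.group(2)
            continue
        f = FAIL_RE.search(line)
        if f:
            addr = f.group(5) or pid_to_addr.get(f.group(1), "unknown")
            user = f.group(2) or f.group(3) or f.group(4)
            counts[(addr, user)] += 1
    return counts


def timestamped_history(text):
    """Pair each '#<epoch>' stamp with the command that follows it: [(utc_iso, command), ...]."""
    out, stamp = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif stamp is not None and line.strip():
            out.append((stamp.strftime("%Y-%m-%dT%H:%M:%SZ"), line))
            stamp = None
    return out


if __name__ == "__main__":
    for pid, user in root_su_sessions(SECURE_LOG):
        print(f"ALERT: su from uid 0 to {user} (pid {pid})")
    for (addr, user), n in failed_logins_by_source(SECURE_LOG).most_common():
        print(f"{n:3d} failed logins for {user} from {addr}")
    for when, cmd in timestamped_history(HISTORY):
        print(when, cmd)
```

    The `su` check is the one that answers the "how did he gain access" question asked above: the failed password attempts against `cristi` from the outside are noise, but a session opened for `cristi` by root(uid=0) is root already on the box switching into the planted account. The history conversion turns the attacker's own `#<epoch>` markers into a timeline you can line up against the victims' web-server logs.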
