  1. #1

    hacking attempt plz help

    Hello dear

    Today one of my clients told me that his public_html was deleted.

    I looked at the log file for this client and I did not find any delete function.

    But I see that someone uploaded these files:


    cpaneldownacct.cgi* cpanelkill.cgi* cpanelwrap.cgi* .htaccess.1083763824
    cpaneldownload.cgi* cpanelwrap.c .htaccess


    in the cgi-bin

    and this is the content of cpanelkill.cgi

    #!/usr/bin/perl


    $ENV{'QUERY_STRING'} =~ s/\n//g;
    $ENV{'QUERY_STRING'} =~ s/\s//g;

    my($quser,$qpass) = split(/\&/, $ENV{'QUERY_STRING'}, 2);



    chomp($pwd = `pwd`);
    open(PASSWD,"/etc/passwd");
    while(<PASSWD>){
    ($name,$x,$uid,$gid,undef,$homedir,$shell) =
    split(/:/,$_);
    next if (length($homedir) < 3);

    if ($pwd =~ /^${homedir}\// || $pwd =~ /^${homedir}$/) {
    $founduid = 1;
    last;
    }
    }
    close(PASSWD);

    print "Content-type: text/html\r\n\r\n";
    my $homedir = (getpwuid($uid))[7];
    my $user = (getpwuid($uid))[0];
    print "UNLINKED\n";
    unlink("/tmp/cpmove-${user}.tar.gz");
    exit if ($homedir eq "/" || $homedir eq "");
    system("/bin/rm","-rf","$homedir/public_html/cgi-bin/cpdownload");


    Can anyone help me, or does anyone know more about this?

  2. #2
    Join Date
    Feb 2004
    Posts
    1,226
    this script shouldn't delete the whole public_html of the user

    all it tries to do is find the homedir of the user, based on the current path ('pwd'), by searching for the user ID in /etc/passwd and then using that user ID with getpwuid

    after the homedir is found (and stored in the $homedir variable), the following command is executed:

    /bin/rm -rf $homedir/public_html/cgi-bin/cpdownload

    doesn't seem dangerous

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Have you checked your temporary directories? Anything there?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    Those scripts are used by Cpanel to move accounts. Nothing malicious about them.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  5. #5
    Join Date
    Feb 2004
    Posts
    1,226
    Originally posted by sprintserve
    Those scripts are used by Cpanel to move accounts. Nothing malicious about them.
    if that's the case I recommend removing the source from the board to avoid license problems

  6. #6
    Join Date
    Feb 2004
    Location
    Denton, Texas -
    Posts
    215
    Originally posted by sprintserve
    Those scripts are used by Cpanel to move accounts. Nothing malicious about them.
    SprintServe is correct.
    Nothing to worry about.
    ------

    On another note... Why do people comment on such topics when they are not up to speed? People just slap on a name tag and voilà, admin for hire. That's scary.

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    still does not justify why his public_html directory is gone

  8. #8
    Join Date
    Feb 2004
    Location
    Denton, Texas -
    Posts
    215
    Originally posted by thelinuxguy
    still does not justify why his public_html directory is gone
    system("/bin/rm","-rf","$homedir/public_html/cgi-bin/cpdownload")

    Only removed the cpdownload

    This is not directly related to the problem. Looks like the guy (account in question) is moving to me. He may have deleted it or someone acting for him may have done so. Maybe they failed to check the transfer that did not go as expected before they deleted the dir.

    Who knows.
    -----------------------------

    Darn ergonomic keyboard!

  9. #9

    more about

    I asked the cpanel support team: this script is not by cpanel.
    The hacker logged in to the account using pure_ftp
    from IP 69.57.134.84

    and this IP is not from my server.

    dnsstuff tells me this IP is from ev1servers.net
    My server is at managed.com

    so this is a hack job. Thanks

  10. #10
    Join Date
    Feb 2004
    Location
    Denton, Texas -
    Posts
    215

    Re: more about

    Originally posted by linuxlover
    I asked the cpanel support team: this script is not by cpanel.
    The hacker logged in to the account using pure_ftp
    from IP 69.57.134.84

    and this IP is not from my server.

    dnsstuff tells me this IP is from ev1servers.net
    My server is at managed.com

    so this is a hack job. Thanks
    No, it is not a "hack job". I doubt if anyone from cpanel told you this. Someone on a cpanel forum may have given you some bad information.

    This will show as an ftp login because that's basically how the process works. It was done using the cpanel transfer tool. It is not a hack by any stretch.
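
Posts #9 and #10 both turn on what the FTP session from the remote address actually did. The following is an added example, not part of the original thread: a small triage script that groups FTP transfers by user and remote host and separates cgi-bin uploads from deletions. It assumes the FTP server writes an xferlog-format transfer log; the sample lines, the user name `client1` and the addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in xferlog format (not taken from the thread).
SAMPLE_LOG = """\
Thu May  6 09:10:24 2004 1 203.0.113.7 2310 /home/client1/public_html/cgi-bin/cpanelwrap.c a _ i r client1 ftp 0 * c
Thu May  6 09:10:25 2004 1 203.0.113.7 1422 /home/client1/public_html/cgi-bin/cpanelkill.cgi a _ i r client1 ftp 0 * c
Thu May  6 09:12:02 2004 9 203.0.113.7 48211 /home/client1/public_html/cgi-bin/cpdownload/backup.tar.gz b _ o r client1 ftp 0 * c
Tue May  4 18:00:11 2004 2 198.51.100.20 5120 /home/client1/public_html/index.html a _ i r client1 ftp 0 * c
not a transfer record
"""

# Fields: date (5 tokens), seconds, remote host, size, path, type, action
# flag, direction (i=upload, o=download, d=delete where the server logs it),
# access mode, user, then service and status fields we do not need.
LINE = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} \d+ (?P<host>\S+) \d+ "
    r"(?P<path>\S+) [ab] \S+ (?P<dir>[iod]) \S (?P<user>\S+) "
)

def triage(log_text, known_hosts=()):
    """Group transfers by (user, remote host), skipping hosts the admin knows."""
    report = defaultdict(lambda: {"cgi_uploads": [], "deletes": [], "other": 0})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None:
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        if m["host"] in known_hosts:
            continue
        entry = report[(m["user"], m["host"])]
        if m["dir"] == "d":
            entry["deletes"].append(m["path"])
        elif m["dir"] == "i" and "/cgi-bin/" in m["path"]:
            entry["cgi_uploads"].append(m["path"])
        else:
            entry["other"] += 1
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = triage(SAMPLE_LOG)
    for (user, host), e in sorted(report.items()):
        print(f"{user} from {host}: {len(e['cgi_uploads'])} cgi-bin uploads, "
              f"{len(e['deletes'])} deletes, {e['other']} other transfers")
    print(f"{skipped} unparsable line(s)")
```

An empty `deletes` list only means the transfer log recorded none; not every FTP server writes delete records to this log, so the result should be read together with the server's command log.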
