Thread: hacking attempt plz help
-
05-08-2004, 03:07 PM #1WHT Addict
- Join Date
- Apr 2004
- Posts
- 149
hacking attempt plz help
Hello dear
Today one of my clients told me that his public_html was deleted.
I looked at the log file for this client and I didn't find a delete function,
but I saw someone upload these files
cpaneldownacct.cgi* cpanelkill.cgi* cpanelwrap.cgi* .htaccess.1083763824
cpaneldownload.cgi* cpanelwrap.c .htaccess
into the cgi-bin,
and this is the content of cpanelkill.cgi:
#!/usr/bin/perl
# Strip newlines and whitespace from the query string, then split it into
# a user and a password on the first '&' (neither value is used below).
$ENV{'QUERY_STRING'} =~ s/\n//g;
$ENV{'QUERY_STRING'} =~ s/\s//g;
my($quser,$qpass) = split(/\&/, $ENV{'QUERY_STRING'}, 2);
# Current working directory of the CGI process.
chomp($pwd = `pwd`);
# Walk /etc/passwd looking for the account whose home directory contains $pwd.
# When a match is found the loop exits early and $uid holds that account's UID;
# if nothing matches, $uid is simply left at the value from the last passwd line.
open(PASSWD,"/etc/passwd");
while(<PASSWD>){
    ($name,$x,$uid,$gid,undef,$homedir,$shell) = split(/:/,$_);
    next if (length($homedir) < 3);
    if ($pwd =~ /^${homedir}\// || $pwd =~ /^${homedir}$/) {
        $founduid = 1;
        last;
    }
}
close(PASSWD);
print "Content-type: text/html\r\n\r\n";
# Resolve the home directory and username from the UID found above.
my $homedir = (getpwuid($uid))[7];
my $user = (getpwuid($uid))[0];
print "UNLINKED\n";
# Remove the packaged account archive, then the cpdownload directory under the
# account's cgi-bin; refuse to run rm if the home directory resolved to "/" or "".
unlink("/tmp/cpmove-${user}.tar.gz");
exit if ($homedir eq "/" || $homedir eq "");
system("/bin/rm","-rf","$homedir/public_html/cgi-bin/cpdownload");
Can anyone help me and tell me more about this?
-
05-08-2004, 08:17 PM #2Web Hosting Master
- Join Date
- Feb 2004
- Posts
- 1,269
This script shouldn't delete the whole public_html of the user.
All it tries to do is find the home directory of the user based on the current path ('pwd'): it searches for the user ID in /etc/passwd and then passes that user ID to getpwuid.
After the home directory is found (and stored in the $homedir variable), the following command is executed:
/bin/rm -rf $homedir/public_html/cgi-bin/cpdownload
Doesn't seem dangerous.
-
05-08-2004, 08:28 PM #3Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Have you checked your temporary directories? Anything there?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
05-08-2004, 10:18 PM #4Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
Those scripts are used by Cpanel to move accounts. Nothing malicious about them.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
-
05-08-2004, 10:24 PM #5Web Hosting Master
- Join Date
- Feb 2004
- Posts
- 1,269
Originally posted by sprintserve
Those scripts are used by Cpanel to move accounts. Nothing malicious about them.
-
05-08-2004, 10:31 PM #6Disabled
- Join Date
- Feb 2004
- Location
- Denton, Texas -
- Posts
- 215
Originally posted by sprintserve
Those scripts are used by Cpanel to move accounts. Nothing malicious about them.
Nothing to worry about.
------
On another note... why do people comment on such topics when they are not up to speed? People just slap on a name tag and voilà, admin for hire. That's scary.
-
05-08-2004, 10:45 PM #7Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Still doesn't justify why his public_html directory is gone.
-
05-08-2004, 11:15 PM #8Disabled
- Join Date
- Feb 2004
- Location
- Denton, Texas -
- Posts
- 215
Originally posted by thelinuxguy
still does not justify why his public_html directory is gone
It only removed the cpdownload directory.
This is not directly related to the problem. It looks to me like the guy (the account in question) is moving. He may have deleted it, or someone acting for him may have done so. Maybe they failed to check that the transfer went as expected before they deleted the dir.
Who knows.
-----------------------------
Darn ergonomic keyboard!
-
05-09-2004, 11:04 AM #9WHT Addict
- Join Date
- Apr 2004
- Posts
- 149
more about
I asked the cPanel support team; this script is not by cPanel.
The hacker logged in to the account using pure_ftp
from IP 69.57.134.84,
and this IP is not from my server.
dnsstuff tells me this IP is from ev1servers.net.
My server is at managed.com,
so this is a hack job. Thanks
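The post above reaches its conclusion from two observations: which IP the FTP login came from, and what that session wrote into cgi-bin. The following is an added example, not code from the original thread or from cPanel, showing how an admin would pull exactly those two facts out of a pure-ftpd log. It assumes pure-ftpd's default syslog line shape, "pure-ftpd: (user@ip) [LEVEL] message"; the log lines, the account names, the documentation-range IP addresses and the TRUSTED_NETS list are all constructed for the example.

```python
"""Triage a pure-ftpd log: who logged in from where, and what landed in a cgi-bin."""
import ipaddress
import re

# Assumption: pure-ftpd's default syslog format, "pure-ftpd: (user@ip) [LEVEL] message".
LINE_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@)]*)@(?P<ip>[^)]+)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded\s+\(")

# Constructed sample lines (documentation-range IPs, not real log data).
SAMPLE_LOG = """\
May  8 09:12:02 srv pure-ftpd: (?@198.51.100.23) [INFO] client1 is now logged in
May  8 09:12:05 srv pure-ftpd: (client1@198.51.100.23) [NOTICE] /home/client1//public_html/cgi-bin/cpanelkill.cgi uploaded  (1124 bytes, 12.30KB/sec)
May  8 09:12:06 srv pure-ftpd: (client1@198.51.100.23) [NOTICE] /home/client1//public_html/cgi-bin/.htaccess uploaded  (96 bytes, 1.00KB/sec)
May  8 09:15:00 srv pure-ftpd: (client1@198.51.100.23) [INFO] Logout.
May  8 10:30:11 srv pure-ftpd: (?@203.0.113.7) [INFO] client2 is now logged in
May  8 10:30:20 srv pure-ftpd: (client2@203.0.113.7) [NOTICE] /home/client2//public_html/index.html uploaded  (512 bytes, 5.00KB/sec)
May  8 10:31:00 srv pure-ftpd: (client2@203.0.113.7) [INFO] Logout.
"""

# Assumption: networks the admin considers legitimate sources of FTP logins
# (their own server, office, or the customer's known ranges).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Return (user, ip, level, msg) for a pure-ftpd line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip"), m.group("level"), m.group("msg")


def ip_is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def triage(log_text, trusted_nets=TRUSTED_NETS):
    """Collect logins and cgi-bin uploads, each tagged with whether its source IP is trusted.

    Returns {"logins": [{"user","ip","trusted"}], "cgi_uploads": [{"user","ip","path","trusted"}]}.
    """
    logins, cgi_uploads = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user_field, ip, _level, msg = parsed
        login = LOGIN_RE.match(msg)
        if login:
            # On the login line the "(user@ip)" field is still "?", so take the name from the message.
            logins.append({"user": login.group("user"), "ip": ip,
                           "trusted": ip_is_trusted(ip, trusted_nets)})
            continue
        upload = UPLOAD_RE.match(msg)
        if upload:
            # Collapse doubled slashes (pure-ftpd joins the chroot and the relative path with "//")
            # so the cgi-bin test works on a clean absolute path.
            path = re.sub(r"/{2,}", "/", upload.group("path"))
            if "/cgi-bin/" in path:
                cgi_uploads.append({"user": user_field, "ip": ip, "path": path,
                                    "trusted": ip_is_trusted(ip, trusted_nets)})
    return {"logins": logins, "cgi_uploads": cgi_uploads}


def untrusted_sessions(report):
    """Set of (user, ip) pairs that logged in from outside the trusted networks."""
    return {(entry["user"], entry["ip"]) for entry in report["logins"] if not entry["trusted"]}


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for user, ip in sorted(untrusted_sessions(rep)):
        print(f"login from outside trusted ranges: {user} from {ip}")
    for up in rep["cgi_uploads"]:
        flag = "" if up["trusted"] else "  <-- from untrusted IP"
        print(f"cgi-bin write by {up['user']}@{up['ip']}: {up['path']}{flag}")
```

Run against the real log the same way (`triage(open("/var/log/messages").read())`). A cgi-bin upload from an untrusted address is the combination worth investigating; a cgi-bin upload from a trusted address, as post #10 argues for the cPanel transfer tool, is the benign case this separates out.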
-
05-09-2004, 11:08 AM #10Disabled
- Join Date
- Feb 2004
- Location
- Denton, Texas -
- Posts
- 215
Re: more about
Originally posted by linuxlover
I asked the cPanel support team; this script is not by cPanel.
The hacker logged in to the account using pure_ftp
from IP 69.57.134.84,
and this IP is not from my server.
dnsstuff tells me this IP is from ev1servers.net.
My server is at managed.com,
so this is a hack job. Thanks
This will show as an FTP login because that's basically how the process works. It was done using the cPanel transfer tool. It is not a hack by any stretch.