Page 1 of 2 12 LastLast
Results 1 to 25 of 28
  1. #1
    Join Date
    Apr 2009
    Posts
    1,321

    Hacked by c99 shell on cPanel server --- HELP!

    Somebody was somehow able to upload c99.php to these 2 folders:
    /usr/local/cpanel/lang/
    /var/cpanel/lang.cache/

    I have these functions disabled:
    ini_set,symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd

    I tried the c99.php myself and wasn't able to browse to any other folders including /usr/local/cpanel/lang/

    So how was this possible?

  2. #2
    Join Date
    Aug 2009
    Posts
    50
    What version of cPanel and what is your OS?

  3. #3
    Join Date
    Aug 2009
    Posts
    50
    Oh, forgot: and your kernel. To get this info, run these commands as root:

    /usr/local/cpanel/cpanel -V
    cat /etc/redhat-release
    uname -r

  4. #4
    Join Date
    Apr 2009
    Posts
    1,321
    11.24.5-STABLE_38506
    CentOS release 5.3 (Final)
    2.6.18-128.e15PAE

  5. #5
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by chasebug:
    11.24.5-STABLE_38506
    CentOS release 5.3 (Final)
    2.6.18-128.e15PAE
    First off... that kernel is vulnerable to root exploits.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  6. #6
    Join Date
    Apr 2009
    Posts
    1,321
    OK but what else do I need to do in the meantime to prevent them from uploading to that folder?

    What am I missing security-wise besides the outdated kernel?

  7. #7
    Mod_security -- do you have it installed?
    www.24x7servermanagement.com
    Server Management, Server Security, Server Monitoring.
    India's Leading Managed Service Provider !! Skype: techs24x7

  8. #8
    Join Date
    Jun 2008
    Posts
    205

  9. #9
    Join Date
    Apr 2009
    Posts
    1,321
    How do I check if mod_security is installed or not?

  10. #10
    Join Date
    May 2005
    Location
    Alabama
    Posts
    152
    In WHM go down to Plugins and you should see Mod_security.

  11. #11
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    If the c99 shell is in those directories, then it's likely Apache is not the culprit, but cPanel is. Which uid owns the files?

  12. #12
    Join Date
    Oct 2009
    Location
    UK - London
    Posts
    73
    Find out which user has put it there (if you still have it on your server):

    ls -l /usr/local/cpanel/lang/c99.php

  13. #13
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Indeed. Upgrade cPanel and your kernel, establish who owns the files and then log an emergency ticket with cPanel to check it out, if you don't currently have a sysadmin capable of doing some investigation.

  14. #14
    Check the phpinfo page to see if mod_security is enabled.

  15. #15
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Posts like the last one should be discounted.

    Welcome to WHT.. but please post relevant details if you're replying in the technical section.

  16. #16
    Join Date
    Apr 2009
    Posts
    1,321
    I have mod_security installed but there's nothing logged when I click on it in WHM.

    The hacker made several reseller accounts owned by root, and was also able to change my hostname, DNS and admin email, create new packages, etc. Basically he had full access to root in WHM, I believe.

  17. #17
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Did you read any suggestions in this thread other than the ones for mod_security?

    Anyway, how did you get this cleaned up? I assume you had someone fix it or you got a restore done.

  18. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by chasebug:
    I have mod_security installed but there's nothing logged when I click on it in WHM.

    The hacker made several reseller accounts owned by root, and was also able to change my hostname, DNS and admin email, create new packages, etc. Basically he had full access to root in WHM, I believe.
    Because your kernel is root vulnerable..!! You obviously didn't listen the first time and brushed it off.

    The server is now compromised. It probably has some root backdoors installed.

    Once mod_security is installed you have to manually configure it.

    Mod_security works for Apache only; it does not work for WHM.

    If you have something like rvskin installed, it's also possible that it was exploited. There have been exploits in the past.
    Last edited by Steven; 10-11-2009 at 12:12 PM.

  19. #19
    Join Date
    Mar 2009
    Location
    London, UK
    Posts
    134
    Code:
    find /  -name "*".php  -type f -print0  | xargs -0 grep c99 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq
    That should find all the c99s on your server.
    ►► Magmahost ►► Professional & Affordable Shared, Reseller Services.
    »» Performance, Reliability, Stability. Your data is safe with us.
    »» 99.9 Uptime | Extremely Secure | 24/7 Support | LiteSpeed
    ★ Hosting anyone can afford. ★ UK AND USA SERVERS

  20. #20
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by MH-Andy:
    Code:
    find /  -name "*".php  -type f -print0  | xargs -0 grep c99 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq
    That should find all the c99s on your server.
    Bad idea. Encrypted files such as Kayako will show up.

    [root@barricade support]# find -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1
    1 ./includes/functions_html.php
    1 ./includes/functions_language.php
    1 ./includes/functions.php
    1 ./includes/functions_users.php
    1 ./includes/IMC/Parse.php
    1 ./includes/LoginShare/vipercart.login.php
    1 ./modules/core/client_changepassword.php
    1 ./modules/core/staff_privatemessages.php
    1 ./modules/core/staff_users.php
    1 ./modules/knowledgebase/functions_knowledgebase.php
    1 ./modules/knowledgebase/staff_categories.php
    1 ./modules/news/functions_news.php
    1 ./modules/parser/admin_parser.php
    1 ./modules/parser/cron_parser.php
    1 ./modules/teamwork/functions_calendar.php
    1 ./modules/tickets/functions_attachments.php
    1 ./modules/tickets/functions_ticketmain.php
    1 ./modules/tickets/functions_wap.php
    1 ./modules/tickets/mobile_initexit.php
    1 ./modules/tickets/staff_manage.php
    1 ./modules/tickets/staff_search.php
    1 ./modules/tickets/staff_ticketactions.php
    [root@barricade support]#
    Example:

    modules/tickets/staff_manage.php+2Ao7otW7QNad+r/hIej9GF96pgusEgc99rAfEpjC0jMpZqvL7E4rUzBvwqQFO3Lj0cpj+XVCMM

    The best solution is to install ClamAV and run a clamscan. c99, among other PHP shells, is picked up by ClamAV.
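As an added example (not from the thread and not anyone's posted code), this Python triage script takes Steven's objection seriously: it reports suspect PHP files with their owner and mtime for review (the `ls -l` check suggested earlier) instead of generating `rm -rf` commands, and it masks long base64-looking runs so an encoded file like the Kayako sources above does not count as a hit. The sample file contents, the 40-character masking threshold and the token heuristic are assumptions made for the example.

```python
"""Triage helper (hypothetical, not from the thread): report suspect PHP files with
owner and mtime for review instead of piping them into rm -rf, and skip a 'c99' that
only occurs inside a long base64-looking run (the encoded Kayako false positive)."""
import os
import pwd
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# Constructed sample contents: an encoded line modelled on the Kayako example from the
# thread, and a harmless marker line standing in for a real shell (no shell code here).
KAYAKO_LINE = (b'<?php $enc="2Ao7otW7QNad+r/hIej9GF96pgusEgc99rAfEpjC0jMpZqvL7E4r'
               b'UzBvwqQFO3Lj0cpj+XVCMM";\n')
SHELL_LINE = b'<?php\n// c99shell - constructed marker for the example\n'

NAIVE_RE = re.compile(rb'c99')                   # what `grep c99` matches
B64_RUN_RE = re.compile(rb'[A-Za-z0-9+/=]{40,}')  # long encoded-looking runs
TOKEN_RE = re.compile(rb'(?<![A-Za-z0-9+/=])c99', re.IGNORECASE)  # c99 starts a token

def naive_hit(data: bytes) -> bool:
    """Substring match anywhere, including inside encoded blobs (the thread's pipeline)."""
    return NAIVE_RE.search(data) is not None

def refined_hit(data: bytes) -> bool:
    """Mask long base64-like runs, then require c99 at the start of a token."""
    return TOKEN_RE.search(B64_RUN_RE.sub(b' ', data)) is not None

def triage(root: str) -> List[Dict[str, str]]:
    """Walk root for *.php and list suspects with owner and mtime; nothing is deleted."""
    findings = []
    for path in sorted(Path(root).rglob('*.php')):
        if path.is_file() and refined_hit(path.read_bytes()):
            st = path.stat()
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = str(st.st_uid)  # uid with no passwd entry: worth a closer look
            mtime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(st.st_mtime))
            findings.append({'path': str(path), 'owner': owner, 'mtime': mtime})
    return findings

def demo() -> List[str]:
    """Build the constructed tree in a temp dir and return the basenames triage flags."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'includes'))
        Path(root, 'c99.php').write_bytes(SHELL_LINE)
        Path(root, 'includes', 'staff_manage.php').write_bytes(KAYAKO_LINE)
        return [os.path.basename(f['path']) for f in triage(root)]
```

Run `triage('/')` as root to get a review list; a file owned by an unexpected uid, or by root in a user's directory, is the kind of finding the thread asks about, and ClamAV remains the better signature-based check.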

  21. #21
    Join Date
    Apr 2009
    Posts
    1,321
    Quote Originally Posted by Steven:
    Because your kernel is root vulnerable..!! You obviously didn't listen the first time and brushed it off.

    The server is now compromised. It probably has some root backdoors installed.

    Once mod_security is installed you have to manually configure it.

    Mod_security works for Apache only; it does not work for WHM.

    If you have something like rvskin installed, it's also possible that it was exploited. There have been exploits in the past.


    All of the damage was already done before I even posted this thread. This was done by the same person who used the c99 shell; the c99.php was found in his account and he made hostname changes, DNS changes, packages, etc. using the same account name.

    My server is fully managed and I did notify the DC about this issue.

    The server has not been cleaned up; I merely deleted/reversed the accounts/packages/DNS/hostname/etc. the hacker did. I ran chkrootkit and rkhunter and there don't seem to be any hits.

    Mod_security can help prevent or make it more difficult for c99 shells to run, correct? So I have it installed, but how do I set it up? I thought there was a rule set I can download?

  22. #22
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by chasebug:
    All of the damage was already done before I even posted this thread. This was done by the same person who used the c99 shell; the c99.php was found in his account and he made hostname changes, DNS changes, packages, etc. using the same account name.

    My server is fully managed and I did notify the DC about this issue.

    The server has not been cleaned up; I merely deleted/reversed the accounts/packages/DNS/hostname/etc. the hacker did. I ran chkrootkit and rkhunter and there don't seem to be any hits.

    Mod_security can help prevent or make it more difficult for c99 shells to run, correct? So I have it installed, but how do I set it up? I thought there was a rule set I can download?
    Mod_security is only effective if c99 is being run through Apache. From your past posting, it was located in cPanel-related directories. If it was executed through cPanel (it's possible), mod_security won't block it.

    You need to find out how it was initially exploited and patch the hole rather than putting a hack fix in place to stop c99.

  23. #23
    Join Date
    Apr 2009
    Posts
    1,321
    My kernel is now updated to 2.6.18-164.e15PAE is this root vulnerable?

  24. #24
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by chasebug:
    My kernel is now updated to 2.6.18-164.e15PAE is this root vulnerable?
    No, but it doesn't mean there's not another root exploit on the server now.

  25. #25
    Join Date
    Apr 2009
    Posts
    1,321
    My fully managed tech support is saying that mod_security is a module and there's nothing to configure after it's installed?


    How do I install the mod_security rules?

    Install instructions:
    http://www.atomicorp.com/wiki/index....Security_Rules

    I can't find modsecurity.conf in the server.
