-
10-07-2009, 08:58 PM #1 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
Hacked by c99 shell on cPanel server --- HELP!
Somebody was somehow able to upload c99.php to these 2 folders:
/usr/local/cpanel/lang/
/var/cpanel/lang.cache/
I have these functions disabled:
ini_set,symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd
I tried the c99.php myself and wasn't able to browse to any other folders including /usr/local/cpanel/lang/
So how was this possible?
-
10-07-2009, 09:26 PM #2 Junior Guru Wannabe (Join Date: Aug 2009; Posts: 50)
What version of cPanel, and what is your OS?
-
10-07-2009, 09:28 PM #3 Junior Guru Wannabe (Join Date: Aug 2009; Posts: 50)
Oh, I forgot: and your kernel. To get this info, run these commands as root:
/usr/local/cpanel/cpanel -V
cat /etc/redhat-release
uname -r
-
10-07-2009, 09:42 PM #4 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
11.24.5-STABLE_38506
CentOS release 5.3 (Final)
2.6.18-128.el5PAE
-
10-07-2009, 09:45 PM #5 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
10-07-2009, 11:21 PM #6 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
OK but what else do I need to do in the meantime to prevent them from uploading to that folder?
What am I missing security wise besides the outdated kernel?
-
10-07-2009, 11:25 PM #7 Web Hosting Master (Join Date: Oct 2007; Posts: 2,349)
Mod_security -- do you have it installed?
www.24x7servermanagement.com
Server Management, Server Security, Server Monitoring.
India's Leading Managed Service Provider !! Skype: techs24x7
-
10-07-2009, 11:35 PM #8 Junior Guru (Join Date: Jun 2008; Posts: 205)
-
10-08-2009, 02:25 AM #9 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
How do I check if mod_security is installed or not?
-
10-08-2009, 02:34 AM #10 Temporarily Suspended (Join Date: May 2005; Location: Alabama; Posts: 152)
In WHM, go down to Plugins and you should see Mod_security.
-
10-08-2009, 02:43 AM #11 Web Hosting Master (Join Date: Apr 2002; Location: Auckland - New Zealand; Posts: 1,575)
If c99 shell is in those directories, then it's likely apache is not the culprit, but cpanel is. Which uid owns the files?
-
10-08-2009, 02:58 AM #12 Junior Guru Wannabe (Join Date: Oct 2009; Location: UK - London; Posts: 73)
Find out which user has put it there (if you still have it on your server):
ls -l /usr/local/cpanel/lang/c99.php
-
10-08-2009, 03:03 AM #13 Web Hosting Master (Join Date: Apr 2002; Location: Auckland - New Zealand; Posts: 1,575)
Indeed. Upgrade cPanel and your kernel, establish who owns the files, and then log an emergency ticket with cPanel to check it out, if you don't currently have a sysadmin capable of doing some investigation.
-
10-08-2009, 03:25 AM #14 Newbie (Join Date: Oct 2009; Posts: 5)
Check the phpinfo page to see if mod_security is enabled.
-
10-08-2009, 03:27 AM #15 Web Hosting Master (Join Date: Apr 2002; Location: Auckland - New Zealand; Posts: 1,575)
Posts like the last one should be discounted.
Welcome to WHT, but please post relevant details if you're replying in the technical section.
-
10-11-2009, 06:11 AM #16 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
I have mod_security installed, but there's nothing logged when I click on it in WHM.
The hacker made several reseller accounts owned by root, and was also able to change my hostname, DNS, and admin email, create new packages, etc. Basically he had full root access in WHM, I believe.
-
10-11-2009, 07:11 AM #17 Web Hosting Master (Join Date: Apr 2002; Location: Auckland - New Zealand; Posts: 1,575)
Did you read any suggestions in this thread other than the ones for mod_security?
Anyway, how did you get this cleaned up? I assume you had someone fix it, or you got a restore done?
-
10-11-2009, 12:08 PM #18 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
Because your kernel is root vulnerable! You obviously didn't listen the first time and brushed it off.
The server is now compromised. It probably has some root backdoors installed.
Once mod_security is installed, you have to manually configure it.
Mod_security works for Apache only; it does not work for WHM.
If you have something like rvskin installed, it's also possible that it was exploited. There have been exploits in the past.
-
10-11-2009, 12:16 PM #19 WHT Addict (Join Date: Mar 2009; Location: London, UK; Posts: 134)
Code:
find / -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
►► Magmahost ►► Professional & Affordable Shared, Reseller Services.
»» Performance, Reliability, Stability. Your data is safe with us.
»» 99.9 Uptime | Extremely Secure | 24/7 Support | LiteSpeed
★★★ Hosting anyone can afford. ★★★ UK AND USA SERVERS
-
10-11-2009, 12:26 PM #20 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
Bad idea. Encrypted files such as Kayako will show up.
[root@barricade support]# find -name "*".php -type f -print0 | xargs -0 grep c99 | uniq -c | sort -u | cut -d":" -f1
1 ./includes/functions_html.php
1 ./includes/functions_language.php
1 ./includes/functions.php
1 ./includes/functions_users.php
1 ./includes/IMC/Parse.php
1 ./includes/LoginShare/vipercart.login.php
1 ./modules/core/client_changepassword.php
1 ./modules/core/staff_privatemessages.php
1 ./modules/core/staff_users.php
1 ./modules/knowledgebase/functions_knowledgebase.php
1 ./modules/knowledgebase/staff_categories.php
1 ./modules/news/functions_news.php
1 ./modules/parser/admin_parser.php
1 ./modules/parser/cron_parser.php
1 ./modules/teamwork/functions_calendar.php
1 ./modules/tickets/functions_attachments.php
1 ./modules/tickets/functions_ticketmain.php
1 ./modules/tickets/functions_wap.php
1 ./modules/tickets/mobile_initexit.php
1 ./modules/tickets/staff_manage.php
1 ./modules/tickets/staff_search.php
1 ./modules/tickets/staff_ticketactions.php
[root@barricade support]#
modules/tickets/staff_manage.php+2Ao7otW7QNad+r/hIej9GF96pgusEgc99rAfEpjC0jMpZqvL7E4rUzBvwqQFO3Lj0cpj+XVCMM
The best solution is to install ClamAV and run a clamscan. c99, among other PHP shells, is picked up by ClamAV.
-
10-11-2009, 01:55 PM #21 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
All of the damage was already done before I even posted this thread. This was done by the same person who used the c99 shell; the c99.php was found in his account, and he made the hostname changes, DNS changes, packages, etc. using the same account name.
My server is fully managed, and I did notify the DC about this issue.
The server has not been cleaned up; I merely deleted/reversed the accounts/packages/DNS/hostname/etc. the hacker did. I ran chkrootkit and rkhunter, and there don't seem to be any hits.
Mod_security can help prevent, or make it more difficult for, c99 shells to run, correct? So I have it installed, but how do I set it up? I thought there was a rule set I can download?
-
10-11-2009, 02:00 PM #22 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
Mod_security is only effective if c99 is being run through Apache. From your past posting, it was located in cPanel-related directories. If it was executed through cPanel (it's possible), mod_security won't block it.
You need to find out how it was initially exploited and patch the hole, rather than putting a hack fix in place to stop c99.
-
10-11-2009, 02:34 PM #23 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
My kernel is now updated to 2.6.18-164.el5PAE. Is this root vulnerable?
-
10-11-2009, 02:36 PM #24 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
-
10-11-2009, 03:14 PM #25 Web Hosting Master (Join Date: Apr 2009; Posts: 1,321)
My fully managed tech support is saying that mod_security is a module and there's nothing to configure after it's installed?
How do I install the mod_security rules?
Install instructions:
http://www.atomicorp.com/wiki/index....Security_Rules
I can't find modsecurity.conf in the server.