Track Perl Hacking Script
May 19, 2008
I have FreeBsd with Cpanel.someone is running attacking perl script from my server.Below is information about that script but it shows / path in command lsof -p 30251 | grep cwd.
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
29018 root 96 0 35968K 30528K select 0:03 2.71% 2.69% perl
newinst# lsof -p 30251 | grep cwd
lsof: WARNING: compiled for FreeBSD release 5.5-STABLE; this is 5.3-RELEASE.
perl 29018 root cwd VDIR 4,12 1024 2 /
newinst# ls -la / | more
total 22413
drwxr-xr-x 25 root wheel 1024 May 16 03:23 .
drwxr-xr-x 25 root wheel 1024 May 16 03:23 ..
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black.bak
-rw-r--r-- 2 root wheel 801 Nov 5 2004 .cshrc
-rw-r--r-- 1 root wheel 355 Feb 21 2007 .new
-rw-r--r-- 2 root wheel 251 Nov 5 2004 .profile
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db.bak
drwxrwxr-x 2 root operator 512 Jul 19 2005 .snap
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db.bak
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white.bak
-r--r--r-- 1 root wheel 6184 Nov 5 2004 COPYRIGHT
drwx--x--x 3 root wheel 512 Aug 20 2005 backup
drwxr-xr-x 2 root wheel 1024 Dec 28 2006 bin
drwxr-xr-x 5 root wheel 512 Jul 19 2005 boot
drwxr-xr-x 2 root wheel 512 Jul 19 2005 cdrom
lrwxr-xr-x 1 root wheel 10 Jul 19 2005 compat -> usr/compat
-rw-r--r-- 1 root wheel 177 Dec 5 12:15 cpgd.c
dr-xr-xr-x 4 root wheel 512 May 16 16:23 dev
drwxr-xr-x 2 root wheel 512 Jul 19 2005 dist
-rw------- 1 root wheel 4096 May 13 15:58 entropy
drwxr-xr-x 28 root wheel 4608 May 19 11:57 etc
drwx--x--x 501 root wheel 9216 May 19 01:33 home
drwxr-xr-x 3 root wheel 1024 Jul 19 2005 lib
drwxr-xr-x 2 root wheel 512 Jul 19 2005 libexec
drwxr-xr-x 2 root wheel 512 Nov 5 2004 mnt
drwxr-xr-x 3 root wheel 512 Jul 21 2005 nonexistent
drwxr-xr-x 8 root wheel 512 Oct 30 2007 opt
-rw------- 1 root wheel 22786048 May 16 04:51 perl.core
dr-xr-xr-x 1 root wheel 0 May 19 11:57 proc
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 rescue
drwxr-xr-x 13 root wheel 1024 May 19 01:33 root
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 sbin
drwxr-xr-x 5 root wheel 13824 May 19 01:22 scripts
drwxr-xr-x 4 root wheel 1024 Jul 19 2005 stand
lrwxrwxrwx 1 root wheel 11 Jul 19 2005 sys -> usr/src/sys
drwxrwxrwt 9 root wheel 31744 May 19 11:57 tmp
drwxr-xr-x 21 root wheel 512 Dec 5 12:12 usr
drwxrwxrwx 24 root wheel 512 May 16 16:24 var
where it is localted at/path.
View 10 Replies
ADVERTISEMENT
Apr 7, 2007
My server currently has some problems with DNS/mail, which i can't seem to fix myself. My colocation host offered to help me by giving him root access, but i don't know him very well yet. Is there some kind of script/logtool so i can track everything he did on the server? I don't want him snooping around through my webfiles and databases...
View 13 Replies
View Related
May 25, 2009
Can anyone please tell me how dangerous in fact Apache's TRACE and TRACK functions?
I have read common explanation but would disabling TRACK and TRACE improve my server's ability to fight cross site scripting and similar attacks and make it more secure?
View 1 Replies
View Related
Mar 23, 2009
I'm small hosting provider. On one dedicated server I have around 100 cPanel accounts.
That server is under constant, although not powerful DoS attack.
Since my company domain is not targeted on another server I believe that it is not me but one of my customers that attack is against.
Is there a way, tool, service provider than can help me pin down which account is being hit?
All accounts are on server main shared IP.
Would spreading them on another IPs help? Or would I still see attacks only on main shared IP?
View 7 Replies
View Related
Jun 27, 2009
I'd like to know, is there any way to know about hosting provider, if we have only ip address of the server. i.e.
66.63.181.74 - this is the ip address of my website server, how can i trace the service provider who is giving this hosting service?
View 6 Replies
View Related
Oct 29, 2009
I have a few shred hosting servers I run. One of them keeps getting listed on CBL. It is very frustrating. Does anyone have an tools, tips, or tricks on finding the compromised?
So far I have confirmed that a script is using PHP to send mail out bypassing the MTA. It is faking the HELO and impersonating a well known ISP.
I used a combination of tshark and netstat. tshark can show me the HELO and EHLO. When I see the wrong entry I cross check that with netstat to see what. So Netstat only shows that it was PHP not the script path.
Here are the commands I'm running:
Code:
nohup netstat -c -p -n -e | grep -i ":25" > /var/log/monitor/netstat-smtp.log &
nohup tshark -f "port 25 and src host XX.XX.XX.XX" > /var/log/monitor/tshark-smtp.log &
Then I grep for what I'm looking for:
grep -i "HELO" /var/log/monitor/tshark-smtp.log
Is there a way to get Netstat to show the script path or complete command that is establishing the connection? Currently these scripts are eating up memory to a point that other process or getting killed off.
I also tried to force all mail through the MTA, but When I enable SMTP_BLOCK in my firewall config I get and error:
*WARNING* Cannot use SMTP_BLOCK on this VPS as the Monolithic kernel does not support the iptables module ipt_owner - SMTP_BLOCK disabled.
If there is a better way I'm game. Maybe some IDS that can tell me more of what is going on with the server?
View 14 Replies
View Related
Oct 2, 2008
I am currently developing a web application on a WAMP server. Once complete my client will have some in-house "programmers" make changes to the code as they are needed.
My client wants to track all changes made to the source files (ie- who made the change, when it was made, what files were modified, and what specific lines were added/removed/modified). Also, the program must run on the server and not the programmers computers.
I've searched high and low and only found a couple programs that scratch the surface of what they want.
View 4 Replies
View Related
Aug 10, 2008
how exactly email works. For example, I set my mx record to google apps in order to use google mail with my own domain. Thing is, I can sent from google mail now with my domain email address but cannot send. Furthermore, login to my website email bij www.domain.com/webmail is possible but receiving is impossible and even sending email from that place will not work.
Thinking about it it seems that email is lost
google can send but not receive
from my domain webmail i cannot receive nor send.
View 9 Replies
View Related
Aug 29, 2007
Is there a way I can track the HTTP traffic to which domain is running with high traffic. Due to traffic load I/O wait is increasing. I want to suspend the domain that have the large traffic to avoid down time.
View 4 Replies
View Related
Feb 8, 2007
I've done plenty of searching on DDoS attacks and from what I've found so far it seems that it's "very difficult" track down the person(s) responsible for the attack.
My question is this - could someone actually do it if they were qualified enough? Would a hacker who is well versed in the techniques used be able to find the person(s)? Or is it just simply impossible sometimes?
View 3 Replies
View Related
Jun 16, 2013
I just installed Apache 2.4.4 and it seems to run fine overall. But in my error.log I get about 3 of these every hour or so.error.log:[Sat Jun 15 20:57:44.095961 2013] [core:notice] [pid 31400:tid 16384] AH00052: child pid 1971 exit signal Segmentation fault (11)
track down what causes this? What module? vhost?Otherwise the server seems to run fine. It's on Linux with PHP 5.3.26 and MySQL 5.1.
View 2 Replies
View Related
Sep 28, 2006
I'm working on setting something up for monitoring my bandwidth/traffic on multiple interfaces. I have setup interface aliases so I have eth0, eth0:0, eth0:1 and the issue I'm running into is that it seems snmp cannot tell the diff between the aliased interfaces. I've found references in the cacti forums of using ipchains rules to track the bandwidth, but I've not found a good howto that explains what I need to get going on this.
Any clues/hints?
View 0 Replies
View Related
Oct 7, 2007
What script/application can I install on my linux box to track the bandwidth per each domain?
I currently have no CP, on lighttpd.
View 2 Replies
View Related
May 18, 2007
I'd like to track the email user agents that our clients use. Basically, I'd like to have something that looks like that:
[url]
View 3 Replies
View Related
May 29, 2007
Logwatch says I send out about 3k emails each day and that is a ridiculous amount. I use postfix and do not run any sort of relay, even for myself. I have IPB 2.2.2, Wordpress 2.0.4, and Gallery 2.x.
How can I track down where these messages are originating from? Or perhaps I am reading my LogWatch file incorrectly?
Quote:
--------------------- postfix Begin ------------------------
17999281 bytes transferred
2460 messages sent
26 messages expired and returned to sender
145 messages removed from queue
Top ten senders:
24 messages sent by:
apache (uid=48):
2 messages sent by:
root (uid=0):
View 4 Replies
View Related
Aug 9, 2007
I'm wondering if theres anything I can install on the server that will either filter or track outgoing spam. I don't want to limit the number of emails sent per hour or anything, I just want to be able to maybe search through some flagged emails or something. Or if they send the exact same email more than x times it can disable their account... I'm not sure
View 1 Replies
View Related
May 7, 2009
today i have a lot of hacking on my server .
i searched for shell scripts on the server , and i found alot of it :
[root@host svt]# ls -l
total 48
-rw-r--r-- 1 koky koky 6700 May 7 08:14 s.php
lrwxrwxrwx 1 koky koky 48 May 7 08:07 s1 -> /home/user1/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:12 s2 -> /home/user2/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 48 May 7 08:19 s3 -> /home/user3/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:37 s5 -> /home/user4/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 49 May 7 08:49 s6 -> /home/user5/public_html/vb/includes/config.php
-rw-r--r-- 1 koky koky 13199 May 7 07:59 ss.php
-rwxr-xr-x 1 koky koky 23005 May 7 07:58 svt.svt
as u can see he uploaded the files on this account "koky" and redirected this files to user1,user2,user3,user4 and user5 accounts .
and he could read the config.php and then hacked the site easly !!
i read befor that the reason of this is Perl on the server , and the way to solve it to edit httpd.conf by adding this in it :
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
and then restart the http :
service httpd restart
i did all of that , and when i restarted http it said :
[root@host www]# service httpd restart
Syntax error on line 51 of /usr/local/apache/conf/httpd.conf:
Invalid command 'Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch', perhaps misspelled or defined by a module not included in the server configuration
and all the sites got down !
i deleted :
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
from httpd.conf and then sites worked correctly .
so you all know my problem now ! and i think alot of you have the same problem , so i wish we all try to find any solution for this and knows the best way to protect pel on the server .
View 5 Replies
View Related
Jul 16, 2008
Often when it comes to choosing or recommending a host, I tend to favor the ones that are larger, and more established such as Hotgator or Downtown Host. But in some other threads, I have seen plenty of people swear by some smaller hosts. Are there some good examples of small hosts that have been around for 3 or more years and have a great reputation?
View 12 Replies
View Related
Feb 6, 2009
a site i manage for a client is being hacked every couple of days, its not the actual site but the hosts server thats getting attacked, all sites on that server, well actually all thier servers.
They have made no attempt to sort this problem, i report it they look at the site and say "site loads fine for us" which it does.
All index files are having a base64 encode line written after the <body> tag, this adds hundreds of spam links which are hidden with display:none; they also add .html to application types in htaccess for php to run in these files too.
Problem is, i am moving the site to another host but cannot change the nameservers to the new host's untill the client returns from a holiday, so i must keep the site up on the insecure host for now.
I am removing the spam code almost daily, is there anyway i can stop this attack happening for the time being, the host does nothing.
View 14 Replies
View Related
Jun 8, 2009
As well all know there has been a hypervm exploit which may have taken down fsckvps and other hosts have been having attacks. If possible install any program that will warn you of a connection to your server and or provide input on what it may or may not be.
I myself Just had a blank php format file uploaded to a clients vps and It tried accessing other vps servers. As far as I know the ip was rapidly changing and untraceable (this may or may not be from the exploit), If anyone else is having hypervm attacks or server attacks please post here so instead of working within our own company's we are working as a group of over 10 thousand+ wht members to solve this issue ourselves.
(mods may move this wherever)
View 14 Replies
View Related
Jan 15, 2008
i have a server and these days my server is hacking by the hacker the problem is, chmod 777, there are many dir's with the chmod 777 and hacker is uploading files and creating folders under the folder which is created with chmod 777, now i just want to know how i can block the hacker, and is there any way to allow the scripts which in my server and not allow any other scripts to upload files in my server
i have linux server
View 14 Replies
View Related
Feb 22, 2007
my referals logs that I keep on a website, I have come accross the following this morning, Is this some one who is trying to gain access to the server etc.
[url]
[url]
[url]
[url]
[url]
I have the Ip addresses that they have come from and it resolves to a Russian (I Think) website.
Im just looking through all the folders on the server now and no data has been comprimised as far as I can see and im going to use the query strings in order to block access and also deny access via ip address.
View 1 Replies
View Related
Jun 27, 2007
alot of Databases in my server was hacked
Hacker can edit tables
Are there any any ports in MYSQL4?
View 14 Replies
View Related
Jun 20, 2007
Alot of VB forums have hacking every day
In fact All hackers couldn't hack databases or files
They only edit one template in style like header or forumhome
So Uploading style again resolve the problem
But How can I disallow them to to edit templates
Any functiond to disable or rule for mod_sec ?
View 4 Replies
View Related
Sep 13, 2007
see the log entries below:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i""
1.2.3.4 - -[12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url]HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"
1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"
What can you say from the above log entries?
View 1 Replies
View Related
Nov 29, 2007
I keep reading all these devastating posts about people's machines being compromised. Are most of these hacks due to weak passwords of administrators or clients which end up getting bruted, or are there known exploits for cpanel/plesk/apache etc? I am setting up an apache-only server with a really secure password, but I am wondering if it could still be breached using an exploit.
View 14 Replies
View Related
Apr 25, 2007
Purely by accident I logged in a few minutes ago onto my server and ran a 'ps -ax'
At the very end I had the following lines:
29803 ? S 0:00 /bin/sh /usr/local/sbin/bfd -s
29804 ? D 0:00 /bin/sh /usr/local/bfd/tlog /var/log/secure sshd.4
29805 ? S 0:00 grep sshd
29807 ? S 0:00 grep -viw error: Bind
29808 ? S 0:00 sed s/::ffff://
29814 ? S 0:00 grep -iw Illegal user
29816 ? S 0:00 grep -iwv Failed password for illegal user
29817 ? S 0:00 grep -iwf /usr/local/bfd/pattern.auth
29818 ? S 0:00 awk {print$10":"$8}
29819 ? S 0:00 grep -E [0-9]+
Is this someone hacking my password file or is this something diffrent?
View 2 Replies
View Related
Sep 7, 2007
I've been trying to use mod_forensics – [url]-- which has helped on one server track down some one causing the segmentation fault due to trying to abuse FrontPage shtml.dll, but on another server also suffering from regular segmentation faults, this tool has not helped.
What other tools are available to track down the cause(s) of Apache segmentation faults?
View 5 Replies
View Related
Sep 6, 2013
I know it's not specifically a plesk issue, but as I use plesk to resell webs and many users install (manually) wordpress, I thought I'll ask around.I would like to know if this can be done with a single sql select or if I would have to use a script to do this:
- track all mysql databases on my server
- find the proper table in each database (as the prefix can be customized, the start of the table name will probably never be the same in two WP installations)
- find the proper field in that table and check the WP version and administrator email
and then what I will do is send an email to those adresses advising them to update WP
View 4 Replies
View Related
May 28, 2008
I had done a program in early 2006 for a site in php-mysql. At the time of doing the code, The code written was not so standard and it contained uninitialized variables used for include file paths (eventhough values are assigned to it before using) and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.
And now i was informed that the insecure code in my program caused the server crash and i have to pay the penalty for the same. Can anyone let me know whether the below code / keeping the session variables within a folder inside the /www/ will make the sites hosted on the server where this program runs to stop/crash for ever ?
------------------------------------------------------------------
function update_region($id,$regname,$regcom)
{
$query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."',
region_comments = '". $regcom."' WHERE region_id =" .$id;
mysql_query($query);
......
-------------------------------------------------------------------
View 3 Replies
View Related
Jul 20, 2008
I am having issue with my server. Someone is trying to execute some code and possibly trying mysql injection method.
I have pasted the code below.
Please suggest what can be done in this case.
Regards
Gagandeep
+++++++++++
The person tried to use different IPs and different websites to execute the code.
URL >> IP
[url]
[url]
[url]
ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156
There are many such queries under my logs.
The person is using different IPs, so, i can't even block that many IPs.
++++++++++++
The CODE
<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }
echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>
View 5 Replies
View Related
