Full Version: HACKED through cPanel Exploit
The Planet Forums > Control Panels > cPanel/WHM
ee99ee
How many of you got hacked due to the recent cPanel exploit?

-ee99ee
philb
I got away with it as I saw the whm news thing when I logged in..

Just goes to strengthen my assertion that the guys who code cpanel can't be trusted any further than you can chuck them.

I look forward to the summer when I'll have enough time to start coding my own solution.
cybertopia
cPanel exploits suck; good thing I have my stuff backed up and am moving to another server right away.

So here's new plan:

never get excited when you see that 1st digit move up and upgrade right away thinking it will bring many new security features.

instead, sit back and wait until all the flaws have been solved.
nugz
I was hacked through the exploit only a couple hours at the most after anyone heard about it. I found all the threads and warnings on it right after it happened.

I hate script kiddie fgts.

Btw, it seems tornkit 8 is the rootkit that they are all using on all the hacked boxes.
philb
They wouldn't be using a public rootkit at all if they had any skills.

This is what pisses me off the most about this kind of sploit, it's just a bunch of idiots running someone else's code.
ee99ee
So I take it you all got a rootkit installed on your systems as well today? I just got mine clean, for the most part. I got the backdoor that was installed shut down FAST, but I had some house cleaning to do for 5 hours after that. What happened to you all, and what did you do?

-ee99ee
soundguy
How about if some of the gurus around here post some FIXES for us rootkit virgins? I'm assuming that a good place to start is to replace infected binaries using RPM? How about posting some commands? Is it "-u --force" ? What about using up2date? Is Cpanel going to freak out about reinstalled binaries?
ee99ee
QUOTE (soundguy)
How about if some of the gurus around here post some FIXES for us rootkit virgins? I'm assuming that a good place to start is to replace infected binaries using RPM? How about posting some commands? Is it "-u --force" ? What about using up2date? Is Cpanel going to freak out about reinstalled binaries?


I started by assessing what the problem was. I upgraded cPanel to fix the hole. Then I ran a security scan to find the backdoor, and using chkrootkit in expert mode I was able to track down the PID that was causing it. From there, I killed off that PID and removed the trojan.

Next, I used "rpm -Vf /path/*" to search for affected binaries. ps, ls and ifconfig were among the few that had been changed. Next, I downloaded the RPMs that they were a part of and unpacked them using the command below and replaced them:

rpm2cpio foo.rpm | cpio -idmv --no-absolute-filenames

If anyone could tell me anything else to do or offer any more pointers, I would be grateful.

-ee99ee
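The `rpm -Vf` step above is the one worth automating. The block below is an added example, not code from ee99ee's post: it triages `rpm -Va`-style verify output and separates files whose content changed (the `5`, MD5 column) from files that only differ in mtime. That distinction matters here because, as the t0rnkit write-up later in this thread says, the kit restores timestamps and pads /bin/login to its original size, so the `S` and `T` columns alone prove nothing. The sample verify lines are constructed for this example; `triage_host` is a hypothetical helper that runs `rpm -Va` and `rpm -qf` on a live box.

```shell
#!/bin/sh
# Triage `rpm -Va` output. Column layout (rpm 4.x): S size, M mode, 5 MD5,
# D device, L link, U user, G group, T mtime; "missing" replaces the columns
# when the file is gone. Path is always the last field.
#
# Constructed sample, not from a real host.
SAMPLE_RPM_VA=$(cat <<'EOF'
S.5....T   /bin/ps
..5.....   /bin/login
S.5....T   /sbin/ifconfig
.......T   /usr/bin/top
.......T c /etc/syslog.conf
missing    /usr/bin/pstree
EOF
)

# Paths whose content no longer matches the package database (MD5 column set).
# This is the list to reinstall; size and mtime may have been faked.
content_modified() {
    printf '%s\n' "$1" | awk '
        $1 != "missing" && substr($1, 3, 1) == "5" { print $NF }'
}

# Paths where only the mtime differs: usually harmless, but check them by hand.
mtime_only() {
    printf '%s\n' "$1" | awk '$1 ~ /^\.\.\.\.\.\.\.T\.?$/ { print $NF }'
}

# Paths the package database says should exist but do not.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# Live use (hypothetical helper): run rpm -Va and print the owning package
# for every content-modified file so each can be reinstalled from a clean RPM.
triage_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 1; }
    out=$(rpm -Va 2>/dev/null || true)
    for path in $(content_modified "$out"); do
        printf '%s -> %s\n' "$path" \
            "$(rpm -qf "$path" 2>/dev/null || echo '(no package)')"
    done
}
```

`rpm -V` computes digests itself and compares them against the RPM database, so it is not fooled by the trojaned /usr/bin/md5sum; it is only as trustworthy as rpm and /var/lib/rpm, which is why the reinstalls should come from freshly downloaded packages (as in the post) rather than from anything already on the box.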
elmister
I got 3 machines infected by the tornkit trojan/rootkit; after some research, I reinstalled all RPMs (get them with up2date --get package, go to /var/spool/up2date and then rpm --install --force package):

coreutils
procps
sysklogd
util-linux
perl
lsof
net-tools
openssh-clients
findutils
slocate
psmisc
openssh-server
If you have fileutils and/or textutils and/or finger-server, you should check them.

Also edit /etc/rc.d/rc.sysinit and remove the last 2 lines: one is a comment, the other runs /usr/sbin/xntps, which is a telnetd using a high port.

Since you now have your packages reinstalled, you can use netstat, ps and others without receiving fake info; look in netstat for unusual high ports and kill processes.

There are some files that need to be wiped in /lib and in /usr/source, also /usr/sbin/xntps and /dev/srd0 (it contains MD5 sums for the trojanized utils).

The complete list is in a report found on a website that is down (not kidding); since I got the content from Google cache, I'll send another post with the full text of the report.

Please, if you find anything I could have missed, please share it. We should move as fast as we can; the hacker has just collected machines. I think he has too many boxes to be using them "right now", but you can't give him enough time to use them.

Also, he/she could be reading this, another reason to be FAST!!!!

Another interesting link: http://lists.debian.org/debian-user/2003/debian-user-200306/msg00788.html. I found no K20fwall on my systems; also, this article doesn't mention some important files!!!!!!

Follow in next post
ee99ee
You think this is one person/group doing all of this? I doubt that... but perhaps.

-ee99ee
philb
No doubt half an hour with a scripting language could quite happily render a script that would scan entire netblocks for vulnerable machines and automatically install your rootkit of choice onto all of them, and give you a list of successful infections.

SM'll easily spot the machines that have been kitted but not discovered when they start dossing people.. It's pretty rare that the kinds of people who use rootkits (especially ones with all sorts of backdoors in the backdoors so that the original kit creator can abuse the system too) use the machines they trash for anything other than a component of their ddos flood net, or to connect to irc and start flame wars with people from.
ants
How do you check if you got hacked?
ee99ee
Interesting link you posted. To whomever is doing this to me, thank you. You did not delete any of my data or my customer's data, you did not abuse my box other than hacking it, and you are only going to make me run a more secure ship. THAT is what hacking is about, even if you are a script kiddie.

-ee99ee
ee99ee
QUOTE (ants)
How do you check if you got hacked?


A good place to start would be chkrootkit (www.chkrootkit.org I think).

-ee99ee
elmister
Text: t0rnkit analysis
Author: lockdown(www.lockeddown.net)
Date: July 11, 2001


I got my hands on a copy of the rootkit tornkit v8 so I decided to do a write-up on it. I have not installed it because I only have a single box and don't want to deal with it. Let's start with what is mentioned in the readme:

"New dirs..(proc/log/hosts/file are now hidden in /usr/include/*.h respectively)"
"Sniffer/Sauber/Parser now moved to /lib/ldd.so/"
"slocate (not really needed since updatedb uses find and find is backdoored but added none the less)"
"lsof (ok so i forgot about this)"
"ssh l/p logger - way too many people rely on ssh innit"
"hey bitchass admin lets see u find the md5sum difference now :)"

Now onto the install script. Here are 3 variables and their defaults, meant to be changed:
hax0r=tornkit8@usa.net
dpass=t0rnkit
dport=47017



The first action taken is that syslogd is killed. Then libproc.a, libproc.so, and libproc.so.2.0.6 are copied to /lib (note: libproc.so is a symbolic link to libproc.so.2.0.6). ldconfig is run to register the new libraries. Then, before going any further, it checks whether tornkit is already installed using the following command: grep in.inetd /etc/rc.d/rc.sysinit (I think that looks for old versions; for this version I would grep for xntps). It checks syslog.conf for remote logging and, if detected, notifies the user. The password is encrypted using pg and stored in /lib/libest-2.so.7. SSH is trojaned. The original /bin/login is backed up to /bin/xlogin. It then deletes the directory it works out of and the compressed copy. syslogd is started along with inetd or xinetd.

The following files are installed:
/lib/libproc.a
/lib/libproc.so.2.0.6
/lib/libproc.so (symbolic link to /lib/libproc.so.2.0.6)
/lib/lidps1.so
/usr/include/file.h
/usr/include/hosts.h
/usr/include/log.h
/usr/include/proc.h
/lib/lblip.tk/shdcf2
/lib/lblip.tk/shhk.pub
/lib/lblip.tk/shk
/lib/lblip.tk/shrs
/usr/sbin/xntps (129.112.21.181 hardcoded into binary)
/dev/srd0 (contains encrypted md5sums)
/lib/ldd.so/tks (sniffer)
/lib/ldd.so/tkp (parser)
/lib/ldd.so/tksb (long cleaner)

The following binaries are replaced with trojans (time stamps are restored):
/bin/ps
/sbin/ifconfig
/bin/netstat
/usr/bin/top
/usr/bin/slocate
/bin/login (extra bytes are added to match file sizes)
/bin/ls
/usr/bin/find
/usr/bin/dir
/usr/sbin/lsof
/usr/bin/md5sum
/sbin/syslogd
/usr/bin/pstree

The MD5 checksum for the following binaries is encrypted and stored in /dev/srd0:
/sbin/ifconfig
/bin/ps
/bin/ls
/bin/netstat
/usr/bin/find
/usr/bin/top
/usr/sbin/lsof
/usr/bin/slocate
/usr/bin/dir
/usr/bin/md5sum
/bin/login

-----------------------------------------end of report-------

Hope it's useful; please share your comments. Please remember, "we are all in the same boat" (translated from my language ;): we all have the same problem and we should help each other).

Have a nice patching night.

elmister
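Turning the file list in the report above into a check: the block below is an added example, not part of elmister's post or the t0rnkit analysis it quotes. It sweeps a filesystem root for the artifacts the report names, greps rc.sysinit for the xntps launcher elmister says to remove, and confirms that /dev/srd0 is a regular file (a real /dev entry would be a device node). It deliberately uses only shell builtins and grep, because ls, find and slocate are exactly the tools the kit replaces; it does not see through an LKM that hides files at the kernel level, which is what chkrootkit's lkm test is for. The /lib/libproc.* entries are left out of the list because libproc.so.2.0.6 is also a legitimate procps library name of that era, so those are better checked with `rpm -V procps`. The root prefix argument is an assumption added so the check can be run against a staged copy.

```shell
#!/bin/sh
# Sweep ROOT (default /) for t0rnkit v8 artifacts named in the analysis above.
# Only shell builtins and grep are used; ls/find/slocate are trojaned by the kit.
T0RN_FILES="/lib/lidps1.so /lib/libest-2.so.7
/usr/include/file.h /usr/include/hosts.h /usr/include/log.h /usr/include/proc.h
/lib/lblip.tk/shdcf2 /lib/lblip.tk/shhk.pub /lib/lblip.tk/shk /lib/lblip.tk/shrs
/usr/sbin/xntps /dev/srd0
/lib/ldd.so/tks /lib/ldd.so/tkp /lib/ldd.so/tksb
/bin/xlogin"

# Print each listed artifact that exists under ROOT, one per line.
t0rn_files_present() {
    root="${1:-}"
    for f in $T0RN_FILES; do
        [ -e "$root$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print (with line numbers) the rc.sysinit lines that reference the xntps
# backdoor launcher; the report says they are the last two lines of the file.
t0rn_rc_sysinit_hook() {
    rc="${1:-}/etc/rc.d/rc.sysinit"
    [ -f "$rc" ] || return 0
    grep -n 'xntps' "$rc" || true
}

# The kit stores its encrypted MD5 table in /dev/srd0 as a regular file.
t0rn_srd0_is_regular() {
    [ -f "${1:-}/dev/srd0" ]
}

# Return 0 if no indicator is present, 1 (and a report) otherwise.
t0rn_check() {
    hits=$(t0rn_files_present "$1")
    hook=$(t0rn_rc_sysinit_hook "$1")
    if [ -n "$hits" ] || [ -n "$hook" ]; then
        printf 'Possible t0rnkit v8 indicators under %s:\n' "${1:-/}"
        [ -n "$hits" ] && printf '  file: %s\n' $hits
        [ -n "$hook" ] && printf '  rc.sysinit: %s\n' "$hook"
        return 1
    fi
    return 0
}
```

Run it as `t0rn_check` on the live box, or `t0rn_check /mnt/suspect` against a disk mounted from a clean rescue system, which is the more trustworthy option once the kit's own binaries are in play.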
philb
The 5 second guide to using chkrootkit:

Get chkrootkit from www.chkrootkit.com, unpack it (tar -zxvf <thefilename>), go into the directory, and then do:

make sense

./chkrootkit

Lots of crap'll fly by. Look for things that show INFECTED (except possibly bindshell - see my post at http://forums.servermatrix.com/viewtopic.h...?p=33585#33557)
philb
QUOTE (ee99ee)
Interesting link you posted. To whomever is doing this to me, thank you. You did not delete any of my data or my customer's data, you did not abuse my box other than hacking it, and you are only going to make me run a more secure ship. THAT is what hacking is about, even if you are a script kiddie.

-ee99ee


No, you just caught it before they started abusing it. You most likely got scanned, kitted and added to a list.

The next thing that would have happened is they would have continued to break things they didn't understand on the server trying to get around it, and inevitably wipe some customer data in the process.

Then they'd fire up a few bouncers and start a flame war with their enemy 'hacker' groups, and/or start dossing.

Then servermatrix unplug you and force a reload. :)

You got lucky, so now you get the chance to run a tighter ship without losing out :)
ee99ee
QUOTE (philb)
QUOTE (ee99ee)
Interesting link you posted. To whomever is doing this to me, thank you. You did not delete any of my data or my customer's data, you did not abuse my box other than hacking it, and you are only going to make me run a more secure ship. THAT is what hacking is about, even if you are a script kiddie.

-ee99ee


No, you just caught it before they started abusing it. You most likely got scanned, kitted and added to a list.

The next thing that would have happened is they would have continued to break things they didn't understand on the server trying to get around it, and inevitably wipe some customer data in the process.

Then they'd fire up a few bouncers and start a flame war with their enemy 'hacker' groups, and/or start dossing.

Then servermatrix unplug you and force a reload. :)

You got lucky, so now you get the chance to run a tighter ship without losing out :)


Agreed. :D I would be mad, but after I closed the backdoor I went to the gym and sweated out all my anger, so I'm in a good mood now even though I've lost a complete day of work due to having to work on this stuff all day. But like you said, now I get to run a tighter ship!

-ee99ee
philb
QUOTE (elmister)
Now onto the install script. Here are 3 variables and there defaults meant to be changed:
hax0r=tornkit8@usa.net
dpass=t0rnkit
dport=47017


And this goes to prove how little the people who use these kits understand what they're doing. I've seen a post elsewhere on this board that got a bounce back for mail that tried to go to tornkit8@usa.net.

Sigh.
ee99ee
QUOTE (philb)
QUOTE (elmister)
Now onto the install script. Here are 3 variables and there defaults meant to be changed:
hax0r=tornkit8@usa.net
dpass=t0rnkit
dport=47017


And this goes to prove how little the people who use these kits understand what they're doing. I've seen a post elsewhere on this board that got a bounce back for mail that tried to go to tornkit8@usa.net.

Sigh.


The script/people that did my box didn't even bother to change the date on anything except the main sysutils (ls, etc.). All the stuff in /lib that's part of this mess is dated Mar 12 09:41AM (EST). What do the dates show on your boxes?

-ee99ee
philb
QUOTE (ee99ee)
I went to the gym and sweated out all my anger


:/

I haven't had opportunity to go in over a week now. I'm starting to get withdrawal, I think.
ee99ee
Has anyone verified that the security hole in cPanel was indeed big and bad enough to cause what happened to us? Are we sure this isn't something else that we are unaware of?

-ee99ee
philb
I don't doubt it. It runs as root - any hole in a script that runs as root is a major disaster.
cem
Heh... today when I logged in via SSH I noticed that when typing "ls" I received a BLAH_COLOR error (don't quite remember the error now). I'm a Linux newbie but knew that something was wrong, so the first thing that came to my mind was that someone rooted the box using the cPanel bug. So I decided to explore Google and found a page saying that it had to do with the tornkit8 trojan. So I did a ./chkrootkit and this is what it found:

######################
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed
######################

So I panicked and thought about requesting a full OS reinstall. But then I thought I could just try to fix it myself, so I started exploring Google again and found those two links you found (using cache ;)) and yeah, that was all the info I needed. I patched all files, removed the trojanned files and reinstalled those RPMs. Now my server is clean again, nothing found with chkrootkit, thanks to Google!!! And now I don't have to pay 75 dollars for an OS reload! ahaha so happy...
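Reading chkrootkit output is where people in this thread go wrong in both directions (treating every INFECTED line as a rootkit, or writing them all off as false positives). The block below is an added example, not code from cem's post or from the chkrootkit project: it parses chkrootkit's report into hard hits, warnings, the ports behind a `bindshell` hit, and the hidden-process count from the `lkm` test, and lets you name checks to set aside once you have verified them by hand. That is the practical shape of philb's bindshell caveat earlier in the thread and of the FreeBSD 5.x false-positive reports that follow below. The sample output is constructed for this example from the lines cem and ants posted.

```shell
#!/bin/sh
# Triage chkrootkit output. Constructed sample, assembled from this thread.
SAMPLE_CHKROOTKIT=$(cat <<'EOF'
Checking `login'... INFECTED
Checking `pstree'... INFECTED
Checking `ls'... not infected
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have    15 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
)

# Names of checks reported INFECTED, skipping any named in $2 (space
# separated). Only skip a check after you have explained its hit by hand.
chkrootkit_hard_hits() {
    skip=" ${2:-} "
    printf '%s\n' "$1" | grep '^Checking .*\.\.\. INFECTED' \
      | sed "s/^Checking \`\([^']*\)'.*/\1/" \
      | while read -r name; do
            case "$skip" in
                *" $name "*) ;;
                *) printf '%s\n' "$name" ;;
            esac
        done
}

# Softer "Possible ..." findings: signature matches on defaults, not proof.
chkrootkit_warnings() {
    printf '%s\n' "$1" | awk '/Possible/'
}

# Ports behind a bindshell hit. chkrootkit only knows that something listens
# on a port from its list; cross-check each with netstat -lnp before acting.
# (465/tcp here is the SMTPS port a mail server legitimately listens on.)
chkrootkit_bindshell_ports() {
    printf '%s\n' "$1" \
      | sed -n "s/^Checking \`bindshell'\.\.\. INFECTED (PORTS: *\([0-9 ]*\)).*/\1/p"
}

# Number of processes visible to /proc but not to ps, from the lkm test.
# A non-zero count means either a hidden process or a trojaned ps.
chkrootkit_hidden_procs() {
    printf '%s\n' "$1" \
      | sed -n "s/^Checking \`lkm'\.\.\. You have *\([0-9]*\) process.*/\1/p"
}
```

Typical use: `./chkrootkit > /tmp/ckr.out` then `chkrootkit_hard_hits "$(cat /tmp/ckr.out)" bindshell` once the bindshell port has been matched to a known daemon. Note that `login` and `pstree` being INFECTED, as in cem's output, is the kit's trojaned binaries being recognised by signature, which no allowlist should hide.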
cybertopia
How did you guys do this? Remove stuff that looks suspicious and then up2date?

I told them to turn my server off; maybe I'll turn it back on and try to patch it up.
ee99ee
QUOTE (cybertopia)
How did you guys do this? Remove stuff that looks suspicious and then up2date?

I told them to turn my server off; maybe I'll turn it back on and try to patch it up.


Do you have customers on your server?

-ee99ee
cybertopia
Not really, just friends on it... but I wanna get this fixed asap!
elmister
QUOTE (philb)
And this goes to prove how little the people who use these kits understand what they're doing. I've seen a post elsewhere on this board that got a bounce back for mail that tried to go to tornkit8@usa.net.

Sigh.


That's how I noticed, only 20 minutes after the infection, and started to work on it.
ee99ee
QUOTE (cybertopia)
Not really, just friends on it... but I wanna get this fixed asap!


Well, trying to clean a rootkit-ed box is not for the weak of heart. Since you only have friends on your box, I suggest you just reload the OS and restore from backup.

-ee99ee
cybertopia
Thanks for the tip. I'm gonna see what I can do and if nothing else, just gonna reload the OS.
bigdaddybryce
Here is a way to fix the problem...


http://www.webhostingtalk.com/showthread.p...threadid=247298
elmister
That post is incomplete; you should also reinstall the following packages, they were trojanized in 3 boxes I cleaned:

coreutils
perl (yes, use the trojan detect feature in WHM, some perl files were trojanized!)
lsof
slocate
VERY IMPORTANT, SSH is trojanized
openssh-clients
openssh-server
ants
Thanks guys for the http://www.chkrootkit.org link.
I got
CODE
Checking `lkm'... You have    15 process hidden for ps command

Warning: Possible LKM Trojan installed

Do I need to do anything about that?
FarCry
If you have a trojan on your system you need to do whatever you can to remove it - usualy involves an OS restore!
ants
Except for what was mentioned in the previous post, I don't have anything that http://www.webhostingtalk.com/showthread.p...threadid=247298 listed. And a few commands do not work; I use FreeBSD.
Devion
ants, it also depends on your OS.

Running FreeBSD 5.2.1 they're all false positives, and chkrootkit is a bit buggy with FreeBSD 5.x; everyone seems to have the problem.