[Mailinglist] Hack in /tmp
Anand Gupta
anand.gupta at iwp.biz
Wed Sep 27 00:29:40 IST 2006
Dear Anoop,
Run /scripts/securetmp on the cPanel server to secure the /tmp partition. You would need to remount /tmp in order to complete the process; the best would be to reboot the server once (I know you shouldn't be rebooting in Linux to get changes effected, however trust me, I run and administer several cPanel servers, it's better you reboot once).
Additionally, do this to secure the permissions on the script:
chmod 000 /tmp/sh
To disallow anyone from changing the permissions on the file (even root), do the following:
chattr +i /tmp/sh
This will disallow even root from changing the permissions of the file. I am recommending this since you say the file is auto-created every time you remove it.
And then go through all the logs to find out where the file came from / what process created the file.
You can also run Rootkit Hunter to check for a possible rootkit on the server.
--
regards,
Anand Gupta
CEO
India Web Promoters
5/49, IInd Floor,
Old Rajender Nagar
New Delhi - 110060
India
Mobile: +91-9810727986/ 9310727986
Phone: +91-11-25815437
Fax: +91-11-42432553
International Premier Partner - Network Solutions
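The three checks the reply above recommends (confirm /tmp is really mounted nosuid/noexec after securetmp, list setuid files in /tmp, and hunt through cron and init scripts for whatever keeps recreating the file) as a small POSIX-shell triage helper. This is an added example, not code from either poster or from cPanel; the live-usage paths in the comments, the mount-table format (/proc/mounts) and the constructed fake /tmp, cron.d entry and mount table used by selftest() are assumptions for illustration.

```shell
#!/bin/sh
# Triage helpers for a setuid binary turning up in /tmp. Added example,
# not code from either poster. Assumes POSIX sh, find(1) with -perm,
# awk(1), grep(1) with -r and -F. Real use needs root; selftest() uses
# only files it creates itself, so it runs unprivileged.
#
# Live usage (paths are typical cPanel/RHEL ones, adjust as needed):
#   find_setuid /tmp
#   has_mount_option /tmp nosuid < /proc/mounts && echo "/tmp is nosuid"
#   grep_for_path /tmp/sh /etc/crontab /etc/cron.d /var/spool/cron \
#                 /etc/rc.d /etc/init.d /etc/profile.d
#   sh triage.sh --selftest

# Regular files with the setuid bit under $1, without crossing mounts.
# On the poster's box this would list /tmp/sh (-rwsr-xr-x root root).
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Exit 0 if the /proc/mounts-style table on stdin shows mountpoint $1
# mounted with option $2 (e.g. nosuid, noexec), else exit 1. This is the
# check for whether securetmp plus the remount/reboot actually took.
has_mount_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Where does the file keep coming from? Search cron tables, init scripts
# and profile fragments (the remaining args) for its literal path.
# Prints file:line:match; directories that do not exist are skipped.
grep_for_path() {
    path=$1; shift
    for d in "$@"; do
        [ -e "$d" ] || continue
        grep -rnF -- "$path" "$d" 2>/dev/null
    done
    return 0
}

# Self-test on constructed data: a fake /tmp holding a setuid "sh" and a
# benign file, a fake cron.d entry that recreates the binary, and a fake
# mount table. Prints "ok" when every check behaves as expected.
selftest() {
    tmpd=$(mktemp -d) || return 1
    : > "$tmpd/sh";        chmod 4755 "$tmpd/sh"        # the suspect
    : > "$tmpd/MAIL-HOST"; chmod 644  "$tmpd/MAIL-HOST"  # benign neighbour
    mkdir "$tmpd/cron.d"
    printf '* * * * * root cp /bin/sh %s/sh\n' "$tmpd" > "$tmpd/cron.d/backdoor"
    table="/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid 0 0"

    # only the setuid file is reported, not MAIL-HOST
    [ "$(find_setuid "$tmpd")" = "$tmpd/sh" ] || return 1
    # /tmp carries nosuid, / does not
    printf '%s\n' "$table" | has_mount_option /tmp nosuid || return 1
    if printf '%s\n' "$table" | has_mount_option / nosuid; then return 1; fi
    # the cron entry that recreates the file is found; a missing dir is skipped
    grep_for_path "$tmpd/sh" "$tmpd/cron.d" "$tmpd/missing" | grep -q backdoor || return 1
    rm -rf "$tmpd"
    echo ok
}

[ "${1:-}" = --selftest ] && selftest
```

The mount check reads the table from stdin rather than opening /proc/mounts itself so the same function can be pointed at a saved copy from another host; a setuid root binary in /tmp is not "secured" by chmod or chattr, so the grep step (and the audit log, if auditd is running) is the part that actually identifies the cron job, init script or web shell that keeps dropping it.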
----- Original Message -----
From: Anoop Alias
To: This List discusses GNU/Linux &, GNU,GPL Software ; linux-bangalore-technical at yahoogroups.com
Sent: Sunday, September 24, 2006 8:59 AM
Subject: [Mailinglist] Hack in /tmp
Sirs,
Please help me with this. I have found the following vulnerable file in the /tmp directory of a cPanel server:
====================================
/tmp]# pwd
/tmp
===================================================================
ll
total 879
drwxrwxrwt 2 root root 268288 Sep 23 23:23 ./
drwx--x--x 25 root root 4096 Sep 23 21:21 ../
-rw-r--r-- 1 root root 332 Sep 23 23:19 MAIL-HOST
lrwxrwxrwx 1 root root 30 Sep 23 23:23 mysql.sock -> ../../var/lib/mysql/mysql.sock=
-rwsr-xr-x 1 root root 616248 Sep 23 23:23 sh*
=======================================================================
The script sh is root-owned and will be automagically recreated if deleted.
The following is the ps output:
==========================================================================================
ps -efH
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Sep19 ? 00:00:01 init [3]
root 2 1 0 Sep19 ? 00:00:06 [migration/0]
root 3 1 0 Sep19 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 Sep19 ? 00:00:05 [migration/1]
root 5 1 0 Sep19 ? 00:00:00 [ksoftirqd/1]
root 6 1 0 Sep19 ? 00:00:00 [events/0]
root 7 1 0 Sep19 ? 00:00:00 [events/1]
root 8 1 0 Sep19 ? 00:00:00 [khelper]
root 9 1 0 Sep19 ? 00:00:00 [kthread]
root 12 9 0 Sep19 ? 00:00:00 [kacpid]
root 92 9 0 Sep19 ? 00:00:00 [kblockd/0]
root 93 9 0 Sep19 ? 00:00:00 [kblockd/1]
root 96 9 0 Sep19 ? 00:00:00 [khubd]
root 163 9 0 Sep19 ? 00:00:00 [pdflush]
root 166 9 0 Sep19 ? 00:00:00 [aio/0]
root 167 9 0 Sep19 ? 00:00:00 [aio/1]
root 750 9 0 Sep19 ? 00:00:00 [kseriod]
root 794 9 0 Sep19 ? 00:00:00 [scsi_eh_0]
root 801 9 0 Sep19 ? 00:00:00 [ata/0]
root 802 9 0 Sep19 ? 00:00:00 [ata/1]
root 806 9 0 Sep19 ? 00:00:00 [scsi_eh_1]
root 807 9 0 Sep19 ? 00:00:00 [scsi_eh_2]
root 2790 9 0 Sep19 ? 00:00:00 [kauditd]
root 31024 9 0 Sep20 ? 00:00:00 [pdflush]
root 165 1 0 Sep19 ? 00:00:01 [kswapd0]
root 856 1 0 Sep19 ? 00:00:01 [kirqd]
root 859 1 0 Sep19 ? 00:00:03 [kjournald]
root 2739 1 0 Sep19 ? 00:00:00 udevd
root 2847 1 0 Sep19 ? 00:00:08 [kjournald]
root 2848 1 0 Sep19 ? 00:00:02 [kjournald]
root 2849 1 0 Sep19 ? 00:00:20 [kjournald]
root 2850 1 0 Sep19 ? 00:00:03 [kjournald]
root 3577 1 0 Sep19 ? 00:00:02 syslogd -m 0
root 3581 1 0 Sep19 ? 00:00:00 klogd -x
root 3591 1 0 Sep19 ? 00:00:00 irqbalance
root 3646 1 0 Sep19 ? 00:00:00 rpc.idmapd
root 3714 1 0 Sep19 ? 00:00:00 /usr/sbin/acpid
root 5209 1 0 Sep19 ? 00:00:00 cupsd
root 5230 1 0 Sep19 ? 00:00:01 /usr/sbin/sshd
root 27057 5230 0 22:47 ? 00:00:00 sshd: root at pts/0
root 27065 27057 0 22:47 pts/0 00:00:00 -bash
root 5989 27065 0 23:25 pts/0 00:00:00 ps -efH
root 5245 1 0 Sep19 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 5263 1 0 Sep19 ? 00:00:02 chkservd
mailnull 5329 1 0 Sep19 ? 00:00:01 /usr/sbin/exim -bd
mailnull 5336 1 0 Sep19 ? 00:00:00 /usr/sbin/exim -C /etc/exim_outgoing.conf -q60m
mailnull 5340 1 0 Sep19 ? 00:00:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
root 5346 1 0 Sep19 ? 00:00:04 antirelayd
root 5367 1 0 Sep19 ? 00:00:02 /usr/bin/spamd -d --allowed-ips= 127.0.0.1 --pidfile=/var/run/spamd.pid --ma
root 6289 5367 0 Sep19 ? 00:00:15 spamd child
root 21217 5367 0 Sep22 ? 00:00:00 spamd child
root 5390 1 0 Sep19 ? 00:00:00 gpm -m /dev/input/mice -t exps2
root 5403 1 0 Sep19 ? 00:00:11 /usr/local/apache/bin/httpd -DSSL
nobody 12509 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12510 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12511 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12512 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12513 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12660 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12661 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12662 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12663 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12664 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12665 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12666 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12778 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12779 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12780 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12781 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12782 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12783 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12784 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12785 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12790 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12791 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12792 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12793 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12794 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12795 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12796 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12797 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12798 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12799 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12800 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12801 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12802 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12803 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12804 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12805 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12806 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 12808 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12809 5403 0 19:55 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 12810 5403 0 19:55 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 12811 5403 0 19:55 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 14028 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 14074 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 14075 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 14076 5403 0 19:57 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 16461 5403 0 20:06 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 23827 5403 0 20:19 ? 00:00:02 /usr/local/apache/bin/httpd -DSSL
nobody 30202 5403 0 20:33 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 30204 5403 0 20:33 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 30987 5403 0 20:37 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 358 5403 0 20:41 ? 00:00:03 /usr/local/apache/bin/httpd -DSSL
nobody 14262 5403 0 21:43 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 14467 5403 0 21:43 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 15922 5403 0 21:47 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 19325 5403 0 22:00 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 19998 5403 0 22:03 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 25681 5403 0 22:35 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 26226 5403 0 22:41 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 27104 5403 0 22:47 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 30589 5403 0 23:02 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 30649 5403 0 23:04 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 31535 5403 0 23:06 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 569 5403 0 23:10 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 1412 5403 0 23:12 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 1910 5403 0 23:17 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 4294 5403 0 23:22 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 4295 5403 0 23:22 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 4392 5403 0 23:23 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 4393 5403 0 23:23 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5014 5403 0 23:24 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5681 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5682 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5683 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5684 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5685 5403 1 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5686 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5805 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5806 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5807 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5808 5403 0 23:25 ? 00:00:00 [httpd] <defunct>
nobody 5809 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5810 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5811 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5812 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5813 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5814 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5815 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5816 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5817 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5818 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5820 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5821 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5822 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5823 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5824 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5825 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5826 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5827 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5828 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5829 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5831 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5832 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 5833 5403 0 23:25 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
root 5411 1 0 Sep19 ? 00:00:02 crond
root 5461 1 0 Sep19 ? 00:00:00 pure-ftpd (SERVER)
root 5466 1 0 Sep19 ? 00:00:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
xfs 5478 1 0 Sep19 ? 00:00:00 xfs -droppriv -daemon
root 5496 1 0 Sep19 ? 00:00:00 /usr/sbin/atd
cpanel 5687 1 0 Sep19 ? 00:00:00 /usr/bin/stunnel- 4.15local /usr/local/cpanel/etc/stunnel/default/stunnel.co
dbus 5733 1 0 Sep19 ? 00:00:00 dbus-daemon-1 --system
root 5752 1 0 Sep19 ? 00:00:02 hald
root 5788 1 0 Sep19 ? 00:00:00 /usr/sbin/portsentry -tcp
root 5903 1 0 Sep19 ? 00:00:20 cpanellogd - setting up logs for herecatc
herecatc 16191 5903 0 Sep19 ? 00:00:00 cpanellogd - http logs for herecatc
herecatc 31033 16191 0 Sep20 ? 00:00:00 /usr/local/cpanel/bin/logrunner 2.0 /usr/local/cpanel/3rdparty/bin/awst
herecatc 31034 31033 0 Sep20 ? 00:04:51 /usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats.pl -config=herec
root 5916 1 0 Sep19 ? 00:00:05 cppop - accepting on port 110
mailman 5932 1 0 Sep19 ? 00:00:00 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
mailman 5957 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=A
mailman 5959 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=B
mailman 5960 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=C
mailman 5961 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=I
mailman 5962 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=N
mailman 5963 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=O
mailman 5964 5932 0 Sep19 ? 00:00:02 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=V
mailman 5965 5932 0 Sep19 ? 00:00:00 /usr/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=R
nobody 5970 1 0 Sep19 ? 00:00:00 /usr/local/cpanel/bin/startmelange
nobody 5973 1 0 Sep19 ? 00:00:00 entropychat
root 6007 1 0 Sep19 ? 00:01:15 /usr/local/bin/perl -w /usr/local/mrtg-2/bin/mrtg /etc/mrtg/mrtg.cfg
root 6319 1 0 Sep19 ? 00:00:00 /usr/bin/perl -w /usr/sbin/psad
root 6325 1 0 Sep19 ? 00:00:00 /usr/sbin/kmsgsd
root 6327 1 0 Sep19 ? 00:00:01 /usr/sbin/psadwatchd
named 6328 1 0 Sep19 ? 00:01:13 /usr/sbin/named -u named
root 6336 1 0 Sep19 tty1 00:00:00 /sbin/mingetty tty1
root 6337 1 0 Sep19 tty2 00:00:00 /sbin/mingetty tty2
root 6338 1 0 Sep19 tty3 00:00:00 /sbin/mingetty tty3
root 6339 1 0 Sep19 tty4 00:00:00 /sbin/mingetty tty4
root 6340 1 0 Sep19 tty5 00:00:00 /sbin/mingetty tty5
root 6341 1 0 Sep19 tty6 00:00:00 /sbin/mingetty tty6
root 9531 1 0 21:22 ? 00:00:00 cpsrvd - waiting for connections
root 32732 1 0 23:10 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/m
mysql 32753 32732 0 23:10 ? 00:00:06 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-
===============================================================================================
Any pointers will be greatly appreciated.
Thanks in advance.
--
Anoop.P.Alias
Y! anoopalias01
I power Blogger:http://anoop-log.blogspot.com
Knowledge of millions -http://en.wikipedia.org
------------------------------------------------------------------------------
_______________________________________________
Mailinglist mailing list
Mailinglist at ilug-cochin.org
http://ilug-cochin.org/mailman/listinfo/mailinglist_ilug-cochin.org