Help! Server has been hacked

peterhou (Verified User, joined Dec 9, 2004, 26 messages)
Hi
My server has only been set up for 9 days. No direct root access (su -). No users but me. I've found that someone installed a whole piece of software on my server in my domain's folder (FTP: /domains/top100cn.net/public_html/cache/movie/) whose gid and uid are apache!

and I found very strange disk usages from my DA:
right block shows:
Disk Space (mb) 10676
Bandwidth (gb) 32.637
Domains 3
Users 2
Resellers 0

but Server Stats shows:
Filesystem Size Used Avail Use% Mounted on
/dev/hdc1 99M 6.2M 88M 7% /boot
/dev/hdc2 53G 40G 11G 80% /home
/dev/hdc3 9.7G 210M 9.0G 3% /var
/dev/hdc6 9.8G 1.2G 8.2G 13% /
none 247M 0 247M 0% /dev/shm

So I logged in as root via SSH and ran "dir /home", which shows the following:
admin aquota.user houyicheng nukehost top100cn
aquota.group ftp lost+found tmp

"admin houyicheng nukehost top100cn" are the names I made.
Are the other folders normal?
And why does DA show such huge disk usage in the home folder?

Regards
peter
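An added example, not from the thread, to answer the "is this normal" question with a check rather than a guess: aquota.user and aquota.group are the disk-quota files and lost+found belongs to the ext filesystem, so those are expected at the top of /home; what is not expected is a world-writable directory under a web root, or a hidden directory a script has dropped into one. The functions below find both. They build a throwaway tree modelled on the poster's layout under mktemp so they run offline; on a real box, point them at /home/<user>/domains/<site>/public_html. The temp-tree layout and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root for the two things the
# poster found, a world-writable directory and a hidden directory a script
# dropped into it. Builds a throwaway tree under mktemp so it runs offline.
# On a real box, point the functions at /home/<user>/domains/<site>/public_html
# and, as root, also run:  find /home -user apache -print
# (files the web server user created outside its own areas deserve a look).

# List world-writable directories (other-write bit set) under $1, sorted.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# List hidden directories (name starts with ".") under $1, excluding $1 itself.
find_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' -print | sort
}

# Constructed tree that mirrors the poster's layout: a 777 cache/ directory
# with a hidden .psy/ directory and a dropped "y2kupdate" file inside it.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html/cache/movie/.psy" "$root/public_html/images"
    chmod 777 "$root/public_html/cache"
    : > "$root/public_html/cache/movie/.psy/y2kupdate"
    printf '%s\n' "$root"
}

# Stand-alone run: build the tree, report both findings, clean up.
demo_root=$(make_demo_tree)
echo "world-writable directories:"; find_world_writable_dirs "$demo_root"
echo "hidden directories:";         find_hidden_dirs "$demo_root"
rm -rf "$demo_root"
```

Both checks run as an unprivileged user; only the ownership scan with -user apache needs root, because it has to traverse every account's home.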
 
It's no problem now.
I've checked the scripts the guy installed on my server. It's an IRC bot called "eggdrop".
Is it possible to install such a thing without SSH and FTP? How could he install it on my server? (Not a successful install, just placing the whole set of files in a 777 cache folder.)

Regards
peter
 
Barring protections from either .htaccess or in httpd.conf, any directory with 777 permissions can be written to from any web-browser on the Internet.

Jeff
 
Thanks.
How can I prevent writing to my cache folder from remote? And why is the files' gid and uid "apache"?
I have now turned PHP safe mode on. Can this prevent writing by others?

Regards
peter
 
I don't know what your policies are, but I would strongly warn against allowing your users to run eggdrop bots. They're not allowed by (I would imagine) a majority of datacenters, as they're often used by slick-talking malicious users.
 
Thanks. What I meant above is that someone installed the eggdrop on my server remotely. There are no other users on this server.
After this, I've disabled SSH, turned PHP safe mode on, and added a .htaccess file in the cache folder:
<files *>
order allow,deny
deny from all
</files>

I'm sure the guy installed those scripts neither via SSH nor via FTP.

Regards
peter
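An added example, not the poster's own .htaccess and not from DirectAdmin: the rule above stops Apache from serving files out of cache/, but a 777 directory is still writable by any script that runs as the apache user, and PHP safe_mode only restricts which files a script may open by comparing owner uids; it does not stop a web-reachable script from writing into a world-writable directory. The fragment below keeps the poster's deny rule and adds directives so that anything dropped there cannot be executed even if it is reached. It assumes Apache 2.x with mod_php and an AllowOverride setting that permits these directives in .htaccess (assumptions, not stated on the page; in httpd.conf the same block goes inside a <Directory> for the cache path).

```apache
# Added example, not the poster's file. Assumes Apache 2.x with mod_php and
# AllowOverride permitting these directives; cache/ is a directory scripts
# must write to but that should never be served or executed.

# Refuse to serve any file from this directory (the poster's original rule).
<Files *>
    Order allow,deny
    Deny from all
</Files>

# Belt and braces: even if a file here is reached some other way, never run it.
php_flag engine off
Options -ExecCGI -Indexes
RemoveHandler .php .phtml .php3 .cgi .pl
RemoveType .php .phtml .php3
AddType text/plain .php .phtml .php3 .cgi .pl
```

The ownership question has the same root cause: under mod_php every script runs as the web server user, so files it creates are owned by apache:apache, and that is also why the directory had to be 777 before a script could write into a directory owned by the account user. Making the directory owned or group-owned by apache with mode 775, or running PHP under the account's own uid (suPHP, suEXEC/CGI, or a per-user FastCGI pool), removes the need for 777 entirely.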
 
One thing is strange:
When I check the cron log, I find something like the following:
Dec 26 20:10:00 server CROND[11433]: (root) CMD (/usr/local/sim/sim -q >> /dev/null 2>&1)
Dec 26 20:10:00 server CROND[11437]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:10:00 server CROND[11439]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:11:00 server CROND[11585]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:11:00 server CROND[11587]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:12:00 server CROND[11639]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:12:00 server CROND[11641]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:13:00 server CROND[11692]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:13:00 server CROND[11694]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:14:00 server CROND[11745]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:14:00 server CROND[11747]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:15:00 server CROND[11798]: (root) CMD (/usr/local/sim/sim -q >> /dev/null 2>&1)
Dec 26 20:15:00 server CROND[11802]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:15:00 server CROND[11804]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:16:00 server CROND[12214]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:16:00 server CROND[12216]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)

I've deleted all the files under the .psy/ folder. Why do they keep running from CROND?
How can I stop this?
My /etc/crontab is as below:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly


*/5 * * * * root /usr/local/sim/sim -q >> /dev/null 2>&1

What is "sim -q" used for? Can I delete it, or can I stop crond altogether? It's of no use to me.

Regards
peter
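An added example, not from the thread: the "(apache) CMD" entries above are not in /etc/crontab, which is why that file looks clean. They come from the apache user's own crontab, which vixie-cron keeps in /var/spool/cron/apache on Red Hat-style systems (Debian uses /var/spool/cron/crontabs/apache); "crontab -u apache -l" shows it and "crontab -u apache -r" removes it. The script below runs over constructed log lines modelled on the posted ones (PIDs made up, paths the poster's) and flags jobs that run as the web server user or from a web-served or hidden directory; list_user_crontabs then dumps every per-user spool file so a job planted under a non-root user is visible. The spool path is an assumption about the distribution.

```shell
#!/bin/sh
# Added example, not from the thread: triage cron activity from a pasted cron
# log and from the per-user crontab spool. The log lines are constructed to
# mirror the ones posted in the thread; the paths are the poster's, PIDs made up.

# Constructed sample of CROND lines (not a real capture).
SAMPLE_LOG='Dec 26 20:10:00 server CROND[11433]: (root) CMD (/usr/local/sim/sim -q >> /dev/null 2>&1)
Dec 26 20:10:00 server CROND[11437]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:10:00 server CROND[11439]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:11:00 server CROND[11585]: (root) CMD (/usr/local/directadmin/dataskq)
Dec 26 20:11:00 server CROND[11587]: (apache) CMD (/home/top100cn/domains/top100cn.net/public_html/cache/movie/.psy/y2kupdate >/dev/null 2>&1)
Dec 26 20:12:00 server CROND[11600]: (admin) CMD (/usr/local/bin/backup.sh)'

# Print "user<TAB>command" for each suspicious CROND entry: jobs that run as
# the web server user, or whose command lives under a web-served directory
# (public_html) or inside a hidden directory such as .psy/.
flag_rogue_cron() {
    printf '%s\n' "$1" | awk '
        /CROND\[[0-9]+\]: \(/ {
            user = $0; sub(/.*CROND\[[0-9]+\]: \(/, "", user); sub(/\).*/, "", user)
            cmd  = $0; sub(/.*\) CMD \(/, "", cmd);  sub(/\)$/, "", cmd)
            if (user == "apache" || cmd ~ /public_html/ || cmd ~ /\/\.[^\/ ]+\//)
                print user "\t" cmd
        }'
}

# Number of flagged entries, as a bare integer.
count_rogue_cron() {
    flag_rogue_cron "$1" | wc -l | tr -d ' '
}

# Dump every per-user crontab in the spool (assumed /var/spool/cron, the
# Red Hat layout; pass /var/spool/cron/crontabs on Debian). Needs root.
# "(apache) CMD" lines come from the file named "apache" here, not /etc/crontab.
list_user_crontabs() {
    spool="${1:-/var/spool/cron}"
    [ -d "$spool" ] || return 0
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        printf '== %s (crontab -u %s -r removes it) ==\n' "$f" "$(basename "$f")"
        cat "$f"
    done
}

# Stand-alone run over the constructed sample.
flag_rogue_cron "$SAMPLE_LOG"
```

Deleting the files under .psy/ stops nothing on its own: cron keeps firing the job every minute and only logs that it ran, so the crontab entry has to go too, and the apache user's crontab is the place to look. Disabling crond entirely would also stop DirectAdmin's own dataskq job, so removing the rogue crontab is the targeted fix.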
 
peterhou said:
Thanks.
How can I prevent writing to my cache folder from remote? And why is the files' gid and uid "apache"?
I have now turned PHP safe mode on. Can this prevent writing by others?

Regards
peter
I am testing a script called "feed2js" and it requires that the cache folder be set to 777. As in peterhou's case, files generated by the script in this cache folder all have gid and uid "apache". What should I do to make it write with the gid and uid of the "username" of a particular site?
 
You can change the ownership of the files manually or through a script. But then the script won't be able to manipulate them.

The script appears to be insecure if it requires 777.

Jeff
 