Hacked by c99 shell on cPanel server --- HELP!
Posted by chasebug, 10-07-2009, 08:58 PM |
Somebody was somehow able to upload c99.php to these 2 folders:
/usr/local/cpanel/lang/
/var/cpanel/lang.cache/
I have these functions disabled:
ini_set,symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd
I tried the c99.php myself and wasn't able to browse to any other folders, including /usr/local/cpanel/lang/.
So how was this possible?
|
Posted by rwxguru, 10-07-2009, 09:26 PM |
What version of cPanel, and what is your OS?
|
Posted by rwxguru, 10-07-2009, 09:28 PM |
Oh, forgot: and your kernel. To get this info, run these commands as root:
/usr/local/cpanel/cpanel -V
cat /etc/redhat-release
uname -r
|
Posted by chasebug, 10-07-2009, 09:42 PM |
11.24.5-STABLE_38506
CentOS release 5.3 (Final)
2.6.18-128.el5PAE
|
Posted by Steven, 10-07-2009, 09:45 PM |
First off... that kernel is vulnerable to root exploits.
|
Posted by chasebug, 10-07-2009, 11:21 PM |
OK but what else do I need to do in the meantime to prevent them from uploading to that folder?
What am I missing security wise besides the outdated kernel?
|
Posted by Srv24x7, 10-07-2009, 11:25 PM |
mod_security -- do you have it installed?
|
Posted by web-1, 10-07-2009, 11:35 PM |
http://en.wikipedia.org/wiki/Remote_File_Inclusion
|
Posted by chasebug, 10-08-2009, 02:25 AM |
How do I check if mod_security is installed or not?
|
Posted by VPSGuys, 10-08-2009, 02:34 AM |
In WHM, go down to Plugins and you should see Mod_security.
|
Posted by StevenG, 10-08-2009, 02:43 AM |
If the c99 shell is in those directories, then it's likely Apache is not the culprit, but cPanel is. Which uid owns the files?
|
Posted by TH-Guy, 10-08-2009, 02:58 AM |
Find out which user has put it there (if you still have it on your server):
ls -l /usr/local/cpanel/lang/c99.php
|
Posted by StevenG, 10-08-2009, 03:03 AM |
Indeed. Upgrade cPanel and your kernel, establish who owns the files, and then log an emergency ticket with cPanel to check it out, if you don't currently have a sysadmin capable of doing some investigation.
|
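The ownership check the last two posters describe, as an added triage helper that is not from anyone in this thread: it reports owner and group of each suspect file and maps the owner to the layer that could have stopped the write (mod_security and PHP hardening only matter for files the web server user wrote). It assumes cPanel's Apache runs as "nobody"; adjust WEB_USERS for your build.

```shell
#!/bin/sh
# Added example, not from the thread. Classify suspect files by owner so you
# know which hardening layer is even relevant before tuning mod_security.
# Assumption: the web server user is "nobody" on a stock cPanel build.
WEB_USERS="nobody apache www-data"

# classify_owner USER -> apache | root | account
classify_owner() {
    for w in $WEB_USERS; do
        [ "$1" = "$w" ] && { echo apache; return; }
    done
    [ "$1" = root ] && { echo root; return; }
    echo account
}

# triage FILE... -> one line per file: owner, group and the implied vector
triage() {
    for f in "$@"; do
        [ -e "$f" ] || { echo "$f: missing"; continue; }
        # ls -ld is POSIX: field 3 is the owner, field 4 the group
        owner=$(ls -ld "$f" | awk '{print $3}')
        group=$(ls -ld "$f" | awk '{print $4}')
        case $(classify_owner "$owner") in
            apache)  layer="written by the web server: mod_security, disable_functions and open_basedir apply" ;;
            root)    layer="written as root: kernel or cPanel-level compromise, mod_security cannot help" ;;
            account) layer="written by a hosting account: review that account's scripts, FTP access and password" ;;
        esac
        printf '%s owner=%s group=%s :: %s\n' "$f" "$owner" "$group" "$layer"
    done
}

# The two paths from the original post
triage /usr/local/cpanel/lang/c99.php /var/cpanel/lang.cache/c99.php
```

Run it as root before deleting the files; once they are removed the ownership evidence is gone.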
Posted by alfoos, 10-08-2009, 03:25 AM |
Check the phpinfo page to see if mod_security is enabled.
|
Posted by StevenG, 10-08-2009, 03:27 AM |
Posts like the last one should be discounted.
Welcome to WHT, but please post relevant details if you're replying in the technical section.
|
Posted by chasebug, 10-11-2009, 06:11 AM |
I have mod_security installed but there's nothing logged when I click on it in WHM.
The hacker made several reseller accounts owned by root, and was also able to change my hostname, DNS, admin email, create new packages, etc. Basically had full root access in WHM, I believe.
|
Posted by StevenG, 10-11-2009, 07:11 AM |
Did you read any suggestions in this thread other than the ones for mod_security?
Anyway, how did you get this cleaned up? I assume you had someone fix it, or you got a restore done?
|
Posted by Steven, 10-11-2009, 12:08 PM |
Because your kernel is root vulnerable! You obviously didn't listen the first time and brushed it off.
The server is now compromised. It probably has some root backdoors installed.
Once mod_security is installed you have to manually configure it.
mod_security works for Apache only; it does not work for WHM.
If you have something like rvskin installed, it's also possible that it was exploited. There have been exploits in the past.
Last edited by Steven; 10-11-2009 at 12:12 PM.
|
Posted by MH-Andy, 10-11-2009, 12:16 PM |
That should find all the c99s on your server.
|
Posted by Steven, 10-11-2009, 12:26 PM |
Bad idea. Encrypted files such as Kayako will show up.
Example:
The best solution is to install ClamAV and run a clamscan. c99, among other PHP shells, is picked up by ClamAV.
|
Posted by chasebug, 10-11-2009, 01:55 PM |
All of the damage was already done before I even posted this thread. This was done by the same person who used the c99 shell; the c99.php was found in his account, and he made the hostname changes, DNS changes, packages, etc. using the same account name.
My server is fully managed and I did notify the DC about this issue.
The server has not been cleaned up; I merely deleted/reversed the accounts/packages/DNS/hostname/etc. the hacker did. I ran chkrootkit and rkhunter and there don't seem to be any hits.
mod_security can help prevent, or make it more difficult for, c99 shells to run, correct? So I have it installed, but how do I set it up? I thought there was a rule set I can download?
|
Posted by Steven, 10-11-2009, 02:00 PM |
mod_security is only effective if c99 is being run through Apache. From your past posting, it was located in cPanel-related directories. If it was executed through cPanel (it's possible), mod_security won't block it.
You need to find out how it was initially exploited and patch the hole, rather than putting a hack fix in place to stop c99.
|
Posted by chasebug, 10-11-2009, 02:34 PM |
My kernel is now updated to 2.6.18-164.el5PAE; is this root vulnerable?
|
Posted by Steven, 10-11-2009, 02:36 PM |
No, but that doesn't mean there's not another root exploit on the server now.
|
Posted by chasebug, 10-11-2009, 03:14 PM |
My fully managed tech support is saying that mod_security is a module and there's nothing to configure after it's installed?
How do I install the mod_security rules?
Install instructions:
http://www.atomicorp.com/wiki/index....Security_Rules
I can't find modsecurity.conf in the server.
|
Posted by chasebug, 10-11-2009, 03:21 PM |
I have version 2.59 installed and there is a modsec2.conf.
Do the installation instructions here work for 2.59, or only for 2.50?
http://www.atomicorp.com/wiki/index....Security_Rules
|
Posted by mikegotroot, 10-11-2009, 03:39 PM |
The instructions work for all 2.5 versions of mod_security, including 2.5.10 (the latest mod_security).
|
Posted by Steven, 10-11-2009, 11:17 PM |
It sounds like your managed tech has no idea what they are doing.
|