At this time it is recommended that you upgrade your kernel to the latest version available for your distribution or you compile a 2.6.24.2 or above version.

Don’t ignore this as it can be a major security issue.

More info on this:
http://it.slashdot.org/article.pl?sid=08/02/10/2011257

If you need help with your kernel upgrade you can contact us as we can do it for you (for a fee of course).

I will try to tell you a few tricks over a series of tutorials on how to detect such scripts and how to protect your self in the future.

First let’s see how we can detect them. On a normal cPanel server there are many processes running but most of them run under dedicated users (such as cpanel, exim, etc.). You have to worry only about processes running under the user “nobody”. Now unfortunately Apache is also running under the user nobody but we will ignore those processes.

So what to do to see what processes are running under the user nobody? Simple, just type:

ps aux | grep nobody

This should output a few apache processes but NOTING else (on a cPanel powered server). If you are seeing any other processes that look suspect that it’s time you investigate.

How to do this? Simple again, let’s trace where that process is running from. Look at the second column in from of the suspect process. You should see there the process id. Let’s suppose that this is 12345.

Now let’s see some information about this process from /proc. For this go ahead and do:

ls -la /proc/12345

You should now see some information about that process and most import that cwd (current working directory) . This is the place where that process runs from !

The output will look similar to:

root@server [/]# ls -la /proc/12345
total 0
dr-xr-xr-x 3 root root 0 Mar 18 09:28 ./
dr-xr-xr-x 311 root root 0 Mar 15 03:26 ../
dr-xr-xr-x 2 root root 0 Mar 18 23:23 attr/
-r——– 1 root root 0 Mar 18 23:23 auxv
-r–r–r– 1 root root 0 Mar 18 23:09 cmdline
lrwxrwxrwx 1 root root 0 Mar 18 23:23 cwd -> /root/
-r——– 1 root root 0 Mar 18 23:23 environ
lrwxrwxrwx 1 root root 0 Mar 18 23:00 exe -> /usr/bin/perl*
dr-x—— 2 root root 0 Mar 18 09:30 fd/
-rw-r–r– 1 root root 0 Mar 18 23:23 loginuid
-r–r–r– 1 root root 0 Mar 18 23:23 maps
-rw——- 1 root root 0 Mar 18 23:23 mem
-r–r–r– 1 root root 0 Mar 18 23:23 mounts
-r——– 1 root root 0 Mar 18 23:23 mountstats
lrwxrwxrwx 1 root root 0 Mar 18 23:23 root -> //
-r——– 1 root root 0 Mar 18 23:23 smaps
-r–r–r– 1 root root 0 Mar 18 23:07 stat
-r–r–r– 1 root root 0 Mar 18 23:00 statm
-r–r–r– 1 root root 0 Mar 18 23:09 status
dr-xr-xr-x 3 root root 0 Mar 18 23:23 task/
-r–r–r– 1 root root 0 Mar 18 23:23 wchan

If you now have the information you need you can now delete that file(s) and don’t forget the terminate that process.

Something like this should work:

kill -9 12345

I hope this is useful for you. I will write a fallow up as soon as possible.

An arbitrary file inclusion vulnerability has been discovered in the Horde webmail application. At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time).

cPanel customers should update their cPanel and WHM servers immediately to prevent any chance of compromise. The patch will be available in builds 11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated builds will be available immediately to all fast update servers. The builds will be available to all other update servers within one hour of this posting.

To check which version of cPanel and WHM is on your server, simply log into WebHost Manager (WHM) and look in the top right corner, or execute the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to ‘cPanel’ -> ‘Upgrade to Latest Version’ in WebHost Manager or by executing the following from the command line as root:

/scripts/upcp

It is recommended that all use of Horde 3.1.6 and earlier be stopped (on cPanel and non-cPanel systems alike) until Horde updates can be applied. You can disable Horde on your cPanel system by unchecking the box next to ‘Server Configuration’ -> ‘Tweak Settings’ -> ‘Mail’ -> ‘Horde Webmail’ within WHM, and saving the page with the new settings.

A server compromise trend has been recently reported targeting multiple hosting platforms. RedHat Enterprise Linux & Centos 4/5 and Fedora Core 5/6 are the most common targets. This compromise is not believed to be specific to cPanel software. This issue has been seen on systems running a variety of control panels.

The vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The majority of the affect servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, it’s believed that the attacker has gained access to a database of root login credentials for a large group of Linux servers.

Once access is gained, the attacker downloads and compiles Stealth Zapper 1.0, which is used to clean all traces of the attackers access and movements through the system. The attacker then downloads a script used to gather information from Apache and compiles a list of statistics for each site hosted on the server. This information is then sent to an undisclosed location for the attacker to view. Once the information is sent successfully, the attacker downloads an agent binary built from the Boxer 0.99 BETA 3 root-kit. This binary is secured with encrypted keys to only allow access from the attackers Boxer installation. This agent binary is built with several additional scripts developed by the attacker to load a web server into memory and inject the random JavaScript into the HTML code after Apache has served the file, but before it has traveled through the TCP transport back to the web site visitor. The attacker will first run the agent binary to load it into memory. This activates the root-kit, which will then go on to copy itself to the seven binary locations below which will keep the agent running at all times, including after a reboot.

/sbin/ifconfig
/sbin/fsck
/sbin/route
/bin/basename
/bin/cat
/bin/mount
/bin/touch

The rootkit renames these system binaries by adding a random set of characters to the end of the file name. Additionally, a 0 byte file with a different set of random characters is created based upon the target binary’s name similar to the following:

/sbin/routewWmVTnBL6szkobbNZ9Iz
/sbin/routeGnAxnt168fMJAxHiru22

These files are hidden on the live filesystem of an affected system. In order to view these files, the system must be rebooted into a safe environment such as a system rescue CD.

The JavaScript being loaded by this web server is directing users to another server that scans the web site user for a number of known vulnerabilities. These vulnerabilities are then used to add the web site user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.

If you feel your server is compromised, you can run the tests below to confirm.

The easiest test is to attempt to create a directory with a numerical name:

mkdir 1

If your server is compromised, this will result in the error below:

[root\@cpanel ~]# mkdir 1
mkdir: cannot create directory `1′: No such file or directory

This isn’t always the case in older variants of the rootkit. To be certain your server isn’t compromised, it’s best to sniff packets for a brief 3-5 minute period. You can do this using the command below:

tcpdump -nAs 2048 src port 80 | grep “[a-zA-Z]\{5\}\.js’”

If this reports packets being sent that match the regex above, then the server is most likely compromised. Additional detection methods require an in-depth knowledge of kernel debugging.

Cleaning the Random JavaScript Toolkit requires the server to be booted into a safe environment and the removal of all infected binaries. Since it is believed that the attacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether. It is recommended that you contact your data-center, NOC, or a qualified administrator to have the server properly cleaned and secured.

More information on this issue as well as discussions can be found at the following URLs:

http://forums.cpanel.net
http://www.webhostingtalk.com/showthread.php?t=651748
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

1. Log on your server as root
2. Type the fallowing command

netstat -plan|grep :80|awk {’print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

You will see a list of IP’s with the number of connections each once has to your server.

3. If any IP’s have more then 100 connections then there is a chance that this is your attacker. Go ahead and block this IP using APF if you have it installed or CSF

apf -d IP
or
csf -d IP

Hope it helps !

If you have any questions don’t hesitate to leave a comment.

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

How to install?

1. Login as root to your server
2. Download the package and extract it

wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.3.0.tar.gz
tar -xzf rkhunter*

3. Run the installer

cd rkhunter-*
./installer.sh –layout default –install

4. Run rkhunter

/usr/local/bin/rkhunter -c

Enjoy !

1. Login to your server as root
2. Run the fallowing command

chmod 0700 /usr/bin/wget

Please note that disabling wget might cause some scripts to stop working. A known problem is that Fantastico will stop updating after this. The solution is pretty easy…
Before you disable wget make sure that you do a copy of it with the initial permissions. You can use any name that you want, the fallowing is just an example:

cp /usr/bin/wget /usr/bin/wget_secret

In the Fantastico configuration input the location to wget as:

/usr/bin/wget_secret

If for some reason you you want to revert the change you simply have to do:

chmod 0711 /usr/bin/wget

If you have any questions or suggestions please leave a comment.

(D)DoS Deflate is a shell script developed by Zaf, originally for use on MediaLayer servers to assist in combating denial of service attacks. However, it was seen to be very effective for our purpose, and therefore was released as a contribution to the web hosting community. (D)DoS Deflate is now used by not only many web hosts, but by many people who run their own servers looking for additional security in dealing with such attacks. 

How to install 

Installing DOS-Deflate is one of the simplest out there.

1. Login to your server as root
2. Download the install script

wget http://www.inetbase.com/scripts/ddos/install.sh

3. Run the installer

sh install.sh

DOS-Deflate should now be installed.

Please note that DOS-Deflate uses APF to ban IPs so you must have it installed for DOS-Deflate to work properly. I guide on how to install APF can be found here.

Customizing DOS-Deflate is very easy. You have to edit /usr/local/ddos/ddos.conf with your favorite editor for example

pico /usr/local/ddos/ddos.conf

Every setting is explained in the configuration file so I will not go over them as the explanations are quite easy to fallow up.

If you run into any problems please leave a comment here and I’ll try to help out.

chkrootkit is a tool to locally check for signs of a rootkit.  It
contains:

* chkrootkit: a shell script that checks system binaries for
   rootkit modification.

* ifpromisc.c: checks if the network interface is in promiscuous
   mode.

* chklastlog.c: checks for lastlog deletions.

* chkwtmp.c: checks for wtmp deletions.

* check_wtmpx.c: checks for wtmpx deletions.  (Solaris only)

* chkproc.c: checks for signs of LKM trojans.

* chkdirs.c: checks for signs of LKM trojans.

* strings.c: quick and dirty strings replacement.

* chkutmp.c: checks for utmp deletions.

How to install chkrootkit

1. Login to your server as root
2. Download chkrootkit and extract the archive

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.47

3. Install chkrootkit

make sense

4. Now lets run chkrootkit

/root/chkrootkit-0.47/chkrootkit

Make sure you run it on a regular basis, perhaps you can include the scan in a cron job.

We do not guaranty that the following steps will make your server hack proof, but it will greatly reduce your chances of compromise.

Basic Steps to Securing CPanel (Linux based OS):

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items…

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static

/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

These are measures that can be taken to secure your server, with SSH access.

Udate OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

Install chkrootkit