[CentOS] Server Hacked: Cpanel

Wed Aug 9 16:31:01 UTC 2006
Rodrigo Barbosa <rodrigob at darkover.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Aug 09, 2006 at 12:29:14PM -0400, Drew Weaver wrote:
> 	If they got in via SSH and all they did was deface his website
> they must be stand-up guys, huh? Most likely they just wrote an
> executable to his /tmp directory and then used apache's amazing
> recursion checking to execute it. This is the most common case I've seen
> on the dozens of cPanel 'hacks' I've encountered.

/tmp, /var/tmp and /dev/shm based compromizes do seem to account for
70%+ of the hacking on cPanel servers these days.

I blame canned script kiddies tools for that. It is simply the easiest
way to go.

Usually you will have a perl script there, so even nodev,noexec
won't stop that.

[]s

- -- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE2g3FpdyWzQ5b5ckRAmWkAJ4g1IJjWeGnGJspIhfvl5AciIWF0QCgjLss
zmtRb/dBOc+h3G8eMmBP0mA=
=dwM5
-----END PGP SIGNATURE-----