Anatomy Of A Hack (Feb 27 2008)
From Deep Thought
Background
The hack pointed index.php to http://z-xwvd.mail15.su. Written at 11:57 PM EST; owner: theener
/var/log/secure
Feb 26 11:53:40 host Cp-Wrap[3543]: Pushing "32043 GETDOMAINIP theenergydetective.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32043
Feb 26 11:53:40 host Cp-Wrap[3543]: CP-Wrapper terminated without error
Feb 26 11:53:40 host Cp-Wrap[3548]: Pushing "32043 LISTSUBDOMAINS 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32043
Feb 26 11:53:40 host Cp-Wrap[3548]: CP-Wrapper terminated without error
Feb 26 11:53:40 host Cp-Wrap[3556]: Pushing "32043 LISTMULTIPARKED 0 " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32043
Feb 26 11:53:40 host Cp-Wrap[3556]: CP-Wrapper terminated without error
Feb 26 11:53:40 host Cp-Wrap[3560]: Pushing "32043 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32043
Feb 26 11:53:41 host Cp-Wrap[3560]: CP-Wrapper terminated without error
Feb 26 11:53:41 host Cp-Wrap[3575]: Pushing "32043 LISTDBS " to '/usr/local/cpanel/bin/postgresadmin' for UID: 32043
Feb 26 11:53:41 host Cp-Wrap[3575]: CP-Wrapper terminated without error
Feb 26 11:53:41 host Cp-Wrap[3584]: Pushing "32043 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32043
Feb 26 11:53:41 host Cp-Wrap[3584]: CP-Wrapper terminated without error
Feb 26 11:53:46 host Cp-Wrap[3660]: Pushing "32043 DBCACHE" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32043
Feb 26 11:53:46 host Cp-Wrap[3660]: CP-Wrapper terminated without error
Feb 26 11:54:02 host Cp-Wrap[3763]: Pushing "32043 NULLIFY theenergydetective.com test " to '/usr/local/cpanel/bin/mxadmin' for UID: 32043
Feb 26 11:54:02 host Cp-Wrap[3763]: CP-Wrapper terminated without error
Feb 26 11:54:03 host Cp-Wrap[3776]: Pushing "32043 NULLIFY theenergydetective.com test " to '/usr/local/cpanel/bin/mxadmin' for UID: 32043
Feb 26 11:54:03 host Cp-Wrap[3776]: CP-Wrapper terminated without error
Feb 26 11:54:03 host Cp-Wrap[3780]: Pushing "32043 NULLIFY theenergydetective.com test " to '/usr/local/cpanel/bin/mxadmin' for UID: 32043
Feb 26 11:54:03 host Cp-Wrap[3780]: CP-Wrapper terminated without error
/var/log/messages
Feb 27 23:56:01 host pure-ftpd: (?@219.64.125.180) [INFO] New connection from 219.64.125.180
Feb 27 23:56:02 host pure-ftpd: (?@219.64.125.180) [INFO] funfit is now logged in
Feb 27 23:56:35 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:56:39 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/index.php uploaded (283 bytes, 0.88KB/sec)
Feb 27 23:56:48 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/original/index.htm uploaded (283 bytes, 0.85KB/sec)
Feb 27 23:57:17 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizer/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:57:19 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizerftp/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:57:20 host pure-ftpd: (funfit@219.64.125.180) [INFO] Logout.
Feb 27 23:57:20 host pure-ftpd: (?@219.64.125.180) [INFO] New connection from 219.64.125.180
Feb 27 23:57:21 host pure-ftpd: (?@219.64.125.180) [INFO] funfit is now logged in
Feb 27 23:57:52 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:57:57 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/index.php uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:58:05 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/original/index.htm uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:58:34 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizer/index.html uploaded (283 bytes, 0.88KB/sec)
Feb 27 23:58:37 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizerftp/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:58:37 host pure-ftpd: (funfit@219.64.125.180) [INFO] Logout.
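The pure-ftpd excerpt above shows the pattern a detection rule can key on: one account, one source address, and the same 283-byte file written over every index.* it can reach, twice in about two minutes. The script below is an added example (not part of the original wiki page) that parses pure-ftpd NOTICE lines in the layout seen above and flags such bursts. The year (2008, from the page title), the field layout assumed by the regular expression, and the thresholds (at least 3 distinct index files, within 300 seconds) are assumptions; the sample input is the log excerpt reproduced from this page.

```python
"""Flag mass-overwrite of index files in pure-ftpd logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout, taken from the lines on this page:
# "<Mon> <d> <HH:MM:SS> <host> pure-ftpd: (<user>@<ip>) [NOTICE] <path> uploaded (<n> bytes, ...)"
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) uploaded "
    r"\((?P<size>\d+) bytes"
)
LOG_YEAR = 2008  # syslog lines carry no year; assumed from the page title

# Sample input: the /var/log/messages excerpt reproduced from this page
SAMPLE_LOG = """\
Feb 27 23:56:01 host pure-ftpd: (?@219.64.125.180) [INFO] New connection from 219.64.125.180
Feb 27 23:56:02 host pure-ftpd: (?@219.64.125.180) [INFO] funfit is now logged in
Feb 27 23:56:35 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:56:39 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/index.php uploaded (283 bytes, 0.88KB/sec)
Feb 27 23:56:48 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/original/index.htm uploaded (283 bytes, 0.85KB/sec)
Feb 27 23:57:17 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizer/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:57:19 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizerftp/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:57:20 host pure-ftpd: (funfit@219.64.125.180) [INFO] Logout.
Feb 27 23:57:20 host pure-ftpd: (?@219.64.125.180) [INFO] New connection from 219.64.125.180
Feb 27 23:57:21 host pure-ftpd: (?@219.64.125.180) [INFO] funfit is now logged in
Feb 27 23:57:52 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:57:57 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/index.php uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:58:05 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//public_html/cms_site/original/index.htm uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:58:34 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizer/index.html uploaded (283 bytes, 0.88KB/sec)
Feb 27 23:58:37 host pure-ftpd: (funfit@219.64.125.180) [NOTICE] /home/funfit//tmp/webalizerftp/index.html uploaded (283 bytes, 0.89KB/sec)
Feb 27 23:58:37 host pure-ftpd: (funfit@219.64.125.180) [INFO] Logout.
"""


def parse_uploads(lines):
    """Return one dict per upload NOTICE; connection/login/logout lines are skipped."""
    uploads = []
    for line in lines:
        m = UPLOAD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        uploads.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                        "path": m["path"], "size": int(m["size"])})
    return uploads


def find_index_overwrite_bursts(uploads, min_files=3, window_seconds=300):
    """Group index.* uploads by (user, ip, byte size) and flag groups that
    touch at least min_files distinct paths within window_seconds.
    Identical size across many index files is the tell for one payload
    being sprayed over a site; legitimate edits rarely look like that."""
    groups = defaultdict(list)
    for u in uploads:
        basename = u["path"].rsplit("/", 1)[-1].lower()
        if basename.startswith("index."):
            groups[(u["user"], u["ip"], u["size"])].append(u)

    alerts = []
    for (user, ip, size), items in groups.items():
        items.sort(key=lambda u: u["ts"])
        span = (items[-1]["ts"] - items[0]["ts"]).total_seconds()
        paths = sorted({u["path"] for u in items})
        if len(paths) >= min_files and span <= window_seconds:
            alerts.append({"user": user, "ip": ip, "size": size,
                           "files": paths, "uploads": len(items),
                           "span_seconds": span})
    return alerts


if __name__ == "__main__":
    for alert in find_index_overwrite_bursts(parse_uploads(SAMPLE_LOG.splitlines())):
        print(f"{alert['user']}@{alert['ip']}: {alert['uploads']} uploads of a "
              f"{alert['size']}-byte payload to {len(alert['files'])} index files "
              f"in {alert['span_seconds']:.0f}s")
        for path in alert["files"]:
            print("   ", path)
```

Run against the excerpt, the rule yields a single alert for funfit@219.64.125.180: ten uploads of a 283-byte payload to five distinct index files in 122 seconds. Grouping on byte size is deliberately narrow; a looser variant would group on (user, ip) only and compare content hashes from the FTP server's own file access log where one is available.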
