
cronjob runs malicious script and tries to login: hack-> Non-base64 authentication's


chrissweden


Hi,

 

One of my clients' websites got hacked and they left some stuff. I removed the client and most of the hackers' stuff, but I can't find the script that is run through a cronjob.

 

The cronjob starts at 19:40, which runs my WHMCS cron, but at the same time runs the script. Also, running the cron manually gives the same outcome. Should I look inside the WHMCS SQL file? Or is it calling a script on the server at the same time? Seems unlikely as it only does the WHMCS cron...

 

2013:02:26-19:40:07: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***

2013:02:26-19:40:07: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account ***


2013:02:27-13:35:05: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account ***

2013:02:27-13:35:05: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***


The cronjob starts at 19:40 which runs my WHMCS cron but at the same times runs the script.

I'd be checking crontab as well as the cron on your own account, since it's run at the same time. It's possible, since you're on the same server as hosted customers (based on what you've said), that something has been added into your account/cron.

If you have root, that's not too hard.

Edit the main cron:

crontab -e

To see the crons of all users (including root), use the following, again as root:

for user in $(cut -f1 -d: /etc/passwd); do echo "### $user"; crontab -u "$user" -l 2>/dev/null; done


If this is running along with your WHMCS cron task, whether initiated manually or during a scheduled run, you may also want to check your installation for rogue files within folders such as includes/, modules/, etc.

 

If your server had been compromised, files could have been created/moved from elsewhere on the server. As Chris mentioned, it's never really a good idea to host such a system on a server which is also home to your clients and whatever they may upload to it.

Edited by WHMCS JamesX

Yes, they uploaded some stuff to the main website, which caused some images to redirect to other images. The leak was on a client's website, which I removed. I only host 3 clients from like 6 years ago; we stopped offering web hosting 4 years ago. It's not interesting to make another VPS for just these clients, or so I thought...

 

I don't see any new or altered files in the WHMCS directory; I did a search for all the files by root and apache, but none came up.
