chrissweden Posted February 27, 2013

Hi,

One of my clients' websites got hacked and they left some stuff. I removed the client and most of the hacker's stuff but I can't find the script that is run through a cronjob. The cronjob starts at 19:40 which runs my WHMCS cron but at the same time runs the script. Also running the cron manually gives the same outcome. Should I look inside the WHMCS sql file? Or is it calling a script on the server at the same time? Seems unlikely as it only does the WHMCS cron...

2013:02:26-19:40:07: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***
2013:02:26-19:40:07: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account ***
2013:02:27-13:35:05: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account ***
2013:02:27-13:35:05: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***

bear Posted February 27, 2013

> The cronjob starts at 19:40 which runs my WHMCS cron but at the same times runs the script.

I'd be checking crontab as well as the cron on your own account, since it's run at the same time. It's possible since you're on the same server as hosted customers (based on what you've said), it's possible something has been added into your account/cron. If you have root, that's not too hard. Edit the main cron:

    crontab -e

To see the crons of all users (including root), use the following, again as root:

    for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l; done

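The loop in the post above lists per-user crontabs only. As an added example (not part of the thread or any poster's code), this sketch also reads `/etc/crontab` and `/etc/cron.d` and keeps the entries able to fire at a given time such as 19:40. The function names `cron_entries` and `cron_at` are made up here, and the spool paths `/var/spool/cron` and `/var/spool/cron/crontabs` are assumed as the usual RHEL-style and Debian-style locations.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are made up here.

# Print "source<TAB>entry" for every active line in crontab-format files
# under ROOT: the system crontab, /etc/cron.d, and per-user spool files.
cron_entries() (
    root="${1%/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        awk -v src="${f#"$root"}" '
            NF == 0 || $1 ~ /^#/ { next }                       # blank, comment
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }     # VAR=value
            { sub(/^[ \t]+/, ""); print src "\t" $0 }' "$f"
    done
)

# Keep entries whose minute and hour fields can match HOUR:MINUTE.
# Handles "*", lists, ranges and steps. Day and month fields are not
# evaluated, and @reboot/@daily style entries are left out.
cron_at() (
    cron_entries "$1" | awk -F'\t' -v h="$2" -v m="$3" '
        function hit(field, v, lo, hi,    n, i, p, r, q, a, b, step) {
            n = split(field, p, ",")
            for (i = 1; i <= n; i++) {
                step = (split(p[i], r, "/") == 2 && r[2] + 0 > 0) ? r[2] + 0 : 1
                if (r[1] == "*") { a = lo; b = hi }
                else if (split(r[1], q, "-") == 2) { a = q[1] + 0; b = q[2] + 0 }
                else { a = b = r[1] + 0 }
                if (v >= a && v <= b && (v - a) % step == 0) return 1
            }
            return 0
        }
        { split($2, c, /[ \t]+/) }
        c[1] !~ /^@/ && hit(c[1], m + 0, 0, 59) && hit(c[2], h + 0, 0, 23)'
)

# Usage (file name is a placeholder): sh cron-audit.sh ROOT HOUR MINUTE
# e.g. "sh cron-audit.sh / 19 40", run as root so the spool files are readable.
if [ "$#" -eq 3 ]; then cron_at "$1" "$2" "$3"; fi
```

Scripts dropped into the `cron.hourly`, `cron.daily`, `cron.weekly` and `cron.monthly` directories are not crontab-format files and still need a separate look.
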
chrissweden Posted February 27, 2013

Only one cronjob and that's the daily backup. I think it's some sort of mysql injection inside a whmcs table as it runs at the same time as the whmcs cron does.

bear Posted February 27, 2013

If you feel it's mysql, have you checked the database for that? Just run a search for bits of the output, as a start.

WHMCS Chris Posted February 27, 2013

It's highly recommended not to have your billing platform on the same server as your clients.

WHMCS JamesX Posted February 27, 2013

If this is running along with your WHMCS cron task, whether initiated manually or during a scheduled run, you may also want to check your installation for rogue files within folders such as includes/, modules/, etc. If your server had been compromised, files could have been created/moved from elsewhere on the server. As Chris mentioned, it's never really a good idea to host such a system on a server which is also home to your clients and whatever they may upload to it.

chrissweden Posted February 27, 2013

Yes, they uploaded some stuff to the main website which caused some images to redirect to other images. The leak was on a client's website which I removed. I only host 3 clients from like 6 years ago, we stopped offering webhosting since 4 years ago. It's not interesting to make another vps for just these clients, or so I thought... I don't see any new or altered files in the whmcs directory, I did a search for all the files by root and apache but none came up.

chrissweden Posted February 28, 2013

This is solved, it was whmcs trying to log into directadmin (server status thing) and it failed the login, how stupid of me.