  1. #1
    SitePoint Member
    Join Date
    Oct 2006

    Question chkrootkit < Urgent need : How do I execute in cpanel?

    I'm a newbie to server/site security but learning fast due to a scumbag who installed a phishing site in a folder on my server. I think they got in via an old phpBB forum install that I never got rid of.

    I have been trying to get up to speed on what I should do (and should've already done before this happened!). As you know, there's a LOT to it so I'll be learning for quite some time.

    I got an email from a security company working for a bank to tell me to "shut down this website". That's how I know it exists. So I can see the phishing site folder path off of one of my websites but I can't delete the folder or any of the files in it (to make it stop working). It simply repopulates and won't go to "trash".

    I have installed chkrootkit in the root directory in cPanel on my server (shared hosting) as instructed. But how exactly do I execute/run the program? The instructions say to type "make sense" to compile the C programs. But where do I type it? I'm clueless and don't see a command line from my end of cPanel. Is that the problem? Only the hosting company can do this? I would think that I should have the ability to protect myself and my interests, no?

    Here are the instructions:
    -----------------------------
    5. Installation
    ---------------

    To compile the C programs type:

    # make sense

    After that it is ready to use and you can simply type:

    # ./chkrootkit
    -------------------------------

    Any help is GREATLY appreciated!!! If you have links to MUST READ INFO on what I need to do to secure my sites for future reference (from a newbie's/dummie's perspective) please send it ASAP.

    Thank you very much.
    Last edited by justbadco1; Sep 25, 2008 at 08:31.

  2. #2
    SitePoint Zealot
    Join Date
    Sep 2008
    You have to log in to the server using SSH as the root user.

    It sounds like you have logged in to an FTP account.
    Do you have a server, or a shared plan on a server?

  3. #3
    SitePoint Wizard
    Join Date
    Mar 2008
    Ask your hosting company to delete it. It should be easy if they put it on there through your web server. A simple "rm" should do it.

    chkrootkit is something for your web hosting company to run, but it shouldn't be needed in your case, unless the host did not lock down the server.

    Anyway, the problem here is that software has bugs. So, you need to keep track of new versions of software, and when you are considering installing a piece of software, check out its history of security vulnerabilities. phpBB used to be very bad with exploits (I don't know if it still is).

  4. #4
    SitePoint Enthusiast Tim Greer's Avatar
    Join Date
    Aug 2001
    Location
    California, home of the bear...
    I'm unclear if you own the shared hosting server or if you're just a client. If you own it, log in as root, decompress the source, change to the directory, type "make sense", and then run it with whatever options you want: "./chkrootkit". Also consider installing, updating and then running rkhunter. These are just simple programs that do a lot of checks, but you still have to have an idea of what you're doing in a lot of areas to prevent and deal with exploits (on any level).

    It doesn't sound like it's a root level compromise anyway. It sounds like you're the client on a shared server, so as others have said, it's for the host to deal with that level. It sounds like one or more scripts on your account itself are insecure, or your password is weak, or both. Be sure your scripts are up to date, secure and use strong passwords, and don't use the same passwords for scripts/forum logins, databases, etc. as you do for logging into your account. You need your account cleaned up (proactive) and then take preventive steps to stop it from happening in the future.
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    http://www.burlyhost.com/ Shared Hosting, Reseller Hosting, more!
    Industry's most experienced staff! -- Web Hosting With Muscle!
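    The root-shell procedure described in this reply (unpack, "make sense", "./chkrootkit"), written up as an added example script that is not from the thread or from the chkrootkit project. It assumes the source tarball has already been downloaded and verified to the path given as the first argument, and that findings appear in chkrootkit's report as lines containing "INFECTED", "Warning:" or "Possible ... installed"; the last function is what a cPanel-only customer cannot run, which is the point the replies make.

```shell
#!/bin/sh
# Added example: build-and-run chkrootkit as root, then triage its report.
# Assumption: $1 is a downloaded and verified chkrootkit source tarball.
set -u

# On a shared plan with only cPanel/FTP access there is no root shell,
# so this is the step that fails for the original poster.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "need a root shell, not a cPanel/FTP login" >&2; return 1; }
}

# Unpack the tarball, compile with "make sense", run the scanner and keep the report.
run_chkrootkit() {
    tarball="$1"
    report="${2:-/root/chkrootkit-$(date +%Y%m%d).log}"
    require_root || return 1
    [ -f "$tarball" ] || { echo "tarball not found: $tarball" >&2; return 1; }
    dir=$(tar tzf "$tarball" | head -n 1 | cut -d/ -f1)
    tar xzf "$tarball" && cd "$dir" || return 1
    make sense || return 1
    ./chkrootkit | tee "$report"
    cd - >/dev/null
    echo "report saved to $report"
}

# Print the number of flagged lines in a saved chkrootkit report and return
# non-zero when anything was flagged, so the result can drive an alert.
# ("not infected" is lowercase, so the case-sensitive INFECTED does not match it.)
chkrootkit_findings() {
    report="$1"
    n=$(grep -c -E 'INFECTED|Warning:|Possible .*installed' "$report" || true)
    echo "$n"
    [ "$n" -eq 0 ]
}
```

    Run it as "run_chkrootkit chkrootkit.tar.gz" from a root SSH session; a non-zero exit from chkrootkit_findings on the saved report means the lines it counted need a manual look.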

  5. #5
    SitePoint Member
    Join Date
    Oct 2006
    Thanks for your replies. Sorry it took so long to reply.

    After spending a TON of time trying to figure out what's up, the hosting company was able to delete the folder for me. After this scare, I realize I have a lot to learn about site and server security. I really appreciate all of your feedback.
