#!/usr/bin/perl
# cpanel - hackcheck                              Copyright(c) 2010 cPanel, Inc.
#                                                           All Rights Reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

# Make the cPanel libraries (Cpanel::*) resolvable before the use/require
# lines below are compiled.
BEGIN { @INC = ( '/usr/local/cpanel', @INC ); }

require '/scripts/HTTPreq.pm';

use Cpanel::OSSys;
use Cpanel::iContact ();
use Cpanel::RpmUtils;
use Cpanel::HttpRequest ();
use Cpanel::Rand        ();
use Cpanel::FileUtils   ();
use Cpanel::SafeDir     ();
use Cpanel::Sys::OS     ();

# Unbuffer STDOUT so progress lines show up immediately when run from cron
# or through a pipe.
$|++;

# Probe the filesystem for a rootkit symptom: being unable to create or
# remove files and directories whose names begin with a digit.  Any failure
# is recorded in $is_hacked, which drives the alert below.
my $tmpdir    = Cpanel::Rand::gettmpfile();
my $is_hacked = '';

if ( !( mkdir($tmpdir) && -d $tmpdir ) ) {
    # Could not even create the random scratch directory in /tmp.
    $is_hacked = "Failed to create directory $tmpdir: $!";
}
else {
    DIGIT:
    foreach my $digit ( 0 .. 9 ) {
        my $probe = "$tmpdir/$digit";

        # Regular file: must exist after touch and must be removable.
        Cpanel::FileUtils::touchfile($probe);
        if ( !-f $probe ) {
            $is_hacked = 'Could not create file ' . $probe . ':' . $!;
            last DIGIT;
        }
        if ( !unlink($probe) ) {
            $is_hacked = 'Could not remove file ' . $probe . ':' . $!;
            last DIGIT;
        }

        # Directory: same two checks.
        Cpanel::SafeDir::safemkdir($probe);
        if ( !-d $probe ) {
            $is_hacked = 'Could not create directory ' . $probe . ':' . $!;
            last DIGIT;
        }
        if ( !rmdir($probe) ) {
            $is_hacked = 'Could not remove directory ' . $probe . ':' . $!;
            last DIGIT;
        }
    }

    # Only try to remove the scratch directory when every probe passed; a
    # failed probe may have left an entry behind, and the first error is
    # the one worth reporting.
    if ( !$is_hacked && !rmdir($tmpdir) ) {
        $is_hacked = 'Could not remove directory ' . $tmpdir . ':' . $!;
    }
}

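if ($is_hacked) {
    # Pull cPanel's explanatory note for this symptom.  Two caveats for
    # whoever reads the resulting alert:
    #   * it is fetched over plaintext HTTP (port 80) with no authentication,
    #     so the downloaded text is untrusted content, not evidence;
    #   * the fetch must never stop the alert itself from going out, so a
    #     failed or dying request degrades to a fixed pointer instead of
    #     aborting before icontact() is reached.
    my $downloaded_msg = eval {
        my $req = Cpanel::HttpRequest->new( 'hideOutput' => 1 );
        $req->request( 'host' => 'www.cpanel.net', 'port' => '80', 'url' => '/security/notes/random_js_toolkit.txt' );
    };
    if ( !defined $downloaded_msg || !length $downloaded_msg ) {
        $downloaded_msg = '(Could not download http://www.cpanel.net/security/notes/random_js_toolkit.txt; see that note for details.)';
    }

    my $msg = <<"EOM";
Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

$is_hacked

$downloaded_msg
EOM
    print "[hackcheck] Possible rootkit detected\n$msg";

    Cpanel::iContact::icontact(
        'application' => 'hackcheck',
        'level'       => 1,
        'subject'     => qq{[hackcheck] Possible root compromise detected},
        'message'     => $msg,
        'msgtype'     => ''
    );
}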

# Operator opt-out and unsupported-platform bail-out.  Note that the
# directory-creation probe above runs before these checks, so creating
# /etc/disablehackcheck does not silence that first test.
foreach my $stop_marker ( '/etc/disablehackcheck', '/etc/debian_version' ) {
    exit() if -e $stop_marker;
}

# Identify the platform.  $system and $machine are consulted by the account
# checks below; $distro / $version / $ises / $norpmsupport (package globals
# except $version) select the hackcheck database and package URLs used by
# the RPM verification at the end of the script.
my ( $system, $nodename, $release, $version, $machine ) = Cpanel::OSSys::uname();

# Release files are probed in this order; the first one present wins.
# Columns: path, distro tag (undef = unsupported, exit), whether the version
# helper also yields an "ES" flag into $ises, and what to do after reading
# ('exit' = stop here, 'es-exit' = stop only when $ises is set).
my @release_probes = (
    [ '/etc/fedora-release',   'fedora',   0, '' ],
    [ '/etc/gentoo-release',   undef,      0, 'exit' ],
    [ '/etc/trustix-release',  'trustix',  1, 'es-exit' ],
    [ '/etc/whitebox-release', 'whitebox', 1, 'exit' ],
    [ '/etc/caos-release',     'caos',     1, 'exit' ],
    [ '/etc/SuSE-release',     'suse',     0, '' ],
    [ '/etc/mandrake-release', 'mandrake', 0, '' ],
    [ '/etc/redhat-release',   'redhat',   1, '' ],
);

my $found_release = 0;
PROBE:
foreach my $probe (@release_probes) {
    my ( $release_file, $tag, $reads_es_flag, $action ) = @{$probe};
    next PROBE if !-e $release_file;
    $found_release = 1;

    # No hackcheck database exists for this platform: nothing more to do.
    exit() if !defined $tag;

    $distro = $tag;
    if ($reads_es_flag) {
        ( $version, $ises ) = Cpanel::Sys::OS::getversionfromfile($release_file);
    }
    else {
        ($version) = Cpanel::Sys::OS::getversionfromfile($release_file);
    }
    exit() if $action eq 'exit';
    exit() if $action eq 'es-exit' && $ises;
    last PROBE;
}

# No recognised release file: there is no RPM database to verify against.
$norpmsupport = 1 if !$found_release;

# 64-bit hosts have their own database directory.
$distro .= "-64" if $machine =~ /64/;

# Host name of this server.  Not referenced again in the visible part of
# this script; left in place as a package global in case something
# required from here reads it.
$hostname = `hostname`;
chomp $hostname;

# Service accounts "xfs" and "daemon" should never have a usable password.
# If either one's passwd field is neither "*" nor "!!"-locked, lock both
# (xfs only if the account exists) with the platform's lock command.
# On shadow-password systems that field is presumably "x", so in practice
# this runs on every pass; re-locking an already locked account is harmless.
my @xfs_pw    = getpwnam('xfs');
my @daemon_pw = getpwnam('daemon');

my $needs_lock = 0;
foreach my $pw_field ( $xfs_pw[1], $daemon_pw[1] ) {
    if ( $pw_field ne '*' && $pw_field !~ /^\!\!/ ) {
        $needs_lock = 1;
        last;
    }
}

if ($needs_lock) {
    my @lock_cmd = ( $system =~ /freebsd/i ) ? ( '/usr/sbin/pw', 'lock' ) : ( '/usr/bin/passwd', '-l' );
    system( @lock_cmd, 'xfs' ) if $xfs_pw[0] ne '';
    system( @lock_cmd, 'daemon' );
}

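# Look for extra uid-0 accounts.  Any account other than root/toor with
# uid 0 is locked immediately and the administrator is alerted.
if ( open( my $passwd_fh, '<', '/etc/passwd' ) ) {
    LINE:
    while ( my $line = <$passwd_fh> ) {
        $line =~ s/\n//g;
        next LINE if $line =~ /^\#/;

        # Fields are name:passwd:uid:gid:gecos:home:shell.  A limit of 4
        # keeps the uid as its own field (the previous 3-field split left
        # "uid:gid:..." in $uid and only worked through numeric coercion).
        my ( $user, undef, $uid ) = split( /:/, $line, 4 );
        next LINE if !defined $user || $user eq '';

        # Require a numeric uid so malformed lines and NIS/compat entries
        # with an empty uid field ("+::::::") are not mistaken for uid 0.
        next LINE if !defined $uid || $uid !~ /^\d+$/;
        next LINE if $uid != 0 || $user eq 'root' || $user eq 'toor';

        my @lock_cmd = ( $system =~ /freebsd/i ) ? ( '/usr/sbin/pw', 'lock' ) : ( '/usr/bin/passwd', '-l' );
        system( @lock_cmd, $user );
        print "uid 0 account ($user) - BAD!\n";

        $msg = <<"EOM";
IMPORTANT: Do not ignore this email.
This message is to inform you that the account $user has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should
verify that your system has not been compromised.
EOM
        print "[hackcheck] $user has a uid 0 account\n";
        Cpanel::iContact::icontact(
            'application' => 'hackcheck',
            'level'       => 1,
            'subject'     => qq{[hackcheck] $user has a uid 0 account},
            'message'     => $msg,
            'msgtype'     => ''
        );
    }
    close($passwd_fh);
}
else {
    # The original silently skipped this check when /etc/passwd could not
    # be opened; say so instead, since a missing check is worth noticing.
    print "[hackcheck] Could not read /etc/passwd: $!\n";
}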

# The RPM verification below is only meaningful on RPM-based Linux; FreeBSD
# and Enterprise Server (ES) releases stop here.
exit() if $system =~ /freebsd/i;
exit() if $ises;

# Sanity-check the RPM database before trusting its verify output: rpm
# claiming glibc is not installed is taken as a damaged rpmdb.
$glibccheck = `rpm -V glibc 2>&1`;
die "rpm database is corrupt.  rpm claims glibc is not installed.  hackcheck cannot continue"
  if $glibccheck =~ /not installed/;

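# No recognised release file means no database path can be built.
exit() if $norpmsupport;

# The hackcheck database is a list of "name=rpmversion=file" lines.  It is
# fetched over plaintext HTTP with no signature or checksum, so its fields
# are treated as untrusted: package and file names are allow-listed before
# they reach rpm or a URL, and rpm is invoked without a shell.
@UPDATES = split( /\n/, httpreq( 'httpupdate.cpanel.net', "/pub/hackcheck/$distro/${version}/hackcheck.db" ) );

# An ErrorDocument page means there is no database for this distro/version.
exit() if grep { m/ErrorDocument/ } @UPDATES;

# An optional first argument restricts the run to a single package.
my $only_package = ( defined $ARGV[0] && length $ARGV[0] ) ? $ARGV[0] : undef;

PACKAGE:
foreach (@UPDATES) {
    ( $name, $rpmv, $file, undef ) = split( /=/, $_, 4 );
    next PACKAGE if defined $only_package && $name ne $only_package;

    # Allow-list the package name: it is passed to rpm and printed.
    if ( !defined $name || $name !~ /^[A-Za-z0-9][A-Za-z0-9._+-]*$/ ) {
        print "[hackcheck] skipping malformed package name in hackcheck.db\n";
        next PACKAGE;
    }

    # rpm -V output, one line per file that differs from the package.
    # List-form pipe open: the name never touches a shell.  A failed open
    # yields empty output, which (as before) counts as a clean package.
    $crpmv = '';
    if ( open( my $rpm_fh, '-|', 'rpm', '-V', $name ) ) {
        $crpmv = do { local $/ = undef; <$rpm_fh> };
        close($rpm_fh);
        $crpmv = '' if !defined $crpmv;
        chomp($crpmv);
    }

    # A package is clean when every verify line reports nothing but mtime
    # (T) or SELinux context (C) differences, i.e. only dots precede the
    # path.  (An earlier special case for glibc's GLIBC_2.0/2.1 lines was
    # always overridden by this per-line check and has been dropped.)
    my @verify_lines = split( /\n/, $crpmv );
    $up2date = ( @verify_lines || !$crpmv ) ? 1 : 0;
    foreach my $verify_line (@verify_lines) {
        $verify_line =~ s/\.\.T\s/\.\.\. /g;
        $verify_line =~ s/\.\.C\s/\.\. /g;    # Remove rpm's half-baked SELinux context check info
        if ( $verify_line !~ /^\.+\s/ ) {
            $up2date = 0;
            last;
        }
    }

    if ($up2date) {
        print "$name passes checksum\n";
        next PACKAGE;
    }

    print "$name fails checksum !!!\n";

    # The replacement file name must be a bare ".rpm" basename: no slashes,
    # no query strings, so it cannot point outside the expected directory.
    my $can_replace = ( defined $file && $file =~ /^[A-Za-z0-9][A-Za-z0-9._+-]*\.rpm$/ ) ? 1 : 0;

    $msg = '';
    $msg = <<"EOM";
IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm package $name did not match the
expected checksum. This could mean that your system was compromised (OwN3D).
The offending files have been removed and replaced with the OS default.
To be safe you should verify that your system has not been compromised.
EOM
    $msg .= "\nModified Files:\n$crpmv\n";
    if ( !$can_replace ) {
        $msg .= "\nNOTE: automatic replacement was skipped because hackcheck.db listed an unexpected package file name for $name.\n";
    }

    print "[hackcheck] $name failed checksum test\n$msg\n\n";

    Cpanel::iContact::icontact(
        'application' => 'hackcheck',
        'level'       => 1,
        'subject'     => qq{[hackcheck] $name failed checksum test},
        'message'     => $msg,
        'msgtype'     => ''
    );

    if ( !$can_replace ) {
        print "[hackcheck] not replacing $name: unexpected package file name in hackcheck.db\n";
        next PACKAGE;
    }

    # SECURITY: this installs, as root and with --force --nodeps, a package
    # named by the unauthenticated database and fetched over plaintext HTTP.
    # The allow-list above keeps the URL within the expected directory, but
    # the transport itself is not authenticated -- an on-path attacker who
    # can answer for httpupdate.cpanel.net can supply the package.  Verify
    # the package signature, or move this to a TLS source, before trusting it.
    Cpanel::RpmUtils::rpmcmd( "-Uvh", "--replacepkgs", "--nodeps", "--force", "http://httpupdate.cpanel.net/pub/hackcheck/$distro/${version}/$file" );
}

# U is never opened in this script; the close is a no-op kept only in case
# HTTPreq.pm (required above) leaves a handle of that name open.
close(U);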