Page 2 of 18 (results 16 to 30 of 256)
  1. #16
    cPanel Partner NOC (Root Administrator; joined Mar 2003; location NC; 725 posts)

    If you guys are interested in even more stuff that can be applied to your server take a look at my website http://eth0.us . I am constantly updating it with new information.

    Nice post above, there is a lot of really good information The fail vs blackhole thing saved me a lot of problems with my server. It went from having to scan ~90k emails to only ~20k per day.

  2. #17
    d-woo, Member (joined Aug 2003; 86 posts)

    WHM email notification upon access

    Server e-mail every time someone logs in as root

    To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.

    At command prompt type: pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

    Save and exit.
    This works great!!!

    Is there any way to get an email when WHM is accessed? ...since WHM is accessed using the same username (root) and password as SSH.
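An added example, not code from the thread or from any poster, showing a more robust way to get the login source for the alert line above: `who | awk '{print $6}'` prints one host per logged-in session, so the Subject: header breaks as soon as a second session exists, and it prints nothing for a console login. The functions below prefer SSH_CONNECTION, which sshd exports for the session, and fall back to `who am i`, which reports only the calling terminal. The two `who` lines are constructed samples, and the `~/.bash_profile` usage line is assumed to be used the same way as in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the source of the current
# root login without `who | awk '{print $6}'`, which emits one host per
# logged-in session and nothing at all for a console login.

# login_source WHO_LINE
#   Print the remote host shown in parentheses on one line of `who` output,
#   or "local-console" when the line carries no host.
login_source() {
    host=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    if [ -n "$host" ]; then
        printf '%s\n' "$host"
    else
        printf 'local-console\n'
    fi
}

# current_source
#   Prefer SSH_CONNECTION, which sshd exports for the session (first field is
#   the client address); otherwise fall back to `who am i`, which reports only
#   the calling terminal rather than every session on the machine.
current_source() {
    if [ -n "$SSH_CONNECTION" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        login_source "$(who am i 2>/dev/null)"
    fi
}

# alert_subject SOURCE -> the Subject: line for the notification mail
alert_subject() {
    printf 'Alert: Root Access from %s\n' "$1"
}

# Constructed sample lines in the format `who` prints (not from a real host).
SAMPLE_WHO_REMOTE='root     pts/0        2004-12-14 01:53 (192.0.2.10)'
SAMPLE_WHO_CONSOLE='root     tty1         2004-12-14 01:50'

# Line to append to ~/.bash_profile (assumed, mirroring the post); the
# recipient address is a placeholder.
# echo "ALERT - Root Shell Access on: $(date)" | mail -s "$(alert_subject "$(current_source)")" your@email.com
```

Because SSH_CONNECTION is set per session, two administrators logged in at once each produce a correct subject line, and a console login is labelled as such instead of producing an empty host.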

  3. #18
    Member (joined Jan 2004; location Mar del Plata - Argentina; 239 posts)

    Hi!

    Just a question, BFD automatically restart on every server reboot ?

  4. #19
    Member (joined May 2002; 139 posts)

    Quote Originally Posted by 000000000

    Also check for:

    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts

    Note: There will be several listings that will be OS/CPanel related. Examples are

    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a
    etc.

    i have done as suggested above and found a folder called /dev/shm/.../ with the below content:

    /dev/shm/... /eggdrop.txt.1
    /dev/shm/... /eggdrop.txt.1
    /dev/shm/... /eggz/doc/man1/eggdrop.1
    /dev/shm/... /eggz/eggdrop.simple.conf
    /dev/shm/... /eggz/eggdrop.complete.conf
    /dev/shm/... /eggz/eggdrop.advanced.conf
    /dev/shm/... /eggz/eggdrop
    /dev/shm/... /eggz/eggdrop-1.6.10
    /dev/shm/... /eggdrop.txt

    is this a problem ?? - should i delete these files

    hmmmm tried to navigate into the folder /dev/shm/.../ but it says it's an invalid directory
    Last edited by ctbhost; 12-14-2004 at 01:53 AM.
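An added example, not code from the thread or from any poster, for triaging scratch directories like the one found above. It lists two kinds of entries under the directories you name: hidden names (a leading dot, as with the `...` directory in the post) and regular files with an execute bit set. It modifies nothing; the sample layout it builds under a temporary directory is constructed here, with names borrowed from the listing above and empty file contents.

```shell
#!/bin/sh
# Added example, not code from the thread: list what deserves a look in
# world-writable scratch areas such as /tmp and /dev/shm. Two patterns are
# reported: hidden names (a leading dot, like the "..." directory found above)
# and regular files with the owner execute bit set. Nothing is modified.

# suspicious_entries DIR... -> one path per line, sorted, no duplicates
suspicious_entries() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # hidden names at any depth (the directory itself is excluded)
        find "$d" ! -path "$d" -name '.*' -print
        # regular files with the owner execute bit set
        find "$d" ! -path "$d" -type f -perm -u+x -print
    done | sort -u
}

# make_sample_dir -> create a constructed layout under a temp dir and print its
# path; the names mirror the listing in the post, the contents are empty files.
make_sample_dir() {
    t=$(mktemp -d)
    mkdir -p "$t/.../eggz"
    : > "$t/.../eggz/eggdrop" && chmod u+x "$t/.../eggz/eggdrop"
    : > "$t/eggdrop.txt"
    : > "$t/run.sh" && chmod u+x "$t/run.sh"
    printf '%s\n' "$t"
}

# On a live host: suspicious_entries /tmp /dev/shm
```

Running it on the constructed layout reports the `...` directory, the executable inside it and `run.sh`, but not the plain `eggdrop.txt`; on a real host, read any configuration files it turns up before removing anything, as the later replies in this thread advise.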

  5. #20
    rs-freddo, Member (Root Administrator; joined May 2003; location Australia; 819 posts)

    /dev/shm should be empty.

    I believe it is ram memory, anyway should be empty. Somebody with more knowledge might be able to tell you more.
    Michael

  6. #21
    Member (joined May 2002; 139 posts)

    Quote Originally Posted by rs-freddo
    /dev/shm should be empty.

    I believe it is ram memory, anyway should be empty. Somebody with more knowledge might be able to tell you more.
    yep maybe the case - i rebooted the server and /dev/shm is now empty

  7. #22
    rs-freddo, Member (Root Administrator; joined May 2003; location Australia; 819 posts)

    /dev/shm can be used like /tmp as a place to run an install from. You now have to check that they did not in fact install an eggdrop somewhere on the server. I would have checked the config file before deleting it....

    Anyway, they can now load stuff to /dev/shm/ so you need to find the vulnerable script that's being used to do that...
    Michael

  8. #23
    Member (joined May 2002; 139 posts)

    Quote Originally Posted by rs-freddo

    I would have checked the config file before deleting it....

    Anyway, they can now load stuff to /dev/shm/ so you need to find the vulnerable script that's being used to do that...
    i was going to look at the files but i couldn't access any files in /dev/shm/

    i had some suspicious files in /tmp/ and deleted them the other day so i think that was what they installed - but i'm keeping an eye on things.

    BTW this is a fantastic thread - lots of simple-to-understand information - will be great for newbies -- i know when i was a newbie i would see threads say things like wget bla bla bla - then install it - but no instructions on how to install it, that was frustrating

  9. #24
    cPanel Partner NOC (Root Administrator; joined Mar 2003; location NC; 725 posts)

    If you look at my guide I go over how to secure the /tmp and shm partitions. You should go ahead and look at it to make /tmp noexec. To fix shm change the mount line in /etc/fstab.

    Old:
    none /dev/shm tmpfs defaults 0 0

    New:
    none /dev/shm tmpfs noexec,nosuid 0 0

    Yes it is a memory error but there are people that are using it to exploit servers along with /tmp. It is not as common but definitely something that everybody should secure. After you modify the line just unmount /dev/shm and mount /dev/shm and you are secure =-)
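An added example, not code from the thread or from any poster, that checks whether the /dev/shm entry in an fstab-style file carries the noexec and nosuid options the post recommends. /proc/mounts uses the same field layout (device, mount point, type, options), so the same function also reports what is mounted right now. The two sample files are constructed from the "Old" and "New" lines above.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether the /dev/shm entry in
# an fstab-style file carries the noexec and nosuid options recommended above.
# /proc/mounts uses the same field layout (device, mount point, type, options),
# so the same function reports what is mounted right now.

# shm_mount_opts FILE -> the option field of the first uncommented /dev/shm line
shm_mount_opts() {
    awk '$1 !~ /^#/ && $2 == "/dev/shm" { print $4; exit }' "$1"
}

# has_opt OPTS NAME -> exit 0 when comma-separated OPTS contains NAME exactly
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# shm_hardened FILE -> exit 0 only when /dev/shm is listed with both options
shm_hardened() {
    opts=$(shm_mount_opts "$1")
    [ -n "$opts" ] && has_opt "$opts" noexec && has_opt "$opts" nosuid
}

# Constructed samples mirroring the "Old" and "New" lines in the post; the
# commented-out line in the second sample shows that comments are skipped.
SAMPLE_FSTAB_OLD='none /dev/shm tmpfs defaults 0 0'
SAMPLE_FSTAB_NEW='#none /dev/shm tmpfs defaults 0 0
none /dev/shm tmpfs noexec,nosuid 0 0'

# report FILE -> one-line verdict; on a live host: report /etc/fstab; report /proc/mounts
report() {
    if shm_hardened "$1"; then
        printf '%s: /dev/shm hardened (%s)\n' "$1" "$(shm_mount_opts "$1")"
    else
        printf '%s: /dev/shm NOT hardened (%s)\n' "$1" "$(shm_mount_opts "$1")"
    fi
}

# Demonstration on the constructed samples written to temporary files.
for sample in "$SAMPLE_FSTAB_OLD" "$SAMPLE_FSTAB_NEW"; do
    f=$(mktemp)
    printf '%s\n' "$sample" > "$f"
    report "$f"
    rm -f "$f"
done
```

Checking /proc/mounts as well as /etc/fstab matters because editing fstab alone changes nothing until the filesystem is remounted; `mount -o remount,noexec,nosuid /dev/shm` applies the new options in place as an alternative to the unmount and mount in the post.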

  10. #25
    Member (joined May 2002; 139 posts)

    thanks - have been through your info and just received an email from rkhunter

    ----------------------------------------------------------------------
    [ BAD ]
    [ Warning! ]
    Watch out Root login possible. Possible risk!
    * MD5 scan
    MD5 compared : 80
    Incorrect MD5 checksums : 1

    * File scan
    Scanned files: 310
    Possible infected files: 0

    * Rootkits
    Possible rootkits:

    Scanning took 52 seconds

    *important*
    Scan your system sometimes manually with full output enabled!
    Some errors has been found while checking. Please perform a manual check on this machine *********
    ---------------------------------------------------------------------------------

    i did a manual scan as it recommended and the problems it shows up are as follows

    Found /etc/ssh/sshd_config
    Checking for allowed root login... Watch out Root login possible. Possible risk!
    Hint: see logfile for more information

    Checking /etc/xinetd.conf [ Warning! ]

    /usr/sbin/kudzu [ BAD ]

    What logfile would i check ????
    i was still logged in as root when i got this email so is it just detecting my login??? or another unauthorised login ??

  11. #26
    Member (joined Jan 2004; location Mar del Plata - Argentina; 239 posts)

    root login means that you can log in to your server directly as root, not by using the command "su -"
    Cristian
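An added example, not code from the thread or from any poster, that reports the effective global PermitRootLogin value from an sshd_config-style file, which is the setting the rkhunter "Root login possible" warning above refers to. It follows sshd's parsing rules: the first occurrence of a keyword wins, keywords are case-insensitive, both `Key value` and `Key=value` are accepted, and settings inside a Match block apply only conditionally, so scanning stops there. The three sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: report the effective global
# PermitRootLogin value from an sshd_config-style file. sshd honours the first
# occurrence of a keyword, keywords are case-insensitive, "Key value" and
# "Key=value" are both accepted, and settings inside a Match block apply only
# conditionally, so scanning stops at the first Match line.

# permit_root_login FILE -> effective value, lowercased, or "default" if unset
permit_root_login() {
    val=$(awk '
        /^[[:space:]]*#/ { next }                    # comment line
        { sub(/=/, " ") }                            # allow Key=value form
        tolower($1) == "match" { exit }              # conditional section begins
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'default\n'
    fi
}

# root_login_possible FILE -> exit 0 unless PermitRootLogin is explicitly "no";
# "yes", "without-password"/"prohibit-password", "forced-commands-only" and the
# compiled-in default all leave some form of direct root login open.
root_login_possible() {
    [ "$(permit_root_login "$1")" != "no" ]
}

# Constructed sample configs (not from a real host).
SAMPLE_SSHD_OPEN='# constructed sample
Port 22
PermitRootLogin yes
PermitRootLogin no'
SAMPLE_SSHD_CLOSED='#PermitRootLogin yes
permitrootlogin = no
Match User backup
    PermitRootLogin yes'
SAMPLE_SSHD_UNSET='Port 22'

# On a live host: permit_root_login /etc/ssh/sshd_config
```

The first sample shows why the duplicate-keyword rule matters: the trailing `PermitRootLogin no` is ignored by sshd, so the host still accepts direct root logins even though a quick `grep` would suggest otherwise.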

  12. #27
    Member (joined Oct 2001; 344 posts)

    This is really good and helpful for me.

  13. #28
    Member (joined Nov 2003; location Panama City, FL; 144 posts)

    Brilliant cache of info - as a complete server n00b, this is great stuff.

    I have read maybe 2/3 of it at least elsewhere, so having all in one place is great.

    BUT...

    It would be really really cool if anytime that information appeared, a little warning could be added to the section on limiting SSH to odd port and odd IP addy:

    "WARNING: If you have previously installed a firewall and locked down your ports, FIRST go open up the port you want to change SSH to BEFORE you modify the SSH files!"

    As soon as I did it -- I'm 99.999% sure that's what I did, b/c I previously installed firewall before... and locked down ports.

    ARGH...

    But again, I stress, fantastic lot of info there. I'm going to be going through it again once I can...

  14. #29
    Member (joined May 2003; 208 posts)

    On running the Scan for Trojans, it came back with the following.

    Are these all genuine, or may any of them be trojans ??

    Trojan Scanner
    Main >> Security >> Scan for Trojan Horses
    Appears Clean

    /dev/stderr

    Possible Trojan - /usr/bin/annotate
    Possible Trojan - /usr/bin/gdlib-config
    Possible Trojan - /usr/bin/xml2-config
    Possible Trojan - /usr/lib/libxml2.la
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/lib/libgd.so.2.0.0
    Possible Trojan - /usr/bin/xmlcatalog
    Possible Trojan - /usr/bin/xmllint
    Possible Trojan - /sbin/depmod
    Possible Trojan - /sbin/generate-modprobe.conf
    Possible Trojan - /sbin/insmod
    Possible Trojan - /sbin/insmod.static
    Possible Trojan - /sbin/modinfo
    Possible Trojan - /sbin/modprobe
    Possible Trojan - /sbin/rmmod
    Possible Trojan - /usr/bin/pear
    Possible Trojan - /usr/bin/xsltproc
    Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
    Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
    Possible Trojan - /usr/bin/Magick-config
    Possible Trojan - /usr/lib/libMagick.la

    21 POSSIBLE Trojans Detected

    Thanks
    Daniel

  15. #30
    amal, Member (joined Nov 2003; location India; 153 posts)

    What is the use of /dev/shm????

    I have disabled /dev/shm from all my servers. And I have been doing it for months.. I have never experienced any problems without it...

    I removed the lines that mounted /dev/shm, and unmounted the currently mounted /dev/shm...
