  1. #1
    Member
    Join Date
    Jan 2005
    Posts
    23

    Becoming so very fed up with Cpanel

    I kept getting all these messages saying that my server may be compromised, and I couldn't get DNS to work right. All this was all of a sudden out of the blue. So I had to in the end, (as my datacenter doesn't support anything but hardware / serverpronto) go out and pay to have someone look at the server. They said a user (IRON) had run a hacking script flooding other servers with TCP packets. They killed the script and replaced all the changed files. Even though I was 104% sure that user had no idea how to do anything like it, I suspended the account, and I went and made every single user and account change their password to something complex, and I changed the root password. For a week everything has been running fine.

    Now today I get these emails,

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the
    account mails has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not be compromised.

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm package findutils did not match the expected checksum. This could mean that your system was compromised (OwN3D). The offending files have been removed and replaced with the OS default. To be safe you should verify that your system has not be compromised.

    Modified Files:
    S.5..UG. /usr/bin/find

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D). The offending files have been removed and replaced with the OS default. To be safe you should verify that your system has not be compromised.

    Modified Files:
    S.5....T /bin/netstat
    S.5..UG. /sbin/ifconfig

    And the Trojan scan listed several possibly infected files. I simply can't afford to pay anyone to clean this up over again. Is there anyone who can tell me how to use WHM to fix this nonsense, and is there any cPanel patch or update that will stop letting this happen?


    Thanks

    Vance
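
For readers of this thread, an added example (not part of the original post and not cPanel's code): a small Python decoder for the `rpm -V` flag strings quoted in the alerts, plus a check for non-root accounts with UID 0. The function names and the sample passwd content are assumptions made for illustration; only the verify lines and the account name `mails` come from the post.

```python
import re

# Attribute letters in `rpm -V` output, by column. Older rpm releases print
# 8 columns (as in the e-mails above); newer ones add a 9th, P (capabilities).
ATTRS = [("S", "file size"), ("M", "mode"), ("5", "digest (checksum)"),
         ("D", "device"), ("L", "symlink target"), ("U", "owner"),
         ("G", "group"), ("T", "modification time"), ("P", "capabilities")]

# flags, optional one-letter file marker (e.g. "c" for config), absolute path
LINE = re.compile(r"^([A-Za-z0-9.?]{8,9})\s+(?:([a-z])\s+)?(/.*)$")

def decode_verify_line(line):
    """Return (path, [changed attributes]) for one verify line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags, _marker, path = m.groups()
    # A column shows its letter when that test failed, "." when it passed.
    changed = [name for ch, (letter, name) in zip(flags, ATTRS) if ch == letter]
    return path, changed

def uid0_accounts(passwd_text):
    """Return account names other than root whose UID field is 0."""
    hits = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2].strip() == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

# Verify lines copied from the e-mails above.
ALERT_LINES = ["S.5..UG. /usr/bin/find", "S.5....T /bin/netstat",
               "S.5..UG. /sbin/ifconfig"]

# Constructed passwd content; only the account name "mails" is from the post.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mails:x:0:0::/home/mails:/bin/bash
user1:x:500:500::/home/user1:/bin/bash
"""

if __name__ == "__main__":
    for line in ALERT_LINES:
        print(decode_verify_line(line))
    print(uid0_accounts(SAMPLE_PASSWD))
```

All three binaries in the alerts differ from the packaged files in both size and checksum, and `find`, `netstat` and `ifconfig` are the tools an administrator would use to look for stray files and connections, so results gathered on the affected host itself are not reliable evidence that it is clean.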

  2. #2
    chirpy, Super Moderator (this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Well, this has nothing at all to do with cPanel and everything to do with your OS, which is evidently insecure. Remember that cPanel is just a web hosting application, it does not replace the need for Linux server administration.

    Once you have suffered a root compromise you must have an OS restore done on the server. It is almost impossible to clean a root compromise unless you are very lucky - the only way to be sure your server is clean if you don't want to do an OS restore is to have the system disk sent off for forensic examination.

    You don't mention which OS you are running, but I would hazard a guess that it's RH9 or older. You should have the server rebuilt with a supported OS and then restore your cPanel account data. As it stands, you cannot trust the OS on your server.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Registered User
    Join Date
    Sep 2008
    Posts
    1

    We have received the following message,

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account dev has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.

    The root password has been changed, we have requested the DC to reset the same.

    Now, after this, how do we secure our server to stop this from happening?

  4. #4
    cpanelkenneth, cPanel Development
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    Please don't dig up ancient topics.
    Kenneth
    Product Manager
    cPanel, Inc.
