Hacked/Intrusion - what to look for?
What should I look for and do, if an OS reload is not an option, if I suspect someone has had root access to a server - with the password?
I have run chkrootkit and rkhunter, changed the password and hash, and I also ran clamdscan on /home, /root, /tmp. Checked some dirs by eye (/dev/shm, /tmp, apache dirs)... Looked in some logs, but any tips here on what to look for and where would be great.
Which logs have you checked? Have you checked the cPanel and access logs?
cPanel logs: /var/cpanel/logs
Access logs: /var/messages
It's very hard to detect intrusions. What I would suggest is to increase your security.
A good start is here. This is free software and is designed for WHM. Running rkhunter is your best bet to see if you have been rooted, I guess. Scanning any strange PHP pages is also a good start; scan them with any normal AV like NOD32 etc., they will pick up any c99 shells. Also in your Security Center (WHM) there is a section which allows you to lock down services to a specific IP or IP range. For example, only I can SSH to my server, either from work or at home; only customers can FTP to the server, and if they have a dynamic IP that's fine as I've added the IP range. If you would like any help, send me a message and I'll add you on MSN and talk you through various security measures you can take.
Hi, thanks for your reply!
2fast - How do I lock SSH to only 2-3 IP addresses? I read about it a little but can't find a step-by-step kind of post. Also, it should be possible to only block root access to one IP while client SSH access can be done from anywhere. Know anything about that? I'll try to find info, but if you have the time, I'd appreciate any help. Thanks!
Sorry for the late reply..
If you are not familiar with iptables then you can do it through your WHM. Click on Security > Security Center > Host Access Control (block IP access) > there you will have a new page with daemon access controls. Add the IPs you want to add like this.... I have taken a screenshot as an example for you.. then at the very end of the allow list for sshd you need the deny. The IP address is just an example; add any IP address you want to allow SSH access above the deny. Hope this helps.. if you need any more help just let me know.

You shouldn't really ever log in over SSH as root; you should really su once you are in. .... Here is a quick step by step... this should work on most Linux distros...

Step 1 - Code:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old

Ok so now edit the file, in vi, nano, pico, whichever you want.

Step 2 - look for Protocol 2,1 and change this to Code:
Protocol 2

# PermitRootLogin yes - change that to Code:
PermitRootLogin no

======================================
Then you need to create a user that is allowed to use the su command, so first it might be an idea to create a user; for argument's sake I'll call the user Bob. Code:
usermod -G wheel Bob

Open Code:
/etc/pam.d/su

Code:
auth required /lib/security/pam_wheel.so use_uid

Now you can do this 2nd section first; it is up to you. But once you have done it, make sure it works... don't close the session you already have open; open a new session and try it. You shouldn't need to restart the sshd daemon for this to work. This is my way of doing it; I'm sure someone will come up with another way that they do it, as usual for these types of forum.. my way may not be the best way but it works.
Last edited by 2fast; 08-26-2008 at 06:24 PM.
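The sshd_config steps from the post above, as an added example that is not from the thread: a POSIX shell script that takes the same .old backup, sets Protocol 2 and PermitRootLogin no in a given copy of the file (rewriting commented-out lines, appending when absent), and reports which value sshd would actually honour. Assumptions: the file path is passed as an argument rather than hard-coded to /etc/ssh/sshd_config, and you still run `sshd -t` and test a fresh login before reloading the daemon.

```shell
#!/bin/sh
# Added example (not the forum poster's code): apply and verify the two
# sshd_config settings the post describes. Assumes FILE is a writable copy
# of sshd_config; nothing here touches /etc or restarts sshd.

# set_directive FILE KEY VALUE: rewrite any existing "KEY ..." line, commented
# out or not, as "KEY VALUE"; append the line if the file has none at all.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# harden_sshd_config FILE: step 1 backup, then the step 2 edits from the post.
harden_sshd_config() {
    file=$1
    cp "$file" "$file.old"                      # keep the original, as in step 1
    set_directive "$file" Protocol 2            # drop SSH protocol 1
    set_directive "$file" PermitRootLogin no    # no direct root logins; su after login
}

# effective_value FILE KEY: value of the first uncommented KEY line. sshd uses
# the first match, so a stray earlier "PermitRootLogin yes" would win.
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE: exit 0 only if both settings are actually in force.
check_sshd_config() {
    [ "$(effective_value "$1" Protocol)" = "2" ] &&
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ]
}
```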