  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    427

    Default Hacked/Intrusion - what to look for ?

    What should I look for and do, if an OS reload is not an option, if I suspect someone has had root access to a server - with password?

    I have run chkrootkit, rkhunter, changed pass, hash and I also
    ran clamdscan on /home, /root, /tmp.
    Checked some dirs by eye (dev/shm, tmp, apache dirs) ...
    Looked in some logs, but any tips here on what to look for and where would be great.

  2. #2
    Member
    Join Date
    May 2008
    Posts
    1,203

    Default

    Which logs have you checked? Have you checked the cPanel and access logs?

    Cpanel logs:- /var/cpanel/logs
    Access logs:- /var/messages
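    Since post #2 asks which logs were checked, here is an added example (not from the thread or from cPanel) of what to pull out of the SSH auth log and the passwd file when root access is suspected: successful root password logins and where they came from, extra UID 0 accounts, and who escalated with su. The log lines, temp files and account names are constructed samples; on a real host point the functions at /var/log/secure (or /var/log/auth.log) and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage of an sshd auth log and a
# passwd file for traces of root-level access. Every sample line below is
# constructed; on a real host point the functions at /var/log/secure (or
# /var/log/auth.log) and /etc/passwd instead.

AUTHLOG="$(mktemp)"
PASSWD="$(mktemp)"
trap 'rm -f "$AUTHLOG" "$PASSWD"' EXIT

cat > "$AUTHLOG" <<'EOF'
Aug 26 02:11:03 host sshd[2101]: Accepted password for root from 203.0.113.45 port 51822 ssh2
Aug 26 02:11:09 host sshd[2101]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 26 02:12:44 host useradd[2150]: new user: name=sysupd, UID=0, GID=0, home=/var/tmp/.x, shell=/bin/bash
Aug 26 03:40:17 host sshd[2311]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug 26 09:05:00 host sshd[2402]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Aug 26 09:06:30 host su: pam_unix(su:session): session opened for user root by alice(uid=1001)
EOF

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
sysupd:x:0:0::/var/tmp/.x:/bin/bash
EOF

# Source addresses of successful *password* logins as root. Once root login
# over SSH is disabled this list must stay empty; any entry is a lead.
root_password_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted password for root from ' "$1" | awk '{ print $11 }'
}

# Count of failed root password attempts (brute-force noise on its own, but
# the timing next to a later success is what matters).
failed_root_attempts() {
    grep -c 'Failed password for root' "$1" || true
}

# Accounts other than root that carry UID 0: a classic backdoor that
# rootkit scanners do not necessarily flag.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UID 0 accounts created via useradd, as recorded in the auth log, so the
# creation time can be lined up with the logins above.
uid0_useradd_events() {
    grep -E 'useradd\[[0-9]+\]: new user: .*UID=0,' "$1" | sed -E 's/.*name=([^,]+),.*/\1/'
}

# Who escalated to root with su, and from which uid.
su_to_root() {
    grep -E ' su(\[[0-9]+\])?: .*session opened for user root by ' "$1" \
        | sed -E 's/.*by ([^(]+)\(uid=([0-9]+)\).*/\1 uid=\2/'
}

echo "root password logins from: $(root_password_logins "$AUTHLOG" | tr '\n' ' ')"
echo "failed root attempts:      $(failed_root_attempts "$AUTHLOG")"
echo "extra UID 0 accounts:      $(extra_uid0_accounts "$PASSWD" | tr '\n' ' ')"
echo "UID 0 users added:         $(uid0_useradd_events "$AUTHLOG" | tr '\n' ' ')"
echo "su to root:                $(su_to_root "$AUTHLOG" | tr '\n' ' ')"
```

    On the constructed sample the report shows one root password login from 203.0.113.45, followed a minute later by the creation of a second UID 0 account; that pairing, not either line alone, is what marks the host as compromised.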

  3. #3
    Member
    Join Date
    Mar 2008
    Posts
    16

    Default

    It's very hard to detect intrusions. What I would suggest is increasing your security.

    A good start is here

    This is free software and is designed for the whm.

    Running rkhunter is your best bet to see if you have been rooted, I guess. Scanning any strange PHP pages is also a good start; scan them with any normal AV like NOD32 etc., they will pick up any c99 shells.

    Also, in your Security Center (WHM) there is a section which allows you to lock down services to a specific IP or IP range, for example.

    Only I can SSH to my server, either from work or at home; only customers can FTP to the server. If they have a dynamic IP that's fine, as I've added the IP range.

    If you would like any help send me a message and I'll add you to MSN and talk you through various security measures you can take.

  4. #4
    Member
    Join Date
    Mar 2003
    Posts
    427

    Default

    Hi, thanks for your reply!

    2fast - How do I lock SSH to only 2-3 IP addresses?

    I read about it a little but can't find a step-by-step kind of post.

    Also, it should be possible to only block root access to one IP while
    client SSH access can be done from anywhere. Know anything about that?

    I'll try to find info, but if you have the time, I'd appreciate any help.

    Thanks!

  5. #5
    Member
    Join Date
    Mar 2008
    Posts
    16

    Default

    Sorry for the late reply..

    If you are not familiar with iptables then you can do it through your WHM.

    Click on Security > the Security Center > Host Access Control (block IP access) >

    there you will have a new page with daemon access controls.

    Add the IPs you want like this.... I have taken a screenshot as an example for you.. then at the very end of the allow list for sshd you need the deny.



    The IP address is just an example; add any IP address you want to allow SSH access above the deny.

    Hope this helps.. if you need any more help just let me know.

    You shouldn't really ever log in over SSH as root, you should really su once you are in.

    .... here is a quick step by step...

    This should work on most Linux distros...

    Step 1 -
    Code:
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
    This will make a copy of the file you're going to edit, just in case.

    OK, so now edit the file, in vi, nano, pico, whichever you want.

    Step 2 - look for Protocol 2,1 and change this to

    Code:
    Protocol 2
    Step 3 - look for the line that should look like

    # PermitRootLogin yes

    change that to

    Code:
    PermitRootLogin no
    don't forget to remove the #

    ======================================

    Then you need to create a user that is allowed to use the su command, so first it might be an idea to create a user; for argument's sake I'll call the user Bob.

    Code:
    usermod -a -G wheel Bob   # -a appends; -G alone would replace Bob's other supplementary groups
    This adds Bob to the wheel group, which is allowed to use the su command. To prevent any other users from using the su command, do the following.

    Open
    Code:
    /etc/pam.d/su
    in an editor (I prefer vi) and remove the hash (#) from this line

    Code:
    auth required /lib/security/pam_wheel.so use_uid
    =========================================================

    Now you can do this 2nd section first, it is up to you. But once you have done it make sure it works... don't close the session you already have open; open a new session and try it.

    You shouldn't need to restart the sshd daemon for this to work. This is my way of doing it; I'm sure someone will come up with another way that they do it, as usual for these types of forum.. my way may not be the best way but it works.
    Last edited by 2fast; 08-26-2008 at 05:24 PM.
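    As an added example, not code from the thread or from cPanel/WHM, the script below checks that the edits from the step-by-step above actually took effect (reading sshd_config the way sshd does, where the first active occurrence of a keyword wins) and prints the allow-then-deny rules for sshd that Host Access Control writes to /etc/hosts.allow. The sample file contents and addresses are constructed; on a real host pass /etc/ssh/sshd_config and /etc/pam.d/su.

```shell
#!/bin/sh
# Added example, not from the thread: check that the sshd and su hardening
# described above really took effect, reading the files the way sshd does
# (the first active occurrence of a keyword wins), and print the TCP-wrappers
# rules for sshd that WHM's Host Access Control produces from an allow list
# ending in a deny. All file contents below are constructed samples; on a real
# host pass /etc/ssh/sshd_config and /etc/pam.d/su instead.

# Effective value of an sshd_config keyword: first non-comment occurrence,
# keyword matched case-insensitively as sshd does.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# 0 when root login is off and protocol 1 is not offered. An absent Protocol
# line is accepted because OpenSSH 7.0 and later disable protocol 1 by default;
# on the older releases this thread is about, insist on an explicit "Protocol 2".
check_sshd_config() {
    root="$(sshd_effective "$1" PermitRootLogin)"
    proto="$(sshd_effective "$1" Protocol)"
    if [ "$root" = "no" ] && { [ -z "$proto" ] || [ "$proto" = "2" ]; }; then
        return 0
    fi
    return 1
}

# 0 when pam_wheel is active in pam.d/su. The module path prefix is optional:
# the post shows /lib/security/pam_wheel.so, newer distros use bare pam_wheel.so.
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+(/lib(64)?/security/)?pam_wheel\.so[[:space:]].*use_uid' "$1"
}

# hosts.allow rules matching the WHM list described in the post: each listed
# address allowed for sshd, then a final deny for everyone else. These only
# bind if sshd was built with libwrap (tcp_wrappers support was removed in
# OpenSSH 6.7; use firewall rules or sshd Match blocks there).
sshd_hosts_allow() {
    for ip in "$@"; do
        printf 'sshd : %s : allow\n' "$ip"
    done
    printf 'sshd : ALL : deny\n'
}

BEFORE="$(mktemp)"; AFTER="$(mktemp)"; PAMSU="$(mktemp)"
trap 'rm -f "$BEFORE" "$AFTER" "$PAMSU"' EXIT

cat > "$BEFORE" <<'EOF'
# constructed sample: stock file before steps 2 and 3
Protocol 2,1
#PermitRootLogin yes
EOF

cat > "$AFTER" <<'EOF'
# constructed sample: after steps 2 and 3
Protocol 2
PermitRootLogin no
EOF

cat > "$PAMSU" <<'EOF'
#%PAM-1.0
auth    sufficient  pam_rootok.so
auth    required    /lib/security/pam_wheel.so use_uid
auth    include     system-auth
EOF

check_sshd_config "$BEFORE" || echo "before: root login still permitted over SSH"
check_sshd_config "$AFTER"  && echo "after:  root login disabled, protocol 2 only"
check_pam_wheel "$PAMSU"    && echo "pam.d/su: su restricted to the wheel group"
sshd_hosts_allow 203.0.113.10 198.51.100.20
```

    Run the checks from a second session while the original one stays open, as the post advises, so a typo in sshd_config cannot lock you out. Note that the "before" sample fails only because `#PermitRootLogin yes` is still commented out: the default when the keyword is absent is to permit root, which is why step 3 insists on removing the #.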

  6. #6
    Member duranduran's Avatar
    Join Date
    Apr 2004
    Posts
    198

    Default

    Quote Originally Posted by 2fast View Post
    Hi,

    How can I block the root user from accessing the WHM panel?
