Greetings from Greece,
There seems to be a strange issue with one of our servers. Yesterday afternoon I received an e-mail from ConfigServer Security & Firewall with the following:

Time: Thu Jan 10 16:29:51 2008
IP: 66.197.215.165 (server63.dedicatedusa.com)
Account: root
Method: password authentication

This was an unauthorised connection from an unknown server. Immediately I logged in to my server to see what had happened.
In /var/log/secure I saw the following:

Jan 10 16:26:33 host5 sshd[330]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server63.dedicatedusa.com user=root
Jan 10 16:26:36 host5 sshd[330]: Failed password for root from 66.197.215.165 port 47306 ssh2
Jan 10 16:27:08 host5 sshd[330]: Failed password for root from 66.197.215.165 port 47306 ssh2
Jan 10 16:27:09 host5 sshd[331]: Connection closed by 66.197.215.165
Jan 10 16:27:54 host5 sshd[425]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server63.dedicatedusa.com user=root
Jan 10 16:27:56 host5 sshd[425]: Failed password for root from 66.197.215.165 port 53151 ssh2
Jan 10 16:29:49 host5 sshd[425]: Accepted password for root from 66.197.215.165 port 53151 ssh2
Jan 10 16:29:49 host5 sshd[425]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 10 16:30:27 host5 sshd[425]: pam_unix(sshd:session): session closed for user root

SSH (protocol 2) runs at a custom port. The things that are strange are the following:
1) The root password consists of 15 scrambled characters and according to the logs, the user guessed the password in only 3 tries!
2) I immediately changed the root password and ran rkhunter with no strange results. I did a security check on the server without finding anything strange (I also checked /usr/local/apache/domlogs and all the logfiles of the hosted domains and didn't find this IP anywhere).
3) According to /var/log/secure the user stayed online for less than a minute, but I can't see him in the "last -a" command!
12 hours have passed and nothing strange happened on the server. Suddenly Alertra sent me an e-mail that the page size of the main server's IP (default cPanel page) has changed. The changes were the following:

Old default cPanel code sample:

<body>
<div id="body-content">
<h1>Great Success <i>!</i>
<br />
Apache is working on your cPanel<sup>®</sup> and WHM™ Server</h1>

New default cPanel code sample:

<body>
<script language='JavaScript' type='text/javascript' src='vsdlu.js'></script>
<div id="body-content">
<h1>Great Success <i>!</i>
<br />
Apache is working on your cPanel<sup>®</sup> and WHM™ Server</h1>

5 minutes later Alertra notified me that the default cPanel page had changed back to normal again. Since then this happens once each hour (changing to a page with a different JavaScript and then after 2-3 minutes changing back).

The file /usr/local/apache/htdocs/index.html doesn't have any JavaScript code as far as I can see, and it was last changed several months ago. The server also runs PHP5 with suPHP, so I don't know if a CMS exploit could apply on this occasion.
Any ideas? Nothing else has appeared on the hosted sites and I don't know what has happened!
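The pattern in the posted /var/log/secure excerpt (a run of failed root password attempts from one IP, then an "Accepted password" from the same IP minutes later, then a session that lasts well under a minute) is exactly what a small log-triage script should flag. The following is an added example, not code from the original post or from ConfigServer/cPanel: it parses sshd auth and PAM session lines, counts the failures each accepted login was preceded by within a window, and computes session lengths by sshd PID. It assumes the log year is 2008 (syslog timestamps carry no year; the CSF alert in the post gives it), a 10-minute look-back window, and the sample lines are constructed: the root lines mirror the post, and the final "deploy" publickey line is invented for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in /var/log/secure format. The 66.197.215.165 lines
# mirror the post; the 192.0.2.10 line is invented as a benign contrast.
SAMPLE_LOG = """\
Jan 10 16:26:36 host5 sshd[330]: Failed password for root from 66.197.215.165 port 47306 ssh2
Jan 10 16:27:08 host5 sshd[330]: Failed password for root from 66.197.215.165 port 47306 ssh2
Jan 10 16:27:09 host5 sshd[331]: Connection closed by 66.197.215.165
Jan 10 16:27:56 host5 sshd[425]: Failed password for root from 66.197.215.165 port 53151 ssh2
Jan 10 16:29:49 host5 sshd[425]: Accepted password for root from 66.197.215.165 port 53151 ssh2
Jan 10 16:29:49 host5 sshd[425]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 10 16:30:27 host5 sshd[425]: pam_unix(sshd:session): session closed for user root
Jan 10 17:02:11 host5 sshd[900]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
"""

# "Failed password for root from 1.2.3.4 port 1234 ssh2" and the Accepted form;
# "invalid user" is tolerated so attempts against non-existent accounts count too.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# pam_unix session open/close lines, keyed by the sshd PID that owns them.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<user>\S+)"
)


def parse_ts(ts, year):
    """Syslog timestamps have no year; the caller supplies one (assumed 2008 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text, year=2008, window=timedelta(minutes=10)):
    """For every accepted login, count failures from the same IP inside `window`."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"], year)
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip].append(when)
            continue
        recent = [t for t in failures[ip] if when - t <= window]
        findings.append({
            "time": when, "ip": ip, "user": m["user"],
            "method": m["method"], "failures_before": len(recent),
        })
    return findings


def suspicious(findings):
    """Logins preceded by failures, or any root login by password at all."""
    return [f for f in findings
            if f["failures_before"] > 0
            or (f["user"] == "root" and f["method"] == "password")]


def session_lengths(log_text, year=2008):
    """Seconds between PAM 'session opened' and 'session closed' per sshd PID."""
    opened, lengths = {}, {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"], year)
        pid = int(m["pid"])
        if m["state"] == "opened":
            opened[pid] = when
        elif pid in opened:
            lengths[pid] = int((when - opened.pop(pid)).total_seconds())
    return lengths


if __name__ == "__main__":
    for f in suspicious(analyze(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']}@{f['ip']} via {f['method']}: "
              f"{f['failures_before']} failure(s) in the preceding window")
    print("session lengths by PID:", session_lengths(SAMPLE_LOG))
```

On the sample this reports the root login from 66.197.215.165 with 3 prior failures and a 38-second session for PID 425, and ignores the key-based deploy login. One caveat worth keeping in mind when comparing this with `last -a`: `last` reads /var/log/wtmp, and OpenSSH only writes a wtmp record for sessions that allocated a pty, so a short session that appears in the PAM lines but not in `last` is consistent with a non-interactive command (ssh host command, scp) as well as with a cleaned wtmp. Cross-check the two sources rather than trusting either alone.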