  1. #1
    Member
    Join Date
    Mar 2007
    Posts
    7

    Hacker within cPanel

    Hi!

    The other day I monitored a hacker while he/she was trying to get access to my network's FTP service. 37376 attempts were made before I decided to permanently block the IP number from which the attack was launched.

    Time of the attack: Around Thu Mar 15 07:15:00 CET 2007
    IP: 208.116.56.10 (cpanelx9.fuitadnet.com)

    I also reported this incident to the ISP, absue@fuitadnet.com.

    Just wanted to let you know.

    Kind regards,
    Ted Lyngmo

  2. #2
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    Ted,

    Install APF with BFD. This will block him out once he reaches 3-5 failed FTP logins.

  3. #3
    Member
    Join Date
    Mar 2007
    Posts
    7

    Default

    Thanks, but that won't be necessary. The interesting thing is that the attack was launched from one of cPanel's servers.

  4. #4
    Member
    Join Date
    Mar 2002
    Posts
    248

    Default

    Probably some automated script.

  5. #5
    Member
    Join Date
    Jul 2005
    Posts
    23

    Default

    Are you really sure? As I see it, it came from fuitadnet.com with the hostname cpanelx9.fuitadnet.com, and that is not the same.

  6. #6
    Member
    Join Date
    Mar 2007
    Posts
    7

    Default

    You might be right.

    It seems like the address (http://208.116.56.10) actually points to an installation of cPanel.

  7. #7
    Member
    Join Date
    Mar 2007
    Posts
    7

    Default

    Quote: Originally posted by gundamz
    Probably some automated script.

    No doubt

    It's worrying that scriptkids have access to an ISP's servers.

  8. #8
    Member
    Join Date
    Sep 2003
    Posts
    165

    Default

    That's not cpanel servers, it's a server with cpanel installed. There is a difference.
    search is your friend!
    cPanel Specialist Certification::Technical

  9. #9
    Member
    Join Date
    Mar 2007
    Posts
    7

    Default

    Quote: Originally posted by carluk
    it's a server with cpanel installed.

    That's exactly what I wrote today, 02:33 PM.

  10. #10
    Member
    Join Date
    Sep 2003
    Posts
    165

    Default

    Quote: Originally posted by dev_null
    Thanks, but that won't be necessary. The interesting thing is that the attack was launched from one of cPanel's servers.

    You might have underlined "installation of cpanel" in a post after, but you still said the above. I presume it was simply an English language mistake?

  11. #11
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Default

    Brute force attacks are common on FTP/SSH. Consider CSF because it has a realtime daemon that monitors for invalid logins. BFD is based on a cronjob so an attack can be hitting your server thousands of times before they're blocked.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  12. #12
    Member
    Join Date
    Mar 2007
    Posts
    7

    Default

    Quote: Originally posted by carluk
    You might have underlined "installation of cpanel" in a post after, but you still said the above. I presume it was simply an English language mistake?

    Nope. In the earlier posts I assumed it was one of cPanel's servers, but after some contemplation I was prepared to agree with morfargekko, who pointed out the same thing as you did.

    In the message after, I also expressed my concerns about scriptkids having access to the ISP's [or webhost's], and not cPanel's, servers.

    Thanks anyway

  13. #13
    Member
    Join Date
    Mar 2007
    Posts
    7

    Default

    Quote: Originally posted by ramprage
    Brute force attacks are common on FTP/SSH. Consider CSF because it has a realtime daemon that monitors for invalid logins. BFD is based on a cronjob so an attack can be hitting your server thousands of times before they're blocked.

    I don't think APF or CSF will be the solution for me since I've got a standalone firewall/router/switch in which I do all my blocking. So far I've done it manually, but the number of attacks seems to have increased lately, so I might create a realtime daemon that parses the logs and then connects to the F/W and updates the table of blocked IP addresses. Maybe I can reuse some of CSF's parsers though. Thanks for the hint.
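
The contrast drawn in post #11 between a realtime log monitor and a cron-driven scan, together with the log-parsing daemon proposed in post #13, as an added example (not code from any poster, CSF or BFD). The pure-ftpd syslog line format, the thresholds, the 10-minute scan interval and the documentation-range IP addresses are assumptions; the sample log is constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed pure-ftpd syslog format; adapt the pattern to your FTP daemon.
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ pure-ftpd: "
                     r"\(\?@([\d.]+)\) \[WARNING\] Authentication failed")
LINE = "{:%b %d %H:%M:%S} ftp1 pure-ftpd: (?@{}) [WARNING] Authentication failed for user [admin]"

def parse(line, year=2007):
    """Return (timestamp, ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def realtime_blocks(lines, threshold=5, window=timedelta(minutes=5), allow=()):
    """Stream the log; return {ip: failures that landed before the block}."""
    recent, total, blocked = defaultdict(deque), Counter(), {}
    for ts, ip in filter(None, map(parse, lines)):
        if ip in allow or ip in blocked:
            continue
        total[ip] += 1
        recent[ip].append(ts)
        while ts - recent[ip][0] > window:   # forget failures outside the window
            recent[ip].popleft()
        if len(recent[ip]) >= threshold:
            blocked[ip] = total[ip]          # a daemon would update the firewall here
    return blocked

def cron_blocks(lines, threshold=5, interval=timedelta(minutes=10)):
    """Scan only every `interval`; return {ip: failures landed before the block}."""
    hits = list(filter(None, map(parse, lines)))
    if not hits:
        return {}
    blocked, tick = {}, hits[0][0] + interval
    while tick <= hits[-1][0] + interval:
        counts = Counter(ip for ts, ip in hits if ts <= tick)
        for ip, n in counts.items():
            if n >= threshold:
                blocked.setdefault(ip, n)
        tick += interval
    return blocked

def sample_log():  # constructed: one failure per second for 20 minutes, plus one typo
    start = datetime(2007, 3, 15, 7, 15)
    log = [LINE.format(start + timedelta(seconds=i), "203.0.113.7") for i in range(1200)]
    log.insert(3, LINE.format(start + timedelta(seconds=2), "198.51.100.20"))
    return log
```

On the constructed log the streaming detector fires at the fifth failure, while the interval scan lets several hundred attempts through before its first run; the single mistyped login from the second address is blocked by neither.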

  14. #14
    Member
    Join Date
    Sep 2003
    Posts
    658

    Default

    You may want to contact the offending IP's NOC.

    OrgName: FortressITX
    OrgID: FORTR-5
    Address: 100 Delawanna Ave
    City: Clifton
    StateProv: NJ
    PostalCode: 07014
    Country: US

    ReferralServer: rwhois://rwhois.fortressitx.com:4443

    NetRange: 208.116.0.0 - 208.116.63.255
    CIDR: 208.116.0.0/18
    NetName: FORTRESSITX
    NetHandle: NET-208-116-0-0-1
    Parent: NET-208-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.PWEBTECH.COM
    NameServer: NS2.PWEBTECH.COM
    Comment:
    RegDate: 2006-04-19
    Updated: 2006-05-17

    OrgAbuseHandle: FIAD-ARIN
    OrgAbuseName: Fortress ITX Abuse Dept
    OrgAbusePhone: +1-973-572-1070
    OrgAbuseEmail: abuse@fortressitx.com

    OrgTechHandle: FIH2-ARIN
    OrgTechName: Fortress ITX Hostmaster
    OrgTechPhone: +1-973-572-1070
    OrgTechEmail: hostmaster@fortressitx.com

    # ARIN WHOIS database, last updated 2007-03-17 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
