  1. #1
    Member
    Join Date
    Sep 2005
    Posts
    50

    I think my server is hacking other servers...

    Hey, my cPanel server keeps making FTP connections to other servers and brute forcing passwords... I've gotten a few complaints. Right now in netstat it shows several FTP data streams going to other servers. How can I check to see where these originate from? I don't see anyone logged in doing it, and I'm not falling victim to a rootkit (according to rkhunter). Any suggestions?

    Thanks!

    Nick

  2. #2
    Registered User
    Join Date
    Jan 2008
    Posts
    3

    A PHP script could be doing it.

    2 ways I can think of tracing it.

    1.) Turn off remote FTP connections in php.ini and check the error logs to see who is spamming.

    2.) Check top and see what domains are using the most CPU time, and then check those accounts and their code.

  3. #3
    Member
    Join Date
    Sep 2005
    Posts
    50

    I will take a look, thanks!

  4. #4
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    If you have a firewall running on that server, block OUTBOUND TCP 21 so that your server can't contact other FTP servers on their default port. That will stop the reports.

    But that is in no way a fix to your problem. You've obviously got a script on there somewhere that is doing this - It could be a localized exploit of a user account or it could be a full root server compromise. But you have to stop the activity from affecting others first.

    If you have console access to the server, you should take it off the network and start looking into logs, running processes, etc - and don't reboot it before you get a chance to look, because any useful evidence of a hack that may be useful could disappear after a reboot and other things.

    As root: lsof -n|grep TCP|grep ftp

    You should be able to see what process is running that is connecting to remote FTP servers.

    Mike

  5. #5
    Member
    Join Date
    Sep 2005
    Posts
    50

    Stopping php from being able to send ftp commands stopped it, so now I just have to track down the offender.
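
The lsof check from reply #4, extended to show which user and working directory own each outbound FTP socket (an added example, not part of the original thread). It assumes a Linux `/proc` layout and covers IPv4 only; the `SAMPLE` table is constructed for illustration.

```python
import glob, os, socket, struct

FTP_PORT = 21
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT"}

# Constructed /proc/net/tcp sample (documentation addresses, made-up uid and inodes).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 050200C0:C350 0A7100CB:0015 01 00000000:00000000 00:00000000 00000000  1001        0 48211 1
   1: 050200C0:C351 076433C6:01BB 01 00000000:00000000 00:00000000 00000000     0        0 48212 1
   2: 050200C0:C352 076433C6:0015 02 00000000:00000000 00:00000000 00000000  1001        0 48213 1
"""

def parse_outbound_ftp(text):
    """Return one dict per IPv4 socket whose remote port is 21."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):   # header or short line
            continue
        ip_hex, port_hex = f[2].split(":")
        if int(port_hex, 16) != FTP_PORT:
            continue
        # The kernel prints the address as a native-endian 32-bit hex word.
        ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
        hits.append({"remote": ip, "state": STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": f[9]})
    return hits

def inode_owners():
    """Map socket inode -> (pid, command line, cwd) from /proc/<pid>/fd (run as root)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
            if not target.startswith("socket:["):
                continue
            pid = fd.split("/")[2]
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            owners[target[8:-1]] = (pid, cmd, os.readlink(f"/proc/{pid}/cwd"))
        except OSError:   # process exited or fd closed mid-scan
            continue
    return owners

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        conns = parse_outbound_ftp(fh.read())
    owners = inode_owners()
    for c in conns:
        print(c["remote"], c["state"], "uid", c["uid"], owners.get(c["inode"], "no live owner"))
```

The uid column identifies the account the socket belongs to even when the process has already exited, and the cwd of a live process usually points at the directory the offending script was started from.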
