Someone hacked server, need to track this
Today someone hacked our server. Reseller password and root where changed and all accounts where suspened. Is there any way to see who (IP) and when changed root password? are there any cpanel/ehm logs? There are logs for apache, but they are useless...
Please help
PS: I got root password back.
ssh in
more /var/log/secure
I see A lot of "Failed password for root" <- someone was trying to brute force. But there is no "Accepted password" logs. These are only ssh logs ( I think) and I think someone hacked server using WHM.Originally Posted by adamd84
Maby a good idea to install BFD
Yeah, probably, but as i already said, i don't think that that was the problem. Problem is in WHM, how can I track who did what?
The only logs you'll have for cPanel/WHM are in /usr/local/cpanel/logs/*
If your root password was changed, it suggests a root compromise on the server. IF that's the case you should have the server OS wiped out and reinstalled and restore from backup as you cannot trust the server anymore as it could have backdoors installed - then have it secured against root compromise attacks.
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
Keeping on topic and catching Chirpy at the same time... your firewall and Login Failure Daemon modules... do they work against invalid WHM and Cpanel logins as well, or just standard httpd authentication, SSH, FTP and mail?
Basically... if someone were trying to brute force a cpanel or WHM login on my server, would the LFD block them?
hire an experienced administrator to review and lock down your server. if you're not sure how they got in or where to check you need to hire a professional to consult and correct the issue
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
I think i have found what was the problem and how did they change password (it's stupid, do i'm not going to post explanation here :P ).
And about this brute force attack. APF doean't seem to work:
How can i solve this?Code:Unable to load iptables module (ip_tables), aborting.
-- EDIT:
modprobe ip_tables results:
Code:FATAL: Could not load /lib/modules/2.6..../modules.dep: No such file or directory
Last edited by qrees; 06-21-2006 at 03:41 PM.
No - ATM I haven't found a way to track them through SSL connections.
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
Seems like your installation of APF/BFD is broken. What version are you using? Have you tried reinstalling?
Upload Guardian 2.0 - Sign up for our early beta
ServerProgress - Server security, consulting and assistance
The problem is iptables which doesn't work.
modprobe ip_tables:
Code:FATAL: Could not load /lib/modules/2.6.9-11.EL/modules.dep: No such file or directory
reinstall iptables/upgrade kernel. should do it
Not everything that is counted counts and not everything that counts can be counted
Ok, rebooting the server helped. And that's why it's impossible to have 100% uptime
Hiya host - Shared hosting
2.6.9-11.EL
That kernel is vulnerable to exploits.
Rack911.com - Competent Server Administration
Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters
LinkBack URL
About LinkBacks
Reply With Quote