SSH Logs

[webbhost]

Hiya, Someone has recently violated my SSH access, and attacked another computer using it.

Question is, CPANEL says logs are kept?

Where can i find these logs because i need to track back the culprit that did the attack.

Thanks for any info

[AndyReed]

/root/.bash_history

[webbhost]

ok, i have found logs... cant see anything suspicious through?

i dont know how to find out who has been attacking computers, but this is the log if anyone can help? If it doesnt, how else could i find out who is doing this?

Code:

cd /home/
ls
mkdir cpins
cd cpins/
ls
wget layer1.cpanel.net
wget layer1.cpanel.net/latest
ls
rm index.html 
sh latest 
rm -rf installd/
sh latest 
  
shutdown -h now
ls -l
vi /etc/hosts
vi /etc/sysconfig/network
vi /etc/wwwacct.conf 
shutdown -h now
ls
pwd
mount -a
ls
cd home/
ls
cd ..
ls
df
vi /etc/lilo.conf 
cd /boot/
ls
cd ..
ls
cd /boot/
ls
cd grub/
ls
vi grub.conf 
df
ls
grub-install 
vi /etc/grub.conf 
vi /etc/grub.conf 
grub-install /dev/hdd
grub-install /dev/hdd1
df
grub-install /dev/hda
cd /boot/grub/
ls
vi stage1 
ls
cd ..
vi grub/device.map 
ls
grub-install 
vi /etc/grub.conf 
vi /boot/grub/device.map 
cd /boot/grub/
grep hda *
vi grub.conf
grep hda *
grub-install 
grub-install /dev/hdd
grub-install /dev/hdd1
grub-install /dev/hda
grub-install /dev/hda1
grub-install /dev/hdd1
grub-install /dev/hdd
ls
vi etc/fstab 
vi etc/lilo.conf 
shutdown -h now
cd /etc/
ls
vi grub.conf 
cd /boot/
ls
cd grub/
ls
vi grub.conf 
vi device.map 
vi /etc/fstab 
ls
vi device.map 
grub-install 
grub-install /dev/hda
grub
ls
vi device.map 
ls
grub
ls
vi etc/lilo.conf 
lilo -q
ls
passwd root
logout
C:
cd/directory
cd
directory
C/windos
C/windows
C\windows
home
cd/home
/home/
/cd/
\cd\cd\home\webbhost\bin
\cd/home
\cd\home
\cd/home
cd
cd/home
cdhome
cd\home
cd
home
cd/home
cd-home
cd
hine
cd
home
cd home
cd /home
 /webbhost
home /webbhost
cd
cd /home /webbhost
/home /webbhost
cd /home webbhost
sc_serv &
cd /home/webbhost/bin
./sc_serv &
chmod777*
chmod 777 *
chown webbhost *
./sc_serv &
cd /home/webbhost
sc_serv &
sc_serv&
sc_serv &
chmod bin2 777 *
/bin2
cd /home/webbhost/bin2
chmod 777 *
sc_serv &
cd /home/webbhost/bin
sc_serv &
cd /home/webbhost/bin2
sc_serv &
sc_serv2 &
cd /home/webbhost/bin
cs_serv %
cs_serv &
./cs_serv %
./cs_serv &
/scs_serv &
cd /home/webbhost/bin
./ sc_serv &
./ sc_serv %
./ sc_serv*
./ sc_serv
cd /home/webbhost/bin
cs_serv &
./sc_serv &
sc_serv &
sc_serv &
cs_serv &
/dcs_serv &
./cs_serv &
./cs_serv & &
./cs_serv &
cd /home/webbhost/bin2
./sc_serv &
chmod 777 *
./sc_serv &
cd /home/webbhost/bin
./sc_serv &
./sc_serv &
./sc_serv &
kill 4578
cd /homewebbhost/bin2
cd /homewebbhost/bin1
cd /home/webbhost/bin2
./sc_serv &
kill 4474
kill 4356
kill 4474
currprocesses
cd /sbin
ls
cd
cd /home/webbhost/bin
./sc_serv &
cd /home/webbhost/bin2
./sc_serv &
cd /home/webbhost/bin
sc_serv &
./sc_serv &
cd /home/webbhost/bin
./sc_serv &
cd /home/webbhost/bin
./sc+serv &
./sv_serv &
cd/webbhost/bin
cd /home/webbhost/bin
wget http://public.planetmirror.com/pub/lokigames/installers/ut/ut-server-436.tar.gz
cd /home/webbhost/bin
wget http://public.planetmirror.com/pub/lokigames/installers/ut/ut-server-436.tar.gz
cd /home/webbhost/bin
wget http://public.planetmirror.com/pub/lokigames/installers/ut/ut-server-436.tar.gz
gunzip ut-server-436.tar.gz
cd /home/webbhost/bin
tar -xvf UT-SERVER-436.tar
tar -xvf ut-server-436.tar
exit
shutdown -h now
cd /home/webbhost/bin
sc_serv &
./sc+serv &
./sc_serv &
cd /home/webbhost/bin
./sc+serv &
grep riskukw
cd:
cd
locate httpd.conf
cd /home/testing/public_html
chown root.nobody .htaccess
chown root.nobody .htaccess
chown root.nobody .htaccess
chown root.root .htaccess
chown root.nobody .htaccess
locate cgi-sys
sbin/restart
home/webbhost
/cd/home/webbhost
cd/home
cd ¬
cd
home
home/
cd home
cd - home
cd - home/webbhost
cd~
cd~webbhost
cd~/webbhost
cd~
cd
#home
/home
cd ~
cd~
cd ~ /webbhost
#bom
/bin
cd /home/webbhost
/bin
cd bin
sc_Serv
cd sc_serv
./sc_serv
cd $imagemagick
cd /imagemagick
root@host [~]# cd $imagemagick
root@host [~]# cd /imagemagick
root@host [/imagemagick]#
gzip -dc TimageMagick-alphaev6-unknown-linux-gnu.tar.gz
gzip -dc imageMagick-alphaev6-unknown-linux-gnu.tar.g
gzip -dc imageMagick-alphaev6-unknown-linux-gnu.tar.gz
gzip -dc /imagemagick/imageMagick-alphaev6-unknown-linux-gnu.tar.gz
/home/adz21c/extra/bin/link
/home/adz21c/extra/bin/links
vi /etc/nameserverips 
ifconfig 
vi /etc/nameserverips 
service named status
service bind status
vi /etc/hosts
cd /scripts/
./fixetchosts 
vi /etc/hosts
vi /etc/nameserverips 
vi /etc/hosts
ls
cd /etc/hosts
vi /etc/hosts
./fixetchosts 
vi /etc/hosts
./fixndc 
service cpanel restart
w
./fixndc 
service cpanel restart
vi /etc/resolv.conf 
ifconfig 
vi /etc/resolv.conf 
cat /etc/nameserverips 
vi /etc/nameserverips 
vi /etc/hosts
ping google.com
cd /
ping google.com
ping google.com
vi /etc/resolv.conf 
ls
ls
vi /etc/hosts
vi /etc/resolv.conf 
vi /etc/hosts
cd scripts/
./fixetchosts 
vi /etc/hosts
./fixndc 
cat /etc/*release*
service cpanel restart
w
ifconfig 
vi /etc/hosts
ping 66.79.166.20
ssh 66.79.160.100 -lroot

[sawbuck]

So 5 days since this happened? Running "last" from the prompt may give you some info. If your box was rooted then the tracks are easily covered. Since your post gives the impression that you don't have much experience being a sysadmin your best bet is to hire someone to help you out.

[webbhost]

it happened again today..

[sawbuck]

it happened again today..

Then you should take this box offline until you can fix the problem.

[webbhost]

"this box?" as in that log?

[sawbuck]

"this box?" as in that log?

Box is slang for server. You really should get a grip on this problem. If your server is being used to hack/crack then the issue could become much bigger (meaning legal ramifications) in a hurry.

[chirpy]

Yup. You need to either have your datacenter or a server administrator check your server over incase you've suffered a root compromise. The very least you should do is reset your passwords and install the likes of rkhunter and chkrootkit to check the server. If you didn't do those commands in the .bash_history and you dont' know anyone who did, you could have very serious problems.

[jeremy_reliable]

Looks like someone setup shoutcast and unreal tournament servers on there.

like people have said in previous posts, the content in that .bash_history file is pretty much useless in a real attack since the with root access the hacker could have just removed the lines with the evidence. At very least you should reset your root pass right away.