The Community Forums


a hacker attack?.. require help ASAP

Discussion in 'General Discussion' started by Sheldon, Jul 16, 2004.

  1. Sheldon

    Sheldon Well-Known Member

    sshd:
    Authentication Failures:
    unknown (port-203-99-28-246.jet.net.nz ): 1 Time(s)
    Unknown Entries:
    1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=port-203-99-28-246.jet.net.nz : 1 Time(s)
    Invalid Users:
    Unknown Account: 2 Time(s)

    --------------------- SSHD Begin ------------------------


    Failed logins from these:
    alex/password from 203.99.28.246: 2 Time(s)

    Users logging in through sshd:
    root logged in from adsl-63-200-37-129.dsl.snfc21.pacbell.net (63.200.37.129) using password: 1 Time(s)
    root logged in from Ottawa-ppp3517205.sympatico.ca (206.172.191.76) using password: 1 Time(s)
    fpoint logged in from port-203-99-28-246.jet.net.nz (203.99.28.246) using password: 1 Time(s)
    root logged in from StCatherines-ppp109257.sympatico.ca (216.209.112.188) using password: 1 Time(s)
    root logged in from adsl-66-127-232-81.dsl.sntc01.pacbell.net (66.127.232.81) using password: 14 Time(s)
    root logged in from Ottawa-ppp3517273.sympatico.ca (206.172.191.144) using password: 1 Time(s)
    kale logged in from port-203-99-28-246.jet.net.nz (203.99.28.246) using password: 1 Time(s)
    kyerme logged in from 216.59.226.233 using password: 1 Time(s)

    **Unmatched Entries**
    Illegal user alex from 203.99.28.246

    ---------------------- SSHD End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from these:
    guest/password from 64.81.121.35: 6 Time(s)
    test/password from 64.81.121.35: 6 Time(s)

    Scanned from these:
    213.154.112.77

    **Unmatched Entries**
    Illegal user test from 64.81.121.35
    Illegal user test from 64.81.121.35
    Illegal user test from 64.81.121.35
    Illegal user test from 64.81.121.35
    Illegal user test from 64.81.121.35
    Illegal user guest from 64.81.121.35
    Illegal user guest from 64.81.121.35
    Illegal user guest from 64.81.121.35
    Illegal user guest from 64.81.121.35
    Illegal user guest from 64.81.121.35
    Illegal user test from 64.81.121.35
    Illegal user guest from 64.81.121.35

    ---------------------- SSHD End -------------------------


    Is that a bad thing?... This is over the past 2 days!!!

    Sheldon

    PS. I should also mention that user alex, user fpoint and user kale don't have SSH. :(
     
  2. Sheldon

    Sheldon Well-Known Member

    Possible Trojan - /usr/bin/podchecker
    .
    .
    .

    Possible Trojan - /usr/bin/pstruct
    .
    .

    Possible Trojan - /usr/bin/splain
    .

    Possible Trojan - /usr/bin/xsubpp


    Possible Trojan - /usr/bin/curl
    .

    Possible Trojan - /usr/lib/libcurl.so.2.0.2
    .
    .
    .

    Possible Trojan - /usr/bin/curl-config

    Possible Trojan - /usr/bin/dbiprof

    Possible Trojan - /usr/bin/pear


    Any of those actually trojans?
     
  3. compunet2

    compunet2 Well-Known Member

    Try chkrootkit (http://www.chkrootkit.org/) to see if it comes up with anything. If it comes up with anything other than the one caused by the default cPanel firewall, you have a problem.
     
  4. chirpy

    chirpy Well-Known Member

    To check for valid SSH logins, try:
    last -da
    or
    lastlog
    and check they're coming from IP addresses that you expect.

    For any repeated SSH failed login attempts, you should block them in your firewall (you do have one, right?)

    Ignore the WHM Trojan Scanner - it's next to useless. As compunet2 mentioned, install chkrootkit and rootkit hunter (and you should also have an IDS running, like Tripwire).
    Could be tricky, since cPanel doesn't come with a "default firewall" ;) I presume you mean, the false-positive often generated by SMTP over SSL (port 465).
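The check chirpy describes (compare who logged in, and from where, against what you expect, and note which sources keep failing) can be applied directly to the logwatch SSHD summary Sheldon pasted. The following is an added Python example, not code from the thread or from cPanel. It parses the three line types in that summary format, then reports block candidates, successful logins by accounts that should not have SSH (Sheldon's alex/fpoint/kale case), and root password logins from addresses not on the expected list. The sample report, the user list and the trusted addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the logwatch "SSHD" summary format quoted in the thread.
# Hostnames and addresses are invented (documentation ranges), not the thread's.
SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------

Failed logins from these:
   alex/password from 203.0.113.46: 2 Time(s)
   guest/password from 198.51.100.35: 6 Time(s)
   test/password from 198.51.100.35: 6 Time(s)

Users logging in through sshd:
   root logged in from dsl-example.net (192.0.2.129) using password: 14 Time(s)
   fpoint logged in from port-example.nz (203.0.113.46) using password: 1 Time(s)
   kyerme logged in from 192.0.2.233 using password: 1 Time(s)

**Unmatched Entries**
   Illegal user alex from 203.0.113.46
   Illegal user test from 198.51.100.35

---------------------- SSHD End -------------------------
"""

# One pattern per line type in the summary.
FAILED_RE = re.compile(r"^\s*(?P<user>\S+)/\S+ from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)")
LOGIN_RE = re.compile(
    r"^\s*(?P<user>\S+) logged in from (?:\S+ \()?(?P<ip>[\d.]+)\)? "
    r"using (?P<method>\w+): (?P<n>\d+) Time\(s\)")
ILLEGAL_RE = re.compile(r"^\s*Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_report(text):
    """Split a logwatch SSHD section into per-source failure counts and successes."""
    failed = Counter()   # source IP -> failed password attempts
    illegal = Counter()  # source IP -> probes of accounts that do not exist
    logins = []          # (user, ip, method, count) for successful logins
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failed[m["ip"]] += int(m["n"])
            continue
        m = LOGIN_RE.match(line)
        if m:
            logins.append((m["user"], m["ip"], m["method"], int(m["n"])))
            continue
        m = ILLEGAL_RE.match(line)
        if m:
            illegal[m["ip"]] += 1
    return {"failed": failed, "illegal": illegal, "logins": logins}


def audit(report, allowed_users, trusted_ips, fail_threshold=5):
    """Return the findings an admin would act on: sources to block, successful
    logins by accounts that should not have shell access, and root password
    logins from addresses not on the expected list."""
    findings = []
    for ip, n in sorted(report["failed"].items()):
        probes = report["illegal"][ip]
        if n + probes >= fail_threshold:
            findings.append(f"block candidate: {ip} ({n} failed logins, {probes} illegal-user probes)")
    for user, ip, method, n in report["logins"]:
        prior = report["failed"][ip] + report["illegal"][ip]
        if user not in allowed_users:
            findings.append(f"login by account without SSH access: {user} from {ip} "
                            f"({n}x, {prior} earlier failures from this source)")
        elif user == "root" and method == "password" and ip not in trusted_ips:
            findings.append(f"root password login from unexpected address: {ip} ({n}x)")
        elif prior:
            findings.append(f"success after {prior} failures from the same source: {user} from {ip}")
    return findings


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    for finding in audit(rep, allowed_users={"root", "kyerme"}, trusted_ips={"192.0.2.129"}):
        print(finding)
```

On the constructed report this prints two findings: the source with twelve failures and an illegal-user probe, and the fpoint login that came from the same address that had just failed as alex. The logwatch summary is a daily digest, so this answers "is that a bad thing?" after the fact; `last -da` and `lastlog` give the same successful-login view from the live wtmp/lastlog records.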
     
  5. Sheldon

    Sheldon Well-Known Member

    hmmmm interesting... thanks guys
     
  6. Sheldon

    Sheldon Well-Known Member

    Checking `bindshell'... INFECTED (PORTS: 465)

    How fix?
     
  7. compunet2

    compunet2 Well-Known Member

    That's a normal false alarm. Don't worry about the bindshell report.
     
  8. Sheldon

    Sheldon Well-Known Member

    Can I get a double verification on this?
     
  9. SarcNBit

    SarcNBit Well-Known Member

    I am sure you could get 10X verification if you went searching through these forums.
    :p

    I do not think anyone is going to "guarantee" it, especially without access to your box, but it is a known false positive.

    Check #7 on the chkrootkit faq for more information ;)
     
  10. matt621

    matt621 Well-Known Member

    notification when hack attempts

    I've been getting illegal login attempts also and blocking them at the firewall.

    What I'd like to know is if there is a way, when something like this happens, to have the server send a message to my cellphone so I can call the datacenter and have them add the IPs to the firewall.

    Right now, I have it set so that when the log notifications come in, it does, but really that's too late. I need it when it happens. (I don't find it till I check my email later in the day.)

    Under "Server Setup" there is a "Contact Manager", and IF there were an entry for "illegal login" I could set my cell phone's email address there.

    Any way to do this now?

    Thank you.
     
  11. dalem

    dalem Well-Known Member
  12. Sheldon

    Sheldon Well-Known Member

    You can also change the port and IP that SSH binds to.

    For example, instead of allowing SSH to bind to a wildcard (i.e. all IPs on the server), set the SSH conf to bind to only one IP and a random port such as 34546.

    Then the hacker/hackers/script kiddies will have a harder time trying to get access to your system via SSH anyhow :)

    You could also lock down root, but be careful!
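Sheldon's advice is a handful of sshd_config settings. The following is an added Python example, not from the thread or from OpenSSH, that shows a config fragment with the weak settings beside the hardened one and a small audit that reports which of the discussed settings are still at their risky value. Both config fragments, the address and the port number are constructed; the user name in AllowUsers is a placeholder.

```python
import re

# Constructed sshd_config fragments for this example (not a real server's file).
# WEAK_CONFIG leaves the defaults the post warns about; HARDENED_CONFIG applies
# its advice: one ListenAddress, a non-default port, and root locked out.
WEAK_CONFIG = """\
#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 34546
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers kyerme
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "0.0.0.0:*"}


def parse_sshd_config(text):
    """Effective keyword -> value. Comments are skipped (a commented-out line is
    just the compiled-in default) and, like sshd, the first value for a keyword
    wins. Simplifications: Match blocks are not modelled, and Port/ListenAddress,
    which sshd allows more than once, keep only their first value here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Findings for the settings the thread discusses; an empty list means none."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append("Port: default 22, the first port every scanner tries")
    if s.get("listenaddress", "0.0.0.0") in WILDCARD_ADDRS:
        findings.append("ListenAddress: wildcard, sshd answers on every IP of the server")
    if s.get("permitrootlogin", "yes") in {"yes", ""}:
        findings.append("PermitRootLogin: root may log in directly (older sshd defaults to yes)")
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication: enabled, so password guessing stays possible")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Two practical notes on applying the hardened fragment: open the new port in the firewall and keep an existing root session open while you restart sshd and test a fresh login, or the "be careful" in the post becomes a lockout; and a non-default port and a single ListenAddress cut the noise from scanners, while `PermitRootLogin no` plus key-only authentication are what actually stop the password guessing the logs show.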
     
  13. RandyO

    RandyO Well-Known Member

    I don't think the DC is going to provide a service like that for free. Illegal login attempts are commonplace and just a part of running a server; you need to install a firewall (hard or soft). The only drawback is that every now and then a client will lose a password, or forget to change it in their FTP or some other program, it tries to log on X number of times and they get blocked.... :D oops, so sorry
     
  14. eazistore

    eazistore Well-Known Member

    Hi RandyO,

    I installed Brute Force Detector (BFD) quite a while ago.
    And one fine day, I tried to access WHM and cPanel from a client's place.
    I hit the WRONG password too many times and I was shut off. :eek:
    BFD sent an email to root@mydomain.com for notification :p

    Since then, I'm not able to access my server or the client's site at all from that company where I failed the password.

    Is there any solution to allow my client to access again?
    Any help is appreciated :D
     
  15. RandyO

    RandyO Well-Known Member

    I am not at my workstation, but I do think that you can go to your etc/BFD (or wherever the install is) and there is a host_deny file; you should find the IP listed. I use APF and they have both hosts_allow and deny folders. Also, APF makes entries in the ip_tables file, so you may want to grep for the IP there also.
    Sorry I'm not more specific, but it has been some time since I had to "undo" one of these. I bet you $1 that someone here can tell you the paths better :)
     
  16. matt621

    matt621 Well-Known Member

    I don't know what or who a "DC" is. But I would suggest that since "illegal login attempts are commonplace and just a part of running a server", that would be all the more reason to include something like this.

    I didn't ask for a program that would automatically monitor, scan and block such things, but simply a notification. Since WHM has a dozen other things it monitors and notifies on, asking for one more, one that is far more commonplace than the others, seems like a reasonable request to me.
     
  17. SalaTar

    SalaTar Member

    Illegal user test from 64.81.121.35

    Problem is, BFD/APF adds just the word/user "test" to the block conf, not the IP, on this attack.
     
  18. RandyO

    RandyO Well-Known Member

    "Data Center" is DC. I think that a program that does do just that (automatically monitor, scan and block such things) IS the way to go. I see enough of these attacks a week in my server logs to make me NOT want to be notified every time it happens. They are transient attacks and by the time you see it :eek: or are notified, it is over. I would say it is closing the barn door AFTER the cow gets out. Preventive measures are your only hope.
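The last few posts circle around what an automatic blocker like BFD actually does, the lockout eazistore ran into, the "undo" RandyO describes, and SalaTar's point that the block must key on the source address rather than the probed user name. The following is an added Python example written for this thread, not BFD or APF code, that implements that logic in miniature: a sliding-window count of `Failed password` lines per source address, a block decision once a threshold is reached, an allowlist so the admin's own office can never be blocked, and an unblock helper. The log lines are constructed, and the year passed to `parse_ts` is an assumption because syslog stamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (documentation-range addresses). The first
# source probes non-existent accounts and root; the second is an admin
# fumbling a password from the office and then getting in.
SAMPLE_LOG = """\
Jul 16 03:10:01 host sshd[2201]: Illegal user test from 198.51.100.35
Jul 16 03:10:02 host sshd[2201]: Failed password for illegal user test from 198.51.100.35 port 4011 ssh2
Jul 16 03:10:04 host sshd[2203]: Illegal user guest from 198.51.100.35
Jul 16 03:10:05 host sshd[2203]: Failed password for illegal user guest from 198.51.100.35 port 4012 ssh2
Jul 16 03:10:07 host sshd[2205]: Failed password for root from 198.51.100.35 port 4013 ssh2
Jul 16 03:10:09 host sshd[2206]: Failed password for root from 198.51.100.35 port 4014 ssh2
Jul 16 03:10:11 host sshd[2207]: Failed password for root from 198.51.100.35 port 4015 ssh2
Jul 16 09:00:01 host sshd[3101]: Failed password for admin from 192.0.2.7 port 5110 ssh2
Jul 16 09:00:03 host sshd[3102]: Failed password for admin from 192.0.2.7 port 5111 ssh2
Jul 16 09:00:05 host sshd[3103]: Failed password for admin from 192.0.2.7 port 5112 ssh2
Jul 16 09:00:06 host sshd[3104]: Failed password for admin from 192.0.2.7 port 5113 ssh2
Jul 16 09:00:08 host sshd[3105]: Failed password for admin from 192.0.2.7 port 5114 ssh2
Jul 16 09:00:09 host sshd[3106]: Accepted password for admin from 192.0.2.7 port 5115 ssh2
"""

# Only the "Failed password" line counts as one attempt; the "Illegal user" line
# that precedes it for unknown accounts belongs to the same attempt, so it is
# not counted twice. The key extracted is the source address, never the user.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_ts(stamp, year=2004):
    """Syslog stamps carry no year; the year is assumed for this example."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=600, allowlist=frozenset()):
    """Sliding-window brute-force detector in the style of BFD.

    Returns (blocked, skipped): blocked holds one (ip, time, attempts) decision
    per source that reached `threshold` failures inside the window; skipped
    lists allowlisted sources that crossed it but must never be blocked (the
    admin's own office, so a fumbled password cannot lock the operator out)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    blocked, skipped = [], []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        if ip in allowlist:
            if ip not in skipped:
                skipped.append(ip)
        elif all(b[0] != ip for b in blocked):
            # This is the point where BFD writes the deny rule and mails root;
            # a pager/SMS hook for matt621's request would hang off the same decision.
            blocked.append((ip, ts, len(q)))
    return blocked, skipped


def unblock(blocked, ip):
    """Undo a block decision for one address, e.g. after a locked-out client calls."""
    return [b for b in blocked if b[0] != ip]


if __name__ == "__main__":
    blocked, skipped = detect_bruteforce(SAMPLE_LOG, allowlist=frozenset({"192.0.2.7"}))
    for ip, when, n in blocked:
        print(f"BLOCK {ip}: {n} failures by {when:%b %d %H:%M:%S}")
    for ip in skipped:
        print(f"allowlisted, not blocked: {ip}")
```

Run as-is, the scanning source is blocked on its fifth failure and the admin's office address is reported but left alone; run with an empty allowlist, both are blocked, which is exactly the lockout eazistore describes. Keeping the window short and the allowlist maintained is what makes the automatic approach RandyO favours workable without the support calls he jokes about.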
     