Active system attack

Discussion in 'General Discussion' started by hst, Jun 26, 2002.

  1. hst

    hst, Well-Known Member (Joined: Feb 24, 2002; Messages: 111; Likes Received: 0; Trophy Points: 16)

    Ran /scripts/cpup recently on two servers. One has stopped sending active system attack emails but other alerts are still coming through. Any ideas to get this working and to make sure the port monitoring is still working?
     
  2. itf

    itf, Well-Known Member (Joined: May 9, 2002; Messages: 624; Likes Received: 0; Trophy Points: 16)

    Read this post:

    http://forums.cpanel.net/read.php?TID=3523
     
  3. hst

    It stopped on its own

    It's stopped sending on its own. I ran /etc/rc.d/init.d/portsentry restart and it went fine but still no alerts are coming any more.
     
  4. itf

    One of our servers had this problem. Gracefully restarting that box solved the problem.
     
  5. hst

    Tried graceful restart but it's still not sending

    I tried the graceful restart as you suggested but it's still not sending the alerts. I know the email address is right because I'm getting the other messages like cgi scripts installed but not the system attack messages. I'm stumped.
     
  6. itf

    Originally posted by hst:

    > I tried the graceful restart as you suggested but it's still not sending the alerts. I know the email address is right because I'm getting the other messages like cgi scripts installed but not the system attack messages. I'm stumped.

    Because you haven't any active system attack, meaning there is no attack on your system.
     
  7. hst

    That's not it

    I was getting one meg files about attacks until the apache and cp upgrade and then they stopped. Other servers continue to get the messages.
     
  8. itf

    Originally posted by hst:

    > I was getting one meg files about attacks until the apache and cp upgrade and then they stopped. Other servers continue to get the messages.

    You are seriously under attack! We are usually under attack, but when an exploit is known in server software then we are heavily under attack, i.e. the last known vulnerabilities in Apache 1.3.24.

    Did you update your Apache to 1.3.26? However, there is another known exploit in bind which will be resolved in bind 9.2.2 or 9.3.0.

    What kinds of attack alerts did you receive?
     
  9. hst

    All kinds of attacks but they are blocked

    We have hundreds of accounts on our servers so you can imagine we get a bunch of all kinds of attacks. They get shut down by the systems.
     
  10. itf

    Originally posted by hst:

    > We have hundreds of accounts on our servers so you can imagine we get a bunch of all kinds of attacks. They get shut down by the systems.

    Monitor your servers.
     
  11. xnull

    xnull, Well-Known Member (Joined: Sep 9, 2001; Messages: 156; Likes Received: 0; Trophy Points: 16)

    Heh, that's nothing.. We were getting 2mb-20mb attack logs by email every day for about 8 months.. They stopped for a while and I'm getting them again every once in a while now (software error? or no attacks?) lol..
     
  12. itf

    Originally posted by xnull:

    > Heh, that's nothing.. We were getting 2mb-20mb attack logs by email every day for about 8 months.. They stopped for a while and I'm getting them again every once in a while now (software error? or no attacks?) lol..

    It seems that you are new to hackers. I wrote in this thread about what they want to do:

    http://forums.cpanel.net/read.php?TID=3523


    RPC information located at Port 111 is a place to find out where services are running. Numerous vulnerabilities exist, along with exploits ready and waiting for services such as rpcbind and rpcmountd. Network File Service (NFS) has a known rpc-update exploit; the Network Information Service (NIS) update daemon rpc.ypupdated contains vulnerabilities in how it passes commands to certain function calls. This could allow a remote attacker to trick the service into executing arbitrary commands on the system with root privileges. Additionally, client server environments that use remote program calls and port 111 to register and make themselves available are unfortunately also listing their availability to the less-than-nice people who are trying to crack your system. For the unprotected systems that have portmapper running on port 111, a simple "rpcinfo" request is adequate for the potential exploiter to obtain a list of all services running.

    Also, bind 9.2.1 has a vulnerability now that will be resolved in the next version, 9.2.2 or 9.30.

    These are some of the exploits that hackers try in order to get into your system.
     
  13. AlaskanWolf

    AlaskanWolf, Well-Known Member (Joined: Aug 11, 2001; Messages: 537; Likes Received: 0; Trophy Points: 16; Location: Fremont CA)

    Sorry to bring this thread back from the dead, but it seems no one really answered why the monitoring stopped. Likewise on our systems, it seems the emails stopped over time; nothing has really changed over the months instead of the usual cPanel updates etc...
     