
Adding accounts without logging into WHM - hacked?

Discussion in 'Security' started by craigwillis, May 20, 2010.

  1. craigwillis

    craigwillis Registered

    Hi

    I have just noticed and deleted 2 accounts that have been created in my WHM install.

    Someone has managed to add these accounts to point to known spam sites.

    What I'd like to know is how this could happen, especially if they have no access to WHM via logging in as root.

    Also, how can I prevent this from happening in future?

    I have changed the root password to the server for added security.
  2. eth00

    eth00 Well-Known Member
    PartnerNOC
    Did you by chance try to search the logs or do anything before deleting them? You could have checked what time the account was created (based on timestamps of the home dir files) and then cross check the logs to see what exactly happened.
     
  3. craigwillis

    craigwillis Registered
    What logs would I be checking?
     
  4. cPanelJared

    cPanelJared Technical Analyst
    Staff Member
    /usr/local/cpanel/logs

    The directory /usr/local/cpanel/logs contains several logs that can be very useful.

    access_log logs all access to the WebHost Manager and cPanel. It is very verbose, with source and destination IP addresses, timestamps, and the exact URLs requested. It is in an Apache-style format.

    error_log logs errors that occur in cPanel-related services.

    login_log logs logins to the WHM, cPanel and Webmail.

    There is no provision for viewing these logs via the WebHost Manager. They must be viewed using the shell as root, using cat or less or grep.
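    As an added example (not code from the thread or from cPanel), the following script does the cross-check eth00 suggested against the access_log described above: it takes the mtime of the rogue account's home directory as an anchor and lists the requests in a window around it that hit account-creation URLs. The Apache-style line layout, the MM/DD/YYYY timestamp format, the account-creation paths and the sample log lines are all assumptions constructed for this example.

    ```python
    import re
    from datetime import datetime, timedelta, timezone

    # Apache-style access log line. cPanel's access_log is described above as
    # Apache-style; this exact layout and timestamp format are assumptions.
    LINE_RE = re.compile(
        r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
    )
    TS_FORMAT = "%m/%d/%Y:%H:%M:%S %z"

    # Request paths assumed to create a WHM account (UI script and API call).
    ACCOUNT_CREATE_PATHS = ("/scripts/wwwacct", "/scripts2/wwwacct",
                            "/json-api/createacct", "/xml-api/createacct")

    def parse_line(line):
        """Parse one access_log line into a dict, or None if it does not match."""
        m = LINE_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
        return rec

    def find_account_creation(lines, anchor, window=timedelta(minutes=30)):
        """Requests within +/- window of `anchor` (e.g. the home directory mtime)
        that hit an account-creation path. Returns (hits, requests_in_window);
        an empty window is itself a finding, since it can mean the log was trimmed."""
        in_window = [r for r in map(parse_line, lines)
                     if r and abs(r["ts"] - anchor) <= window]
        hits = [r for r in in_window if r["path"] in ACCOUNT_CREATE_PATHS]
        return hits, len(in_window)

    def source_ips(hits):
        """Distinct source addresses behind the account-creation requests."""
        return sorted({h["ip"] for h in hits})

    # Constructed sample log; not from a real server.
    SAMPLE_LOG = """\
    203.0.113.7 - root [05/20/2010:03:41:02 +0000] "GET /login/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
    203.0.113.7 - root [05/20/2010:03:41:15 +0000] "POST /scripts2/wwwacct HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
    203.0.113.7 - root [05/20/2010:03:42:40 +0000] "POST /scripts2/wwwacct HTTP/1.1" 200 5679 "-" "Mozilla/5.0"
    198.51.100.9 - root [05/20/2010:09:15:00 +0000] "GET /scripts/command?PFILE=main HTTP/1.1" 200 2222 "-" "Mozilla/5.0"
    """.splitlines()

    # Constructed anchor: mtime of the rogue account's home directory.
    HOME_DIR_MTIME = datetime(2010, 5, 20, 3, 41, 30, tzinfo=timezone.utc)

    if __name__ == "__main__":
        hits, total = find_account_creation(SAMPLE_LOG, HOME_DIR_MTIME)
        print(f"{total} requests near creation time, {len(hits)} created accounts from {source_ips(hits)}")
        if total == 0:
            print("no log lines near the creation time: the log may have been trimmed")
    ```

    On a real server the anchor would come from the mtime of /home/<user> and the lines from /usr/local/cpanel/logs/access_log; a matching entry in login_log for the same source address confirms the session was authenticated as root.
    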
     
  5. Spiral

    Spiral BANNED
    That statement alone tells me that you have been root compromised.

    The first thing I would do is change all your passwords and perform full anti-virus and trojan scans on your home computer, just for safety, though none of that in and of itself may help too much at this point.

    The compromise could have come in from a wide variety of sources, from an exploit to stealing your own root password to a brute-force attack, but the larger issue is that your server at this point has indeed been compromised, and I would be willing to bet they did a lot more than just create accounts.

    Standard modus operandi for hacking is, once you gain access to a server, to create multiple backdoor ways back into the server and cover your tracks, modifying log traces to evade quick detection.

    If you have accounts mysteriously appearing and also being used for what you described, then you have a very serious problem, and at this point you very likely have rootkits and other hacker-related processes installed that you still don't know about.

    If you are extremely lucky, all they did was create the accounts, but I very seriously doubt that is all that has been done. :rolleyes: