The Community Forums


All accounts suddenly jailshells and passwords don't work??

Discussion in 'General Discussion' started by wzd, Mar 24, 2007.

  1. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    Ok here is a pretty puzzle for everyone: :)

    I wake up today and try logging in with my "wizard" account into my server. SSH keeps saying Access Denied even though I'm certain I'm typing in the correct password (I even type it one finger at a time). - I get some coffee and go about unblocking myself from the firewall (brute force protection)

    After a long amount of digging and managing to use the ConfigServer Explorer (THANK GOD FOR IT) http://www.configserver.com/cp/cse.html I was able to re-edit the sshd_config and re-enable direct root access.

    ALL the accounts in /etc/password were like this one:

    sharp:x:32070:32071::/home/sharp:/usr/local/cpanel/bin/jailshell


    This is INCLUDING my "wizard" account which wasn't accepting my password. (It was a bash account before)

    I then used passwd to reset the password for the "wizard" account - Still couldn't su from the wizard account (access denied) until I also modded the account to be using /bin/bash even though it was part of wheel

    -- What is the meaning of this? :( How did ALL THE ACCOUNTS suddenly convert to jailshell? and none of the passwords work for anyone! (They are unable to get in via Cpanel or SSH or FTP) I've tested one or two of my own personal Cpanel accounts on the same server and I have to reset the password ...

    It now looks like we have to reset every single password for every single account - POP3 passwords and everything else are working fine. It's just the main users password.

    Looking forward to finding out how the hell this happened? :confused:


    Some MISC system information below:

    Code:
    Linux 2.6.9-42.0.10.EL #1 Tue Feb 27 09:24:42 EST 2007 i686 athlon i386 GNU/Linux
    Code:
    
    -- A debug code from trying to login from another shell
    
    OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to coder.devb0x.net [216.32.75.90] port 22.
    debug1: Connection established.
    debug1: identity file /home/wizard/.ssh/identity type -1
    debug1: identity file /home/wizard/.ssh/id_rsa type -1
    debug1: identity file /home/wizard/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
    debug1: match: OpenSSH_3.9p1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.9p1
     
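The situation in the post above (every account's login shell flipped to jailshell, with a wheel member among them) is exactly what a baseline comparison of /etc/passwd catches early. The script below is an added example, not code from the thread, cPanel or ConfigServer: it parses passwd(5) and group(5) text, lists accounts whose shell differs from a previously saved copy, lists accounts that did not exist in the baseline, and flags members of a privileged group that now land in the jailshell. The sample entries, the baseline file name and the group name "wheel" are constructed assumptions for the demonstration; on a real host you would point it at a copy of /etc/passwd saved before the incident.

```python
"""Audit /etc/passwd for unexpected login-shell changes against a saved baseline.

Added example for this thread (not cPanel's or ConfigServer's code). Assumes a
baseline copy of /etc/passwd was saved earlier; the sample data below is
constructed to mirror the symptoms described in the post.
"""
from typing import Dict, List, NamedTuple, Tuple

# Path of the cPanel jailshell as quoted in the post.
JAILSHELL = "/usr/local/cpanel/bin/jailshell"


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5) text into a dict keyed by account name."""
    entries: Dict[str, PasswdEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, _passwd, uid, gid, _gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries


def parse_group_members(text: str, group: str) -> List[str]:
    """Return the explicit member list of one group from group(5) text."""
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []


def shell_changes(baseline: Dict[str, PasswdEntry],
                  current: Dict[str, PasswdEntry]) -> List[Tuple[str, str, str]]:
    """(name, old_shell, new_shell) for every account whose shell differs, sorted by name."""
    changes = []
    for name in sorted(current):
        if name in baseline and baseline[name].shell != current[name].shell:
            changes.append((name, baseline[name].shell, current[name].shell))
    return changes


def new_accounts(baseline: Dict[str, PasswdEntry],
                 current: Dict[str, PasswdEntry]) -> List[str]:
    """Accounts present now that were absent from the baseline."""
    return sorted(set(current) - set(baseline))


def privileged_in_jailshell(current: Dict[str, PasswdEntry], members: List[str],
                            jailshell: str = JAILSHELL) -> List[str]:
    """Members of a privileged group whose login shell is now the jailshell."""
    return sorted(m for m in members if m in current and current[m].shell == jailshell)


# Constructed sample data (assumption, not taken from the server in the thread).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wizard:x:500:500::/home/wizard:/bin/bash
sharp:x:32070:32071::/home/sharp:/usr/local/cpanel/bin/noshell
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wizard:x:500:500::/home/wizard:/usr/local/cpanel/bin/jailshell
sharp:x:32070:32071::/home/sharp:/usr/local/cpanel/bin/jailshell
extra:x:32072:32073::/home/extra:/usr/local/cpanel/bin/jailshell
"""
GROUP_FILE = "wheel:x:10:root,wizard\n"


def audit(baseline_text: str, current_text: str, group_text: str,
          group: str = "wheel") -> Dict[str, list]:
    """Run all three checks and return the findings as a dict."""
    baseline = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    members = parse_group_members(group_text, group)
    return {
        "shell_changes": shell_changes(baseline, current),
        "new_accounts": new_accounts(baseline, current),
        "privileged_in_jailshell": privileged_in_jailshell(current, members),
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE_PASSWD, CURRENT_PASSWD, GROUP_FILE).items():
        print(f"{key}: {value}")
```

Run as-is it uses the constructed sample; replace the three string constants with the contents of the saved copy, the live /etc/passwd and /etc/group to audit a real host. Any non-empty "privileged_in_jailshell" result is the condition the post describes for the wheel member "wizard" and is worth an alert on its own, since it means an administrative account can no longer su even with a correct password.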
  2. brendanrtg

    brendanrtg Well-Known Member

    Joined:
    Oct 4, 2006
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Your server has probably been hacked.

    Do some screening for changed files; there are many scripts out there that can detect rootkits and whatnot.
     
  3. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    That's what I thought at first as well but it's not so - The server was locked down quite well by ConfigServer people before and I had RKHunter running on it plus reports of all sorts.

    All the latest software has been installed and I would have received notifications via email of major file changes in the important directories - I had directory watching on system directories and I have SSH login notifications for all users...

    Also no funny accounts found - Root password was the same

    I strongly suspect it's something else but what it is I have no idea, :confused:
     
  4. Koreru

    Koreru Member

    Joined:
    Nov 17, 2006
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Anyone ever find the reason for this?

    We just had it happen on one of our servers.

    (Root password is the same/No rootkits detected)
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator