The Community Forums


Becoming so very fed up with Cpanel

Discussion in 'General Discussion' started by vbtweb, Jul 30, 2005.

Thread Status:
Not open for further replies.
  1. vbtweb

    vbtweb Member

    Joined:
    Jan 10, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    I kept getting all these messages saying that my server may be compromised, and I couldn't get DNS to work right. All this was all of a sudden out of the blue. So, in the end (as my datacenter doesn't support anything but hardware / serverpronto), I had to go out and pay to have someone look at the server. They said a user (IRON) had run a hacking script flooding other servers with TCP packets. They killed the script and replaced all the changed files. Even though I was 104% sure that user had no idea how to do anything like it, I suspended the account, and I went and made every single user and account change their password to something complex, and I changed the root password. For a week everything has been running fine.

    Now today I get these emails,

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the
    account mails has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not be compromised.

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm package findutils did not match the expected checksum. This could mean that your system was compromised (OwN3D). The offending files have been removed and replaced with the OS default. To be safe you should verify that your system has not be compromised.

    Modified Files:
    S.5..UG. /usr/bin/find

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D). The offending files have been removed and replaced with the OS default. To be safe you should verify that your system has not be compromised.

    Modified Files:
    S.5....T /bin/netstat
    S.5..UG. /sbin/ifconfig

    And the Trojan scan listed several possibly infected files. I simply can't afford to pay anyone to clean this up over again. Is there anyone who can tell me how to fix this nonsense using WHM, and is there any cPanel patch or update that will stop this from happening?


    Thanks

    Vance
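    To make sense of the two alert types quoted above, here is an added example (not from this thread or from cPanel's own scripts) that decodes the `rpm -V` flag columns shown in the "Modified Files:" lines and checks passwd data for accounts other than root that carry uid 0. The alert lines and the passwd excerpt are constructed samples.

```python
"""Decode rpm verification lines and find uid-0 accounts.

Added example, not part of the original thread or of cPanel's scripts.
Sample alert lines and passwd rows below are constructed for illustration.
"""
import re

# rpm -V prints one column per attribute; '.' means unchanged, '?' means
# the test could not be run. Older rpm emits 8 columns, newer rpm adds 'P'.
RPM_FLAGS = {
    "S": "file size differs",
    "M": "mode (permissions/type) differs",
    "5": "digest (MD5) differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

_RPM_LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(\S+)$")

def decode_rpm_verify(line):
    """Return (path, [flag letters that fired]) for one 'rpm -V' line."""
    m = _RPM_LINE.match(line.strip())
    if not m:
        raise ValueError("not an rpm -V line: %r" % line)
    flags, path = m.groups()
    return path, [c for c in flags if c not in ".?"]

def content_changed(line):
    """True when the file contents were replaced (size or digest changed),
    as opposed to only ownership or timestamp being touched."""
    _, fired = decode_rpm_verify(line)
    return "S" in fired or "5" in fired

def describe(line):
    """Human-readable list of what changed, e.g. for a report."""
    path, fired = decode_rpm_verify(line)
    return path, [RPM_FLAGS[c] for c in fired]

# Constructed /etc/passwd excerpt; 'mails' mirrors the first alert.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
mails:x:0:0::/home/mails:/bin/bash
vance:x:1001:1001::/home/vance:/bin/bash
"""

def uid0_accounts(passwd_text):
    """Return account names other than 'root' whose uid field is 0."""
    found = []
    for row in passwd_text.splitlines():
        fields = row.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found
```

    Feed it the lines from the alert (or the output of `rpm -Va` on a live host) to see at a glance which binaries had their contents replaced rather than merely re-owned.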
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, this has nothing at all to do with cPanel and everything to do with your OS, which is evidently insecure. Remember that cPanel is just a web hosting application, it does not replace the need for Linux server administration.

    Once you have suffered a root compromise you must have an OS restore done on the server. It is almost impossible to clean a root compromise unless you are very lucky - the only way to be sure your server is clean if you don't want to do an OS restore is to have the system disk sent off for forensic examination.

    You don't mention which OS you are running, but I would hazard a guess that it's RH9 or older. You should have the server rebuilt with a supported OS and then restore your cPanel account data. As it stands, you cannot trust the OS on your server.
     
  3. Anbarasan

    Anbarasan Registered

    Joined:
    Sep 12, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    We have received the following message,

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the account dev has user id 0 (root privs).
    This could mean that your system was compromised (OwN3D). To be safe you should
    verify that your system has not been compromised.

    The root password has been changed; we have requested the DC to reset it.

    Now, after this, how do we secure our server to stop this from happening?
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Please don't dig up ancient topics.
     