Compromised Server Questions

Discussion in 'Security' started by alex128002, Jun 27, 2015.

  1. alex128002

    alex128002 Registered

    Joined:
    Jun 27, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Montreal
    cPanel Access Level:
    Root Administrator
    Hi,

A hacker has been able to infiltrate my server with cPanel/WHM.
    He's currently able to create/suspend/unsuspend accounts, as well as log into some FTP accounts and inject PHP files.
    I have changed every password, but he still has access to the server. I really don't know how he can still access the server.

Here's an example from the log file of how an account was created:

    Code:
    Jun 24 17:01:58 main named[2867]: received control channel command 'reconfig'
    Jun 24 17:01:58 main named[2867]: loading configuration from '/etc/named.conf'
    Jun 24 17:01:58 main named[2867]: using default UDP/IPv4 port range: [1024, 65535]
    Jun 24 17:01:58 main named[2867]: using default UDP/IPv6 port range: [1024, 65535]
    Jun 24 17:01:58 main named[2867]: couldn't mkdir '/var/run/named': Permission denied
    Jun 24 17:01:58 main named[2867]: generating session key for dynamic DNS
    Jun 24 17:01:59 main named[2867]: couldn't mkdir '/var/run/named': Permission denied
    Jun 24 17:01:59 main named[2867]: could not create /var/run/named/session.key
    Jun 24 17:01:59 main named[2867]: failed to generate session key for dynamic DNS: permission denied
    Jun 24 17:01:59 main named[2867]: sizing zone task pool based on 131 zones
    Jun 24 17:01:59 main named[2867]: Warning: view localhost_resolver: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
    Jun 24 17:01:59 main named[2867]: Warning: view internal: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
    Jun 24 17:01:59 main named[2867]: reloading configuration succeeded
    Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/internal: loaded serial 2015062401
    Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/external: loaded serial 2015062401
    Jun 24 17:01:59 main named[2867]: any newly configured zones are now loaded
    Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/internal: sending notifies (serial 2015062401)
    Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/external: sending notifies (serial 2015062401)
    Jun 24 17:02:03 main named[2867]: received control channel command 'reload hackerdomain.com IN external'
    Jun 24 17:02:03 main named[2867]: zone hackerdomain.com/IN/external: loaded serial 2015062403
    Jun 24 17:02:03 main named[2867]: received control channel command 'reload hackerdomain.com IN internal'
    Jun 24 17:02:03 main named[2867]: zone hackerdomain.com/IN/internal: loaded serial 2015062403
    Jun 24 17:02:04 main named[2867]: zone hackerdomain.com/IN/internal: sending notifies (serial 2015062403)
    Jun 24 17:02:04 main named[2867]: zone hackerdomain.com/IN/external: sending notifies (serial 2015062403)
    
    
And here's the email that cPanel sent to me:

    Code:
    New Account created.
    
    Domain: hackerdomain.com
    IP Address: xxx.xx.xx.xx (Shared)
    CGI Access: Enabled
    Username: hackerdomain
    Password: ***HIDDEN***
    cPanel Theme: x3
    Home Directory: /home
    Quota: 15,000 MB
    Name Server 1: swdomains.venus.orderbox-dns.com
    Name Server 2: swdomains.mercury.orderbox-dns.com
    Name Server 3: swdomains.mars.orderbox-dns.com
    Name Server 4: swdomains.earth.orderbox-dns.com
    Contact Email: admin@hackerdomain.com
    Package: giga
    Feature List: default
    Locale: en
    
    The account was set up by the reseller “main” with the effective user ID of “root”.
    
    Does someone have an idea on how the hacker can access the server?

    Thank you in advance for your help.
     
    #1 alex128002, Jun 27, 2015
    Last edited by a moderator: Jun 27, 2015
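A defender-side helper for the named log above (an added example, not part of this thread or of cPanel): it extracts the zones that named loaded inside the `reconfig` window, which is exactly where a freshly created account's domain shows up, so the list can be matched against the "New Account created" emails and the WHM access log to find when and from where the account was made. The sample log is constructed from the post's excerpt.

```python
import re

# Constructed sample shaped like the named log excerpt in the post
# (host "main", pid 2867 and zone "hackerdomain.com" are the post's values).
SAMPLE_LOG = """\
Jun 24 17:01:58 main named[2867]: received control channel command 'reconfig'
Jun 24 17:01:58 main named[2867]: loading configuration from '/etc/named.conf'
Jun 24 17:01:59 main named[2867]: reloading configuration succeeded
Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/internal: loaded serial 2015062401
Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/external: loaded serial 2015062401
Jun 24 17:01:59 main named[2867]: any newly configured zones are now loaded
Jun 24 17:02:03 main named[2867]: received control channel command 'reload hackerdomain.com IN external'
Jun 24 17:02:03 main named[2867]: zone hackerdomain.com/IN/external: loaded serial 2015062403
"""

# syslog prefix: "Mon DD HH:MM:SS host named[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: (?P<msg>.*)$")
# "zone example.com/IN/internal: loaded serial 2015062401"
ZONE_RE = re.compile(r"^zone (?P<zone>[^/]+)/IN/(?P<view>[^:]+): loaded serial (?P<serial>\d+)$")


def find_new_zones(log_text):
    """Return [(timestamp, zone, view, serial)] for zones loaded between
    'reloading configuration succeeded' and 'any newly configured zones are
    now loaded' after a 'reconfig' command. Only zones added to named.conf
    since the last load appear in that window, so on a cPanel server each
    entry corresponds to a newly created account or addon domain. Zone
    reloads outside the window (plain 'reload <zone>') are ignored."""
    new_zones = []
    saw_reconfig = in_window = False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "received control channel command 'reconfig'":
            saw_reconfig = True
        elif msg == "reloading configuration succeeded" and saw_reconfig:
            in_window = True
        elif msg == "any newly configured zones are now loaded":
            saw_reconfig = in_window = False
        elif in_window:
            z = ZONE_RE.match(msg)
            if z:
                new_zones.append((m.group("ts"), z.group("zone"), z.group("view"), z.group("serial")))
    return new_zones


def new_domains(log_text):
    """Distinct zone names from find_new_zones(), one per created domain."""
    return sorted({zone for _, zone, _, _ in find_new_zones(log_text)})


if __name__ == "__main__":
    for ts, zone, view, serial in find_new_zones(SAMPLE_LOG):
        print(f"{ts}  new zone {zone} (view {view}, serial {serial})")
```

Feed it the real log with `find_new_zones(open("/var/log/messages").read())` or whichever file receives named's syslog output on the box.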
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,470
    Likes Received:
    199
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If you believe your server is compromised, and you're unsure of the way forward, you should look into hiring a professional to assist you. Waiting for a reply on the forum is not the best way to go here.

cPanel cannot assist you with a compromised server. You might want to contact your Hosting Provider or Data Center for suggestions on locking down that server until you can get a security professional to assist you with cleaning it up, if that's even possible. Once the server is compromised, the only real, best option is to reload the server from scratch and restore accounts from safe backups.

    Good luck with this.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
Alex,
    I know nothing regarding security, so I'm not really placed to offer any clean-up assistance; however, I am intrigued.

    Did you change the root password?

    If reloading the server is not an option, then I'd like to suggest that you configure Host Access Control so that only your own IPs are granted access to these areas.
    This might afford you some time to seek further advice.
     