The Community Forums


Compromised Server

Discussion in 'General Discussion' started by mygregory, May 28, 2004.

  1. mygregory

    mygregory Active Member

    Joined:
    May 28, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    First ever Cpanel dedicated server, after reselling for a long time.

    Less than a month into things, my server is compromised and doing rogue tcp traffic. Got a WHM red message: exim security prob.

    Upgraded to

    WHM 9.2.0 cPanel 9.3.0-R5
    Fedora - WHM X v3.1.0


    System still compromised, server provider has limited the port.

    What next? How could I have avoided this.
    Any help much appreciated.


    G.
    Fedora - WHM X v3.1.0
     
  2. Wallaby

    Wallaby Well-Known Member

    Joined:
    Aug 15, 2001
    Messages:
    131
    Likes Received:
    1
    Trophy Points:
    18
    Steve at sales@rack911.com is a very good guy on security issues ("thelinuxguy" is his username on various fora).
     
  3. mygregory

    mygregory Active Member

    Joined:
    May 28, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Interpreting Bandmin

    It would appear that the update to the next newest release did the trick, though whm reports same versions as before

    Exim is now the latest 4.34

    BUT HOW CAN I BE SURE? It has stopped.

    If you keep refreshing bandmin and the numbers don't change much, does that mean that the rogue tcp traffic has been halted?
     
  4. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    Have you installed a firewall?

    Very well worth the time/effort/resources!
     
  5. mygregory

    mygregory Active Member

    Joined:
    May 28, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Firewall and Security progs.

    No, and if you mean a physical box it cannot be done. The server, though managed by me, is not under my physical control but with a provider. If you mean firewall software then I'd be interested to know about the possible solutions that are compatible with cpanel.

    What I have found most difficult about the current situation is that cpanel gives you the impression that you can actually pretty much run a server with very little command line knowledge and their updates will keep you protected, when in fact all it takes is for one of the many scripts, modules, services (here exim) to have a security flaw in an update and you will be left with a mess.

    Cpanel did not even report anything but allowed the compromised port/s to do 40Gig of traffic in 6-10 hours. It was only the provider's phone call that alerted me.

    As far as I know, there is no way to actually trace/close-off or limit a port except from the command line and it is beyond my capabilities. Of course I could learn, but it means entirely reworking my business expectations. It's hard enough in such an environment just to gain customers. But then if you spend an entire day, like the one just spent, it eats away at any profitability.

    I would love some pointers to some good programs that work well with cpanel and would allow real control tracking of ports and limiting bandwidth on them, and also tracking down bad traffic etc. Also: does anybody know where one can find the full logs that report details on this unknown TCP traffic? You certainly can't access any of this from cpanel.


    Any pointers would be much appreciated.
     
  6. Izzee

    Izzee Well-Known Member

    Joined:
    Feb 6, 2004
    Messages:
    469
    Likes Received:
    0
    Trophy Points:
    16
    Maybe you could benefit from someone who could do all the security fixes for you; then your time could be better spent tending your business.
    I spotted this thread the other day that might be of interest and it looks like there are more offers like this in the same forum. Could be useful in your situation.
    HTH.
     
  7. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    mygregory,

    APF firewall is very popular amongst cpanel users (software firewall) and is very easy to install.

    Here's a link to some simple instructions for installation:
    http://www.webhostgear.com/61.html

    you should also check out that site's other tutorials for improving security.
     
  8. mygregory

    mygregory Active Member

    Joined:
    May 28, 2004
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Looks interesting

    Thank you for your kind help,

    Useful resource. Will probably install APF, though not sure if I need to take any other action beforehand to stop the current use of the ports.
     
  9. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    Before I installed APF, I thought that my server was fairly secure. Amazing how after I installed it, my logwatch email showed me how many packets were dropped by the firewall.

    I still get some errant attempts by hackers (to no avail), but as soon as I discover the problem, I simply deny access to their IP/IP range and the hackers "Go Away!!!"

    Well worth 20-30 minutes of your time to install this!

    My advice, be proactive as opposed to retroactive:)
     
  10. DrGreen

    DrGreen Active Member

    Joined:
    May 5, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    how can you find out their IPs?
    and then block it
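An added example (not posted by anyone in this thread) of the kind of log review DrGreen asks about and mygregory was looking for: once APF/iptables is logging, dropped packets land in syslog in the kernel LOG format, and a short script can summarise which source addresses keep hitting which ports before an admin decides to deny them. The log lines below are constructed for illustration, the "** IN_TCP DROP **" prefix and `apf -d <ip>` are assumed to match the APF build in use, and the script only prints the suggested deny commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise firewall DROP log lines by
# source address so repeat offenders can be reviewed before being blocked.
# Assumes the usual kernel LOG format written by APF/iptables to syslog
# ("... IN=eth0 ... SRC=1.2.3.4 DST=... PROTO=TCP ... DPT=22 ...").
# The sample lines are constructed; they are not from a real host.

SAMPLE_LOG='May 29 03:14:07 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
May 29 03:14:08 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
May 29 03:14:09 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=3306 SYN URGP=0
May 29 03:14:11 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0
May 29 03:14:12 host sshd[2231]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
May 29 03:14:15 host kernel: ** IN_TCP DROP ** IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=3306 SYN URGP=0'

# Print "count src_ip dst_ports" per source, most frequent first.
# Only lines that contain DROP and a SRC= field are counted; the sshd
# line above is ignored, so unrelated syslog noise does not skew the totals.
top_drop_sources() {
    printf '%s\n' "$1" |
    awk '/DROP/ && match($0, /SRC=[0-9.]+/) {
            src = substr($0, RSTART + 4, RLENGTH - 4)
            dpt = "?"
            if (match($0, /DPT=[0-9]+/)) dpt = substr($0, RSTART + 4, RLENGTH - 4)
            n[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src] = ports[src] dpt "," }
         }
         END { for (s in n) printf "%d %s %s\n", n[s], s, substr(ports[s], 1, length(ports[s]) - 1) }' |
    sort -rn
}

# Print a suggested deny command for every source at or above a threshold.
# Nothing is executed here: the admin reads the list first, then decides.
# (apf -d <ip> is APF's "deny host" form; adjust it if your version differs.)
suggest_blocks() {
    top_drop_sources "$1" |
    awk -v t="$2" '$1 >= t { printf "apf -d %s drops=%d ports=%s\n", $2, $1, $3 }'
}

top_drop_sources "$SAMPLE_LOG"
suggest_blocks "$SAMPLE_LOG" 3
```

Point it at the real file (for example the kernel messages log) by replacing the constructed sample, and raise the threshold on a busy host so that a single stray probe does not end up in the deny list.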
     