CSF, cpHulk, all kinds of security, and I get hacked.

nourjabi

Active Member
Jun 24, 2013
cPanel Access Level
Reseller Owner
Hi everyone,

I'm new here, and I hope I posted this in the right location.

I have a Dedicated Server from iWeb Servers Canada.

Recently I have been attacked by hackers so much; they keep getting in and messing around with my clients' index files using Mass.SH hacks.

I installed CSF today (had a hard time configuring it and got myself locked out a couple of times). But it's fine now.

Can you help me figure out how those hackers are getting in? Security holes or something?

PS: they managed to clear the secured logs for SSH every time, so I have no SSH log to see how and where they messed around.

Thanks a bunch!
 

georgeb

Well-Known Member
May 23, 2010
Montreal, QC, Canada
cPanel Access Level
Root Administrator
CSF has nothing to do with this kind of hack; you have to control anything that is uploaded to your server, control who is using SSH, etc. Many things... If you believe that just by installing CSF you are safe, you are wrong. CSF is great, but you have to control any file that is uploaded to your server. You can use CXS (with ModSecurity) from ConfigServer, or your own scripts, elaborate security inside your server, control who is connected via SSH, etc., check logs, and have it inform you when anyone else connects as root via SSH. There are many things to check, rather than just waiting until the hacker is inside your server. Many things to do... If you don't know how to do those things, it is better to hire somebody who knows; this way you'll save a lot of money by not being hacked...


Regards
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Most of the time hackers get in through an outdated website, often Joomla or WordPress with old plugins.

If they are able to erase root-owned logs, then it is very likely your kernel was old and let an exploit on one hacked site escalate to root privileges.

At this point you need to have your host make a new server with a clean operating system, new kernel, and new root password, and then migrate all of your users to that server. The sites should be scanned for malware by a professional, ideally prior to moving them to the new server.
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Basically, hackers are using shell scripts to execute any Perl scripts on the server, so you will have to scan all your websites for the shell scripts. You can find the shell scripts through a maldet (LMD) scan.

Also install ConfigServer eXploit Scanner and mod_security on your server.
 

Easylife

Registered
Aug 13, 2013
cPanel Access Level
Root Administrator
Maybe your computer system has its own problem, and a hacker has stolen all these files with vicious code, so I suggest that you reinstall the system.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

It's a good idea to consult with a qualified system administrator if your server has been rooted. Going forward, the cPanel Security Advisor Addon may be useful for helping you to determine which options you can enable on your system to improve security:

cPanel Security Advisor Addon

Thank you.
 

nourjabi

Active Member
Jun 24, 2013
cPanel Access Level
Reseller Owner
I have worked out a few CSF modifications, ran the CSF security test, and fixed many holes here and there, and it seems everything is smooth and all those IPs trying to hack into the server are blocked. :) Thanks, everyone.
 

inthukha

Well-Known Member
Jul 17, 2013
cPanel Access Level
Root Administrator
Well, I still suggest you run clamd, LMD, and rootkit hunter as well for detecting exploits, because if they change the logs, it means they can do anything if their exploit exists in the system.
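
The first post describes index files being overwritten across several client accounts. As an added example (not part of any post in this thread), the shell functions below flag index file content that was modified recently and is byte-identical in several accounts; the function names, the thresholds and the `BASE/<user>/public_html` layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: each account's web
# root is BASE/<user>/public_html (BASE would be /home on many servers).

# list_index_hashes BASE [DAYS]
# Prints "<sha256> <user> <path>" for every index.* file modified within
# the last DAYS days (default 7) in each account's web root.
list_index_hashes() {
    base=$1
    days=${2:-7}
    for docroot in "$base"/*/public_html; do
        [ -d "$docroot" ] || continue
        user=$(basename "$(dirname "$docroot")")
        find "$docroot" -type f -name 'index.*' -mtime "-$days" -print |
        while IFS= read -r f; do
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            printf '%s %s %s\n' "$sum" "$user" "$f"
        done
    done
}

# find_shared_index BASE [MIN_ACCOUNTS] [DAYS]
# Prints "<sha256> <n_accounts>" for each recently modified index file
# content found in at least MIN_ACCOUNTS different accounts (default 3).
find_shared_index() {
    min=${2:-3}
    list_index_hashes "$1" "${3:-7}" |
        awk '{ print $1, $2 }' | sort -u |   # one row per (hash, account)
        awk -v min="$min" '
            { n[$1]++ }
            END { for (h in n) if (n[h] >= min) print h, n[h] }' |
        sort
}
```

To see the affected paths for a reported hash, filter the output of `list_index_hashes` on that hash. Stock files that are identical across accounts (for example the same CMS `index.php` after an update) also match, so a hit is a lead to inspect, not proof of defacement.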