The Community Forums

Interact with an entire community of cPanel & WHM users!

defaced and delogged

Discussion in 'General Discussion' started by chash, May 14, 2005.

  1. chash

    chash Member

    I got defaced and delogged. I intend to do a reload next week but in the meantime I need some information (The server was defaced but I still "own" it and the data center is aware of the situation):

    What are the log files, ownership, and permissions?
    How can I restore logwatch?

    If anyone can provide the information requested I'll be grateful.
     
  2. chash

    chash Member

    Need to restore secure cPanel/WHM access

    Someone got "deloger" onto my system and ran it.

    This little gem deletes all logs and history making it difficult to trace what has been done to the system.

    As many programs expect their log files to be accessible, their absence generates all sorts of errors. I have replaced all the ones I know about (and others I learn of from errors in the ones I knew) and I have replaced logwatch, but I can't get WHM secure access running. This makes me suspect that I am still missing some logs.

    The point of the hack was to deface the system; all index files were replaced.

    I have run chkrootkit and searched the system for suspicious activity, but I haven't found anything but the exploit files, missing logs, and inserted index files.

    I am certainly not going to log in to WHM as root insecurely; I'd appreciate any advice to get secure WHM access going again.

    This is just for a temporary fix; I'll get a reload next week and harden the thing.

    servermatrix has been wonderfully helpful, going far beyond what I would have expected for an unmanaged server, but I agree that a reload is called for in this situation.

    So, any ideas out there?
     
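A defender-side check for the "missing logs break services" problem described in the post above, added here as an example and not code from the thread: it audits an inventory of expected log files for presence, truncation, symlink replacement, ownership and mode, and recreates the missing ones as empty placeholders. The inventory paths and their owner/group/mode values are assumed typical defaults for a server of this kind, not taken from the post, and must be adjusted to the actual box.

```python
import grp, os, pwd, stat

# Logs this box should have: path -> (owner, group, mode). ASSUMED typical defaults, not from the thread.
EXPECTED_LOGS = {
    "/var/log/messages": ("root", "root", 0o600),
    "/var/log/secure": ("root", "root", 0o600),
    "/var/log/wtmp": ("root", "utmp", 0o664),
    "/usr/local/apache/logs/error_log": ("root", "root", 0o644),
}

def owner_names(st):
    """(owner, group) names for a stat result; numeric ids when no name is known."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)

def audit_logs(expected):
    """Return (path, problem) pairs: missing, symlink, empty, wrong owner, wrong mode."""
    findings = []
    for path, (owner, group, mode) in expected.items():
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):  # a log replaced by a symlink is a red flag
            findings.append((path, "symlink"))
            continue
        if st.st_size == 0:
            findings.append((path, "empty"))  # truncated: the forensic trail is gone
        actual = owner_names(st)
        if actual != (owner, group):
            findings.append((path, "owner %s:%s expected %s:%s" % (*actual, owner, group)))
        if stat.S_IMODE(st.st_mode) != mode:
            findings.append((path, "mode %o expected %o" % (stat.S_IMODE(st.st_mode), mode)))
    return findings

def recreate_missing(expected, findings):
    """Recreate 'missing' logs as empty files so daemons stop erroring; chown needs root."""
    created = [path for path, problem in findings if problem == "missing"]
    for path in created:
        owner, group, mode = expected[path]
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, mode))
        os.chmod(path, mode)  # the open() mode is umask-filtered, so enforce it explicitly
        uid = int(owner) if owner.isdigit() else pwd.getpwnam(owner).pw_uid
        gid = int(group) if group.isdigit() else grp.getgrnam(group).gr_gid
        os.chown(path, uid, gid)
    return created
```

Run `audit_logs(EXPECTED_LOGS)` first and read the findings before calling `recreate_missing`; a placeholder only silences errors, it does not bring the lost history back.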
  3. chirpy

    chirpy Well-Known Member

    The problem is that you can no longer trust anything at all about the server. The only responsible thing you can do is have it reloaded immediately and secured properly. If you have user data on the server, have SM add a new OS disk and migrate the data over from the old disk:
    http://forum.ev1servers.net/showthread.php?s=&threadid=38797

    Leaving a root-compromised server on the internet not only risks everything on your server but usually acts as a staging post for spammers, DDoS attacks and hope to hack other people's servers. It's for these reasons that the first thing you should do is either get it unhooked and investigated or reloaded straight away, secured and restored.
     
