
Fix Server After Compromise?

Discussion in 'Security' started by baiquni, Nov 6, 2017.

  1. baiquni

    baiquni Member

    Hello,

    Recently our server has been compromised. How do I check for the hacker's backdoor, backconnect, etc.?

    I regularly scan the server using ClamAV, provided as a cPanel plugin, and it has found no suspicious files such as viruses or PHP backdoors. I have limited ports 2087 and 22 to intranet access only, so if I want to log in as the root user from outside the intranet, I have to use a VPN. I have enabled ModSecurity Tools (OWASP) and cPHulk too. But the hackers keep coming.

    Lastly, I checked /etc/passwd and found the suspicious entries below.

    mailman:x:498:497:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/bin/bash
    dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
    dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
    mysql:x:496:495:MySQL server:/var/lib/mysql:/bin/bash

    Is it correct for the mailman and mysql users to have a shell instead of nologin/noshell?

    I hope somebody can give me suggestions on what I have to do.
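
Added example, not part of any post in this thread: one way to list the kind of entry the post above asks about, service accounts whose shell field is an interactive shell, so they can be compared with a known-good baseline. It also goes one step beyond the post by flagging any UID 0 account other than root. The names `audit_passwd` and `Finding`, the `UID_MIN` of 500 and the list of non-login shells are assumptions made for this example.

```python
"""Flag passwd(5) entries worth reviewing after a compromise (illustrative)."""
from typing import NamedTuple

# Assumed list of shells that do not give an interactive session; extend per distro.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                    "/bin/sync", "/sbin/shutdown", "/sbin/halt"}
# Assumption: UIDs below this are service accounts (UID_MIN in /etc/login.defs;
# 500 on older RHEL/CentOS releases, 1000 on newer ones).
UID_MIN = 500


class Finding(NamedTuple):
    user: str
    uid: int
    shell: str
    reason: str


def audit_passwd(text, uid_min=UID_MIN):
    """Return a Finding for each entry that should be checked by hand."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(Finding(fields[0], -1, "", f"malformed entry on line {lineno}"))
            continue
        user, uid = fields[0], int(fields[2])
        shell = fields[6] or "/bin/sh"  # passwd(5): an empty shell field means /bin/sh
        if uid == 0 and user != "root":
            findings.append(Finding(user, uid, shell, "UID 0 account other than root"))
        elif 0 < uid < uid_min and shell not in NON_LOGIN_SHELLS:
            findings.append(Finding(user, uid, shell, "service account with login shell"))
    return findings


# The four entries quoted in the post above, used as sample input.
SAMPLE = """\
mailman:x:498:497:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:496:495:MySQL server:/var/lib/mysql:/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        print(f"{f.user} (uid {f.uid}, shell {f.shell}): {f.reason}")
```

A hit is an entry to compare against a clean install of the same packages or an earlier backup of /etc/passwd; the script cannot tell whether the shell was set by a package or changed later.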
     
  2. 24x7server

    24x7server Well-Known Member

    Hi,

    I will suggest you scan your server using maldet to begin with. There are certain other tools that are helpful for you to scan, which include CXS from Configserver. You can use it to scan your complete server and get the information you want on backdoors.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
