Fix Server After Compromise?

baiquni

Member
Sep 5, 2017
Banda Aceh
cPanel Access Level
Root Administrator
Hello,

Recently our server was compromised. How can I check for the hacker's backdoor, backconnect, etc.?

I regularly scan the server using the ClamAV cPanel plugin, and it has found no suspicious files such as viruses or PHP backdoors. I have restricted ports 2087 and 22 to intranet access only, so if I want to log in as root from outside the intranet, I have to use a VPN. I have enabled ModSecurity Tools (OWASP ruleset) and cPHulk too. But the hackers keep coming.

Lastly, I checked /etc/passwd and found the suspicious entries below.

mailman:x:498:497:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:496:495:MySQL server:/var/lib/mysql:/bin/bash

Is it correct for the mailman and mysql users to have a shell instead of nologin/noshell?

I hope somebody can give me a suggestion on what I should do.
 

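The poster spotted the shell entries by eyeballing /etc/passwd. The following script is an added example (not code from the thread or from cPanel) that does that check systematically: it lists every account in the system-UID range whose login shell is not nologin/false, so it can be repeated after each rebuild. The UID threshold of 500 is an assumption taken from the UIDs quoted in the post (the CentOS 6 convention; newer distributions use 1000), the function names are hypothetical, and the passwd file embedded for the demo is constructed from the quoted lines plus two extra accounts.

```shell
#!/bin/sh
# Added example, not from the original thread.
# List system/service accounts in a passwd file that still have an
# interactive shell. Assumption: system accounts sit below UID 500
# (CentOS 6 layout, matching the UIDs 496-498 quoted in the post);
# override SYS_UID_MAX=1000 on distributions that use the newer range.
SYS_UID_MAX=${SYS_UID_MAX:-500}

# Print "user:uid:shell" for every account with uid < SYS_UID_MAX
# (root excluded) whose shell does not end in nologin or /false.
# Reads the passwd file given as $1, default /etc/passwd.
find_shell_service_accounts() {
    awk -F: -v max="$SYS_UID_MAX" '
        $3 == 0 { next }                    # root is expected to have a shell
        $3 >= max { next }                  # normal users are out of scope here
        $7 ~ /(nologin|\/false)$/ { next }  # properly locked accounts
        { print $1 ":" $3 ":" $7 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample passwd file: the entries quoted in the post plus a
# locked service account (nobody) and a normal user (alice).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mailman:x:498:497:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:496:495:MySQL server:/var/lib/mysql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
EOF
}

# Run with --demo to audit the constructed sample; run with no argument
# (or a path) to audit a real passwd file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_passwd "$tmp"
    find_shell_service_accounts "$tmp"
    rm -f "$tmp"
fi
```

A hit from this script is a lead, not a verdict: compare each flagged account against what the package or control panel installs by default before locking it with `usermod -s /sbin/nologin USER`, and treat a shell that the packaging does not explain, or a service account whose line has changed since the last audit, as something to investigate alongside its home directory, cron entries and authorized_keys.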
24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hi,

I would suggest you scan your server using maldet to begin with. There are certain other tools that are helpful for scanning, including CXS from ConfigServer. You can use it to scan your complete server and get the information you want on backdoors.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011