hacked and frustrated

Discussion in 'Security' started by hope2besecured, Jun 29, 2011.

  1. hope2besecured

    hope2besecured Registered

    So I was hacked Saturday night or so, and ever since we have been trying to figure out how.
    The frustration is they were able to steal money from our payment processor account once they were able to breach our servers. (and it's a lot, and I won't mention it to keep your jaw from dropping)

    We operate on a cloud server that is managed. Let me outline the story and analysis from our security person at the datacenter.


    lfd on vm228.customer.blacklotus.net: WHM/cPanel root access alert from 178.73.222.206 (EU/-/cms206.speckledfloor.com)

    Time: Sat Jun 25 10:56:27 2011 -0700
    IP: 178.73.222.206 (EU/-/cms206.speckledfloor.com)
    User: root


    Within minutes of that they did all sorts of things, downloaded database, backups, etc. The security analysis for what happened is below:

    The cPanel and WHM access and the operations are carried out during the time
    17:56:19 to 18:12:46 [5:56 PM to 6:12 PM]. But the ssl access log shows that the
    IP 178.73.222.206 was accessing different pages like
    http://***********.com/demo.php and http://*************.com/login.php
    from 11:18 AM to 11:23 AM. So it is clearly evident that the IP was trying to
    access the ***********.com urls and then logged into the whm/cPanel.

    So it could be through some malware program on the customer's local machine.

    The access log doesn't show any signs of compromise through the customer's scripts/files.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    FIRST ACCESS LOG ENTRY FROM THE IP 178.73.222.206

    c******/access-logs/**********.com-ssl_log:178.73.222.206 - -
    [25/Jun/2011:11:18:02 -0700] "GET /login.php HTTP/1.1" 200 4773
    "http://************.com/demo.php" "Mozilla/4.0 (compatible;
    MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from:
    bsalsa EmbeddedWB Home EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR
    3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"




    LAST ACCESS LOG ENTRY FROM THE IP 178.73.222.206

    c******/access-logs/**********.com:178.73.222.206 - -
    [25/Jun/2011:11:23:20 -0700] "GET /info.php HTTP/1.1" 404 389
    "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
    Trident/4.0; EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52;
    SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center
    PC 6.0; .NET4.0C; .NET4.0E)"
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    FIRST CPANEL ACCESS LOG ENTRY FROM THE IP 178.73.222.206

    178.73.222.206 - - [06/25/2011:17:56:19 -0000] "GET / HTTP/1.1" 401 0
    "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
    Trident/4.0; EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52;
    SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center
    PC 6.0; .NET4.0C; .NET4.0E)"

    LAST CPANEL ACCESS LOG ENTRY FROM THE IP 178.73.222.206

    178.73.222.206 - root [06/25/2011:18:12:46 -0000] "GET
    /cpsess748341418/json-api/loadavg HTTP/1.1" 200 0
    "https://208.********:2087/cpsess748341418/scripts/command"
    "Mozilla/4.0 (compatible; MSIE 8.0;Windows NT 6.1; WOW64; Trident/4.0;
    EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52; SLCC2; .NET CLR
    2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;
    .NET4.0C; .NET4.0E)"
    -----

    So far we've not been able to detect any system or file damage at this time, but if accounts were accessed they all appear to be legitimate.



    -------

    Today I was able to find this hacker poking around by looking through my notification emails; this is the same hacker:

    Time: Fri Jun 24 08:26:06 2011 -0700
    IP: 178.73.217.237 (EU/-/cast237.guitarspoke.com)
    Failures: 5 (cpanel)
    Interval: 300 seconds
    Blocked: Permanent Block

    Log entries:

    178.73.217.237 - root [06/24/2011:15:21:26 -0000] "GET /cpsess4811030428/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    178.73.217.237 - root [06/24/2011:15:21:31 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    178.73.217.237 - root [06/24/2011:15:23:06 -0000] "GET /cpsess8921312361/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    178.73.217.237 - root [06/24/2011:15:23:14 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
    178.73.217.237 - root [06/24/2011:15:26:04 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect




    Any advice???

    Here's what a previous security-enhancing service did to make the server more secure:

    1. safe_mode = On

    By enabling the safe_mode parameter, PHP scripts are able to access files only when their owner is the owner of the PHP scripts. This is one of the most important security mechanisms built into PHP. It effectively counteracts unauthorized attempts to access system files (e.g. /etc/passwd) and adds many restrictions that make unauthorized access more difficult.

    2. expose_php = Off

    Turning off the "expose_php" parameter means that PHP will not disclose information about itself in the HTTP headers sent to clients in responses to web requests.

    3. display_errors = Off

    If the display_errors parameter is turned off, PHP errors and warnings are not displayed. Because such warnings often reveal valuable information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers.

    4. allow_url_fopen = Off

    If it is enabled, this gives the option to treat URLs (like http:// or ftp://) as files. This can be used to exploit some vulnerability in the server and execute any script on the server.

    5. disable_functions = dl,system,exec,passthru,shell_exec,symlink,ini_restore,imap_body,imap_list,imap_open,mysql_list_dbs,popen,stream_select,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,socket_strerror,readlink,symlink,link,pfsockopen,ini_alter,dl,openlog,syslog,putenv,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,fpassthru,detcwd,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate

    Add the functions show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen to the disable_functions. This directive allows you to disable certain functions for security reasons. It receives a comma-delimited list of function names. This directive is NOT affected by whether Safe Mode is turned On or Off.
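The analyst's report above correlates two log sources whose timestamps carry different UTC offsets (-0700 in the Apache ssl_log, -0000 in the cPanel/WHM access log), and the lfd notification adds a third line shape ("FAILED LOGIN ..."). As an added example that is not part of this thread or of cPanel, here is a small Python script that parses all three shapes, normalises every entry to UTC so entries from different logs can be ordered against each other, and builds a per-IP summary: first and last sighting, failed and denied logins, and the first request made as an authenticated user. The sample lines are constructed from the formats quoted above; hostnames and the masked WHM address are placeholders, the IPs are the ones named in the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample lines modelled on the three formats quoted in the thread.
# Hostnames and the WHM address (198.51.100.10) are placeholders.
SAMPLE_LOGS = """\
178.73.217.237 - root [06/24/2011:15:21:26 -0000] "GET /cpsess4811030428/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:21:31 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.222.206 - - [25/Jun/2011:11:18:02 -0700] "GET /login.php HTTP/1.1" 200 4773 "http://example.com/demo.php" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.73.222.206 - - [25/Jun/2011:11:23:20 -0700] "GET /info.php HTTP/1.1" 404 389 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.73.222.206 - - [06/25/2011:17:56:19 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.73.222.206 - root [06/25/2011:18:12:46 -0000] "GET /cpsess748341418/json-api/loadavg HTTP/1.1" 200 0 "https://198.51.100.10:2087/cpsess748341418/scripts/command" "Mozilla/4.0 (compatible; MSIE 8.0)"
"""

# Common prefix shared by Apache, cPanel and lfd lines: ip ident user [timestamp] "request" rest
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<rest>.*)$')
RESULT_RE = re.compile(r"^(?P<status>\d{3}) (?:\d+|-)")
# Apache writes 25/Jun/2011, the cPanel access log writes 06/25/2011; both carry an offset.
TS_FORMATS = ("%d/%b/%Y:%H:%M:%S %z", "%m/%d/%Y:%H:%M:%S %z")


@dataclass(frozen=True)
class Event:
    ts: datetime          # normalised to UTC
    ip: str
    user: str             # "-" when the request was not authenticated
    request: str
    status: Optional[int] # HTTP status; None for lfd FAILED LOGIN lines
    outcome: str          # failed_login | denied | authenticated | anonymous | other


def parse_ts(raw: str) -> datetime:
    """Parse either timestamp layout and convert it to UTC."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(raw, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("FAILED LOGIN"):
        status, outcome = None, "failed_login"
    else:
        r = RESULT_RE.match(rest)
        status = int(r["status"]) if r else None
        if status is None:
            outcome = "other"
        elif status in (401, 403):
            outcome = "denied"
        elif m["user"] != "-" and status < 400:
            outcome = "authenticated"
        else:
            outcome = "anonymous"
    return Event(parse_ts(m["ts"]), m["ip"], m["user"], m["req"], status, outcome)


def build_timeline(text: str) -> List[Event]:
    """All parseable lines, ordered by UTC time regardless of the source log's offset."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def summarize(events: List[Event]) -> Dict[str, dict]:
    """Per-IP counts and first/last sighting; expects the sorted output of build_timeline."""
    out: Dict[str, dict] = {}
    for e in events:
        s = out.setdefault(e.ip, {"first_seen": e.ts.isoformat(), "last_seen": None, "events": 0,
                                  "failed_logins": 0, "denied": 0, "first_authenticated": None})
        s["last_seen"] = e.ts.isoformat()
        s["events"] += 1
        if e.outcome == "failed_login":
            s["failed_logins"] += 1
        elif e.outcome == "denied":
            s["denied"] += 1
        elif e.outcome == "authenticated" and s["first_authenticated"] is None:
            s["first_authenticated"] = f"{e.ts.isoformat()} as {e.user}"
    return out


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for e in timeline:
        print(e.ts.isoformat(), e.ip, e.user, e.outcome, e.request)
    for ip, s in summarize(timeline).items():
        print(ip, s)
```

Feed it the real access-logs and cPanel access log on the box instead of SAMPLE_LOGS and the UTC ordering shows which of an attacker's requests actually came first, which is the question the report above is trying to answer.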
     
  2. ravindradhainwa

    ravindradhainwa Well-Known Member

    Hi,

    I suggest the following points:

    1 :: Disable WHM and SSH access for all. Enable it for your IP only.
    2 :: You can also disable the default FTP user on your server.
    3 :: Change the SSH port.
    4 :: Change the root password to a harder one.
     
  3. hope2besecured

    hope2besecured Registered

    The only thing on your list that wasn't done is restricting cPanel access to only my IP. Everything else is IP blocked and on your list as well.
     
  4. system1351

    system1351 Member

    hi,

    Only allow your static IP to log in over SSH; that is the solution.


    nano /etc/ssh/sshd_config
    Put this line at the end of the file:

    AllowUsers root@190.x.x.x

    Change 190.x.x.x to your IP address.

    Then save the file and run: service sshd restart

    Only that IP address and user (root) will then be able to log in over SSH.


    I suggest not changing the SSH port; that does not help at all, since it is very easy to scan an IP address with nmap and try telnet or another tool to find the SSH port.
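The AllowUsers step above, as an added example that is not part of the post or of OpenSSH: a small Python helper that refuses to write a placeholder such as 190.x.x.x into sshd_config (the address must be a literal IP), merges the new user@host entry into a single AllowUsers line without duplicating it, keeps a backup of the file, and runs sshd in test mode against the new file before you restart the service. AllowUsers is deny-by-default once present: every user and source not matched by it is locked out, so a typo in that line locks you out too. The function names and the .bak suffix are my own choices.

```python
import ipaddress
import re
import shutil
import subprocess
from pathlib import Path
from typing import List

ALLOWUSERS_RE = re.compile(r"^\s*AllowUsers\b(.*)$", re.IGNORECASE)
USER_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def is_literal_address(ip: str) -> bool:
    """True only for a real IPv4/IPv6 literal; '190.x.x.x' and hostnames are rejected."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def allow_entry(user: str, ip: str) -> str:
    """Build the user@host pattern, validating both halves first."""
    if not USER_RE.fullmatch(user):
        raise ValueError(f"bad user name: {user!r}")
    if not is_literal_address(ip):
        raise ValueError(f"not a literal IP address: {ip!r}")
    return f"{user}@{ip}"


def update_allowusers(config_text: str, entry: str) -> str:
    """Return sshd_config text with `entry` in AllowUsers; unchanged if it is already there."""
    lines: List[str] = config_text.splitlines()
    current: List[str] = []
    idx = None
    for i, line in enumerate(lines):
        m = ALLOWUSERS_RE.match(line)
        if m:
            # sshd merges multiple AllowUsers lines; collect them all so none is lost
            current.extend(m.group(1).split())
            idx = i
    if entry in current:
        return config_text
    new_line = "AllowUsers " + " ".join(current + [entry])
    if idx is None:
        lines.append(new_line)
    else:
        # keep one merged line at the position of the last original; drop the others
        lines[idx] = new_line
        lines = [l for j, l in enumerate(lines) if j == idx or not ALLOWUSERS_RE.match(l)]
    return "\n".join(lines) + "\n"


def apply_allowusers(config_path: str, user: str, ip: str) -> bool:
    """Rewrite the config on disk with a backup and validate it; returns True if it changed."""
    path = Path(config_path)
    entry = allow_entry(user, ip)
    old = path.read_text()
    new = update_allowusers(old, entry)
    if new == old:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(new)
    sshd = shutil.which("sshd")
    if sshd:
        # -t: test mode, -f: use this config file; a non-zero exit aborts before any restart
        subprocess.run([sshd, "-t", "-f", str(path)], check=True)
    return True
```

Run apply_allowusers("/etc/ssh/sshd_config", "root", "<your static IP>") as root, then restart sshd, and keep your current session open until a fresh login from the allowed address has succeeded.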
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The dates don't make sense with your comments above, assuming you pasted these bits out of order. That IP should have zero access to this server on July 7 if he walked into the server on June 25.

    If he got root access, chances are slim it was a customer's computer, IMHO. It was probably yours, or whoever has root.
     
  6. rlshosting

    rlshosting Well-Known Member

    We have gotten hacked too, including money stolen from us, but we bought a VPS just for the billing system only. No client accounts. Everything has been peachy since then.
     