Hacked, anyone seen this?

Discussion in 'General Discussion' started by DWHS.net, Jun 16, 2003.

  1. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    Jun 13 14:52:42 XXXX sshd[10755]: Could not reverse map address 62.251.241.110.
    Jun 13 14:52:46 XXXX sshd[10755]: Accepted password for rpm from 62.251.241.110 port 2030

    This guy manages to hack in from ssh with the user rpm.

    Password accepted.. what password?

    And what the heck is port 2030..

    Any thoughts or ideas?

    cPanel.net Support Ticket Number:
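Added example, not part of the original thread: one way to surface a login like the one in the log lines above is to flag accepted SSH authentications for service accounts. The passwd excerpt, the two extra log lines and the UID cutoff of 500 are constructed assumptions.

```python
import re

# Constructed sample: the two lines from the post plus two made-up lines.
SAMPLE_LOG = """\
Jun 13 14:52:42 XXXX sshd[10755]: Could not reverse map address 62.251.241.110.
Jun 13 14:52:46 XXXX sshd[10755]: Accepted password for rpm from 62.251.241.110 port 2030
Jun 13 15:01:10 XXXX sshd[10802]: Accepted password for charles from 192.0.2.10 port 40112
Jun 13 15:03:31 XXXX sshd[10840]: Failed password for root from 192.0.2.77 port 51515
"""

# Constructed passwd excerpt; on a real host read /etc/passwd instead.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rpm:x:37:37::/var/lib/rpm:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
charles:x:500:500::/home/charles:/bin/bash
"""

# In this sshd message the trailing port is the client's source port.
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")

def service_accounts(passwd_text, uid_min=500):
    """Names with 0 < UID < uid_min (assumed cutoff): daemon accounts, not people."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and 0 < int(fields[2]) < uid_min:
            names.add(fields[0])
    return names

def suspicious_logins(log_text, passwd_text, uid_min=500):
    """Return accepted SSH logins whose user is a service account."""
    svc = service_accounts(passwd_text, uid_min)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group("user") in svc:
            hits.append({"user": m.group("user"), "method": m.group("method"),
                         "ip": m.group("ip"), "client_port": int(m.group("port"))})
    return hits

if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG, SAMPLE_PASSWD):
        print(hit)
```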
     
  2. Angel78

    Angel78 Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    413
    Likes Received:
    1
    Trophy Points:
    16
    Were you using a firewall? (Port 2030 isn't common for cPanel.)

  3. cass

    cass Well-Known Member

    Joined:
    Jul 17, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Argentina/USA/Mexico
    This looks like someone using a non-standard port to log into SSH on your server... is this bad? YES YES!
    If you haven't done it, search for rootkits on your box.
    And if you don't want this happening again ...
    secure your server, update your software, kernel, etc.
    Upgrade to the Edge version of cPanel 7, go to "Tweak Security" and put the PHP security thing ON. This will prevent most "php shell" hacks.

    Regards.

  4. DWHS.net

    Nice tips, thanks..

    Luckily it was a trap for the hacker to test our security on a semi-bogus server.

    The main servers have all ssh/telnet disabled.

    Really appreciate the info.

    -Charles

  5. cass

    Well... actually, you don't need SSH/Telnet to hack a server ...
    Just a PHP shell script will do the job... :rolleyes:
    Also there are CGI scripts to do the same ...
    Anyone with access to this ... and with the help of any software bug, could upload & run or compile & run anything to exploit something to get root, and they could use their own "SSH/Telnet" on their own custom port to access the server ...

    Regards.

  6. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    16
    You disabled SSH? How the heck are you supposed to manage the machine?

  7. DWHS.net

    We only allow access from certain IPs.

    It is still not 100% safe, as stated above, but it might deter a hacker from even trying since it's a lot harder to install sniffers and trojans.

  8. cass

    See... any client with access to PHP or CGI, if they are not properly configured, could EASILY, very EASILY install & compile an SSH trojan and run it on any port (if not firewalled) or maybe on a standard port that's not firewalled, but where the service is actually not used (e.g. port 22 of telnet ...)
    The trojan gives you SSH on a port as the user apache or php runs as....
    Not to mention if you don't update software on your server and have some root exploit usable on your server... then... someone could simply OWN your server.

    The best you can do ... is (if you know how) try to own your own server... if you can, anyone else can ... if you can't ... maybe anyone else could be ... hehe...

    Finally... you can start with the security tweaks on CPANEL 7 :)

    Just my 0.02
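Added example, not part of the original thread: the rogue listener on a custom port described in the post above can be looked for by comparing listening sockets against an allowlist. The sample table, the allowlist and the web server UID of 48 are constructed assumptions.

```python
import socket

# Constructed sample in /proc/net/tcp format; on a real host read that file.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1003 1
   3: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 1004 1
   4: 0A00000A:0050 076433C6:D431 01 00000000:00000000 00:00000000 00000000    48        0 1005 1
"""

ALLOWED_PORTS = {22, 80, 3306}  # assumption: listeners this host is meant to have
WEB_UIDS = {48}                 # assumption: UID the web server / PHP runs as

def listeners(proc_text):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state (st == 0A)."""
    out = []
    for line in proc_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        hex_ip, hex_port = f[1].split(":")
        # Address bytes appear reversed on little-endian hosts (assumed here).
        ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
        out.append((ip, int(hex_port, 16), int(f[7])))
    return out

def unexpected_listeners(proc_text, allowed=ALLOWED_PORTS, web_uids=WEB_UIDS):
    """Flag listeners outside the allowlist or owned by the web server user."""
    findings = []
    for ip, port, uid in listeners(proc_text):
        reasons = []
        if port not in allowed:
            reasons.append("port not in allowlist")
        if uid in web_uids and port not in (80, 443):
            reasons.append("owned by web server user")
        if reasons:
            findings.append((ip, port, uid, reasons))
    return findings

if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_PROC_NET_TCP):
        print(finding)
```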

  9. DWHS.net

    Good advice, cass.

    I have seen this first hand, "not pretty".

    I just checked out your site; it looks very nice.

  10. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Seeing how everybody has problems with CP7, I can't upgrade until I feel I know I will have everything ok after the smoke clears. :)

    Brenden
