Hacked by another mail server?

LaxSlash1993

Member
Oct 8, 2015
10
0
1
Buffalo, NY
cPanel Access Level
Root Administrator
A little background here.

Was hosted with BudgetVM until I learned that they're quite literally public enemy #1 to Spamhaus. Moved the webserver over back to my other provider. Logged in via SSH, and got greeted by a weird last login message. Ran 'last' and this got returned:

Code:
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
So I changed the passwords (which are/were rated 100/100 for security strength) and then tried logging into the root account to do the same. Problem.

Sudo returns:
Code:
sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes
Su returns:
Code:
su: cannot set user id: Resource temporarily unavailable
Checked the mail queues via WHM, and strangely nothing shows up as being sent out, even as failed. However, my main domain is listed on Spamhaus. So I sent the removal request in using the abuse e-mail address, only to find out that I can't access my webmail port now as it just times out. All other cPanel services seem to be working as expected.

I've tried disabling both cPHulk and Fork Bomb Protection..... no dice. Tried two graceful reboots. Again, no dice. Same issues/errors.

Not sure how they got in, either. None of the sites (4 in all) have been set up yet - they all return 403 Forbidden errors when trying to access them (Indexing is turned off).

I'm out of ideas. Help?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello :)

Are you using a firewall that could be blocking the webmail ports? If not, try installing a firewall management utility such as CSF to easily manage firewall rules and ensure ports are not blocked:

ConfigServer Security & Firewall

Thank you.
 

LaxSlash1993

Member
Oct 8, 2015
10
0
1
Buffalo, NY
cPanel Access Level
Root Administrator
No way of doing or checking that... I'm locked out of sudo.

Edit: Have an update. Good news is it appears to be a false flag. The hostname was a residual ReverseDNS entry from a spammer that leased my IP Address before I did. The provider took care of that pretty quickly. Bad news is that I'm still locked out of sudo. If possible... can this be moved out of security and somewhere more appropriate, seeing as this ended up not being a security issue but rather an issue of a ReverseDNS Pointer still existing from the previous owner that I never knew about?
 
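The lesson of the update above is that the host column of `last` is just the reverse-DNS (PTR) name of the client address, and a PTR record can be left behind by a previous holder of the IP. The following shell script is an added example, not code from this thread or from cPanel: it triages `last -i` output (the `-i` switch prints the numeric address instead of the PTR name) against an allow-list of your own addresses, and includes a helper that forward-confirms a PTR name before anyone acts on it. The user name, addresses and times in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: triage `last` output without being
# misled by reverse DNS. The host column of `last` is the PTR name of the client
# address, and a PTR record can be stale (left by a previous holder of the IP),
# so the name alone proves nothing. `last -i` prints the numeric address; compare
# that against your own known addresses and forward-confirm any PTR name before
# drawing conclusions from it.

# Constructed sample in `last -i` layout (the user name, addresses and times are
# made up, not the OP's real output).
SAMPLE_LAST='keith    pts/1        203.0.113.7      Sun Oct 11 02:40 - 02:40  (00:00)
keith    pts/0        198.51.100.25    Sat Oct 10 19:02 - 22:15  (03:13)
root     tty1                          Sat Oct 10 18:00 - 18:05  (00:05)
reboot   system boot  0.0.0-constructed Sat Oct 10 17:58 - 02:41  (08:43)

wtmp begins Sat Oct 10 17:58:04 2015'

# Print "USER ADDRESS DAY MON DD HH:MM" for remote logins whose source address
# is not in the allow-list ($1, space-separated). Console logins have no
# address in column 3 and are skipped, as are reboot and wtmp lines.
flag_unknown_sources() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "reboot" || $1 == "wtmp" || NF < 7 { next }
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $3 ~ /:/ {
      if (!($3 in ok)) print $1, $3, $4, $5, $6, $7
    }'
}

# Forward-confirm a PTR name: succeed only if the name resolves back to the
# address it was shown for. Uses getent(1), so it needs a working resolver and
# is not exercised by the sample run below.
fcrdns_ok() {  # $1 = address, $2 = host name from `last`
  getent ahosts "$2" 2>/dev/null | awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
}

# Sample run: 198.51.100.25 is our own office address; anything else is flagged.
echo "$SAMPLE_LAST" | flag_unknown_sources "198.51.100.25"
```

On a live host, `last -i | flag_unknown_sources "addr1 addr2"` lists the sessions worth a closer look, and `fcrdns_ok 203.0.113.7 mail.example.net && echo confirmed` tells you whether a PTR name you saw in plain `last` actually belongs to that address today; a name that does not forward-confirm is exactly the stale-PTR situation from this thread.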

LaxSlash1993

Member
Oct 8, 2015
10
0
1
Buffalo, NY
cPanel Access Level
Root Administrator
Going to bump this. I cannot use root in WHM, use sudo, or su into root, because of the errors mentioned in the OP. I have to reboot it (the server) every 2 hours to be able to get back in - and that doesn't even always work. Nothing in limits.conf, and limits.d's config file says that root should be entitled to 'unlimited' processes. This happens when root only has 39 processes up and running.
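The "39 processes" puzzle has a concrete explanation worth checking. setuid(2) documents that changing the real UID fails with EAGAIN ("too many processes") when it would push the target UID's task count over the calling user's RLIMIT_NPROC, and getrlimit(2) notes that on Linux RLIMIT_NPROC counts threads, not processes. So the limit that matters for `sudo` or `su` is the invoking user's soft nproc limit, and the count it is compared with is the number of root-owned threads. The script below is an added example, not code from this thread or from cPanel; it sums threads per user from `ps`, resolves the nproc limit from limits.conf-style text the way pam_limits does, and reports whether the set*uid call would be refused. The sample process table and limits entries are constructed, and the user name `keith` is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: why sudo/su can fail with
# "setresuid: too many processes" while root shows only a few processes.
# setuid(2) documents EAGAIN when changing the real UID would push the target
# UID's task count over the CALLER's RLIMIT_NPROC, and the kernel counts tasks
# (threads), not processes. (Newer kernels report the same condition at the
# following execve(2) instead of at set*uid.) So check three things: threads
# per user, the calling user's nproc limit, and whether root's total exceeds it.

# Threads per user from `ps -eo user:32,nlwp --no-headers` style lines on
# stdin ("USER NLWP"). Prints "USER TASKS", highest first.
tasks_per_user() {
  awk 'NF >= 2 { n[$1] += $2 } END { for (u in n) print u, n[u] }' | sort -k2,2nr
}

# Total tasks (threads) for user $1 from the same kind of input.
tasks_for_user() {
  awk -v u="$1" '$1 == u { n += $2 } END { print n + 0 }'
}

# Effective nproc "SOFT HARD" for user $1 from limits.conf-style text on stdin
# (limits.conf followed by limits.d/*.conf). pam_limits rules reproduced here:
# a later matching line wins, a literal user name beats the '*' wildcard, and
# '*' does not apply to root (group entries, @name, are not handled).
nproc_limits_for_user() {
  awk -v u="$1" '
    BEGIN { sp = 0; hp = 0 }
    /^[[:space:]]*#/ || NF < 4 || $3 != "nproc" { next }
    { if ($1 == u) p = 2; else if ($1 == "*" && u != "root") p = 1; else next }
    ($2 == "soft" || $2 == "-") && p >= sp { soft = $4; sp = p }
    ($2 == "hard" || $2 == "-") && p >= hp { hard = $4; hp = p }
    END { if (soft == "") soft = "unset"; if (hard == "") hard = "unset"; print soft, hard }'
}

# Kernel-style verdict: $1 = caller's soft nproc limit, $2 = target user's
# task count. "unset" means pam_limits left the session's inherited limit in
# place, so the real number must come from `ulimit -Su` as that user.
setuid_verdict() {
  case "$1" in
    unlimited) echo "ok (no soft nproc limit)" ;;
    unset)     echo "unknown (run: ulimit -Su as the calling user)" ;;
    *)         if [ "$2" -ge "$1" ]; then echo "blocked"; else echo "ok"; fi ;;
  esac
}

# Live check on the host: would user $1 be refused when becoming root?
live_root_setuid_check() {
  limits="$(cat /etc/security/limits.conf /etc/security/limits.d/*.conf 2>/dev/null \
            | nproc_limits_for_user "$1")"
  root_tasks="$(ps -eo user:32,nlwp --no-headers | tasks_for_user root)"
  echo "caller=$1 nproc(soft hard)=$limits root_tasks=$root_tasks" \
       "verdict=$(setuid_verdict "${limits%% *}" "$root_tasks")"
}

# Constructed sample data (not the OP's server): root has 4 processes, but one
# of them runs 1100 threads, and the default '*' soft limit is 1024.
SAMPLE_PS='root 1
root 1
root 1
root 1100
keith 2
mysql 40
nobody 12'
SAMPLE_LIMITS='# /etc/security/limits.conf (constructed)
*    soft nproc 1024
*    hard nproc 4096
root soft nproc unlimited'

echo "$SAMPLE_PS" | tasks_per_user
KEITH_LIMITS="$(echo "$SAMPLE_LIMITS" | nproc_limits_for_user keith)"
ROOT_TASKS="$(echo "$SAMPLE_PS" | tasks_for_user root)"
echo "keith nproc (soft hard): $KEITH_LIMITS"
echo "root tasks: $ROOT_TASKS -> $(setuid_verdict "${KEITH_LIMITS%% *}" "$ROOT_TASKS")"
```

In the sample, root owns only four processes, yet one of them carries 1100 threads, so root's task count (1103) exceeds keith's soft limit of 1024 and the switch to root is refused; `root soft nproc unlimited` does not help, because the limit being enforced is the caller's, not root's. On the real host, `live_root_setuid_check keith` (run as the unprivileged user, no sudo needed) shows the same three numbers, and `ps -eo user:32,nlwp,pid,comm --sort=-nlwp | head` identifies which root process is spawning the threads.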
 

keat63

Well-Known Member
Nov 20, 2014
1,961
267
113
cPanel Access Level
Root Administrator
Maybe I'm barking up the wrong tree here, in which case please accept my apologies.

I had something very similar happen to me when I first got my server.
I was locked out of root access via ssh, and it turned out to be cPHulk.
Apparently, there were a large number of failed login attempts (assumed to be potential hackers I guess).
I also had to reboot to gain access, this was literally within hours of WHM going live.
Since deploying CSF, moving the SSH port and tightening up Host Access Control I've not seen this issue.