
Hacked by another mail server?

Discussion in 'Security' started by LaxSlash1993, Oct 14, 2015.

  1. LaxSlash1993 (Member; Buffalo, NY; cPanel Access Level: Root Administrator)
    A little background here.

    Was hosted with BudgetVM until I learned that they're quite literally public enemy #1 to Spamhaus. Moved the webserver over back to my other provider. Logged in via SSH, and got greeted by a weird last login message. Ran 'last' and this got returned:

    Code:
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    Keith    pts/1        mail.jjbdwz.cn   Sun Oct 11 02:40 - 02:40  (00:00)
    
    So I changed the passwords (which are/were rated 100/100 for security strength) and then tried logging into the root account to do the same. Problem.

    Sudo returns:
    Code:
    sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes
    Su returns:
    Code:
    su: cannot set user id: Resource temporarily unavailable
    Checked the mail queues via WHM, and strangely nothing shows up as being sent out, even as failed. However, my main domain is listed on Spamhaus. So I sent the removal request in using the abuse e-mail address, only to find out that I can't access my webmail port now as it just times out. All other cPanel services seem to be working as expected.

    I've tried disabling both cPHulk and Fork Bomb Protection..... no dice. Tried two graceful reboots. Again, no dice. Same issues/errors.

    Not sure how they got in, either. None of the sites (4 in all) have been set up yet - they all return 403 Forbidden errors when trying to access them (indexing is turned off).

    I'm out of ideas. Help?
     
  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Hello :)

    Are you using a firewall that could be blocking the webmail ports? If not, try installing a firewall management utility such as CSF to easily manage firewall rules and ensure ports are not blocked:

    ConfigServer Security & Firewall

    Thank you.
     
  3. LaxSlash1993 (Member; Buffalo, NY; cPanel Access Level: Root Administrator)
    No way of doing or checking that... I'm locked out of sudo.

    Edit: Have an update. Good news is it appears to be a false flag. The hostname was a residual reverse DNS entry from a spammer that leased my IP address before I did. The provider took care of that pretty quickly. Bad news is that I'm still locked out of sudo. If possible... can this be moved out of Security and somewhere more appropriate, seeing as this ended up not being a security issue but rather an issue of a reverse DNS pointer still existing from the previous owner that I never knew about?
     
    #3 LaxSlash1993, Oct 14, 2015
    Last edited: Oct 14, 2015
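The resolution in post #3 (a stale reverse DNS pointer left behind by the IP's previous lessee) is a general hazard of reading `last`: the host column shows whatever PTR name the source address resolved to, and the PTR is controlled by whoever holds, or last held, that address. The script below is an added example, not code from this thread or from cPanel. It takes the output of `last -i` (addresses instead of names), looks up each PTR itself and forward-confirms it, so a name that does not resolve back to the connecting address is flagged rather than trusted. The sample `last -i` lines, the documentation-range addresses and the DNS answers are constructed for the offline run; `mail.jjbdwz.cn` is the name from the thread, but the A record given for it here is invented.

```python
#!/usr/bin/env python3
"""Forward-confirm the source address of each login that `last` recorded.

Added example, not code from the forum thread. `last` prints the host column
as sshd stored it, normally the PTR (reverse DNS) name of the client address;
the PTR belongs to whoever holds the IP, and a stale record from a previous
holder survives reassignment. `last -i` prints the address instead. This
script takes that output, looks up the PTR itself and checks that the name
resolves back to the address (forward-confirmed reverse DNS). Resolvers are
injectable so the sample run is offline; `audit()` with no resolver
arguments uses the system resolver through the socket module.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample of `last -i` output, modelled on the thread's listing.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LAST_I = """\
keith    pts/1        203.0.113.7      Sun Oct 11 02:40 - 02:40  (00:00)
keith    pts/1        203.0.113.7      Sun Oct 11 02:40 - 02:40  (00:00)
keith    pts/0        198.51.100.23    Sat Oct 10 21:12 - 22:03  (00:51)
reboot   system boot  2.6.32-573.el6   Sat Oct 10 20:58 - 03:11  (06:13)
root     tty1                          Sat Oct 10 20:59 - 21:00  (00:01)

wtmp begins Thu Oct  8 14:02:11 2015
"""

# Constructed DNS answers for the offline run: the PTR for 203.0.113.7 still
# names a previous holder's mail host (the name from the thread), and that
# name's invented A record points somewhere else entirely.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.7": "mail.jjbdwz.cn",
    "198.51.100.23": "office.example.net",
}
FAKE_A: Dict[str, List[str]] = {
    "mail.jjbdwz.cn": ["192.0.2.88"],
    "office.example.net": ["198.51.100.23"],
}

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def system_ptr(ip: str) -> Optional[str]:
    """PTR name for an address via the system resolver, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name: str) -> List[str]:
    """Every A/AAAA address a name resolves to, or [] if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def parse_last_i(text: str) -> List[Dict[str, str]]:
    """Keep records whose host column is an address; this drops reboot lines,
    console logins with an empty host, and the 'wtmp begins' trailer."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        records.append({"user": parts[0], "tty": parts[1], "ip": parts[2]})
    return records


def fcrdns(ip: str, ptr: PtrLookup, forward: ForwardLookup) -> Dict[str, Optional[str]]:
    """'no-ptr', 'confirmed' (the PTR name resolves back to ip) or
    'unconfirmed' (stale, forged or otherwise unrelated PTR)."""
    name = ptr(ip)
    if name is None:
        return {"ptr": None, "verdict": "no-ptr"}
    return {"ptr": name, "verdict": "confirmed" if ip in forward(name) else "unconfirmed"}


def audit(last_i_output: str, ptr: PtrLookup = system_ptr,
          forward: ForwardLookup = system_forward) -> List[Dict[str, Optional[str]]]:
    """Annotate every login record with its PTR name and FCrDNS verdict,
    resolving each distinct address once."""
    cache: Dict[str, Dict[str, Optional[str]]] = {}
    rows: List[Dict[str, Optional[str]]] = []
    for rec in parse_last_i(last_i_output):
        if rec["ip"] not in cache:
            cache[rec["ip"]] = fcrdns(rec["ip"], ptr, forward)
        rows.append({**rec, **cache[rec["ip"]]})
    return rows


if __name__ == "__main__":
    # Offline run on the constructed data. On a real host feed it the text of
    # `last -i` and omit the two resolver arguments to use live DNS.
    for row in audit(SAMPLE_LAST_I, FAKE_PTR.get, lambda n: FAKE_A.get(n, [])):
        print(f"{row['user']:8} {row['ip']:16} {row['ptr'] or '-':24} {row['verdict']}")
```

An "unconfirmed" verdict does not by itself mean the login is hostile (the thread's case was a benign stale pointer); it means the name in the `last` listing carries no evidence either way, and the address, not the name, is what to correlate with sshd's auth log and with the allow-lists in cPHulk or CSF.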
  4. LaxSlash1993 (Member; Buffalo, NY; cPanel Access Level: Root Administrator)
    Going to bump this. I cannot use root in WHM, use sudo, or su into root, because of the errors mentioned in the OP. I have to reboot it (the server) every 2 hours to be able to get back in - and that doesn't even always work. Nothing in limits.conf, and limits.d's config file says that root should be entitled to 'unlimited' processes. This happens when root only has 39 processes up and running.
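Post #4 checks limits.conf and limits.d, which is where the nproc limit is configured, but not the limit the session is actually running with. The added example below (not from the thread or from cPanel) reads that live value: the "Max processes" row of /proc/<pid>/limits for the shell that would run sudo or su. pam_limits sets it only when the session opens, and a later `ulimit -u` in a profile script can lower it again, so the file and the live value can disagree. Both errors quoted in the thread are the setuid family failing with EAGAIN (sudo prints "too many processes" for that errno, su prints strerror(EAGAIN), "Resource temporarily unavailable"), and the limit the kernel consults is the calling process's soft RLIMIT_NPROC, so this is the number to read before editing the config. The /proc excerpts and the limit of 35 are constructed; the per-uid count is taken from the Uid: line of /proc/<pid>/status, which is the real format.

```python
#!/usr/bin/env python3
"""Put a session's live process limit beside the per-uid process counts.

Added example, not code from the forum thread. pam_limits copies the nproc
value from limits.conf / limits.d only when a session opens; a profile
script running `ulimit -u` afterwards can lower it again, and the kernel
checks the calling process's soft RLIMIT_NPROC, not the file. The live value
is the "Max processes" row of /proc/<pid>/limits; the counts beside it come
from the Uid: line (real uid first) of each /proc/<pid>/status.
"""
import os
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed /proc/<pid>/limits excerpt for a shell whose nproc was lowered
# after login; the value 35 is invented for the example.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max processes             35                   1024                 processes
Max open files            1024                 4096                 files
Max nice priority         0                    0
"""

# Constructed /proc/<pid>/status excerpts: 39 root processes (the count from
# post #4) and 3 processes owned by uid 500.
SAMPLE_STATUS: List[str] = (
    ["Name:\tsshd\nState:\tS (sleeping)\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"] * 39
    + ["Name:\tbash\nState:\tS (sleeping)\nUid:\t500\t500\t500\t500\n"] * 3
)

LIMIT_RE = re.compile(r"^(Max [a-z ]+?)\s{2,}(\S+)\s+(\S+)")


def parse_limits(text: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Map each 'Max ...' row to (soft, hard); None stands for 'unlimited'."""
    out: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            soft, hard = (None if v == "unlimited" else int(v) for v in m.group(2, 3))
            out[m.group(1)] = (soft, hard)
    return out


def real_uid(status_text: str) -> Optional[int]:
    """Real uid is the first number on the Uid: line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def count_by_uid(status_texts: Iterable[str]) -> Counter:
    """Number of processes per real uid."""
    counts: Counter = Counter()
    for text in status_texts:
        uid = real_uid(text)
        if uid is not None:
            counts[uid] += 1
    return counts


def nproc_report(limits_text: str, status_texts: Iterable[str],
                 target_uid: int) -> Dict[str, object]:
    """Caller's soft/hard nproc limit next to the target uid's process count.
    'at_limit' is True when that count already meets or exceeds the soft
    limit, the condition under which a switch to the uid can fail with EAGAIN
    (sudo reports that errno as "too many processes", su as "Resource
    temporarily unavailable")."""
    soft, hard = parse_limits(limits_text).get("Max processes", (None, None))
    have = count_by_uid(status_texts)[target_uid]
    return {"soft": soft, "hard": hard, "target_processes": have,
            "at_limit": soft is not None and have >= soft}


def live_report(target_uid: int = 0, pid: Optional[int] = None) -> Dict[str, object]:
    """The same report from the real /proc (Linux only). Defaults to the parent
    process, i.e. the shell that would run sudo or su."""
    pid = pid or os.getppid()
    with open(f"/proc/{pid}/limits") as f:
        limits = f.read()
    statuses = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as f:
                    statuses.append(f.read())
            except OSError:
                pass  # process exited between listdir and open
    return nproc_report(limits, statuses, target_uid)


if __name__ == "__main__":
    print("constructed sample, target uid 0:", nproc_report(SAMPLE_LIMITS, SAMPLE_STATUS, 0))
    if os.path.exists("/proc/self/limits"):
        print("this host, target uid 0:        ", live_report(0))
```

Run it from the shell that fails to sudo; if the reported soft limit is far below what limits.conf promises, the thing lowering it is something that runs after PAM in that login path (a profile.d script, a wrapper shell), and raising the configured value will not help until that is found.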
     
  5. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
  6. keat63 (Well-Known Member; cPanel Access Level: Root Administrator)
    Maybe I'm barking up the wrong tree here, in which case please accept my apologies.

    I had something very similar happen to me when I first got my server.
    I was locked out of root access via SSH, and it turned out to be cPHulk.
    Apparently, there were a large number of failed login attempts (assumed to be potential hackers, I guess).
    I also had to reboot to gain access; this was literally within hours of WHM going live.
    Since deploying CSF, moving the SSH port and tightening up Host Access Control, I've not seen this issue.
     