The Community Forums


(hacked) cPanel & whm slow & time out

Discussion in 'General Discussion' started by thanatopsizer, Mar 28, 2004.

  1. thanatopsizer

    thanatopsizer Member

    Joined:
    Dec 5, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Yesterday I noticed my server was running very slowly, so I checked the running processes and saw the following:

    ./gma xxx.xxx.xxx.xxx 0 0 0


    and in place of the x's was an ip. My pure-ftpd had been hacked and my server was performing a denial of service attack. Because I could not deal with the problem at the time, I shut the server off. I have restarted it and switched from pure-ftpd to pro-ftpd, and everything appears to be running normal. I checked all of my logs, and the only suspicious things I found were a few connection attempts within one second of each other which all disconnected the same second. Anyway, now that I have everything back online, cpanel is extremely slow, and using the ssl port times out; as does whm, so I am at a loss for what to do; I know the hacked process isn't running, and I have restarted cpanel as well as the whole server, but it has not helped the situation. Any suggestions would be greatly appreciated.
     
  2. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    You need a security audit. There are quite a few reputable places in the ads forum.
     
  3. thanatopsizer

    thanatopsizer Member

    Joined:
    Dec 5, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    That is a good thought, but I am more interested in getting everything on my server back online first.

    I am of course having an odd problem now: if I view the services running on my system, cpanel says that httpd, exim, ftpd, imap, and cppop have all failed; and yet all of them are running, and all of them work; web pages still load, I can still send and receive emails, and my messages log file shows everything starting fine...

    Mar 29 14:32:32 challenger exim: exim shutdown failed
    Mar 29 14:32:32 challenger exim: antirelayd shutdown failed
    Mar 29 14:32:32 challenger exim: spamd shutdown failed
    Mar 29 14:32:32 challenger exim: exim startup succeeded
    Mar 29 14:32:32 challenger exim: exim startup succeeded
    Mar 29 14:32:33 challenger exim: antirelayd startup succeeded
    Mar 29 14:32:43 challenger proftpd[5964]: challenger.pixelop.com - ProFTPD killed (signal 15)
    Mar 29 14:32:43 challenger proftpd[5964]: challenger.pixelop.com - ProFTPD 1.2.9 standalone mode SHUTDOWN
    Mar 29 14:32:43 challenger proftpd: proftpd shutdown succeeded
    Mar 29 14:32:43 challenger proftpd[6516]: challenger.pixelop.com - ProFTPD 1.2.9 (stable) (built Fri Dec 19 18:21:13 EST 2003) standalone mode STARTUP
    Mar 29 14:32:43 challenger proftpd: proftpd startup succeeded
    Mar 29 14:33:19 challenger xinetd: xinetd shutdown failed
    Mar 29 14:33:19 challenger xinetd[6561]: Server in.ntalkd is not executable [file=/etc/xinetd.d/ntalk] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/ntalk] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Server in.qpopper is not executable [file=/etc/xinetd.d/pop-3] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/pop-3] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Server in.talkd is not executable [file=/etc/xinetd.d/talk] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/talk] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Server in.telnetd is not executable [file=/etc/xinetd.d/telnet] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/telnet] [line=8]
    Mar 29 14:33:19 challenger xinetd[6561]: Must specify a server in ntalk
    Mar 29 14:33:19 challenger xinetd[6561]: Must specify a server in pop-3
    Mar 29 14:33:19 challenger xinetd[6561]: Must specify a server in talk
    Mar 29 14:33:19 challenger xinetd[6561]: Must specify a server in telnet
    Mar 29 14:33:19 challenger xinetd[6561]: xinetd Version 2.3.12 started with libwrap loadavg options compiled in.
    Mar 29 14:33:19 challenger xinetd[6561]: Started working: 1 available service
    Mar 29 14:33:19 challenger xinetd: xinetd startup succeeded


    Any ideas why cpanel's status is showing them as failed? One other thing, Cpanel still will not load in ssl mode, but will load in non ssl. I do not expect complete instructions on how to resolve everything (although it would be nice) but any suggestions would be helpful.
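The log excerpt above is a good illustration of why a service monitor and the system log can disagree: a "shutdown failed" line only says the stop step found nothing to stop, and the "startup succeeded" line that follows it is what reflects the service's real state, while the xinetd "DISABLING SERVICE" lines are genuine findings worth a second look after an intrusion. The following script is an added example, not code from the thread or from cPanel; it triages a constructed syslog-style excerpt in the same format as the one posted above and reports the last recorded state per service plus the xinetd services that were disabled.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): triage a syslog-style
# messages excerpt of the kind posted above. Reports each service's LAST
# recorded state and lists xinetd services disabled at startup.
# SAMPLE_LOG is a constructed excerpt in the same format as the post.

SAMPLE_LOG='Mar 29 14:32:32 challenger exim: exim shutdown failed
Mar 29 14:32:32 challenger exim: exim startup succeeded
Mar 29 14:32:33 challenger exim: antirelayd startup succeeded
Mar 29 14:32:43 challenger proftpd: proftpd shutdown succeeded
Mar 29 14:32:43 challenger proftpd: proftpd startup succeeded
Mar 29 14:33:19 challenger xinetd[6561]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/telnet] [line=8]
Mar 29 14:33:19 challenger xinetd[6561]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/pop-3] [line=8]
Mar 29 14:33:19 challenger xinetd: xinetd startup succeeded
Mar 29 14:40:01 challenger cppop: cppop startup failed'

# last_state SERVICE : prints the final recorded state of SERVICE.
#   "up"      last event was "startup succeeded"
#   "down"    last event was "startup failed" or "shutdown succeeded"
#   "unknown" no startup/shutdown lines for that service at all
# Field 6 is the service name in "host daemon: service verb result" lines;
# a "shutdown failed" line is deliberately ignored, since it only means the
# stop step found nothing to stop and says nothing about the current state.
last_state() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v svc="$1" '
        $6 == svc && $7 ~ /^(startup|shutdown)$/ {
            if ($7 == "startup" && $8 == "succeeded") state = "up"
            else if ($7 == "startup" && $8 == "failed") state = "down"
            else if ($7 == "shutdown" && $8 == "succeeded") state = "down"
        }
        END { print (state == "" ? "unknown" : state) }'
}

# disabled_services : prints the xinetd services disabled at startup, one per
# line, taken from the basename of the [file=/etc/xinetd.d/NAME] field.
disabled_services() {
    printf '%s\n' "$SAMPLE_LOG" |
        sed -n 's/.*DISABLING SERVICE \[file=[^]]*\/\([^]]*\)\].*/\1/p'
}

# summary : one line per monitored service with its last logged state,
# followed by the list of xinetd services that were switched off.
summary() {
    for svc in exim antirelayd proftpd xinetd cppop; do
        printf '%s=%s\n' "$svc" "$(last_state "$svc")"
    done
    printf 'xinetd disabled: %s\n' "$(disabled_services | tr '\n' ' ')"
}

summary
```

Running it prints `exim=up`, `cppop=down` and `xinetd disabled: telnet pop-3`; the point is that the monitor's "failed" verdict should be checked against the last event per service, not against the presence of any "failed" word in the log.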
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    For the status, make sure chkservd is running:

    /etc/init.d/chkservd stop
    /etc/init.d/chkservd start

    As for SSL: shut down httpd and check that all the processes have definitely shut down, then start:

    /etc/init.d/httpd stop
    ps axf | grep -v grep | grep httpd
    (repeat until all gone)
    /etc/init.d/httpd start

    However, if your server has been hacked you can no longer trust it. Unless you have a forensic security audit of the whole server done by a professional company that specialises in Linux security (which could cost $1000's) it is impossible to say that it is 100% clean.

    You should backup all your user data and have an OS restore done of the server.
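The "stop, repeat until all gone, start" loop above is easy to script so that the start step is refused while stragglers remain, which is exactly what keeps a leftover process from holding the SSL port. The script below is an added example, not from this thread or from cPanel; it assumes a Linux /proc filesystem (so it needs neither ps nor pgrep) and the /etc/init.d/NAME init scripts used above, and the 30-second limit is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): restart a service only after
# every process with that name has really exited. Assumes Linux /proc and
# /etc/init.d/NAME init scripts; "pgrep -x NAME" is the equivalent of
# still_running where procps is installed.

# still_running NAME : exit 0 if a live (non-zombie) process named NAME exists
still_running() {
    for dir in /proc/[0-9]*; do
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$1" ] || continue
        # a zombie has already exited and is only waiting to be reaped
        grep -q '^State:[[:space:]]*Z' "$dir/status" 2>/dev/null && continue
        return 0
    done
    return 1
}

# wait_until_gone NAME LIMIT : poll once a second until no NAME process is
# left. Prints the seconds waited; exits 0 when gone, 1 if LIMIT is reached
# first (the scripted form of "repeat until all gone").
wait_until_gone() {
    name=$1; limit=$2; waited=0
    while still_running "$name"; do
        if [ "$waited" -ge "$limit" ]; then
            echo "$waited"
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$waited"
    return 0
}

# restart_clean NAME : stop, confirm nothing is left, then start. Refuses to
# start while old processes remain so they cannot keep the port bound.
restart_clean() {
    name=$1
    /etc/init.d/"$name" stop
    if ! wait_until_gone "$name" 30 >/dev/null; then
        echo "$name: processes still present after 30s; not starting" >&2
        return 1
    fi
    /etc/init.d/"$name" start
}

# usage: sh restart_clean.sh httpd   (does nothing when no name is given)
if [ -n "${1:-}" ]; then
    restart_clean "$1"
fi
```

If the loop times out, the remaining processes were not started by the init script, or are ignoring its stop, and on a box that is suspected of being compromised that is itself a finding to record before doing anything else.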
     
  5. Tom Pyles

    Tom Pyles Well-Known Member

    Joined:
    Apr 26, 2002
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    Stupid question for you. Are you positive that your server was hacked? I have seen FTP sessions that were not terminated properly. Server load will climb causing things to slow down depending on the server specs. Killing the process will return things to normal. I can't say for sure that this is what happened in your case.

    Have you run chkrootkit to see if anything was found? Regardless, if there is any suspicion that you were hacked, you should have an expert look into it.
     
  6. thanatopsizer

    thanatopsizer Member

    Joined:
    Dec 5, 2003
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    I backed up everything on my server to its second hard drive, but just so there are no doubts, this is what my output looked like...

    [IMG]

    That along with a process showed as ./gma xxx.xxx.xxx.xxx 0 0 0 makes me very suspicious; and there were 2 instances of my ftp server running (I'm again not sure how) but it's all taken care of now...
     