The Community Forums

Hacked/Intrusion - what to look for ?

Discussion in 'General Discussion' started by jeroman8, Aug 23, 2008.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    What should I look for and do, if osreload is not an option, if I suspect someone has had root access to a server - with password?

    I have run chkrootkit, rkhunter, changed pass, hash and I also
    ran clamdscan on /home, /root, /tmp.
    Checked some dirs with eyes (dev/shm, tmp, apache dirs) ...
    Looked in some logs, but any tips here on what to look for and where would be great.
     
  2. thewebhosting

    thewebhosting Well-Known Member

    Joined:
    May 9, 2008
    Messages:
    1,201
    Likes Received:
    1
    Trophy Points:
    38
    Which logs have you checked? Have you checked the CPanel and access logs?

    Cpanel logs:- /var/cpanel/logs
    Access logs:- /var/messages
     
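As an added example of the kind of log check the reply above points at (this is not code from the thread or from cPanel), the script below scans sshd authentication lines in the format written to /var/log/secure, pulls out every successful root login, and flags source IPs that are not on an allowlist of known admin addresses. The log lines and the allowlist are constructed for the example; on a real server you would pipe the actual log through `flag_root_logins`.

```shell
#!/bin/sh
# Added example (not from the thread): find successful root SSH logins
# from addresses that are not on a known-admin allowlist.

# Constructed sample of /var/log/secure-style sshd lines (not real data).
SAMPLE_LOG='Aug 23 02:11:05 host sshd[2201]: Accepted password for root from 203.0.113.10 port 51122 ssh2
Aug 23 02:14:40 host sshd[2240]: Failed password for root from 198.51.100.7 port 40012 ssh2
Aug 23 03:02:17 host sshd[2301]: Accepted password for root from 198.51.100.7 port 40100 ssh2
Aug 23 03:05:00 host sshd[2310]: Accepted publickey for bob from 192.0.2.5 port 55000 ssh2
Aug 23 04:30:12 host sshd[2400]: Accepted password for root from 198.51.100.7 port 40101 ssh2'

# Hypothetical allowlist of admin source IPs (an assumption for this example).
ALLOWED_IPS="203.0.113.10 192.0.2.5"

# Read sshd log text from stdin; print "<ip> <count>" for every source IP
# that logged in as root and is not on the allowlist.
flag_root_logins() {
    grep 'sshd\[[0-9]*\]: Accepted [a-z]* for root from ' |
    sed 's/.* for root from \([0-9.]*\) port.*/\1/' |
    sort | uniq -c |
    while read -r count ip; do
        case " $ALLOWED_IPS " in
            *" $ip "*) ;;                 # known admin address, nothing to report
            *) echo "$ip $count" ;;       # unexpected source of a root login
        esac
    done
}

# Convenience wrapper that runs the check over the constructed sample.
flag_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_root_logins
}

flag_sample
# prints: 198.51.100.7 2
```

Failed attempts are deliberately ignored here: the question is who actually got in, so only `Accepted` lines count, and a flagged address is the place to start reading the rest of that session's activity.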
  3. 2fast

    2fast Member

    Joined:
    Mar 8, 2008
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    It's very hard to detect intrusions. What I would suggest is to increase your security.

    A good start is here

    This is free software and is designed for the whm.

    Running rkhunter is your best bet to see if you have been rooted, I guess. Scanning any strange PHP pages is also a good start; scan them with any normal AV like NOD32 etc., they will pick up any c99 shells.

    Also in your Security Center (WHM) there is a section which allows you to lock down services to a specific IP or IP range, for example.

    Only I can SSH to my server, either from work or at home; only customers can FTP to the server, and if they have a dynamic IP that's fine as I've added the IP range.

    If you would like any help send me a message and I'll add you to MSN and talk you through various security measures you can take.
     
  4. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Hi, thanks for your reply!

    2fast - How do I lock SSH to only 2-3 IP addresses?

    I read about it a little but can't find a step-by-step kind of post.

    Also, it should be possible to only block root access to one IP while
    client SSH access can be done from anywhere. Know anything about that ?

    I'll try to find info, but if you have the time, I'd appreciate any help.

    Thanks!
     
  5. 2fast

    2fast Member

    Joined:
    Mar 8, 2008
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Sorry for the late reply..

    If you are not familiar with iptables then you can do it through your WHM.

    Click on Security > the Security Center > Host Access Control (block IP access) >

    There you will have a new page with daemon access controls.

    Add the IPs you want to add like this.... I have taken a screenshot as an example for you.. then at the very end of the allow list for sshd you need the deny.

    The IP address is just an example; add any IP address you want to allow SSH access above the deny.

    Hope this helps.. if you need any more help just let me know :)

    You shouldn't really ever log in over SSH as root; you should really su once you are in.

    .... here is a quick step by step...

    This should work on most Linux distros...

    Step 1 -
    Code:
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
    This will make a copy of the file you're going to edit, just in case :)

    OK so now edit the file, in vi, nano, pico, whichever you want :)

    Step 2 - look for Protocol 2,1 change this to

    Code:
    Protocol 2
    Step 3 - look for the line that should look like

    # PermitRootLogin yes

    change that to

    Code:
    PermitRootLogin no 
    Don't forget to remove the # :)

    ======================================

    Then you need to create a user that is allowed to use the su command, so first it might be an idea to create a user; for argument's sake I'll call the user Bob.

    Code:
    usermod -aG wheel Bob   # -a appends wheel to Bob's existing groups instead of replacing them
    This adds Bob to the wheel group, which is allowed to use the su command. To prevent any other users from using the su command, do the following.

    Open
    Code:
    /etc/pam.d/su
    in an editor (I prefer vi) and remove the hash (#) from this line

    Code:
    auth required /lib/security/pam_wheel.so use_uid
    =========================================================

    Now you can do this 2nd section first, it is up to you. But once you have done it, make sure it works... don't close the session you already have open; open a new session and try it :)

    You shouldn't need to restart the sshd daemon for this to work. This is my way of doing it; I'm sure someone will come up with another way that they do it, as usual for these types of forum.. my way may not be the best way but it works :)
     
    #5 2fast, Aug 26, 2008
    Last edited: Aug 26, 2008
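The step by step above edits sshd_config and /etc/pam.d/su by hand, and its closing advice is to verify the result in a second session. As an added example (not code from the thread or from cPanel), the script below audits those three settings the way sshd and PAM actually read them. The one trap it is built around: sshd uses the first uncommented occurrence of a keyword, so a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` changes nothing. The sample config files are constructed in a temporary directory for the example; on a real server point `audit_ssh_hardening` at /etc/ssh/sshd_config and /etc/pam.d/su.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the sshd_config and
# pam.d/su edits described above are actually in effect.

# sshd applies the FIRST uncommented occurrence of a keyword, so this
# prints the value sshd will really use for the given key.
effective_sshd_option() {
    file=$1; key=$2
    grep -i "^[[:space:]]*$key[[:space:]]" "$file" | head -n 1 | awk '{print $2}'
}

# Print "yes" when pam_wheel.so is active (uncommented, "auth required")
# in a pam.d/su file, otherwise "no".
pam_wheel_enforced() {
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Overall verdict for an sshd_config and a pam.d/su file: "ok" when root
# SSH login is off, only protocol 2 is enabled and su is restricted to
# the wheel group; otherwise "problems:" followed by what is still wrong.
audit_ssh_hardening() {
    sshd=$1; pamsu=$2; problems=""
    [ "$(effective_sshd_option "$sshd" PermitRootLogin)" = "no" ] || problems="$problems PermitRootLogin"
    [ "$(effective_sshd_option "$sshd" Protocol)" = "2" ]        || problems="$problems Protocol"
    [ "$(pam_wheel_enforced "$pamsu")" = "yes" ]                 || problems="$problems pam_wheel"
    if [ -z "$problems" ]; then echo ok; else echo "problems:$problems"; fi
}

# Constructed sample files (not copied from any real server); left in
# place under $TMP so they can be inspected after the run.
TMP=${TMPDIR:-/tmp}/sshaudit.$$
mkdir -p "$TMP"
cat > "$TMP/sshd_config.bad" <<'EOF'
Protocol 2,1
PermitRootLogin yes
# appended later, but sshd already took the first value above:
PermitRootLogin no
EOF
cat > "$TMP/sshd_config.good" <<'EOF'
Protocol 2
PermitRootLogin no
EOF
cat > "$TMP/su.default" <<'EOF'
#auth           required        /lib/security/pam_wheel.so use_uid
auth            sufficient      /lib/security/pam_rootok.so
EOF
cat > "$TMP/su.wheel" <<'EOF'
auth            required        /lib/security/pam_wheel.so use_uid
auth            sufficient      /lib/security/pam_rootok.so
EOF

audit_ssh_hardening "$TMP/sshd_config.bad"  "$TMP/su.default"   # problems: PermitRootLogin Protocol pam_wheel
audit_ssh_hardening "$TMP/sshd_config.good" "$TMP/su.wheel"     # ok
```

Running the audit is not a substitute for the second-session test the reply recommends, because the running daemon only picks up sshd_config changes when it is reloaded; it does tell you whether the file you are about to reload says what you think it says.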
  6. duranduran

    duranduran Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    How can I block the root user from accessing the WHM panel?
     