The Community Forums


Hacked or not?

Discussion in 'General Discussion' started by gvard, Jan 11, 2008.

  1. gvard

    gvard Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2003
    Messages:
    195
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Athens/GREECE
    cPanel Access Level:
    DataCenter Provider
    Greetings from Greece,

    There seems to be a strange issue with one of our servers. Yesterday afternoon I received an e-mail from ConfigServer Security & Firewall with the following:

    This was an unauthorised connection from an unknown server. I immediately logged in to my server to see what had happened...

    In /var/log/secure I saw the following:

    SSH (protocol 2) runs at a custom port. The things that are strange are the following:

    1) The root password consists of 15 scrambled characters and, according to the logs, the user guessed the password in only 3 tries!

    2) I immediately changed the root password and ran rkhunter with no strange results. I did a security check on the server without finding anything strange (I also checked all the logfiles of the hosted domains in /usr/local/apache/domlogs and didn't find this IP anywhere).

    3) According to /var/log/secure the user stayed online for less than a minute, but I can't see him in the output of "last -a"!

    12 hours passed and nothing strange happened on the server. Then Alertra suddenly sent me an e-mail that the page size of the server's main IP (the default cPanel page) had changed. The changes were the following:

    Old default cPanel code sample:

    New default cPanel code sample:
    5 minutes later Alertra notified me that the default cPanel page had changed back to normal. Since then this has happened once every hour (it changes to a page with different JavaScript and then, after 2-3 minutes, changes back).

    The file /usr/local/apache/htdocs/index.html doesn't contain any JavaScript code as far as I can see, and it was last changed several months ago. The server also runs PHP5 with suPHP, so I don't know whether a CMS exploit could apply in this case.

    Any ideas? Nothing else has appeared in the hosted sites and I don't know what has happened :(
     
    #1 gvard, Jan 11, 2008
    Last edited: Jan 11, 2008
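Added example (not part of gvard's post or any cPanel/CSF tooling): a Python script that performs the cross-check implied by points 1 and 3 above. It parses sshd "Accepted"/"Failed" lines in the /var/log/secure format and the session lines of `last -a`, counts how many failed attempts from the same address preceded each successful login, and reports any accepted login that has no wtmp session within a couple of minutes of it. The log lines, the `last -a` output, the hostname host5 and the IP addresses below are constructed for the example (documentation ranges, RFC 5737).

```python
"""Cross-check sshd logins in /var/log/secure against the wtmp sessions shown by `last -a`.

Added example for the thread above (not from the original post). The log lines
and `last -a` output below are constructed to mirror what gvard describes;
the IP addresses are documentation ranges (RFC 5737).
"""
import re
import subprocess

# sshd auth lines as OpenSSH writes them to /var/log/secure via syslog
SECURE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# one session line of `last -a`: user, tty, weekday, month, day, HH:MM ... host (or kernel) last
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>.+?)\s+(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d)\b.*?(?P<host>\S+)$"
)

# Constructed sample data (not real logs from the server in the thread).
SAMPLE_SECURE = [
    "Jan 10 09:13:02 host5 sshd[19801]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2",
    "Jan 10 15:02:11 host5 sshd[21544]: Failed password for root from 203.0.113.45 port 51012 ssh2",
    "Jan 10 15:02:14 host5 sshd[21544]: Failed password for root from 203.0.113.45 port 51012 ssh2",
    "Jan 10 15:02:17 host5 sshd[21544]: Accepted password for root from 203.0.113.45 port 51012 ssh2",
    "Jan 10 15:02:17 host5 sshd[21544]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jan 10 15:02:58 host5 sshd[21544]: pam_unix(sshd:session): session closed for user root",
    "Jan 10 16:40:01 host5 sshd[22010]: Failed password for invalid user admin from 198.51.100.7 port 33012 ssh2",
]
SAMPLE_LAST = [
    "root     pts/0        Thu Jan 10 09:13 - 09:40  (00:27)     192.0.2.10",
    "root     pts/1        Wed Jan  9 22:01 - 22:15  (00:14)     192.0.2.10",
    "reboot   system boot  Mon Jan  7 03:11                      2.6.21-1.3194.fc7",
    "",
    "wtmp begins Mon Jan  7 03:11:06 2008",
]


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def parse_secure(lines):
    """Return the sshd Accepted/Failed events in file order as dicts."""
    return [m.groupdict() for m in (SECURE_RE.match(l) for l in lines) if m]


def parse_last(lines):
    """Return the session records from `last -a` output, skipping the trailer."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith("wtmp begins"):
            continue
        m = LAST_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def ghost_logins(secure_lines, last_lines, slack_min=2):
    """Accepted sshd logins with no wtmp session for the same user/host within slack_min minutes.

    Each result also carries 'tries': failed attempts from that address for that
    user immediately before the success, plus the success itself.
    """
    sessions = parse_last(last_lines)
    failures = {}  # (user, ip) -> consecutive failed attempts so far
    ghosts = []
    for ev in parse_secure(secure_lines):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key] = failures.get(key, 0) + 1
            continue
        tries = failures.pop(key, 0) + 1
        matched = any(
            s["user"] == ev["user"] and s["host"] == ev["ip"]
            and s["mon"] == ev["mon"] and int(s["day"]) == int(ev["day"])
            and abs(_minutes(s["time"]) - _minutes(ev["time"])) <= slack_min
            for s in sessions
        )
        if not matched:
            ghosts.append({"user": ev["user"], "ip": ev["ip"], "method": ev["method"],
                           "when": f'{ev["mon"]} {ev["day"]} {ev["time"]}', "tries": tries})
    return ghosts


def check_live_system(secure_path="/var/log/secure"):
    """Run the same check against the real files (needs root; not used by the sample data)."""
    with open(secure_path, errors="replace") as fh:
        secure_lines = fh.read().splitlines()
    last_out = subprocess.run(["last", "-a", "-i"], capture_output=True, text=True, check=True).stdout
    return ghost_logins(secure_lines, last_out.splitlines())


if __name__ == "__main__":
    for g in ghost_logins(SAMPLE_SECURE, SAMPLE_LAST):
        print(f"accepted {g['method']} login for {g['user']} from {g['ip']} at {g['when']} "
              f"after {g['tries']} attempt(s), but no wtmp session: possible log tampering")
```

On the sample data the 15:02 root login from 203.0.113.45 is reported as a ghost after 3 attempts, while the 09:13 key login matches its wtmp session. `last -a -i` is used so the host column is an address rather than a resolved name, which is what /var/log/secure records. The check is a consistency test, not proof of integrity: it catches a cleanup that scrubbed wtmp but left syslog alone, but a kernel-level rootkit can filter what both `last` and `cat` return, so copy the log files to a clean analysis host (the script is written for Python 3 and would not run on the Fedora 7 box's Python 2) before trusting what they show.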
  2. Hispalab

    Hispalab Well-Known Member

    Joined:
    Apr 17, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Madrid -Spain
    If the hacker knew your root password after only 3 tries!
    :eek:
    Think about this.... Probably they have a sniffer on your hosting network, or it is an "ex"... ex-wife, ex-secretary, ex-worker, ex...

    Regards,
     
  3. gvard

    Hello,

    No ex-* here that has or had access to this kind of information. Any ideas on what makes the index page change (or inserts the JavaScript code remotely via a module or something) and then change back (what does it change back from, a cPanel script?)?
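Added example (not from gvard or the thread) for the question above: a Python check that compares the page Apache is actually serving with the file on disk (/usr/local/apache/htdocs/index.html in the post) and lists the `<script>`/`<iframe>` elements that appear in the served copy but not in the file, together with the external URLs they load. Run hourly, it records what the injected JavaScript is rather than only that the page size changed. The two HTML documents, the 203.0.113.99 host and the file names are constructed for the example.

```python
"""Compare the page Apache serves with the index.html on disk and report injected active content.

Added example for the thread above (not from the original post). The HTML below is
constructed; 203.0.113.99 is a documentation address (RFC 5737).
"""
import hashlib
import re
import urllib.request

# <script ...>...</script> and <iframe ...>...</iframe>, case-insensitive, spanning lines
ACTIVE_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed stand-in for the clean /usr/local/apache/htdocs/index.html from the post.
BASELINE_HTML = """<html><head><title>Default Web Site Page</title>
<script type="text/javascript">var page = "default";</script></head>
<body><h1>Default Web Site Page</h1>
<p>There is no website configured at this address.</p>
</body></html>"""

# Constructed stand-in for what the monitor saw during one of the hourly changes.
OBSERVED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="http://203.0.113.99/c.js"></script>\n'
    '<iframe src="http://203.0.113.99/f.html" width="1" height="1"></iframe>\n</body>',
)


def active_content(html):
    """Whitespace-normalised <script>/<iframe> elements in document order."""
    return [re.sub(r"\s+", " ", m.group(0)).strip() for m in ACTIVE_RE.finditer(html)]


def injected_elements(baseline_html, observed_html):
    """Active elements present in the served page but absent from the on-disk file."""
    known = set(active_content(baseline_html))
    return [e for e in active_content(observed_html) if e not in known]


def external_sources(elements):
    """Sorted, de-duplicated src= URLs referenced by the given elements."""
    return sorted({m.group(1) for e in elements for m in SRC_RE.finditer(e)})


def fingerprint(html):
    return hashlib.sha256(html.encode("utf-8", "replace")).hexdigest()


def compare(baseline_html, observed_html):
    """Summary dict: whether the bytes differ, which elements were injected, and from where."""
    injected = injected_elements(baseline_html, observed_html)
    return {
        "changed": fingerprint(baseline_html) != fingerprint(observed_html),
        "injected": injected,
        "sources": external_sources(injected),
    }


def fetch_and_compare(url, path="/usr/local/apache/htdocs/index.html", timeout=10):
    """Live check of served copy vs on-disk copy. Not exercised by the sample data."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        on_disk = fh.read()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        served = resp.read().decode("utf-8", "replace")
    return compare(on_disk, served)


if __name__ == "__main__":
    result = compare(BASELINE_HTML, OBSERVED_HTML)
    print("page changed:", result["changed"])
    for element in result["injected"]:
        print("injected:", element)
    for src in result["sources"]:
        print("loads from:", src)
```

If the file on disk reads clean (as gvard reports) while the served copy carries extra elements, the injection is happening somewhere between the file and the socket, for example in an Apache module, a modified httpd binary, or the kernel, and a diff of the served copy against the file is the quickest way to see exactly what is being added. Reading the file through the possibly compromised kernel has the same caveat as any other check on the box: it can be lied to, so keep a copy of both the served and on-disk versions off-host.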
     
  4. gvard

  5. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    What OS and kernel are you using? Did you try the history command to see what was done? It is probably a bot that logged in and ran some type of script or commands. There's a good chance it got rid of its tracks, however.
     
  6. gvard

    Well, nothing can be seen in the history either. It seems to be a rootkit named Suckit, since I'm not able to create directories/files whose names consist only of numbers:

    [root@host5 ~]# mkdir 2
    mkdir: cannot create directory `2': No such file or directory

    ... I'm going for a format/reinstall, unless someone knows how to remove the rootkit.
     
  7. gvard

    btw, I'm using Fedora release 7 and a 2.6.21 kernel; suckit gets installed in the kernel :(
     
  8. ramprage
