The Community Forums


hacked server

Discussion in 'General Discussion' started by sphost, Jul 8, 2009.

  1. sphost

    sphost Well-Known Member

    Joined:
    Jan 19, 2004
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    My server was hacked by backd00red; they gained access to the server and changed the root password, and they defaced most sites on the server!
    How could they access root? I have a very strong password.

    My question: how do I secure the server now, after it is reinstalled?

    thanks

    Tom
     
  2. wonker

    wonker Active Member

    Joined:
    Dec 5, 2007
    Messages:
    29
    Likes Received:
    2
    Trophy Points:
    3
    Maybe with the latest OpenSSH exploit that is rumoured all over the web?
     
  3. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    Was everything updated? Do you run the latest kernel on your machine? Did you do anything towards security on your server, or did you let it do its own thing after you ordered it?
     
  4. UBERHOST

    UBERHOST Well-Known Member

    Joined:
    Jan 13, 2008
    Messages:
    102
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    California, US
    A good reason to have "PasswordAuthentication=no" in sshd_config and use keys instead.
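    To make the setting above something you can check rather than a one-line tip, here is an added example (my own code, not from this thread, cPanel or OpenSSH) that parses an sshd_config text the way sshd does for the keywords that matter here. It assumes current OpenSSH keyword names and defaults (PermitRootLogin has defaulted to prohibit-password since OpenSSH 7.0; earlier it was yes), and the three sample configs in it are constructed. Two details that catch people are built in: sshd keeps the first value it sees for a keyword, so a hardening line appended below an earlier `PasswordAuthentication yes` changes nothing, and keywords inside a `Match` block are conditional and are not audited.

```python
"""Audit the global section of an sshd_config the way sshd reads it.
Added example for this thread; not cPanel's or OpenSSH's code.
The three sample configs at the bottom are constructed."""
import re

# Recommended values for the keywords discussed in the post (assumption:
# current OpenSSH keyword names; "without-password" is the older spelling
# of "prohibit-password").
RECOMMENDED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "pubkeyauthentication": {"yes"},
}

# Value sshd uses when the keyword is absent (OpenSSH defaults; PermitRootLogin
# has defaulted to prohibit-password since OpenSSH 7.0, before that it was yes).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
SEPARATOR = re.compile(r"\s*=\s*|\s+")


def parse_global_section(text):
    """Return {keyword: value} for everything before the first Match block.

    sshd uses the FIRST value it sees for a keyword, so a hardening line
    appended after an earlier setting is silently ignored; setdefault()
    reproduces that rule. Keywords inside Match blocks only apply to the
    matched users/hosts and are deliberately not audited here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment lines and blanks
        if not line:
            continue
        parts = SEPARATOR.split(line, maxsplit=1)
        if len(parts) != 2:
            continue                          # malformed line; skip it
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(keyword, effective_value, ok), ...] for the audited keywords."""
    effective = parse_global_section(text)
    findings = []
    for key, good in RECOMMENDED.items():
        value = effective.get(key, DEFAULTS[key])
        findings.append((key, value, value in good))
    return findings


def is_hardened(text):
    """True only when every audited keyword has a recommended value."""
    return all(ok for _, _, ok in audit(text))


# Constructed sample 1: password logins and direct root login both enabled.
WEAK = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample 2: the posture recommended in the post above
# (the last line uses the Keyword=value form, which sshd also accepts).
HARDENED = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication=no
"""

# Constructed sample 3: the hardening line was appended at the end of the file,
# below an earlier "yes", so sshd keeps the first value and nothing changed.
APPENDED_TOO_LATE = """\
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED),
                      ("appended-too-late", APPENDED_TOO_LATE)):
        print(f"{name}: {'hardened' if is_hardened(cfg) else 'NOT hardened'}")
        for key, value, ok in audit(cfg):
            print(f"  {'ok  ' if ok else 'FAIL'} {key} = {value}")
```

    Run it against a copy of /etc/ssh/sshd_config. On the live host, `sshd -T` prints the values sshd will actually use and is the authoritative check, since it also resolves Match blocks. When you flip PasswordAuthentication off, keep an existing session open and confirm a fresh key-based login works before closing it, or you lock yourself out of your own box.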
     
  5. sphost

    sphost Well-Known Member

    Just left it as is!!
     
  6. sphost

    sphost Well-Known Member

    Is there any reliable company out there that offers a server securing service?
     
  7. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I will be glad to take a look and help you clean up the mess and secure your server. Contact me!

    I have more than 30 years field experience in network and server security, written
    many network security books, teach on the subject, and own several computer security
    consulting firms with clients around the globe so I am definitely in a position to help
    you recover and can show you a lot of things you maybe didn't think about originally
    that may or may not have led to the current breach. The bigger question is if you
    fully grasp the extent of your current situation you just described? There is also a
    very good chance that whoever got into your server also installed backdoors for
    themselves to regain access again at a later date and that will also need to be
    determined and closed out in addition to hardening the security on your server.

    Don't worry about any money at the moment, I am more concerned with
    stopping attacks like these and I am only glad to help and can give you a
    very big helping hand working through this issue. We need to get your server
    back to a safe state and get you much better security so you don't have to
    go through this again. I am most concerned that you may have far more issues
    than you are aware (or even begin to grasp at the current moment) since I have
    dealt with the clean up of thousands of these sort of attacks. I would almost
    guarantee your server now has a huge number of backdoors and other security
    compromises already in place to be concerned about above and beyond the
    original path of exploit and that is what I would be most concerned about first.
    If these issues are not handled properly right now, you are just going to run
    into the same situation again or far worse. Once that is addressed then the
    fun task of cleanup can press forward and then server security hardening so
    that this becomes an isolated incident that doesn't repeat for you.

    I will be on for another few hours and keep an eye on private messages
    if you want to reach me. I'll also send you a message on how to reach me.

    EDIT: Regarding italics above. I'm going offline now but will be back tomorrow
     
    #7 Spiral, Jul 8, 2009
    Last edited: Jul 8, 2009
  8. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18
    Please list each one including ISBN.

    Please list each one to include URLs.
     
  9. Spiral

    Spiral BANNED

    JPetersen:

    I would love to answer your questions, but the last time my identity
    slipped out publicly online it was a huge mistake, and I am very
    careful now about what I let slip and choose my words very carefully and
    very deliberately for good reason. Don't think I am blowing you off,
    because I am here and now giving you a thoughtful personal answer.

    Someone I helped a few years ago and later flew up to meet me
    posted my identity the next week and I got rushed with thousands of
    "help me", "can I hire you", and "how do you security this or that" and
    general fan lore questions which to be honest was a bit overwhelming.
    I would prefer not to get into all that all over again so I am sure you
    can respect my interest in privacy.

    If you are really that curious though, it is not exactly rocket science to
    figure out who I am just on what side facts you already know about me
    and my writings and posts in this and dozens of other forums but I would
    prefer you leave that to your own quiet speculation. Many thanks. :cool:

    Anyway, to your larger and unspoken question ...

    I am here first and foremost because I enjoy helping people and I do what
    I can to help those who really need help concentrating the most on
    those people I feel need the help the most. Most of these people would
    not be able to afford hiring anyone at my level so they have really nowhere
    to turn other than to scout online help forums (like this one and dozens
    of other similar forum communities) out there.

    I have a different name in every forum community but you can be sure
    that I monitor a great many of them as these are the place you find people
    with the most questions and in the most need and I help people where I can.

    If you doubt any of that, just read all my posts here posted through the years.

    Now in the case of sphost, he got hit with an unexpected attack per his post
    above and clearly thought his security was "good enough" which it obviously
    wasn't and that is good enough for me. Under those conditions, I'll help anyone
    that asks for my help assuming they can get my attention but I watch these
    forums fairly close so it is not all that hard to do.

    -Spiral

    PS: Incidentally, for those who have a need to know, I do let them know,
    and most of those people and the people I choose to help and there have
    been many through the years, most I can now consider friends,
    some very close friends.
     
    #9 Spiral, Jul 8, 2009
    Last edited: Jul 8, 2009
  10. jpetersen

    jpetersen Well-Known Member

    I do know who you are, and googling for "your name" (with quotes) and "author" does not return any results of books written by you. Please send me a PM with the names of the books you have authored, including ISBN. I promise I will not share this information with anyone, and I will not ask you to help me, or ask about hiring you, or ask about how to do anything that pertains to security. If your books sound interesting, I would purchase them instead so that you can be rewarded for your efforts.

    Thanks.
     
  11. sphost

    sphost Well-Known Member

    Sorry to bump the thread once again. Anyone know?
     
  12. ckh

    ckh Well-Known Member

    Joined:
    Dec 6, 2003
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Phoenix, AZ
    cPanel Access Level:
    DataCenter Provider
  13. Spiral

    Spiral BANNED

    As I told you, I'll help you with that! :rolleyes:

    I can give you a long list of people and companies that can help you
    but there are very few, if any, that could help you to the extent that
    I can and I am not asking for any money either which is a plus for you.

    Just to give you other options, ckh's recommendation of asking Chirpy for
    help isn't a bad idea and I have known Chirpy plenty long enough and I
    have seen his work enough first hand to vouch for him. I also routinely
    use his firewall script myself. PlatinumServerM, also around here, has
    reasonable enough experience to help you with this issue and has his own
    server management company as well. A friend of mine, Crosswinds, might
    be able to help you. I don't know if he would take you on since his interests
    lie elsewhere but Crosswinds is one of the very few people I can talk to on
    a peer level and that says a whole lot actually and I know he would have
    the necessary skills to help you out and be able to rip through your server
    and get you back where you need to be with real security added in the
    process along the way. These are the few people around here that I would
    personally trust outside myself. ;)

    If you are feeling a bit paranoid or otherwise just wanting to do everything
    yourself, that is fine. Talk to me and I'll still try to guide you through
    the steps of where to go, what to look for, what to update, and what
    you need to know to get your server fixed and heavily secured. If you
    are lucky, maybe find out exactly how you were originally hacked if you
    haven't already destroyed the evidence the hacker may have left behind.
     
  14. sphost

    sphost Well-Known Member

    Thanks a lot for your recommendation.

    Spiral, I really appreciate your offer; the thing is that the server was formatted and my DC did a reinstall, so what I am basically looking for is someone to secure my server, not to restore it.

    As for your free offer, I do appreciate it as well, but I prefer to pay for what I get. While IT IS so kind of you, I still really can't accept that. However, if you are serious about helping me to do it myself, this will make me learn a lot. I recommend that you post a SECURE YOUR SERVER type of thread in public so other people benefit from it as well, like this thread, which is very useful, but unfortunately I did all that is mentioned there and my server still got hacked, so it looks like there is a lot more to be done.
     
  15. Spiral

    Spiral BANNED

    That would be my primary professional specialty! :D

    I could help you diagnose the issue and track down the source of the
    original attack but if you already reloaded the server, there is not much
    use in that so yes the next step would be to secure the server and
    I definitely can help you with that far beyond your wildest dreams.

    Generally it is good to dig through things for forensic purposes before
    blowing away the server but since you've already jumped ahead,
    not much can be done other than to press forward with getting
    you re-setup again and secured so this doesn't happen again.

    There is absolutely a WHOLE LOT more to be done!

    If you have read my posts here, you will see that I often address
    many issues that are often overlooked. While the "secure your server"
    type threads here and elsewhere are useful for the basics, they often
    overlook many of the more important areas where you might be vulnerable
    and the hackers out there aren't going to be so ignorant. The bigger
    thing to know and understand is "how things work" and the reasons why
    there are vulnerabilities. A hacker doesn't think about where you have
    secured your server so much as what you may have missed.

    Regarding posting a thread, I'm actually in the process of doing much
    better than that. I have a new book that is coming out soon that
    will have a CD that automatically secures everything for Linux servers
    particularly those running cPanel or Plesk. Once we get the bugs
    worked out in that program and some of the licensing issues, I'm
    considering posting a link to downloading it on here so that may
    be coming along fairly soon.

    Now regarding your mentioning "you did all", I would like to sit down
    with you and discuss exactly everything you can remember you did
    originally as that will give me some insight as to your original configuration,
    the areas you may have missed, and where you more likely got hacked,
    and also would tell me what areas I may need to bring you more up to
    speed on and get you to strengthen your understanding.

    Regarding your offer to pay, I won't rescind my offer but I'll do it this way.
    If you think my help to you is valuable, you can go ahead and pay me
    what you think it is worth to you. Fair enough?

    I'll be offline for the next hour or so as there is a place I need to be
    but I'll be online most of this evening if you want to try to catch up
    to me. I left you a message yesterday with my contact info so that
    you can reach me outside of the private messages here.
     
  16. sphost

    sphost Well-Known Member


    this was basically what i did http://forums.cpanel.net/f7/beginners-guide-securing-your-server-30159.html
     
  17. ddmd

    ddmd Registered

    Joined:
    Jul 11, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Maybe they did not find your root password but another user's password, and exploited some local vulnerability to get root?

    Did you check your logs to see if they brute forced it? As far as monitoring, this is what I just posted on another thread:

    I had a similar problem a while ago and used the OSSEC tool (open source) to find all offending packages. It has a nice rootkit/worm/exploit detection tool in there....

    After that, I kept that running with Snort and ModSecurity (all open source) to monitor my systems. I lately also found Sucuri to remotely check if my sites have been defaced, blacklisted, etc.

    links:
    Welcome to the Home of OSSEC
    ModSecurity: Open Source Web Application Firewall
    Snort :: Home Page
    Sucuri information security (BETA)
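    ddmd's advice to check the logs for brute forcing can be scripted. The block below is an added example (my own code, not ddmd's and not OSSEC's) that scans sshd log lines in the format Fedora/RHEL systems write to /var/log/secure (Debian-family systems: /var/log/auth.log). It counts failed password attempts per source address and, more usefully for a case like this one, raises a separate alert for an `Accepted password` from an address that had already failed repeatedly, which is what a guessing attack that worked looks like. The log lines are constructed with RFC 5737 documentation addresses, and the threshold of five attempts is an assumption to tune. One caveat: once an attacker has root, local logs can be edited or truncated, so an empty result on a rooted box proves nothing, which is one reason agents such as OSSEC ship events to a separate host.

```python
"""Spot SSH password brute forcing, and a brute force that succeeded, in sshd
log lines. Added example for this thread (not ddmd's code, not OSSEC); the log
lines below are constructed with RFC 5737 documentation addresses."""
import re
from collections import defaultdict

# sshd's standard messages as written to /var/log/secure (Fedora/RHEL family)
# or /var/log/auth.log (Debian family).
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyse(lines, threshold=5):
    """Return a list of alert dicts.

    Two things are reported: any source address with >= threshold failed
    password attempts (the brute force itself), and an 'Accepted password'
    from an address that had already failed, which is the signature of a
    guessing attack that worked. Accepted publickey logins are not flagged,
    since a key cannot be guessed this way.
    """
    failures = defaultdict(int)   # source ip -> failed attempts so far
    users = defaultdict(set)      # source ip -> usernames it tried
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures.get(ip, 0) > 0:
                alerts.append({"type": "success_after_failures", "ip": ip,
                               "user": user, "failures_before": failures[ip]})
    for ip, count in failures.items():
        if count >= threshold:
            alerts.append({"type": "brute_force", "ip": ip,
                           "attempts": count, "users": sorted(users[ip])})
    return alerts


# Constructed sample log: six guesses from one address, then a successful
# password login as root from the same address, then an unrelated key login.
SAMPLE_LOG = [
    "Jul  8 03:14:07 srv sshd[2345]: Failed password for root from 198.51.100.23 port 51234 ssh2",
    "Jul  8 03:14:09 srv sshd[2346]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2",
    "Jul  8 03:14:11 srv sshd[2347]: Failed password for root from 198.51.100.23 port 51244 ssh2",
    "Jul  8 03:14:13 srv sshd[2348]: Failed password for invalid user test from 198.51.100.23 port 51250 ssh2",
    "Jul  8 03:14:15 srv sshd[2349]: Failed password for root from 198.51.100.23 port 51255 ssh2",
    "Jul  8 03:14:17 srv sshd[2350]: Failed password for root from 198.51.100.23 port 51260 ssh2",
    "Jul  8 03:15:02 srv sshd[2360]: Accepted password for root from 198.51.100.23 port 51300 ssh2",
    "Jul  8 03:20:11 srv sshd[2400]: Accepted publickey for tom from 203.0.113.5 port 40000 ssh2",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

    On a real host, feed it the current file plus the rotated copies, for example `analyse(open("/var/log/secure").read().splitlines())`, since a compromise found days later is often only visible in secure.1 or the gzipped rotations. A `success_after_failures` alert is the line worth acting on first: it tells you which account and source address to check against the time the defacement appeared.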
     
  18. Spiral

    Spiral BANNED

    Sphost was (and still is, unfortunately) using an obsolete, almost EOL version
    of Fedora and the BIND server had originally not been patched or secured
    in the original server configuration and the hackers had used an old exploit
    to gain a root shell via a DNS attack. It would not have worked on most
    servers today so they were actually lucky finding his server.

    His server has now been fully secured and the vulnerable areas have
    been manually patched and reconfigured so the previous vulnerabilities
    no longer exist, the server fully hardened, and an extensive list of
    defensive technologies have been put in place to help protect him
    from future exploit and hacking attempts.

    He's in a lot better shape now and has also been upgraded in the process
    to Apache 2.2.11 along with Suhosin hardened suPHP and other goodies
    including well configured firewall and port scan monitors, root kit detectors,
    intelligent traffic monitoring, self updating protection, and other fun stuff.
     