The Community Forums

Interact with an entire community of cPanel & WHM users!

Hacked?

Discussion in 'General Discussion' started by encryption, Feb 5, 2009.

  1. encryption

    encryption Well-Known Member

    Joined:
    Jun 24, 2005
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    I have a strong suspicion one of my servers has been compromised. I just received an email message from WHM/cPanel telling me that a new user account was created. Below are the details of the account:

    //////////////

    +===================================+
    | New Account Info |
    +===================================+
    | Domain: x1x6.com
    | Ip: ************ (n)
    | HasCgi: y
    | UserName: x1x6com
    | PassWord: ***HIDDEN***
    | CpanelMod: x
    | HomeRoot: /home
    | Quota: 0 Meg
    | Contact Email: ipconfig_01@hotmail.com
    | Package: default
    | Feature List: default
    | Language: english
    +===================================+
    Account was setup by: root (root)

    //////////////

    I did not create this account and it appears it was set up by "root". However, when I log in via SSH, the last logged-in IP was mine and I do not see any other users logged in. Moreover, I have a script that alerts me on root logins to the server via SSH (which is also on a non-standard port).

    I have combed through the CPanel access logs and it appears he was somehow able to gain access to WHM/CPanel via http (not https) port 2086 and was using an unused IP address available on the server.

    Any ideas how I can dig deeper into this (considering he still doesn't have SSH access)? I have already banned the IP address via CSF, though I'm curious how he managed to gain access to the server via WHM by escalating his account.
     
    #1 encryption, Feb 5, 2009
    Last edited: Feb 7, 2009
  2. zigzam

    zigzam Well-Known Member

    Joined:
    May 9, 2005
    Messages:
    206
    Likes Received:
    0
    Trophy Points:
    16
    Seen the same thing a few months back when one of my servers was hacked. Never found the method of entry and everything was up to date.
     
  3. drkm

    drkm Member

    Joined:
    Jan 21, 2009
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Sounds interesting. Any more details?
     
  4. Voltar

    Voltar Well-Known Member

    Joined:
    Apr 30, 2007
    Messages:
    269
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bakersfield, California
    I would consider the box untrusted until you can confirm for sure if anything else was compromised. Run rkhunter/chkrootkit and look for anything modified, change your root password, etc. If you have the ability, see if you can get your datacenter to boot a live CD and a KVM/IP, and do your checks using known good media/files, as it would be easy for someone with root access to 'spoof' a clean bill of health output from a rootkit checker.

    Also, if you are using CSF for a firewall, you could easily block traffic to your unused IPs. Furthermore, you may want to enable ssl redirection in WHM's tweak settings so cPanel/WHM http will be redirected to https (sans the proxy subdomains if you have them enabled).
     
  5. encryption

    encryption Well-Known Member

    Joined:
    Jun 24, 2005
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    I've had the datacenter run a few checks and they say that this person probably gained access via mod_frontpage older than 1.6.1 which is vulnerable to a buffer overflow and may have given the attacker root access.

    They also said

    ////////

    I was unable to find any useful information in your logs that would help in determining how your server was compromised. I ran a rootkit checker and did not find any rootkits on your machine. I suspect that your server was either compromised via an exploit that is not yet known, the frontpage module, or a virus on your machine that logged your root password.

    ////////

    So I don't know if I should reformat the entire box or just wait and watch. It's going to be a major PITA to move to a new machine with 50+ clients on this one alone.
     
    #5 encryption, Feb 7, 2009
    Last edited: Feb 7, 2009
  6. encryption

    encryption Well-Known Member

    Joined:
    Jun 24, 2005
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, I have disabled the use of the unused IP and the redirect was already in place, so I don't know how he could have still used the non-SSL port to log in to WHM.

    The attacker from this IP address 94.97.169.235 is from Saudi Arabia (based on the IP-geo-location lookup) but it could well be spoofed.

    Can any of the cPanel staffers offer some guidance on where to poke in order to see how this person got in? Is there a way WHM can email you if someone logs into WHM? At this stage I feel like a sitting duck, not knowing if this person has actually logged into WHM or not from a different IP.

    Is there any way to detect who has logged into WHM and from what IP, or even to have the number of simultaneous WHM users displayed right where the OS / cPanel information and server load are displayed in the top right corner?
     
    #6 encryption, Feb 7, 2009
    Last edited: Feb 7, 2009
  7. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Well, as a first counter-measure, you should change WHM/SSH passwords and make them strong enough (let's say, 18 alphanumeric chars only you can remember or have well noted in an encrypted Excel/Word file).

    As for the logins to whm, you can check /usr/local/cpanel/logs/access_log

    Frontpage modules are a source of headaches because letting it work with default configuration is a malware magnet. You can deactivate it and only activate for specific users.
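As an added example (not cPanel's own tooling, and not code posted by anyone in this thread) of how to get the answer encryption asked for in #6 from the file Kent points at: the script below reads lines in the layout of /usr/local/cpanel/logs/access_log, groups authenticated WHM requests by user and source IP, flags sessions that came in over the plain-HTTP port 2086 or from outside an allowlist of trusted networks, and lists requests that hit the account-creation handler. The log layout, the sample lines, the allowlist and the `wwwacct` path used to spot account creation are all assumptions made for this example; check the regex against a real line from your own access_log before trusting its output.

```python
"""Summarise WHM logins from a cPanel-style access log and flag risky ones.

Added example, not cPanel's own tooling. The field layout below is an assumption
modelled on a combined-style access log with the listener port quoted at the end:
  client_ip - user [timestamp] "request" status bytes "referer" "user_agent" "port"
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

WHM_PORTS = {"2086", "2087"}                 # WHM plain-HTTP and HTTPS listeners
PLAINTEXT_PORTS = {"2086", "2082", "2095"}   # non-TLS WHM / cPanel / webmail ports
ACCOUNT_CREATE_MARKER = "wwwacct"            # assumed: the WHM create-account handler path

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<port>\d+)"$'
)

# Constructed sample lines (documentation-range IPs); not taken from a real server.
SAMPLE_LOG = """\
203.0.113.10 - root [02/05/2009:10:12:01 -0000] "GET /scripts/listaccts HTTP/1.1" 200 512 "-" "Mozilla/5.0" "2087"
203.0.113.10 - root [02/05/2009:10:12:09 -0000] "POST /scripts/wwwacct HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "2087"
198.51.100.77 - root [02/05/2009:11:30:44 -0000] "GET /login/ HTTP/1.1" 200 1024 "-" "curl/7.19.5" "2086"
198.51.100.77 - root [02/05/2009:11:30:59 -0000] "POST /scripts2/wwwacct HTTP/1.1" 200 2048 "-" "curl/7.19.5" "2086"
203.0.113.10 - x1x6com [02/05/2009:12:01:00 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "2083"
"""


def parse_access_log(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # Assumed timestamp layout: month/day/year:HH:MM:SS with a numeric offset.
        e["when"] = datetime.strptime(e["ts"], "%m/%d/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def whm_sessions(entries):
    """Group authenticated WHM requests by (user, source IP) with first/last seen times."""
    sessions = {}
    for e in entries:
        if e["port"] not in WHM_PORTS or e["user"] == "-":   # "-" = not yet logged in
            continue
        s = sessions.setdefault((e["user"], e["ip"]),
                                {"first": e["when"], "last": e["when"], "requests": 0, "ports": set()})
        s["first"] = min(s["first"], e["when"])
        s["last"] = max(s["last"], e["when"])
        s["requests"] += 1
        s["ports"].add(e["port"])
    return sessions


def audit_whm(entries, trusted_cidrs):
    """Flag WHM sessions from outside the trusted networks or over a non-TLS port."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for (user, ip), s in whm_sessions(entries).items():
        if not any(ip_address(ip) in net for net in trusted):
            findings.append(("untrusted_ip", user, ip))
        if s["ports"] & PLAINTEXT_PORTS:
            findings.append(("plaintext_login", user, ip))
    return findings


def account_creations(entries):
    """Requests that hit the (assumed) create-account handler, with who/where/when."""
    return [{"user": e["user"], "ip": e["ip"], "when": e["when"], "request": e["req"]}
            for e in entries if ACCOUNT_CREATE_MARKER in e["req"]]


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_LOG)
    for (user, ip), s in whm_sessions(log).items():
        print(f"{user}@{ip}: {s['requests']} requests, ports {sorted(s['ports'])}, "
              f"{s['first']:%Y-%m-%d %H:%M} .. {s['last']:%H:%M}")
    for kind, user, ip in audit_whm(log, ["203.0.113.0/24"]):
        print(f"FINDING {kind}: {user} from {ip}")
    for c in account_creations(log):
        print(f"ACCOUNT CREATED by {c['user']} from {c['ip']} at {c['when']:%H:%M:%S} ({c['request']})")
```

Run it against the real file with `python3 whm_audit.py < /dev/null` adapted to read `/usr/local/cpanel/logs/access_log` instead of `SAMPLE_LOG`, and put your own management addresses in the allowlist; on the constructed sample it reports the root session from the untrusted address over port 2086 and both account-creation requests.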
     