The Community Forums


Hacked!!!

Discussion in 'General Discussion' started by vishal, Dec 24, 2003.

  1. vishal

    vishal Well-Known Member

    Joined:
    Jan 28, 2003
    Messages:
    340
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Hello All,

    Wishing you all a Merry Christmas :)

    My server got hacked yesterday. The hacker replaced all the index.html files, including cPanel's skin files. I found a script called cancer.txt and many other scripts, including Suckit. I managed to remove all the scripts.

    The next step I took was to submit a ticket to the data center to re-install the OS without formatting, which they did, and my server was back. My idea in doing this was to get a new drive attached as /backup to back up all the sites, so that I could easily restore the sites and my downtime would be less.

    The data center did something different, and all I have now is a new drive with Red Hat 9.0 and cPanel installed. My old HDD with all the data was mounted as /old/var, /old/home and so on...

    Now the only option I can think of is manually creating the accounts and copying the folders from /old/home to /home.
    I have around 550 accounts on the server.

    Can you all suggest anything I could do to restore the accounts as they were before?

    Thank you,
     
  2. cyon

    cyon Well-Known Member
    PartnerNOC

    Joined:
    Jan 15, 2003
    Messages:
    320
    Likes Received:
    0
    Trophy Points:
    16
    I was hacked also.
    There was Suckit and another rootkit.
    There must be a hole in cPanel; this is not the first post about being hacked...
     
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    One question...did you all have the latest kernel installed?
     
  4. cyon

    cyon Well-Known Member
    PartnerNOC

    Joined:
    Jan 15, 2003
    Messages:
    320
    Likes Received:
    0
    Trophy Points:
    16
    Yes, I have 2.4.20-24.8
     
    #4 cyon, Dec 24, 2003
    Last edited: Dec 24, 2003
  5. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Did they just upload the rootkits to your /tmp directory, or did they actually manage to take control of your server and replace index.html pages, etc.?
     
  6. vishal

    vishal Well-Known Member

    Joined:
    Jan 28, 2003
    Messages:
    340
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Yes, this is what they did to me: replaced all index files, and other rootkits.

    Thanks,
     
  7. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    And you were running the latest kernel?
     
  8. eperdeme

    eperdeme Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Manchester, UK
    cPanel Access Level:
    DataCenter Provider

    That is an old kernel that's exploitable. Be a real man and install FreeBSD, you know it's the right thing to do.
     
  9. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16

    Get away from the roothat default kernels. They pretty much suck.
     
  10. incastle

    incastle Registered

    Joined:
    Jun 10, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I was hacked also by techteach, who replaced my index.*,
    destroyed my DNS and fried other goodies. I too am trying to figure out how to move all
    the important things from slave to master.
     
  11. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    What kernel were you running? Any idea how they compromised your machine? Do you have shell accounts?
     
  12. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    You could copy all of the /var/named/ files to the master and chown -R named:named all of them. Then copy /etc/named.conf to the master and change all references of slave to master. This would be the quickest way if you do not have a master backup of the master nameserver files.
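The named.conf rewrite kris1351 describes, as an added example that is not part of the thread or of cPanel's own scripts: it turns each `type slave;` zone into `type master;` and drops the `masters { ... };` lines that a master zone must not carry. It assumes single-line `masters` statements as in the constructed sample below; the zone names and addresses are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Rewrites a BIND named.conf copied
# from a slave nameserver so that its zones are served as master.
# Assumes zone blocks use "type slave;" and single-line
# "masters { ...; };" statements, as in the constructed sample below.

# Write a small constructed named.conf fragment (not a real server's file).
write_sample_named_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
};
zone "example.com" {
    type slave;
    file "example.com.db";
    masters { 192.0.2.1; };
};
zone "example.net" {
    type slave;
    file "example.net.db";
    masters { 192.0.2.1; 192.0.2.2; };
};
EOF
}

# Print a converted copy of $1 on stdout:
#  - "type slave;"  becomes "type master;"
#  - whole-line "masters { ... };" statements are removed, because a
#    master zone loads from its file rather than transferring from upstream.
convert_slave_to_master() {
    sed -e 's/type[[:space:]]\{1,\}slave[[:space:]]*;/type master;/' \
        -e '/^[[:space:]]*masters[[:space:]]*{[^}]*}[[:space:]]*;[[:space:]]*$/d' \
        "$1"
}

# Count how many zones of type $2 remain in file $1 (prints 0 when none);
# used to verify the conversion before named is restarted.
count_zone_type() {
    grep -c "type[[:space:]]\{1,\}$2[[:space:]]*;" "$1" || true
}

# Typical use on the rebuilt master (writes to a new file, never in place):
#   convert_slave_to_master /old/etc/named.conf > /etc/named.conf
#   chown -R named:named /var/named
#   named-checkconf /etc/named.conf && service named restart
```

Check the converted file with `named-checkconf` before restarting, and keep the original copy from the old disk; the sed rules are deliberately narrow, so a multi-line `masters` block or a `type slave` spelled with a comment in between will be left for you to fix by hand rather than silently mangled.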
     
  13. incastle

    incastle Registered

    Joined:
    Jun 10, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1

    I did that.
    What are the next steps (move databases, websites themselves, etc.)?
    Not all accounts are showing up.
     
  14. Higgins

    Higgins Well-Known Member

    Joined:
    Jan 31, 2003
    Messages:
    82
    Likes Received:
    0
    Trophy Points:
    6
    It must not be a cPanel bug that got the box hacked, but the group which hacked the server (one of our two) provides a cPanel scanner on their website.

    After the attack on our server I mounted the /tmp directory as "noexec", and we had another attack yesterday, but they couldn't manage to do the same as before.

    Maybe mounting the /tmp directory as "noexec" is a little bit of security against those script kiddies.
     
  15. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    I wonder when the next cPanel stable version will be released.
     
  16. jacob

    jacob Member

    Joined:
    Jan 30, 2003
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
  17. vishal

    vishal Well-Known Member

    Joined:
    Jan 28, 2003
    Messages:
    340
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Buddy, how do we mount /tmp as "noexec"?

    Thanks in advance.
     
  18. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Good point!

    Do you use a shell script to monitor /tmp ? If so, I would be interested in it :)
     
  19. Dillard

    Dillard Well-Known Member

    Joined:
    Feb 26, 2003
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    The Netherlands
    I think it's done in /etc/fstab.

    But I saw another suggestion also, nosuid, but I have no clue where to put this.

    Can anyone tell me?
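Both options go on the /tmp line in /etc/fstab, as Dillard guessed. The following is an added example, not from the thread or from cPanel: it shows the fstab line and a small check that reads a mount table in /proc/mounts format and reports which of `noexec` and `nosuid` are still missing on a mount point. The mount table below is constructed for the example; on a live box pass /proc/mounts instead. It assumes /tmp is its own partition (device name is a placeholder).

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether /tmp carries the
# "noexec" and "nosuid" mount options, reading a table in /proc/mounts
# format (device, mount point, fstype, options, dump, pass).

# Constructed sample mount table: /tmp has nosuid but not noexec.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /home ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
none /proc proc rw 0 0
EOF
}

# Print the mount options of mount point $2 from table $1 (empty if absent).
mount_options_for() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Print, space-separated, whichever of noexec/nosuid are missing on
# mount point $2 according to table $1; prints nothing when both are set.
missing_tmp_options() {
    opts=$(mount_options_for "$1" "$2")
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# The /etc/fstab line that gives a dedicated /tmp partition both options.
# $1 is the device (placeholder; use your real /tmp partition). After
# editing fstab, "mount -o remount /tmp" applies it without a reboot.
fstab_line_for_tmp() {
    echo "$1 /tmp ext3 defaults,noexec,nosuid 1 2"
}

# Typical use on a live server:
#   missing_tmp_options /proc/mounts /tmp      # prints what is still missing
#   fstab_line_for_tmp /dev/sda3 >> /etc/fstab # after removing the old /tmp line
#   mount -o remount /tmp
```

Keep the caveat in mind: `noexec` only stops files under /tmp from being run directly, and `nosuid` only ignores set-uid bits there. A script fed to an interpreter that lives elsewhere is unaffected, so treat this as one layer on top of a current kernel and patched services, not as the fix on its own.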
     
  20. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16