Hacker within cPanel

Discussion in 'General Discussion' started by dev_null, Mar 17, 2007.

  1. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Hi!

    The other day I monitored a hacker while he/she was trying to get access to my network's FTP service. 37376 attempts were made before I decided to permanently block the IP number from which the attack was launched.

    Time of the attack: Around Thu Mar 15 07:15:00 CET 2007
    IP: 208.116.56.10 (cpanelx9.fuitadnet.com)

    I also reported this incident to the ISP, abuse@fuitadnet.com.

    Just wanted to let you know.

    Kind regards,
    Ted Lyngmo
     
  2. gundamz

    gundamz Well-Known Member

    Joined:
    Mar 27, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Ted,

    Install APF with BFD. This will block him out once he reaches 3-5 failed FTP logins.
     
  3. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Thanks, but that won't be necessary. The interesting thing is that the attack was launched from one of cPanel's servers. :eek:
     
  4. gundamz

    gundamz Well-Known Member

    Joined:
    Mar 27, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Probably some automated script.
     
  5. morfargekko

    morfargekko Member

    Joined:
    Jul 3, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Are you really sure? As I see it, it came from fuitadnet.com with the hostname cpanelx9.fuitadnet.com, and that is not the same.
     
  6. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    You might be right.

    It seems like the address (http://208.116.56.10) actually points to an installation of cPanel.
     
  7. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    No doubt :)

    It's worrying that script kids have access to an ISP's servers. :eek:
     
  8. carluk

    carluk Well-Known Member

    Joined:
    Sep 2, 2003
    Messages:
    162
    Likes Received:
    0
    Trophy Points:
    16
    Those are not cPanel's servers, it's a server with cPanel installed. There is a difference.
     
  9. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    That's exactly what I wrote today, 02:33 PM. :)
     
  10. carluk

    carluk Well-Known Member

    Joined:
    Sep 2, 2003
    Messages:
    162
    Likes Received:
    0
    Trophy Points:
    16
    You might have underlined "installation of cPanel" in a post after, but you still said the above. I presume it was simply an English language mistake?
     
  11. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Brute force attacks are common on FTP/SSH. Consider CSF because it has a realtime daemon that monitors for invalid logins. BFD is based on a cron job, so an attack can be hitting your server thousands of times before they're blocked.
     
  12. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Nope. In the earlier posts I assumed it was one of cPanel's servers, but after some contemplation I was prepared to agree with morfargekko, who pointed out the same thing as you did.

    In the message after I also expressed my concerns about script kids having access to the ISP's [or web host's], and not cPanel's, servers.

    Thanks anyway :)
     
  13. dev_null

    dev_null Member

    Joined:
    Mar 15, 2007
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I don't think APF or CSF will be the solution for me since I've got a standalone firewall/router/switch in which I do all my blocking. So far I've done it manually, but the amount of attacks seems to have increased lately, so I might create a realtime daemon that parses the logs and then connects to the F/W and updates the table of blocked IP addresses. Maybe I can reuse some of CSF's parsers though. Thanks for the hint.
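    The realtime approach ramprage recommends over cron-based BFD, and the log-parsing daemon dev_null describes, boil down to the same core: read authentication failures as they are logged, count them per source address within a sliding time window, and hand the address to a block hook the moment the threshold is crossed, so the attacker gets at most `threshold` attempts instead of however many fit between cron runs. The following is an added example illustrating that logic; it is not CSF, BFD or cPanel code and not something any poster in the thread wrote. The pure-ftpd style log lines are constructed for the example, the year 2007 is assumed when parsing syslog timestamps, and the `block_hook` callback stands in for whatever interface the reader's firewall actually offers (dev_null's external firewall is not described in the thread).

```python
"""Sliding-window FTP brute-force detector (added example, not from the thread).

Feed it log lines in order; it counts authentication failures per source IP
inside a time window and calls block_hook(ip, failures) once the threshold
is reached.  The hook is where a real daemon would push the address to the
firewall; here it only records the decision so the logic can run offline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in pure-ftpd syslog format (NOT from the original post).
SAMPLE_LOG = """\
Mar 15 07:15:01 host pure-ftpd: (?@208.116.56.10) [WARNING] Authentication failed for user [admin]
Mar 15 07:15:02 host pure-ftpd: (?@208.116.56.10) [WARNING] Authentication failed for user [test]
Mar 15 07:15:02 host pure-ftpd: (?@10.0.0.5) [WARNING] Authentication failed for user [bob]
Mar 15 07:15:03 host pure-ftpd: (?@208.116.56.10) [WARNING] Authentication failed for user [root]
Mar 15 07:15:03 host pure-ftpd: (bob@10.0.0.5) [INFO] bob is now logged in
Mar 15 07:15:04 host pure-ftpd: (?@208.116.56.10) [WARNING] Authentication failed for user [ftp]
Mar 15 07:15:05 host pure-ftpd: (?@208.116.56.10) [WARNING] Authentication failed for user [www]
"""

# Matches only the failed-login lines; anything else is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: \(\S*@(?P<ip>[\d.]+)\) "
    r"\[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]"
)


class BruteForceDetector:
    def __init__(self, threshold=5, window_seconds=60, block_hook=None, year=2007):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        # Hook receives (ip, failure_count); replace with a firewall call in a real daemon.
        self.block_hook = block_hook or (lambda ip, n: None)
        self.year = year                      # assumed: syslog lines carry no year
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.blocked = {}                     # ip -> timestamp when block was decided

    def feed(self, line):
        """Process one log line. Returns the IP if this line triggered a block, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.blocked:               # already handed to the firewall
            return None
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = self.failures[ip]
        q.append(ts)
        # Drop failures older than the window so old noise does not accumulate.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            self.block_hook(ip, len(q))
            return ip
        return None

    def process(self, lines):
        """Feed many lines; return the IPs blocked, in the order they were blocked."""
        return [ip for ip in (self.feed(l) for l in lines) if ip]


def iptables_drop_rule(ip):
    """Example of what a hook might emit for a Linux host firewall (not executed here)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    decisions = []
    det = BruteForceDetector(threshold=5, window_seconds=60,
                             block_hook=lambda ip, n: decisions.append((ip, n)))
    det.process(SAMPLE_LOG.splitlines())
    for ip, n in decisions:
        print(f"block {ip} after {n} failures ->", " ".join(iptables_drop_rule(ip)))
```

    With the constructed log and a threshold of 5, the attacker at 208.116.56.10 is blocked on its fifth failure (07:15:05) and the one genuine typo from 10.0.0.5 is left alone. A daemon built this way would wrap `feed` around a `tail -f` style reader; the difference from a cron-driven checker is only that the block decision is taken on the line that crosses the threshold rather than at the next scheduled run.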
     
  14. easyhoster1

    easyhoster1 Well-Known Member

    Joined:
    Sep 25, 2003
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    16
    You may want to contact the offending IP's NOC.

    OrgName: FortressITX
    OrgID: FORTR-5
    Address: 100 Delawanna Ave
    City: Clifton
    StateProv: NJ
    PostalCode: 07014
    Country: US

    ReferralServer: rwhois://rwhois.fortressitx.com:4443

    NetRange: 208.116.0.0 - 208.116.63.255
    CIDR: 208.116.0.0/18
    NetName: FORTRESSITX
    NetHandle: NET-208-116-0-0-1
    Parent: NET-208-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.PWEBTECH.COM
    NameServer: NS2.PWEBTECH.COM
    Comment:
    RegDate: 2006-04-19
    Updated: 2006-05-17

    OrgAbuseHandle: FIAD-ARIN
    OrgAbuseName: Fortress ITX Abuse Dept
    OrgAbusePhone: +1-973-572-1070
    OrgAbuseEmail: abuse@fortressitx.com

    OrgTechHandle: FIH2-ARIN
    OrgTechName: Fortress ITX Hostmaster
    OrgTechPhone: +1-973-572-1070
    OrgTechEmail: hostmaster@fortressitx.com

    # ARIN WHOIS database, last updated 2007-03-17 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
     