HELP! Hacker delete accounts +reseller priv root

jeroman8

Well-Known Member
Mar 14, 2003
Hello!

Today 14 accounts on one server were deleted.
After checking this I found that it was a reseller account deleting them.
This reseller account had root privileges.

The reseller account was set up by the "hacker".
It is not one of our clients, so we have not installed this account.

After going over our servers I found one more account on another server,
and the password it had was: hackedhost010.

I restored the deleted accounts and suspended the "hacker account".
I changed the root password and forced a cPanel upgrade.
chkrootkit and rkhunter report nothing.


What else should I do?
What has happened - how??

Anyone, please give your thoughts on what I should do next!!




Logs/info:


[email protected] [~]# grep arabserv /var/log/*


/var/log/secure:Dec 15 14:59:14 gais groupadd[23494]: new group: name=arabserv, gid=32283
/var/log/secure:Dec 15 14:59:14 gais useradd[23496]: new user: name=arabserv, uid=32282, gid=32283, home=/home/arabserv, shell=/bin/bash
/var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30620]: Pushing "32282 RESELLERSUSERS arabserv " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32282
/var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30622]: Pushing "32282 GETDOMAINIP arabservers.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32282


/var/log/exim_mainlog:2006-12-15 14:59:21 1GvDar-00068i-B7 <= [email protected] U=root P=local S=717 T="New account on zzzhostzz.com (arabservers.com)" from <[email protected]> for [email protected]
/var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: loaded serial 2006121501
/var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: sending notifies (serial 2006121501)
/var/log/messages:Dec 15 14:59:18 gais named[1976]: received notify for zone 'arabservers.com'


Mail new account:

+===================================+
| New Account Info |
+===================================+
| Domain: serv2arab.com
| Ip: dd.dd.dd.dd (n)
| HasCgi: y
| UserName: serv2ara
| PassWord: 151213
| CpanelMod: x
| HomeRoot: /home
| Quota: 0 Meg
| NameServer: ns1.xxzzxx.com
| Contact Email:
+===================================+
Account was setup by: root (root)
 

ramprage

Well-Known Member
Jul 21, 2002
Canada
I'd hire someone to review your machine. If the attacker had root, they could have placed some hidden backdoors and other nasties on your box, not to mention grabbed your shadow file, and they are cracking it right now for every account on the system...
 

jeroman8

Well-Known Member
Mar 14, 2003
God.. I actually contacted you on your page with the contact form, but
I did not write a phone number, so it complained, and when I pressed the back button the message was gone - it was a long, good message!!

Anyway - I'll do it again soon!

I just ran chkrootkit again and rkhunter, checked common places manually as well, nothing found. I really think they actually got hold of my server password!
Somehow!? - maybe when I logged in on 2086, but how do they sniff that if there's no script on the server....

So I believe they logged in to WHM and created the accounts.
Too bad there are no logs for this - cPanel logs are just recent hours it seems, and there
is nothing in messages or secure - just root from my IP.
 

GCIS

Active Member
Dec 12, 2006
The machine should be considered compromised and should not be used. Back up all user files and settings, and perform a fresh install on the box. After the format, you'll need to re-load files, accounts, and settings by hand, to verify that no malicious software or settings remain.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
I just ran chkrootkit again and rkhunter, checked common places manually as well, nothing found. I really think they actually got hold of my server password!
Somehow!? - maybe when I logged in on 2086, but how do they sniff that if there's no script on the server....
Speaking from my own experience, I can't count the number of times I've received that answer after informing a system administrator that their system was the source of an attack and had probably been compromised. These system admins kept saying that the system couldn't possibly be compromised, even when there was a root shell bound to port 60000, accessible to anyone with a copy of telnet on their system.

How can it be that a system administrator can't tell that a system has been hacked? More importantly, what can you do to find out if a particular system has been compromised?

Sometimes, it is nearly impossible to be certain that a system hasn't been compromised; if the intruder was any good, it will be completely impossible to determine that a system has been hacked.

The best approach to proving that a rootkit has been installed on a particular system is to boot the system from a known secure operating system install, such as a rescue CD, and (using a known-safe copy of md5sum) compare the checksums of system binaries to checksums from the genuine article.

Recently, conventional rootkits have begun supplanting 'kernel module rootkits', which are much more difficult to detect. But on systems compromised with conventional rootkits, comparison is still the best approach -- one made easier with the help of several utilities.

Although, as I said above, it is difficult to tell in some cases, here are some symptoms of a server that has been compromised:

  • Applications that suddenly don't respond as expected.
  • Additional user accounts that you can't account for (these may be made to look like system accounts)
  • New files or directories with unusual names.
  • Additional network traffic that can't be traced to a particular process
  • Server running significantly slower.
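The rescue-boot checksum comparison described above, written out as an added example (not code from this thread). It is POSIX shell using GNU coreutils md5sum and find, and it assumes the suspect root filesystem is mounted read-only at ROOT, that MANIFEST is an absolute path on media the attacker never touched, and that the manifest was built with make_manifest from a trusted install of the same package versions:

```shell
#!/bin/sh
# Added example: verify system binaries on a suspect disk against a
# manifest taken from a trusted boot. Assumes GNU md5sum/find, ROOT is the
# mount point of the suspect filesystem, MANIFEST is an absolute path.

# Directories whose binaries rootkits most often replace (relative to ROOT).
WATCH_DIRS="bin sbin usr/bin usr/sbin lib lib64"

# make_manifest ROOT MANIFEST: record "md5  relative/path" for every regular
# file under WATCH_DIRS. Run this from a trusted boot, never on the suspect
# system itself (its md5sum may already be trojaned).
make_manifest() {
    root=$1; out=$2
    for d in $WATCH_DIRS; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -exec md5sum {} +
    done | sed "s#  $root/#  #" > "$out"   # strip ROOT so paths are relative
}

# verify_manifest ROOT MANIFEST: print one line per discrepancy.
#   "<path> FAILED" - checksum differs or the file is missing (replaced binary)
#   "<path> NEW"    - file exists under WATCH_DIRS but is not in the manifest
# Empty output means every recorded binary matches and nothing was added.
verify_manifest() {
    root=$1; manifest=$2
    now=$(mktemp); base=$(mktemp)
    # md5sum -c reads the relative paths, so run it from ROOT; OK lines and
    # the stderr summary are dropped, only FAILED lines survive.
    ( cd "$root" && md5sum -c "$manifest" 2>/dev/null ) \
        | sed -n 's/: FAILED.*$/ FAILED/p'
    # Files present now but absent from the baseline: dropped-in backdoors.
    ( cd "$root" && for d in $WATCH_DIRS; do
          [ -d "$d" ] && find "$d" -type f
      done ) | sort > "$now"
    awk '{ print $2 }' "$manifest" | sort > "$base"
    comm -13 "$base" "$now" | sed 's/$/ NEW/'
    rm -f "$now" "$base"
}
```

A manifest built from the suspect disk only proves the disk is consistent with itself; take the baseline from the distribution's packages or a clean install of the same versions.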
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level
Root Administrator
Top marks, jeroman8, for finding the hacker. Now you must move to the next step.

Question: "Should we nuke the Planet?"
Answer: "It's the only way to be sure."

Although it may seem painful, in a case like this the only way to be sure that all hacker files have been removed is to reformat / reinstall. Once that has been done, make sure to set up ModSecurity (through WHM) and set up rules to prevent Users / Hackers from using certain functions.

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /dev/shm "
SecFilterSelective THE_REQUEST "cd /var/tmp "
 

markfrompf

Well-Known Member
Mar 27, 2006
Los Angeles, CA
Definitely one of the worst parts of hosting...
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
Hi,


On your hacked server...
Were C compilers disabled?
Did you have PHP safe mode on, or phpsuexec?
Was the kernel updated to the latest?

Thank you