The Community Forums


HELP! Hacker delete accounts +reseller priv root

Discussion in 'General Discussion' started by jeroman8, Dec 15, 2006.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Hello!

    Today 14 accounts on one server were deleted.
    After checking this I found that it was a reseller account deleting them.
    This reseller account had root privileges.

    The reseller account was setup by the "hacker".
    It is not one of our clients so we have not installed this account.

    After going over our servers I found one more account on another server
    and the password it had was: hackedhost010.

    I restored the deleted accounts and suspended the "hacker account".
    I changed the root password and forced a cPanel upgrade.
    chkrootkit and rkhunter report nothing.


    What else should I do ?
    What has happened - how ??

    Anyone, please give your thoughts on what I should do next!!




    Logs/info:


    root@gais [~]# grep arabserv /var/log/*


    /var/log/secure:Dec 15 14:59:14 gais groupadd[23494]: new group: name=arabserv, gid=32283
    /var/log/secure:Dec 15 14:59:14 gais useradd[23496]: new user: name=arabserv, uid=32282, gid=32283, home=/home/arabserv, shell=/bin/bash
    /var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30620]: Pushing "32282 RESELLERSUSERS arabserv " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32282
    /var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30622]: Pushing "32282 GETDOMAINIP arabservers.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32282


    /var/log/exim_mainlog:2006-12-15 14:59:21 1GvDar-00068i-B7 <= root@zzzhostzz.com U=root P=local S=717 T="New account on zzzhostzz.com (arabservers.com)" from <root@gais.wopsa11.com> for hoss@zzzhostzz
    /var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: loaded serial 2006121501
    /var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: sending notifies (serial 2006121501)
    /var/log/messages:Dec 15 14:59:18 gais named[1976]: received notify for zone 'arabservers.com'


    Mail new account:

    +===================================+
    | New Account Info |
    +===================================+
    | Domain: serv2arab.com
    | Ip: dd.dd.dd.dd (n)
    | HasCgi: y
    | UserName: serv2ara
    | PassWord: 151213
    | CpanelMod: x
    | HomeRoot: /home
    | Quota: 0 Meg
    | NameServer: ns1.xxzzxx.com
    | Contact Email:
    +===================================+
    Account was setup by: root (root)
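    The /var/log/secure lines above already show the whole sequence (useradd, then Cp-Wrap handing RESELLERSUSERS to the new UID). Below is an added example, not from the original post or from cPanel, that parses lines in that format and flags any account that was created without being on an allowlist of accounts you provisioned yourself, together with how quickly it was granted reseller rights. The sample log text is constructed to mirror the post; the allowlist and the 2006 year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/secure excerpt in the post above.
SAMPLE_SECURE_LOG = """\
Dec 15 14:59:14 gais groupadd[23494]: new group: name=arabserv, gid=32283
Dec 15 14:59:14 gais useradd[23496]: new user: name=arabserv, uid=32282, gid=32283, home=/home/arabserv, shell=/bin/bash
Dec 15 15:05:41 gais Cp-Wrap[30620]: Pushing "32282 RESELLERSUSERS arabserv " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32282
Dec 15 16:10:02 gais useradd[31001]: new user: name=bob, uid=32290, gid=32291, home=/home/bob, shell=/bin/bash
"""

# syslog timestamp, then the useradd / Cp-Wrap payloads seen in the post
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
USERADD_RE = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+)")
CPWRAP_RE = re.compile(TS + r" \S+ Cp-Wrap\[\d+\]: Pushing \"(?P<uid>\d+) (?P<action>[A-Z]+) (?P<arg>\S+)")


def parse_ts(ts, year):
    """syslog has no year; the caller supplies it (2006 for this thread)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_unexpected_accounts(log_text, expected_users, year=2006):
    """Return one finding per useradd event whose user is not on the allowlist.

    Each finding records whether the same UID was later pushed to
    RESELLERSUSERS (the cPanel reseller-privilege grant) and how many
    whole minutes passed between creation and that grant."""
    created = {}          # uid -> (name, created_at)
    reseller_grant = {}   # uid -> granted_at
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            created[m["uid"]] = (m["name"], parse_ts(m["ts"], year))
            continue
        m = CPWRAP_RE.match(line)
        if m and m["action"] == "RESELLERSUSERS":
            reseller_grant[m["uid"]] = parse_ts(m["ts"], year)

    findings = []
    for uid, (name, t0) in created.items():
        if name in expected_users:
            continue
        granted = reseller_grant.get(uid)
        findings.append({
            "name": name,
            "uid": uid,
            "reseller_granted": granted is not None,
            "minutes_to_grant": int((granted - t0).total_seconds() // 60) if granted else None,
        })
    return findings
```

    Run it over the real file with `find_unexpected_accounts(open("/var/log/secure").read(), {"bob", ...})`; a reseller grant minutes after an account you never provisioned is exactly the pattern shown in the post.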
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I'd hire someone to review your machine, if the attacker had root they could have placed some hidden backdoors and other nasties on your box,not to mention grab your shadow file and are cracking it right now for every account on the system...
     
  3. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    God..I actually contacted you on your page with the contact form but
    I did not write phone so it complained and when I pressed back button the messages was gone - it was a long, good message!!

    Anyway - I'll do it again soon!

    I just ran chkrootkit again and rkhunter, and checked common places manually as well; nothing found. I really think they actually got hold of my server password!
    Somehow!? - maybe when I logged in on 2086, but how do they sniff that if there's no script on the server....

    So I believe they logged in to WHM and created the accounts.
    Too bad there are no logs for this - cPanel logs are just the recent hours it seems, and there
    is nothing in messages or secure - just root from my IP.
     
  4. GCIS

    GCIS Active Member

    Joined:
    Dec 12, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    The machine should be considered compromised, and should not be used. Back up all user files and settings, and perform a fresh install on the box. After the format, you'll need to re-load files, accounts, and settings by hand, to verify that no malicious software or settings remain.
     
  5. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Speaking from my own experience; I can't count the number of times I've received that answer after informing a system administrator that their system was the source of an attack, and had probably been compromised. These system admins kept saying that the system couldn't possibly be compromised, even when there was a root shell bound to port 60000, accessible to anyone with a copy of telnet on their system.

    How can it be that a system administrator can't tell that a system has been hacked? More importantly, what can you do to find out if a particular system has been compromised?

    Sometimes, it is nearly impossible to be certain that a system hasn't been compromised; if the intruder was any good, it will be completely impossible to determine that a system has been hacked.

    The best approach to proving that a rootkit has been installed on a particular system is to boot the system from a known secure operating system install, such as a rescue CD, and (using a known-safe copy of md5sum) compare the checksums of system binaries to checksums from the genuine article.

    Recently, conventional rootkits have begun supplanting 'kernel module rootkits', which are much more difficult to detect. But on systems compromised with conventional rootkits, comparison is still the best approach -- one made easier with the help of several utilities.

    Although, as I said above, it is difficult to tell in some cases, here are some symptoms of a server that has been compromised:

    • Applications that suddenly don't respond as expected.
    • Additional user accounts that you can't account for (these may be made to look like system accounts)
    • New files or directories with unusual names.
    • Additional network traffic that can't be traced to a particular process
    • Server running significantly slower.
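    The offline comparison described above (boot from a rescue CD, hash the suspect disk's binaries with a trusted tool, compare against a known-good manifest) as an added example; this is not code from the post or from any rootkit checker. It uses SHA-256 rather than md5sum, the mount point /mnt/suspect and the manifest format `<hex>  <path>` (as written by sha256sum) are assumptions, and the manifest itself must come from a trusted source such as a pristine install of the same package versions.

```python
import hashlib
import os
import sys


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {path: hex}; '#' lines are comments."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        manifest[path.lstrip("*")] = digest.lower()
    return manifest


def hash_mounted_root(mount_point, paths):
    """Hash each system path as found under the suspect disk's mount point
    (the disk is mounted read-only from the rescue OS). Missing files map to None."""
    observed = {}
    for p in paths:
        full = os.path.join(mount_point, p.lstrip("/"))
        observed[p] = sha256_file(full) if os.path.isfile(full) else None
    return observed


def compare(expected, observed):
    """Classify every binary in the trusted manifest as ok, modified or missing.
    A modified /bin/ps, /bin/ls, /bin/netstat or /usr/bin/find is the classic
    user-space rootkit signature; a missing one is just as suspicious."""
    report = {"ok": [], "modified": [], "missing": []}
    for path, good in expected.items():
        seen = observed.get(path)
        bucket = "missing" if seen is None else ("modified" if seen != good else "ok")
        report[bucket].append(path)
    return report


if __name__ == "__main__":
    # usage: python verify.py known-good.sha256 /mnt/suspect  (paths are assumptions)
    manifest = parse_manifest(open(sys.argv[1]).read())
    result = compare(manifest, hash_mounted_root(sys.argv[2], manifest))
    for kind in ("modified", "missing"):
        for path in result[kind]:
            print(f"{kind.upper():9} {path}")
```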
     
  6. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Top marks, jeroman8, for finding the hacker. Now you must move to the next step.

    Question: "Should we nuke the Planet?"
    Answer: "It's the only way to be sure."

    Although it may seem painful, in a case like this, the only way to be sure that all hacker files have been removed is to reformat / reinstall. Once that has been done, make sure to set up ModSecurity (through WHM) and set up Rules to prevent Users / Hackers from using certain functions.

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /dev/shm "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
     
  7. markfrompf

    markfrompf Well-Known Member

    Joined:
    Mar 27, 2006
    Messages:
    176
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Los Angeles, CA
    Definitely one of the worst parts of hosting...
     
  8. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Hi,


    On your hacked server ...
    were C compilers disabled?
    did you have PHP safe mode on, or phpsuexec?
    was the kernel updated to the latest?

    Thank you
     