hijacked server?

Discussion in 'General Discussion' started by valkira, Feb 23, 2009.

  1. valkira

    valkira Active Member

    Today I've received two emails from lfd stating:

    Subject: lfd on xxxxxx.xxxxxx.tld: Account modification alert
    =====================================================
    Time: Mon Feb 23 04:02:20 2009 +0100

    Reported Modifications:

    Account [root] password has changed
    =====================================================

    Subject:lfd on xxxxxx.xxxxxx.tld: SSH login alert for user root from 94.75.224.3 (EU/-/hosted-by.leaseweb.com)
    =====================================================
    Time: Mon Feb 23 04:02:29 2009 +0100
    IP: 94.75.224.3 (EU/-/hosted-by.leaseweb.com)
    Account: root
    Method: password authentication
    =====================================================

    I'm quite happy that I left screen running on the server, so that I could change back the root password, delete the new account (Reported by lfd - New account [plesk-root] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/sh]) and take a look at the damage:

    - syslog was stopped
    - nothing in /var/log
    - exim not running


    Anyone else had this? A friend of mine had 3 servers with this same issue...
     
    #1 valkira, Feb 23, 2009
    Last edited: Feb 23, 2009
  2. rhenderson

    rhenderson Well-Known Member

    So how did they get in, in the first place to be able to change the root password?
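
The indicators listed in the first post (an extra UID 0 account, nothing in /var/log, stopped daemons) written as a triage check. This is an added example, not part of either post; the function names, the `example-missing-daemon` placeholder and the daemon process names in the usage comment are assumptions.

```shell
#!/bin/sh
# Accounts with UID 0 (written 0, 00, ...) other than "root" in a passwd file.
extra_uid0_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# True when the directory holds no non-empty regular file (a missing
# directory also counts as empty).
log_dir_is_empty() {
    [ -z "$(find "$1" -type f -size +0c 2>/dev/null | head -n 1)" ]
}

# Print each named daemon with no running process (needs pgrep; without it
# every name is reported).
missing_daemons() {
    for d in "$@"; do
        pgrep -x "$d" >/dev/null 2>&1 || echo "$d"
    done
}

# triage PASSWD LOGDIR DAEMON...  Prints findings; returns 1 if there are any.
triage() {
    t_passwd=$1; t_logdir=$2; shift 2; t_found=0
    for a in $(extra_uid0_accounts "$t_passwd"); do
        echo "FINDING: extra UID 0 account: $a"; t_found=1
    done
    if log_dir_is_empty "$t_logdir"; then
        echo "FINDING: no log data under $t_logdir"; t_found=1
    fi
    for d in $(missing_daemons "$@"); do
        echo "FINDING: daemon not running: $d"; t_found=1
    done
    return "$t_found"
}

# Constructed sample: passwd with the account from the lfd alert, empty log dir.
demo() {
    t_dir=$(mktemp -d); mkdir "$t_dir/log"; t_rc=0
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'plesk-root:x:0:0::/root:/bin/sh' \
        'mail:x:8:12:mail:/var/spool/mail:/sbin/nologin' > "$t_dir/passwd"
    triage "$t_dir/passwd" "$t_dir/log" example-missing-daemon || t_rc=$?
    rm -rf "$t_dir"
    return "$t_rc"
}

# Live use (daemon names are assumptions): triage /etc/passwd /var/log syslogd exim
if [ "${1:-}" = demo ]; then demo; fi
```

Because the paths are arguments, the same checks can be pointed at a copy of the filesystem mounted from a rescue environment instead of the running host.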
     