The Community Forums

Interact with an entire community of cPanel & WHM users!

hijacked server?

Discussion in 'General Discussion' started by valkira, Feb 23, 2009.

  1. valkira

    Today I've received two emails from lfd stating:

    Subject: lfd on xxxxxx.xxxxxx.tld: Account modification alert
    =====================================================
    Time: Mon Feb 23 04:02:20 2009 +0100

    Reported Modifications:

    Account [root] password has changed
    =====================================================

    Subject: lfd on xxxxxx.xxxxxx.tld: SSH login alert for user root from 94.75.224.3 (EU/-/hosted-by.leaseweb.com)
    =====================================================
    Time: Mon Feb 23 04:02:29 2009 +0100
    IP: 94.75.224.3 (EU/-/hosted-by.leaseweb.com)
    Account: root
    Method: password authentication
    =====================================================

    I'm quite happy that I left screen running on the server, so that I could change back the root password, delete the new account (Reported by lfd - New account [plesk-root] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/sh]) and take a look at the damage:

    - syslog was stopped
    - nothing in /var/log
    - exim not running


    Anyone else had this? A friend of mine had 3 servers with this same issue...
     
    #1 valkira, Feb 23, 2009
    Last edited: Feb 23, 2009
  2. rhenderson

    So how did they get in, in the first place to be able to change the root password?
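
The indicators reported in the first post (a second UID 0 account, an empty /var/log, stopped daemons) can be checked with a short script. This is an added example, not part of the original thread and not lfd's own code; the function names and the `exim` process name are assumptions, and the sample passwd data is constructed.

```bash
#!/usr/bin/env bash
# Added example: triage checks for the indicators reported in the first post.
# File and directory paths are arguments, so the same checks can run against
# a read-only mounted copy of the disk instead of the live system.

# List accounts in a passwd-format file that have UID 0 but are not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 " shell=" $7 }' "$1"
}

# Count non-empty regular files under a log directory.
nonempty_logs() {
    find "$1" -type f -size +0c 2>/dev/null | wc -l | tr -d ' '
}

# Report whether a daemon is running (process names are assumptions).
daemon_state() {
    if pgrep -x "$1" >/dev/null 2>&1; then echo "$1: running"
    else echo "$1: NOT running"; fi
}

# Run the file-based checks; the exit status is the number of findings.
triage() {
    local passwd_file=$1 log_dir=$2 findings=0 extra
    extra=$(extra_uid0_accounts "$passwd_file")
    if [ -n "$extra" ]; then
        echo "UID 0 accounts other than root:"; echo "$extra"
        findings=$((findings + 1))
    fi
    if [ "$(nonempty_logs "$log_dir")" -eq 0 ]; then
        echo "no non-empty log files under $log_dir"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample mirroring the post: a second UID 0 account and empty logs.
sample=$(mktemp -d)
mkdir "$sample/log"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'mail:x:8:12:mail:/var/spool/mail:/sbin/nologin' \
    'plesk-root:x:0:0::/root:/bin/sh' > "$sample/passwd"
triage "$sample/passwd" "$sample/log" || echo "findings: $?"
daemon_state exim
```

On a live server the same checks run as `triage /etc/passwd /var/log`; a nonzero exit status means at least one of the indicators is present.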