
Hmmm... server seems to be hacked.

Discussion in 'Security' started by TeknikL, Oct 3, 2014.

  1. TeknikL

    TeknikL Registered

    Joined:
    Oct 3, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    I have a CentOS 6.5 box which runs cPanel and it appears to be hacked...
    It's running bash 4.1.2.

    I can't log in via SSH as root anymore, even with the correct PW.
    I can't su to root when I SSH in as a different account I created as a safeguard.
    iptraf showed some SSH logins initially, but they are gone now after I started trying to lock things down.

    Any help would be appreciated. I'm guessing it's likely time to back up, wipe and reload since I only had one site on this box... is there an easy way to do this with cPanel?

    M
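    The symptoms above (root refused over SSH and via su despite the correct password, bash 4.1.2 on CentOS 6.5) point at a handful of specific files, and a responder checks those before deciding anything. The script below is an added example, not code from this thread or from cPanel. It assumes CentOS 6 package names, the `PermitRootLogin yes` default of the OpenSSH 5.x that CentOS 6 ships, and that the "bash vulnerabilities" raised later in the thread are Shellshock (CVE-2014-6271), which is what bash 4.1.2 in October 2014 points to; the sample files in `demo` are constructed.

```sh
#!/bin/sh
# Added triage helpers for the symptoms described above (root refused over
# SSH and via su despite the correct password, bash 4.1.2). Not code from
# the thread. Each check reads the file it is given, so it works on copies
# of /etc/ssh/sshd_config, /etc/passwd and /etc/shadow pulled off the box
# or on a mounted image, without trusting the compromised host's binaries.

# Effective PermitRootLogin in the global section of an sshd_config. sshd
# honours the FIRST occurrence of a directive, keywords are case-insensitive,
# and a Match block ends the global section. With no directive, the default
# in the OpenSSH 5.x that CentOS 6 ships is "yes" (assumed here).
sshd_permit_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "yes (default)" }
    ' "$1"
}

# root's UID and login shell from a passwd file. A shell such as
# /sbin/nologin or /bin/false gives exactly the "correct password, still no
# login" symptom for both sshd and su.
root_passwd_entry() {
    awk -F: '$1 == "root" { print $3 ":" $7 }' "$1"
}

# Whether root's password field in a shadow file is locked: a leading "!"
# or "*" makes the correct password useless as well.
root_shadow_locked() {
    awk -F: '$1 == "root" { if ($2 ~ /^[!*]/) print "locked"; else print "unlocked" }' "$1"
}

# Number of public keys in an authorized_keys file. Any key on root's
# account that the admin did not install is attacker persistence.
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$1" || true
}

# Probe the installed bash for the first Shellshock bug (CVE-2014-6271):
# a vulnerable bash runs the command after the function body while importing
# x from the environment; a patched bash treats x as a plain variable.
# Prints vulnerable / patched / unknown. This covers only the original CVE;
# the follow-ups (CVE-2014-7169 onwards) need their own probes, so
# "patched" means "not wide open", not "fully fixed".
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo unknown; return; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# On the live box only: ask RPM which files of the packages owning su, sshd,
# bash and PAM no longer match the database ("5" in the flags = digest
# changed). rpm itself may be trojaned on a compromised host, so a clean
# result is weak evidence; a dirty one is strong. Package names are CentOS 6's.
verify_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return; }
    rpm -V coreutils openssh-server bash pam 2>&1 || true
}

# Demo on constructed sample files (not data from the thread).
demo() {
    tmp=$(mktemp -d)
    printf 'Port 22\npermitrootlogin no\nPermitRootLogin yes\nMatch User backup\n  PermitRootLogin yes\n' >"$tmp/sshd_config"
    printf 'root:x:0:0:root:/root:/sbin/nologin\n' >"$tmp/passwd"
    printf 'root:!$6$salt$hash:16344:0:99999:7:::\n' >"$tmp/shadow"
    echo "PermitRootLogin : $(sshd_permit_root_login "$tmp/sshd_config")"
    echo "root passwd     : $(root_passwd_entry "$tmp/passwd")"
    echo "root shadow     : $(root_shadow_locked "$tmp/shadow")"
    echo "root authkeys   : $(count_authorized_keys /root/.ssh/authorized_keys)"
    echo "bash Shellshock : $(shellshock_status)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

    Run it against copies of the files (or a disk mounted from a clean rescue system) rather than trusting the live box's own binaries, and compare the PermitRootLogin result with what you actually configured. A locked shadow entry or a nologin shell on root is the first thing to look at for the "correct password, still refused" symptom; a changed su or sshd in the rpm report is the second.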
     
  2. TeknikL

    TeknikL Registered

    Joined:
    Oct 3, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    I got in via a console root session I left open (thank Jesus, even though you're never supposed to do this) and used sudo via SSH to export the data via:

    for x in /var/cpanel/users/*; do /scripts/pkgacct "$(basename "$x")"; done

    I am reloading from scratch onto a CentOS 7 box, but can I import this info after?

    How do I export the actual WHM config?
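    The one-liner above does the job, but on a box you believe is compromised you want each account's pkgacct result recorded and the resulting tarballs checksummed before they move to the new server. The script below is an added example, not TeknikL's command and not a cPanel script. It uses cPanel's real `/var/cpanel/users` directory, the `/scripts/pkgacct <user> <destdir>` invocation and pkgacct's `cpmove-<user>.tar.gz` output name, and lets all three paths be overridden so the logic can be exercised off a cPanel server (the file name `export_accounts.sh` is hypothetical).

```sh
#!/bin/sh
# Added example (not TeknikL's command, not a cPanel script): package every
# cPanel account with /scripts/pkgacct, record per-account success, and
# write a SHA-256 manifest of the cpmove tarballs for verification after the
# copy. The three paths default to cPanel's real locations; override them
# (e.g. with a stub pkgacct) to run this off a cPanel box.

USERS_DIR="${USERS_DIR:-/var/cpanel/users}"
PKGACCT="${PKGACCT:-/scripts/pkgacct}"
DEST="${DEST:-/home}"

# Account names are the regular files in USERS_DIR. Unlike parsing `ls`,
# this skips subdirectories and does not word-split odd names.
list_accounts() {
    for f in "$USERS_DIR"/*; do
        [ -f "$f" ] || continue
        basename "$f"
    done
}

# Package one account into DEST; pkgacct writes DEST/cpmove-<user>.tar.gz.
# Its output is kept per account so a failure can be diagnosed later.
package_account() {
    "$PKGACCT" "$1" "$DEST" >"$DEST/pkgacct-$1.log" 2>&1
}

# Package all accounts. Prints one "ok USER" / "FAIL USER" line each and
# returns the number of failures as its exit status (0 = everything packaged).
package_all() {
    failed=0
    for u in $(list_accounts); do
        if package_account "$u"; then
            echo "ok $u"
        else
            echo "FAIL $u (see $DEST/pkgacct-$u.log)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Checksum the tarballs into DEST/cpmove.sha256 and print how many were
# listed. On the new server, after the copy: sha256sum -c cpmove.sha256
write_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then sum=sha256sum; else sum="shasum -a 256"; fi
    ( cd "$DEST" && $sum cpmove-*.tar.gz ) >"$DEST/cpmove.sha256"
    wc -l <"$DEST/cpmove.sha256" | tr -d ' '
}

# Whole run, as typed on the old box:  sh export_accounts.sh --run
run_export() {
    package_all
    rc=$?
    echo "tarballs in manifest: $(write_manifest)"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_export; fi
```

    Treat the archives as untrusted input on the new server: pkgacct packages the account's home directory, mail and crontab as they stand, so anything the attacker dropped into public_html or the user's cron travels with them. Review the contents before restoring rather than relying on the fresh OS install alone, and check the manifest on the destination before you do.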
     
  3. MikeDVB

    MikeDVB Well-Known Member
    PartnerNOC

    Joined:
    Jun 4, 2008
    Messages:
    212
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Indiana, USA
    I would personally advise you hire a competent server administrator to look into this for you. It's not possible for anybody to remotely confirm or deny your server has been hacked based upon what little information you've provided.
     
  4. TeknikL

    TeknikL Registered

    Joined:
    Oct 3, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    I am actually a qualified server administrator. I have nailed down the source IPs but not yet the method of intrusion. I was using the cPanel-CentOS-6.4-x86_64.iso, so this may affect many more people than me, in light of the bash vulnerabilities.

    M
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Do you have console access or KVM access?
     
  6. MikeDVB

    MikeDVB Well-Known Member
    PartnerNOC

    Joined:
    Jun 4, 2008
    Messages:
    212
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Indiana, USA
    I should have been more specific - I thought it but did not say it - but you should hire a server administrator that is familiar with intrusions/security/investigating intrusions.

    I know Steven from Rack911 is good at this sort of thing.

    Sorry for not being specific enough. I wasn't intending to criticize you.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Yes, it's difficult to determine if/how your system was exploited because oftentimes an attacker will cover their tracks. It's often a good idea to consult with a security specialist to help determine the cause/source.

    Thank you.
     