I have suspected I have had hacker ghosts through a Sierra Wireless (Air) USB port hub ... but that's another story, which I'm happy to elaborate on when I get to the bottom of it ...
However I discovered my ghosts quite by accident ... cPanel notified me that strange IPs were logging into the server as root ... when only 2 users have this permission ... I also realised they were logging in at the same time as I was.
Before I knew the ghosts existed, I used the Host Access Control in an endeavor to block the IPs and their ranges using the (example) 1.133.0.0/255.255.255.0 - they are gradually making their way through all Australian (all Telstra) IP addresses - ssh and whmanager ... (yes I've tracked them and keep a vigilant netstat -aon)
I discovered they were making their way via my entry into cPanel, because I would be blocked too when I attempted to log in as root ... that was until I repaired the device to be Broadband only, re-enabled the hacked passwords and disabled the radio.
I could now log in to the server again and appeared to no longer have my ghosts ... but alas they showed up again, but this time from IPs that had supposedly been blocked in ssh and whmanager.
I will replace the device tomorrow - and hand it over to the police to handle this week with the history ... but
Question 1: Can I block ALL activities of these IP blocks in the Host Access Control, but all administrators of the shared web resources will not be blocked from their cPanels and Website Admin?
Question 2: Is there any way to prevent the ghosting? One of my disgruntled ex tekkies who is smarter than I might have left a back door.
Question 3: Any other suggestions?
I've managed this server for about 10 years.
Cheers
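
An added example, not part of the original post and not cPanel's own code: a check of which addresses entries in the address/netmask form quoted above cover under ordinary IPv4 netmask semantics, run against successful root logins in sshd log lines. The second rule, the log lines and every address other than 1.133.0.0/255.255.255.0 are constructed, and the log format assumed is the standard OpenSSH "Accepted" message.

```python
import ipaddress
import re

# Constructed block entries in the address/netmask form quoted in the post.
BLOCK_RULES = ["1.133.0.0/255.255.255.0", "203.0.113.0/255.255.255.0"]

# Constructed sshd log lines (standard OpenSSH message format).
SAMPLE_LOG = """\
Mar  3 09:14:02 host sshd[2211]: Accepted password for root from 1.133.0.17 port 50122 ssh2
Mar  3 09:14:40 host sshd[2230]: Accepted password for root from 1.133.4.9 port 50310 ssh2
Mar  3 09:15:05 host sshd[2244]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
Mar  3 09:16:31 host sshd[2260]: Failed password for root from 203.0.113.50 port 41000 ssh2
"""

ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+) port")

def parse_rules(rules):
    """Turn address/netmask strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(r, strict=False) for r in rules]

def rule_ranges(rules):
    """First address, last address and size of what each entry covers."""
    return [(str(n[0]), str(n[-1]), n.num_addresses) for n in parse_rules(rules)]

def audit_root_logins(log_text, rules):
    """Classify each successful root login by whether a block entry covers its source."""
    nets = parse_rules(rules)
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m or m.group(1) != "root":
            continue  # skip failed attempts and non-root accounts
        ip = ipaddress.ip_address(m.group(2))
        hit = next((str(n) for n in nets if ip in n), None)
        # A covered source that still logged in means the block is not being enforced.
        status = "covered-but-logged-in" if hit else "not-covered"
        findings.append((str(ip), status, hit))
    return findings

if __name__ == "__main__":
    for first, last, size in rule_ranges(BLOCK_RULES):
        print(f"{first} - {last} ({size} addresses)")
    for ip, status, rule in audit_root_logins(SAMPLE_LOG, BLOCK_RULES):
        print(ip, status, rule or "-")
```
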