The Community Forums

Interact with an entire community of cPanel & WHM users!

Host Access Control seems to fail ... and I believe I have a few ghosts ...

Discussion in 'Security' started by madamsplash, Jul 1, 2014.

  1. madamsplash

    madamsplash Member

    I have suspected I have had hacker ghosts through a Sierra Wireless (Air) USB port hub ... but that's another story, which I'm happy to elaborate on when I get to the bottom of it ...

    However, I discovered my ghosts quite by accident ... cPanel notified me that strange IPs were logging into the server as root ... when only 2 users have this permission ... I also realised they were logging in at the same time as I was.

    Before I knew the ghosts existed, I used the Host Access Control in an endeavor to block the IPs and their ranges using the (example) 1.133.0.0/255.255.255.0 - they are gradually making their way through all Australian, (all Telstra) IP addresses - ssh and whmanager ... (yes I've tracked them and keep a vigilant netstat -aon)

    I discovered they were making their way via my entry into cPanel, because I would be blocked too when I attempted to log in as root ... that was until I repaired the device to be Broadband only, re-enabled the hacked passwords and disabled the radio.

    I could now log in to the server again and appeared to no longer have my ghosts ... but alas they showed up again, but this time from IPs that had supposedly been blocked in ssh and whmanager.

    I will replace the device tomorrow - and hand it over to the police to handle this week with the history ... but

    Question 1: Can I block ALL activities of these IP Blocks in the Host Access Control, but all administrators of the shared web resources, will not be blocked from their cPanels and Website Admin -

    Question 2: Is there any way to prevent the ghosting? One of my disgruntled ex tekkies who is smarter than I might have left a back door.

    Question 3: Any other suggestions?

    I've managed this server for about 10 years

    Cheers
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You can utilize "Host Access Control" to only allow access to one specific IP address and to then deny all other access attempts. If you are concerned that your server has been rooted, then reinstalling the OS and restoring the accounts from backups is the primary method used to clean the server.

    Thank you.
     
  3. madamsplash

    madamsplash Member

    Hi CP ...

    thanks for that suggestion, yes that was my first action, but it does seem to stop them ... is there any way Host Access Control can be tampered with,

    or perhaps I am using it wrong?

    I close off SSHD and WHMManager to a range of IP 1.134.0.0/255.255.255.0

    I have identified they are using ranges of portable telephone/wireless systems in Australia, NZ and now starting to broaden the range ... I am nervous to use ALL as I will lock out my customers on the server

    I do not have a static IP either ...
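
Added example, not part of the thread or cPanel's code: a rule written as `1.133.0.0/255.255.255.0` covers only 1.133.0.0 to 1.133.0.255, so other addresses in 1.133.x.x never match it. The Python sketch below compares the posted mask, a wider mask, and the allow-one-then-deny-all setup from the staff reply. Assumptions: per-service, first-match rules with a default of allow, the daemon names `sshd` and `cpaneld`, the helper names `coverage`, `matches` and `decide`, and the constructed sample addresses.

```python
import ipaddress

# Constructed rule sets: (service, pattern, action); "ALL" matches any source.
AS_POSTED = [("sshd", "1.133.0.0/255.255.255.0", "deny"),
             ("sshd", "1.134.0.0/255.255.255.0", "deny")]
WIDER_MASK = [("sshd", "1.133.0.0/255.255.0.0", "deny"),
              ("sshd", "1.134.0.0/255.255.0.0", "deny")]
# 203.0.113.7 is a documentation address standing in for one trusted admin IP.
ALLOW_ONE = [("sshd", "203.0.113.7", "allow"),
             ("sshd", "ALL", "deny")]


def coverage(pattern):
    """Return (first address, last address, count) covered by address/netmask."""
    net = ipaddress.ip_network(pattern, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def matches(pattern, ip):
    """True if the source address falls inside the rule's pattern."""
    if pattern == "ALL":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def decide(rules, service, ip, default="allow"):
    """First matching rule for this service wins; no match falls to default (assumed)."""
    for svc, pattern, action in rules:
        if svc == service and matches(pattern, ip):
            return action
    return default


if __name__ == "__main__":
    print(coverage("1.133.0.0/255.255.255.0"))
    # Constructed source addresses: two inside 1.133.0.0/16, one trusted.
    for ip in ("1.133.0.20", "1.133.57.10", "203.0.113.7"):
        print(ip,
              "posted:", decide(AS_POSTED, "sshd", ip),
              "wider:", decide(WIDER_MASK, "sshd", ip),
              "allow-one:", decide(ALLOW_ONE, "sshd", ip),
              "cpaneld:", decide(ALLOW_ONE, "cpaneld", ip))
```

Because the deny-all rule in this model is scoped to `sshd`, lookups for `cpaneld` still return allow, which is the separation Question 1 asks about.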
     
  4. madamsplash

    madamsplash Member

    Did I say I do not have a static IP - I am travelling cheers
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    It's likely a good idea to consult with a qualified security specialist if unauthorized users are accessing your system or services.

    Thank you.
     