Host Access Control seems to fail ... and I believe I have a few ghosts ...

madamsplash

Member
Mar 17, 2009
I have suspected I have had hacker ghosts through a Sierra Wireless (Air) USB port hub ... but that's another story, which I'm happy to elaborate on when I get to the bottom of it ...

However, I discovered my ghosts quite by accident ... cPanel notified me that strange IPs were logging into the server as root ... when only 2 users have this permission ... I also realised they were logging in at the same time as I was.

Before I knew the ghosts existed, I used Host Access Control in an endeavour to block the IPs and their ranges using (for example) 1.133.0.0/255.255.255.0 - they are gradually making their way through all Australian (all Telstra) IP addresses - ssh and whmanager ... (yes, I've tracked them and keep a vigilant netstat -aon)

I discovered they were making their way via my entry into cPanel, because I would be blocked too when I attempted to log in as root ... that was until I repaired the device to be broadband only, re-enabled the hacked passwords and disabled the radio.

I could now log in to the server again and appeared to no longer have my ghosts ... but alas, they showed up again, this time from IPs that had supposedly been blocked in ssh and whmanager.

I will replace the device tomorrow - and hand it over to the police to handle this week, with the history ... but

Question 1: Can I block ALL activities of these IP blocks in Host Access Control, while all administrators of the shared web resources will not be blocked from their cPanels and website admin?

Question 2: Is there any way to prevent the ghosting? One of my disgruntled ex-techies, who is smarter than I am, might have left a back door.

Question 3: Any other suggestions?

I've managed this server for about 10 years.

Cheers :eek:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You can utilize "Host Access Control" to allow access only from one specific IP address and then deny all other access attempts. If you are concerned that your server has been rooted, then reinstalling the OS and restoring the accounts from backups is the primary method used to clean the server.

Thank you.

madamsplash

Member
Mar 17, 2009
Hi CP ...

Thanks for that suggestion; yes, that was my first action, but it does seem to stop them ... is there any way Host Access Control can be tampered with,

or perhaps I am using it wrong?

I close off SSHD and WHM Manager to the IP range 1.134.0.0/255.255.255.0

I have identified that they are using ranges of portable telephone/wireless systems in Australia and NZ, and are now starting to broaden the range ... I am nervous about using ALL as I will lock out my customers on the server.

I do not have a static IP either ...
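The allow-one-address-then-deny-all policy suggested in the reply above, and the 1.134.0.0/255.255.255.0 pattern quoted in this post, evaluated by a small TCP-wrappers-style matcher. This is an added example, not code from the thread or from cPanel. It assumes what WHM's Host Access Control does in practice: it writes rules of the form `daemon : client-list : action` to /etc/hosts.allow, and the daemon names sshd, whostmgrd and cpaneld are the ones used there for SSH, WHM and cPanel logins (taken as an assumption). The addresses are constructed. The point it makes beyond the posts: evaluation is first match wins, and a 255.255.255.0 mask covers only the 256 addresses 1.134.0.0 to 1.134.0.255, so a client at 1.134.5.7 slips past that pattern but is caught by a 255.255.0.0 mask or the prefix form `1.134.`.

```python
import ipaddress

# Constructed example rules in the /etc/hosts.allow syntax that WHM's
# Host Access Control writes (daemon : client-list : action). The daemon
# names are the ones cPanel uses for SSH, WHM and cPanel logins (assumed);
# 203.0.113.10 stands in for the single admin address and is not a real host.
SAMPLE_RULES = """
# SSH and WHM: one admin address allowed, everyone else denied
sshd      : 203.0.113.10              : allow
sshd      : ALL                       : deny
whostmgrd : 203.0.113.10              : allow
whostmgrd : ALL                       : deny
# cPanel logins for hosted customers stay open, apart from one blocked range
cpaneld   : 1.134.0.0/255.255.255.0   : deny
cpaneld   : ALL                       : allow
"""


def parse_rules(text):
    """Return a list of (daemon, [client patterns], action) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemon, clients, action = (part.strip() for part in line.split(":", 2))
        rules.append((daemon, [c.strip() for c in clients.split(",")], action.lower()))
    return rules


def client_matches(pattern, ip):
    """Match one hosts.allow client pattern against a dotted-quad address."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:                 # net/mask form, e.g. 1.134.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):          # prefix form, e.g. "1.134." matches 1.134.x.x
        return ip.startswith(pattern)
    return addr == ipaddress.ip_address(pattern)


def decide(rules, daemon, ip):
    """First matching rule wins, as tcp_wrappers does; no match means allow."""
    for rule_daemon, clients, action in rules:
        if rule_daemon not in (daemon, "ALL"):
            continue
        if any(client_matches(c, ip) for c in clients):
            return action
    return "allow"


def addresses_covered(pattern):
    """How many addresses a net/mask pattern actually covers."""
    net, mask = pattern.split("/", 1)
    return ipaddress.ip_network(f"{net}/{mask}", strict=False).num_addresses


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for daemon, ip in [("sshd", "203.0.113.10"), ("sshd", "1.134.5.7"),
                       ("cpaneld", "1.134.0.9"), ("cpaneld", "1.134.5.7")]:
        print(f"{daemon:10} {ip:15} -> {decide(rules, daemon, ip)}")
    for pat in ("1.134.0.0/255.255.255.0", "1.134.0.0/255.255.0.0"):
        print(f"{pat} covers {addresses_covered(pat)} addresses")
```

Two things follow from the model. A deny rule that ends in a /255.255.255.0 mask blocks one /24, not the whole second-octet range, so a client hopping between mobile addresses in the same /16 keeps matching the `ALL : allow` fallback. And pinning sshd and whostmgrd to a single allowed address only works if the administrator connects from that address; with a dynamic IP, as the poster notes, the allow line has to be updated out of band before the deny line locks the administrator out too.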

cPanelMichael

Administrator
Staff member
Apr 11, 2011
It's likely a good idea to consult with a qualified security specialist if unauthorized users are accessing your system or services.

Thank you.