How to track down hacker IP

Discussion in 'General Discussion' started by mambovince, Dec 21, 2006.

  1. mambovince

    mambovince Well-Known Member

    Hi,
    One of my VPS servers was hacked.
    This person was able to:
    access my main cPanel account
    change my contact email to a Yahoo email
    change my server contact email to same Yahoo email
    create a new account owned by root user with another Yahoo email address

    I'm running WHM 10.8.0 cPanel 10.9.0-S80
    Fedora i686 - WHM X v3.1.0

    Have since changed my root password and the email addresses back, and deleted the new account.

    Asked my VPS provider if they could have a look around, and also track down the IP so we can block it.

    Amazingly, they said they cannot find the IP this person used.

    I am no expert in such matters, but find this a little difficult to swallow.
    Can anyone here help or know how?

    Lastly, is there any known cPanel exploit that lets this happen?
    The only thing I can think of is that my password was 10 characters, and I seem to remember cPanel had a problem with anything over 8?

    Appreciate any help.

    - Vince
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Username 8, passwords can be much longer. Have you dug thru the log files or were they removed?
     
  3. mambovince

    mambovince Well-Known Member

    I am not capable of digging in and identifying which IP created the hacker account; that's why I asked my VPS provider.

    Thanks for reply,

    - Vince
     
  4. jayh38

    jayh38 Well-Known Member

    I would suggest asking them to reload a fresh template for you and get the VPS secured.

    Provided someone obviously had access to the entire VPS, you still may be compromised, and a firewall against proxy or easily changeable addresses will stop no one.

    It's not surprising that address traces may not be found, as they do have access to all your logs and the ability to edit at will.

    If your provider will not or refuses to reload your template to a fresh install, then seek another provider.
     
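
As an added illustration of Infopro's question about the log files and jayh38's point that a root-level intruder can edit them (example code written for this thread, not from cPanel or any poster): a small Python parser for lines in the layout of WHM's own access_log that groups account-creation, account-termination and contact-change requests by source IP, and flags timestamps that run backwards as a cheap sign of a hand-edited log. The log path, the month/day/year timestamp format and the `contact` path pattern are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the layout of cPanel/WHM's own access_log
# (assumed path /usr/local/cpanel/logs/access_log, month/day/year timestamps).
SAMPLE_LOG = """\
203.0.113.7 - root [12/21/2006:03:14:05 -0000] "GET /scripts/editcontact HTTP/1.1" 200 0 "" "Mozilla/4.0"
203.0.113.7 - root [12/21/2006:03:15:41 -0000] "POST /scripts/wwwacct HTTP/1.1" 200 0 "" "Mozilla/4.0"
198.51.100.2 - root [12/21/2006:09:02:10 -0000] "GET /scripts/command HTTP/1.1" 200 0 "" "Mozilla/4.0"
198.51.100.2 - root [12/21/2006:01:00:00 -0000] "GET /scripts/killacct HTTP/1.1" 200 0 "" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# WHM actions matching the thread's symptoms: wwwacct/killacct are WHM's
# account create/terminate scripts; the "contact" substring is an assumption.
SENSITIVE = {"/scripts/wwwacct": "account created",
             "/scripts/killacct": "account terminated",
             "contact": "contact details changed"}

def parse_access_log(text):
    # One dict per well-formed line; anything that does not match is skipped.
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries

def sensitive_actions(entries):
    # Map source IP -> [(timestamp, description)] for successful sensitive requests.
    by_ip = defaultdict(list)
    for e in entries:
        for needle, what in SENSITIVE.items():
            if needle in e["path"] and e["status"] == 200:
                by_ip[e["ip"]].append((e["ts"], what))
                break
    return dict(by_ip)

def tamper_hints(entries):
    # An appended log only moves forward in time; a backwards jump is a cheap
    # sign that lines were removed or hand-edited (jayh38's caveat).
    return [f"{c['ip']} {c['path']} at {c['ts']:%H:%M:%S} precedes the entry before it"
            for p, c in zip(entries, entries[1:]) if c["ts"] < p["ts"]]
```

Run it over a copy of the log preserved by the provider or an off-host backup rather than the live file, since anything still on the compromised VPS may already have been cleaned.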
  5. mambovince

    mambovince Well-Known Member

    jayh38,
    Thanks for your reply.
    Just to help me understand what you are suggesting, will the loading of a 'fresh template' affect existing data/accounts, so a full VPS backup should be done beforehand?

    If you don't mind explaining, what exactly does this do?

    I was once told that a full backup was needed, and VPS rebuilt, then restore all the accounts. But surely, if the hacker has compromised and left scripts within any of the accounts, they would get in again and all was to no avail.

    Am I missing something?

    Many thanks,

    - Vince

    P.S. I forgot to mention that during the compromise the VPS was still using a version 2.4.x kernel, but coincidentally I was migrated to a VPS with 2.6.9-023stab033.9-enterprise just a few hours after. I believe this is a more secure kernel, and maybe due to the migration I already have a 'fresh template' now anyway?
     
    #5 mambovince, Dec 21, 2006
    Last edited: Dec 21, 2006