The Community Forums


httpd needed restart

Discussion in 'General Discussion' started by neiderlaander, Jun 9, 2009.

  1. neiderlaander (Registered; Lansing, MI)
    Hey all, I'm fairly new to cPanel, but I just ran into some script kiddie who got into my server and put a redirect on one of my sites. Basically, I'm trying to find the log of what happened so I can destroy the security hole. What log would I have to pull to see that?
     
  2. chinmay (Well-Known Member; localhost)
    If the redirect has been set from the cPanel you can check the cPanel access logs on the server for the domain. The cPanel access logs are located at "/usr/local/cpanel/logs/access_log".

    If you still have any issue, do post how the redirect was set on the server.
     
  3. PlatinumServerM (Well-Known Member, PartnerNOC; New Jersey, USA; cPanel Access Level: Root Administrator)
  4. Spiral (BANNED)
    In addition to what PlatinumServerM said, there is "/usr/local/apache/domlogs",
    which will give you the detailed logs for each account.

    If exploited by IP address, or not against an account specifically, the general access_log
    and error_log files at /usr/local/apache/logs may be revealing.

    It goes without saying that you should take a look at /usr/local/apache/conf/httpd.conf,
    at the VirtualHost configuration for the compromised account or domain, and
    also at the individual files within that account, as your first starting place.

    There is also the possibility that the compromise was done through some
    other avenue or service other than cPanel or a direct web attack.

    How strong are your passwords?
    Do you have any exploitable services?
    Do you have the latest updates and patches?
    Have you closed security holes and hardened the server?

    (Sorry, but as good as cPanel is as a general management system
    for a server, it downright sucks, for lack of a better word, when talking
    about real defensive security, although it is improving slowly.
    *** no offense meant ***)

    Who has SSH access on your server? (check /etc/passwd)

    Speaking of the last question, you should also check the ".bash_history"
    files in each home directory where users have shell access, which will
    often be listed as "/bin/jailshell" or "/bin/bash" in /etc/passwd.

    (I personally don't recommend any shell access for users unless
    absolutely required, and even then I would strongly curtail the idea.)

    In your /var/log folder, I would review all logs, but pay the closest attention
    to your 'messages' and 'secure' files. There is also binary log data available,
    but that is really beyond the scope of this help post.

    *** Note: most hackers that have any sense know to doctor the logs, but
    that often leaves behind telltale signs of a different sort.

    It is also possible that the attack was made by obtaining access to a normal
    user's account via a weak or vulnerable script legitimately posted by the user
    (I can help you with that) or by a weak, guessable password, and then finding
    a way to escalate once inside (easier to do that way, especially if a server
    isn't properly secured from the inside or between user accounts).

    Anyway, those are just some tips. Hope you can track down the issue,
    but if you need any help closing down the problem or hardening your
    server so that this doesn't happen to you again, I'd be glad to give you
    a hand. I've actually got more than 30 years' experience as a systems
    administrator myself and I know how most hackers think, so don't feel
    like you are stuck alone if you can't figure out what is going on.
     
    #4 Spiral, Jun 10, 2009
    Last edited: Jun 10, 2009
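The checks Spiral lists above (interactive shells in /etc/passwd, the per-account domlogs, the redirect in the account's own files) are mechanical enough to script. The following is an added example written for this page, not code from the thread or from cPanel: it builds constructed sample data (a passwd excerpt, an Apache combined-format domlog, and an .htaccess carrying a referer-conditional redirect) in a temp directory and runs four small triage functions over it. On a real server you would point the functions at the paths the post names (/etc/passwd, /usr/local/apache/domlogs/<domain>, and the account's public_html); the sample file names and IP addresses are assumptions for the demonstration.

```shell
#!/usr/bin/env bash
# Added triage helper for the checks discussed in this thread. Not from the
# original post or from cPanel. All input below is constructed sample data
# written to temp files; substitute the real paths (/etc/passwd,
# /usr/local/apache/domlogs/<domain>, /home/<user>/public_html) on a live box.
set -u

WORK=$(mktemp -d)

# Constructed /etc/passwd excerpt: two interactive shells, two locked accounts.
SAMPLE_PASSWD="$WORK/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/false
EOF

# Constructed domlog in Apache combined format. Only one client ever POSTs.
SAMPLE_DOMLOG="$WORK/domlog"
cat > "$SAMPLE_DOMLOG" <<'EOF'
203.0.113.5 - - [09/Jun/2009:10:11:12 -0400] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2009:10:11:40 -0400] "POST /wp-content/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2009:10:12:01 -0400] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2009:10:13:22 -0400] "POST /wp-content/upload.php HTTP/1.1" 200 91 "-" "curl/7.19"
EOF

# Constructed .htaccess: a referer-conditional redirect, which sends visitors
# arriving from a search engine elsewhere while the owner sees a normal site.
SAMPLE_DOCROOT="$WORK/public_html"
mkdir -p "$SAMPLE_DOCROOT"
cat > "$SAMPLE_DOCROOT/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]
RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]
EOF

# Accounts whose login shell is interactive (the post names jailshell and bash).
# Prints "user shell", one per line; these are the homes whose .bash_history to read.
shell_users() {
    awk -F: '$7 ~ /\/(bash|jailshell|sh|zsh|ksh)$/ { print $1, $7 }' "$1"
}

# Source IPs that sent POST requests, with counts, most active first.
# A redirect planted through a web script almost always arrives as a POST.
posting_ips() {
    awk '$6 == "\"POST" { print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Redirect and rewrite directives in an .htaccess file, with line numbers.
# Exits 0 even when nothing matches so it is safe under "set -e".
redirect_directives() {
    grep -nEi '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule|RewriteCond)[[:space:]]' "$1" || true
}

# Files under a document root changed within the last N days (default 7):
# the quickest way to spot what the intruder touched in the account itself.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# Stand-alone report on the sample data.
echo "== interactive shells (check their .bash_history) =="; shell_users "$SAMPLE_PASSWD"
echo "== POST sources in domlog =="; posting_ips "$SAMPLE_DOMLOG"
echo "== redirect directives in .htaccess =="; redirect_directives "$SAMPLE_DOCROOT/.htaccess"
echo "== files modified in the last 2 days =="; recently_modified "$SAMPLE_DOCROOT" 2
```

Run against a real account, the interesting correlation is the timestamp: take the mtime of the altered .htaccess (or of whatever file `recently_modified` turns up), then look at the domlog entries from the same minute and see which of the `posting_ips` clients was active. That request is usually the one that abused the vulnerable script, and the script path it hit is the hole to close.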