
HUGE security problem

Discussion in 'Security' started by silentcircuit, May 2, 2004.

  1. silentcircuit

    silentcircuit Active Member

    Joined:
    Nov 19, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    I kept my ssh window open today when I left to do something and when I came back there were about 20 of these broadcast messages.

    "Broadcast Message from nobody@host.mydomain.com
    (no tty) at 0:05 EDT...

    your box is owned via httpd. it was being used to attack servers. httpd is bein
    killed via crontab. please secure your machine "

    Anyone know what the problem here is and what I can do about this?

    Thanks so much.
     
  2. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Seems like someone has taken control of your server. You would need to check things like whether a rootkit was installed and start checking logs.


    http://www.chkrootkit.org
     
  3. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Sounds like a msg. from a Tech at your DC. Contact them to make sure, although, they should have sent you an eMail msg. as well, if it was the DC.
     
  4. silentcircuit

    silentcircuit Active Member

    Joined:
    Nov 19, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    gonna ask my colo to see if it is an auto message from a router or what, I don't know what it is but it is definitely worrisome
     
  5. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Do any websites show up at all? If it was from the DC it would be from root instead of nobody@host.domain.com. That seems more like a PHP running in cron where someone has done a SU injection.
     
  6. silentcircuit

    silentcircuit Active Member

    Joined:
    Nov 19, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    the weird part is that the server is running completely fine. I don't notice anything wrong other than this crappy broadcast. What would be the best way to check for someone running a script like this?

    I reinstalled apache and am still getting this message.

    I also checked the cronjobs and there is nothing out of the ordinary, just the default cronjobs in there. No clue what is going on.
     
    #6 silentcircuit, May 3, 2004
    Last edited: May 3, 2004
  7. bamasbest

    bamasbest Well-Known Member

    Joined:
    Jan 10, 2004
    Messages:
    531
    Likes Received:
    0
    Trophy Points:
    16
    Have you installed a firewall yet?
     
  8. silentcircuit

    silentcircuit Active Member

    Joined:
    Nov 19, 2002
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    no I haven't, I basically use a modified version of the default cPanel install. What would you recommend using?
     
  9. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Go to http://www.rfxnetworks.com and download APF. There are many guides here on which ports to leave open and how to configure it. He has a list on his forums also.

    Go to http://www.chkrootkit.org and download that to your server. Run tar xfvz chkrootkit-xxx.tar.gz then cd to chkrootkitxxx. Do make sense then ./chkrootkit. It will tell you which rootkit you have installed. Someone has broken into your server and they are being nice at this point. You need to get the kit out if possible and get a firewall installed asap.
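Added triage helper for the checks discussed in this thread (not code from the thread, from cPanel or from chkrootkit): the broadcast came from nobody, the user httpd runs as, so the first thing to look at is what else is running as that user and whether it has a crontab. The script parses a constructed `ps -eo user,pid,ppid,cmd` capture and a constructed crontab listing embedded inline; the web-user name, the expected httpd path, the sample data and the extra "reparented to init" rule (which goes slightly beyond what the thread says) are all assumptions.

```python
# Added example, not from the thread: triage what runs as the web-server user.
WEB_USER = "nobody"  # assumption: cPanel's Apache of that era ran httpd as nobody
EXPECTED_EXES = ("/usr/local/apache/bin/httpd", "httpd")  # assumed httpd path
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable drop zones

# Constructed sample of `ps -eo user,pid,ppid,cmd` output, not a real capture.
SAMPLE_PS = """\
USER       PID  PPID CMD
root       812     1 /usr/local/apache/bin/httpd -DSSL
nobody    1203   812 /usr/local/apache/bin/httpd -DSSL
nobody    1204   812 /usr/local/apache/bin/httpd -DSSL
nobody    2291     1 perl /tmp/.x/bot.pl
nobody    2310  2291 /bin/sh -c /tmp/.x/run.sh
"""
# Constructed sample of `crontab -l -u nobody` output; cPanel installs none.
SAMPLE_CRON = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
*/5 * * * * /tmp/.x/bot.pl >/dev/null 2>&1
"""

def parse_ps(text):
    """Parse ps output (header line first) into dicts; cmd keeps its args."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, cmd = parts
            rows.append({"user": user, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return rows

def suspicious_web_procs(rows):
    """Web-user processes that are not httpd itself, that touch a world-writable
    directory, or that were reparented to init (ppid 1), i.e. a daemonised
    child that outlived the request which spawned it."""
    hits = []
    for r in rows:
        if r["user"] != WEB_USER:
            continue
        exe = r["cmd"].split()[0]
        if (exe not in EXPECTED_EXES or r["ppid"] == 1
                or any(d in r["cmd"] for d in WRITABLE_DIRS)):
            hits.append(r["cmd"])
    return hits

def suspicious_cron_lines(crontab_text):
    """Every active line in the web user's crontab is suspect: nothing legitimate
    installs one, and the broadcast said httpd was being killed via crontab."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]
```

On a live box, feed it the real `ps -eo user,pid,ppid,cmd` and `crontab -l -u nobody` output; anything it lists is a starting point for the chkrootkit and log review above, not proof of compromise on its own.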
     