I think my server is hacking other servers...

aboleth

Hey, my cPanel server keeps making FTP connections to other servers and brute forcing passwords... I've gotten a few complaints. Right now in netstat it shows several FTP data streams going to other servers. How can I check to see where these originate from? I don't see anyone logged in doing it, and I'm not falling victim to a rootkit (according to rkhunter). Any suggestions?

Thanks!

Nick
 

MiCR0

It could be a PHP script doing it.

2 ways I can think of tracing it.

1.) Turn off remote FTP connections in php.ini and check the error logs to see who is spamming.

2.) Check top and see what domains are using the most CPU time, and then check those accounts and their code.
 

mtindor

If you have a firewall running on that server, block OUTBOUND TCP 21 so that your server can't contact other FTP servers on their default port. That will stop the reports.

But that is in no way a fix to your problem. You've obviously got a script on there somewhere that is doing this - It could be a localized exploit of a user account or it could be a full root server compromise. But you have to stop the activity from affecting others first.

If you have console access to the server, you should take it off the network and start looking into logs, running processes, etc - and don't reboot it before you get a chance to look, because any useful evidence of a hack that may be useful could disappear after a reboot and other things.

As root: lsof -n|grep TCP|grep ftp

You should be able to see what process is running that is connecting to remote FTP servers.

Mike
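
An added example, not part of any post in this thread: the `lsof` check above, extended to count outbound FTP connections per user and process. It matches on the numeric remote port 21 instead of grepping for the service name, so the server's own inbound FTP sessions are excluded; the sample lines and the account names `acct1`/`acct2` are constructed.

```shell
#!/bin/sh
# Added example. Reads `lsof -nP -iTCP` output on stdin and prints
# "count user command pid" for every process holding connections whose
# REMOTE port is 21 (outbound FTP control channel), busiest first.
ftp_out_summary() {
    awk '
        $1 == "COMMAND" { next }                 # lsof header line
        {
            name = ""
            for (i = 1; i <= NF; i++)            # NAME is the field with "->"
                if (index($i, "->")) name = $i
            if (name == "") next                 # LISTEN sockets have no peer
            remote = name
            sub(/^.*->/, "", remote)             # keep the peer side
            port = remote
            sub(/^.*:/, "", port)                # last ":" works for IPv6 too
            if (port != "21") next               # inbound to local ftpd, HTTP, ...
            seen[$3 " " $1 " " $2]++             # user, command, pid
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample (documentation address ranges), not output from a real host.
sample_lsof() {
    cat <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pure-ftpd  900   root    4u  IPv4  11001      0t0  TCP *:21 (LISTEN)
pure-ftpd  911   root    5u  IPv4  11050      0t0  TCP 192.0.2.10:21->203.0.113.5:40112 (ESTABLISHED)
httpd     2201 nobody    9u  IPv4  12007      0t0  TCP 192.0.2.10:80->203.0.113.9:51544 (ESTABLISHED)
php       4312  acct1    5u  IPv4  13001      0t0  TCP 192.0.2.10:51234->198.51.100.7:21 (ESTABLISHED)
php       4312  acct1    6u  IPv4  13002      0t0  TCP 192.0.2.10:51236->198.51.100.8:21 (SYN_SENT)
php       4312  acct1    7u  IPv4  13003      0t0  TCP 192.0.2.10:51238->198.51.100.9:21 (ESTABLISHED)
php       4400  acct2    4u  IPv6  13100      0t0  TCP [2001:db8::10]:40000->[2001:db8::99]:21 (ESTABLISHED)
EOF
}

# On a live server, as root:  lsof -nP -iTCP | ftp_out_summary
sample_lsof | ftp_out_summary
```

If PHP runs under a shared user rather than per account, the USER column will not separate accounts; the PID can still be inspected with `lsof -p PID` to see its working directory and open files.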
 

aboleth

Stopping php from being able to send ftp commands stopped it, so now I just have to track down the offender.