The Community Forums


I think my server is hacking other servers...

Discussion in 'General Discussion' started by aboleth, Apr 30, 2009.

  1. aboleth (Well-Known Member)
    Hey, my cPanel server keeps making FTP connections to other servers and brute forcing passwords... I've gotten a few complaints. Right now in netstat it shows several FTP data streams going to other servers. How can I check to see where these originate from? I don't see anyone logged in doing it, and I'm not falling victim to a rootkit (according to rkhunter). Any suggestions?

    Thanks!

    Nick
     
  2. MiCR0 (Registered)
    A PHP script could be doing it.

    Two ways I can think of to trace it:

    1.) Turn off remote FTP connections in php.ini and check the error logs to see who is spamming.

    2.) Check top and see which domains are using the most CPU time, then check those accounts and their code.
     
  3. aboleth (Well-Known Member)
    I will take a look, thanks!
     
  4. mtindor (Well-Known Member, cPanel Access Level: Root Administrator)
    If you have a firewall running on that server, block OUTBOUND TCP 21 so that your server can't contact other FTP servers on their default port. That will stop the reports.

    But that is in no way a fix to your problem. You've obviously got a script on there somewhere that is doing this - It could be a localized exploit of a user account or it could be a full root server compromise. But you have to stop the activity from affecting others first.

    If you have console access to the server, you should take it off the network and start looking into logs, running processes, etc. - and don't reboot it before you get a chance to look, because any evidence of the hack that may be useful could disappear after a reboot or other changes.

    As root: lsof -n|grep TCP|grep ftp

    You should be able to see what process is running that is connecting to remote FTP servers.

    Mike
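The lsof check in the post above, worked into a small triage helper. This is an added example, not code from the thread: it parses lsof output and reports which local process (PID, user, command) owns each TCP connection to a remote port 21, so the owning account can be investigated before anything is killed or rebooted. The lsof output embedded here is constructed and stands in for what `lsof -nP -iTCP -sTCP:ESTABLISHED` prints on the affected server (the `-P` matters: the parser expects numeric ports, whereas the `grep ftp` in the post relies on lsof resolving port 21 to the name "ftp"). The `inspect_pid` helper assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added triage example (not from the thread). Finds local processes that hold
# TCP connections to a remote port 21 and maps them to PID/user/command.

# Constructed sample, standing in for: lsof -nP -iTCP -sTCP:ESTABLISHED
# Column layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234   root    3u  IPv4  12345      0t0  TCP 203.0.113.10:22->198.51.100.7:51022 (ESTABLISHED)
php      4321  user1    5u  IPv4  23456      0t0  TCP 203.0.113.10:41234->192.0.2.15:21 (ESTABLISHED)
php      4321  user1    6u  IPv4  23457      0t0  TCP 203.0.113.10:41235->192.0.2.16:21 (ESTABLISHED)
httpd    2222 nobody    7u  IPv4  34567      0t0  TCP 203.0.113.10:80->198.51.100.9:60000 (ESTABLISHED)
pure-ftpd 999  root     4u  IPv4  45678      0t0  TCP 203.0.113.10:21->198.51.100.11:50001 (ESTABLISHED)'

# outbound_ftp LSOF_TEXT
# Prints "PID USER COMMAND REMOTE_ADDR" for every connection whose *remote*
# end is port 21. Inbound sessions to our own FTP daemon (local port 21,
# remote port something else) are deliberately excluded.
outbound_ftp() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $8 == "TCP" {
            n = split($9, ends, "->")          # local->remote
            if (n == 2 && ends[2] ~ /:21$/) {
                sub(/:21$/, "", ends[2])       # keep just the remote host
                print $2, $3, $1, ends[2]
            }
        }' | sort -u
}

# outbound_ftp_pids LSOF_TEXT
# Distinct PIDs behind the outbound FTP connections, one per line.
outbound_ftp_pids() {
    outbound_ftp "$1" | awk '{ print $1 }' | sort -u
}

# inspect_pid PID
# On the live server: where the binary and working directory are, and the
# full command line. The cwd is usually the account directory holding the
# script. Linux /proc assumed; record this before killing anything.
inspect_pid() {
    echo "== PID $1"
    ls -l "/proc/$1/exe" "/proc/$1/cwd" 2>/dev/null
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null; echo
}

# Run against the constructed sample; on a real box substitute
#   outbound_ftp "$(lsof -nP -iTCP -sTCP:ESTABLISHED)"
outbound_ftp "$SAMPLE_LSOF"
```

On the sample this reports a single PID (4321, a `php` process running as user1) with sessions to two different remote hosts, which is the fan-out pattern of a brute-forcer rather than a legitimate client. Feed each PID to `inspect_pid` and, per the post above, take the host off the network or block outbound TCP/21 first; with plain iptables that would be a rule such as `iptables -I OUTPUT -p tcp --dport 21 -j REJECT` (which firewall front-end the server actually runs is not stated in the thread, so that rule is an assumption).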
     
  5. aboleth (Well-Known Member)
    Stopping php from being able to send ftp commands stopped it, so now I just have to track down the offender.
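The thread does not say which php.ini directives were used to stop PHP from sending FTP commands. The added example below, which is not from the thread, checks a php.ini for the two settings that normally matter: the `ftp_*` extension functions (switched off per function through `disable_functions`) and the `ftp://` stream wrapper (switched off through `allow_url_fopen`). The php.ini text is a constructed fragment; the list of `ftp_*` functions covers the entry points a script needs to connect, log in and transfer, not every function in the extension.

```shell
#!/bin/sh
# Added hardening check (not from the thread): does this php.ini still let
# PHP scripts open outbound FTP sessions?

# Constructed php.ini fragment standing in for the server's php.ini.
SAMPLE_PHP_INI='; constructed sample
allow_url_fopen = On
disable_functions = exec,passthru,ftp_connect,ftp_login'

# The ftp_* entry points a brute-forcer cannot do without. PHP has more
# ftp_* functions, but none of them are usable without a connection/login.
FTP_FUNCS='ftp_connect ftp_ssl_connect ftp_login ftp_put ftp_get ftp_nb_put ftp_nb_get'

# ini_get INI_TEXT DIRECTIVE
# Value of a directive with spaces and quotes stripped. Last definition wins,
# as it does in PHP itself. Empty output means the directive is not set.
ini_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        $1 ~ "^[ \t]*" key "[ \t]*$" { v = $2 }
        END { gsub(/[ \t"]/, "", v); print v }'
}

# ftp_funcs_still_enabled INI_TEXT
# Prints each function from FTP_FUNCS that is NOT listed in disable_functions.
ftp_funcs_still_enabled() {
    disabled=",$(ini_get "$1" disable_functions),"
    for f in $FTP_FUNCS; do
        case "$disabled" in
            *",$f,"*) ;;          # disabled
            *) echo "$f" ;;       # still callable
        esac
    done
}

# ftp_wrapper_enabled INI_TEXT
# Returns 0 if ftp:// URLs can be opened with fopen()/file_get_contents().
# PHP defaults allow_url_fopen to On, so an unset directive counts as enabled.
ftp_wrapper_enabled() {
    v=$(ini_get "$1" allow_url_fopen | tr 'A-Z' 'a-z')
    case "${v:-on}" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the constructed sample; on a real box pass "$(cat /path/to/php.ini)".
echo "ftp_* functions still enabled:"
ftp_funcs_still_enabled "$SAMPLE_PHP_INI"
if ftp_wrapper_enabled "$SAMPLE_PHP_INI"; then
    echo "allow_url_fopen is On: ftp:// stream wrapper is usable"
fi
```

On the sample, `ftp_connect` and `ftp_login` are disabled but `ftp_ssl_connect` is not, so a script can still log in over FTPS, and `allow_url_fopen` leaves `ftp://` URLs open to `fopen()` and `file_get_contents()`. Two caveats a practitioner should keep in mind: PHP's curl extension can also speak FTP, and a script can shell out to a command-line FTP client unless `exec`-style functions are disabled too, which is why the outbound TCP/21 block from the earlier post is still worth keeping while the offending account is tracked down.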
     