lfd on server WHM root access alert from

monddia

Member
Sep 6, 2010
Hello!

I have a problem! One of my servers is hacked. But not over SSH, it's over WHM!

Code:
lfd on server1.: WHM root access alert from 36.69.78.252 (ID/Indonesia/-)

Time:    Fri Apr 11 14:46:33 2014 +0200
IP:      36.69.xx.xx (ID/Indonesia/-)

And then it makes a new account:

+===================================+
| New Account Info                  |
+===================================+
| Domain: somedomain.com
| Ip: ..... (n)
| HasCgi: y
| UserName: hoosting
| PassWord: ***HIDDEN***
| CpanelMod: x3
| HomeRoot: /home
| Quota: unlimited Meg
| Contact Email:
| Package: admin
| Feature List: admin
| Language: de
+===================================+
Account was setup by: root
I removed the account and blocked the IP address! For 3 days, the same issue! I changed the root password... but nothing...

But I have more servers! On the other servers I don't have the WHM root hack problem! Just on this one!

Is this maybe the Heartbleed bug problem??

Can anybody help me?
 

monddia

Member
Sep 6, 2010
re: lfd on server WHM root access alert from

If you have not already, install ConfigServer Security and Firewall so you can block the hacker, and make sure you use very strong passwords for root.
Hello!

I use CSF! On all my servers! And I have a very strong password! But for 3 days a hacker has had root access over WHM!

I have changed the root password!!

And now today the same issue again! Root access from Indonesia!!

I don't know... really! I have changed the root password again, and today root access over WHM from Indonesia!!...
 

vlee

Well-Known Member
Oct 13, 2005
Spokane, Washington
cPanel Access Level
Root Administrator
re: lfd on server WHM root access alert from

Hello!

I use CSF! On all my servers! And I have a very strong password! But for 3 days a hacker has had root access over WHM!

I have changed the root password!!

And now today the same issue again! Root access from Indonesia!!

I don't know... really! I have changed the root password again, and today root access over WHM from Indonesia!!...
Add the IP manually into csf to block it.

Then check your computer to make sure you do not have keylogger malware or a virus.

Then change your root password using special characters.

Plus, in CSF use Check Server Security (Perform a basic security, stability and settings check on the server) and follow most of the items listed there, but not all of them, because it will break the server.

Also change server settings to PCI compliant settings in WHM: Home » Service Configuration » Apache Configuration » Global Configuration

I hope this helps.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
re: lfd on server WHM root access alert from

If your server has been exploited and root access has been obtained, then nothing short of reinstalling the OS/cPanel and restoring the accounts from backup archives is going to be a suitable method of cleaning the server. You may want to consult with a qualified security specialist to see if you can determine the source of the attack and to ensure the accounts you are backing up are not also vulnerable to an exploit or have not already been altered.

Thank you.
 

waskme

Registered
Jul 15, 2014
cPanel Access Level
Root Administrator
Hello!

I have a problem! One of my servers is hacked. But not over SSH, it's over WHM!

Code:
lfd on server1.: WHM root access alert from 36.69.78.252 (ID/Indonesia/-)

Time:    Fri Apr 11 14:46:33 2014 +0200
IP:      36.69.xx.xx (ID/Indonesia/-)

And then it makes a new account:

+===================================+
| New Account Info                  |
+===================================+
| Domain: somedomain.com
| Ip: ..... (n)
| HasCgi: y
| UserName: hoosting
| PassWord: ***HIDDEN***
| CpanelMod: x3
| HomeRoot: /home
| Quota: unlimited Meg
| Contact Email:
| Package: admin
| Feature List: admin
| Language: de
+===================================+
Account was setup by: root
I removed the account and blocked the IP address! For 3 days, the same issue! I changed the root password... but nothing...

But I have more servers! On the other servers I don't have the WHM root hack problem! Just on this one!

Is this maybe the Heartbleed bug problem??

Can anybody help me?
This is an active exploit. I thought this was unique to me and I am glad to find out it is not. Four servers were compromised this way from an IP address from Indonesia. From our logs, the hacker gains access via WHM using root password and then changes the root password. We tried resetting the passwords but he gained access again. He then adds security questions to WHM which would prevent anyone who has login access to the server. He then also disables SSH password login which prevented us from accessing the server via SSH even after getting our DC to change the root password. We tried blacklisting Indonesia using CSF but he simply gained access again. Our only solution was to block access to ports 2086 and 2087. We were unsure how he gained access but this post now confirms this is an exploit of WHM! He only gains access via WHM and we have very strong passwords which he could possibly never guess (with cphulk and CSF there to prevent such an option) and we only login via SSL and this cannot possibly be a heartbleed issue as our servers are immune to that bug.

I wrote to cPanel and I was told that I cannot be assured that there would be no data loss while they investigate the matter which is unacceptable to me. Can anyone advise on this?
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
cPanelMichael has already provided the proper advice, just above you.

There is no "active exploit" that I'm aware of that provides someone with the root user's password in advance so he can log in to your server without being blocked. You might want to check your own computer for issues as a good place to start, though. You should also look into hiring a professional to assist you with your server if you're unsure of the path forward from there.
 

waskme

Registered
Jul 15, 2014
cPanel Access Level
Root Administrator
cPanelMichael has already provided the proper advice, just above you.

There is no "active exploit" that I'm aware of that provides someone with the root user's password in advance so he can log in to your server without being blocked. You might want to check your own computer for issues as a good place to start, though. You should also look into hiring a professional to assist you with your server if you're unsure of the path forward from there.
Hello,

I would have to disagree with you on this. As I have pointed out, this hacker gained access to 4 different servers with different logins from the same IP mentioned above. He still had access even after we changed the passwords. We have thought of all possible scenarios and had server admins check our servers, and nothing seems amiss. Also, this person did not even attempt to try SSH. Just as a test scenario, we got our data center to reset the password of one of the servers and we did not even try logging in and, as expected, the hacker gained access.

===================
Subject: lfd on xx.xxx.xx: WHM/cPanel root access alert from 36.72.xxx.xx (ID/Indonesia/-)

Time: Tue Jul 15 02:59:42 2014 -0500
IP: 36.72.xxx.xx (ID/Indonesia/-)
User: root
===================

This is not a coincidence, and our servers are already hardened against all possible scenarios. We have also confirmed that the password was not reset before the hacker gained access to the server.

===================
Subject: lfd on xx.xxx.xx: Account modification alert

Time: Tue Jul 15 02:59:30 2014 -0500

Reported Modifications:

Account [root] password has changed
===================

So, here are my points:

- This hack seems to be from Indonesia
- This hacker seems to gain access to the server with root password that could not have been guessed or stolen (we have run all possible scenarios and checked all logs to confirm this)
- He only gains access via WHM and then changes the root password
- He does not attempt to gain access to SSH even though he supposedly has the root password. This suggests to me he probably doesn't
- Seems the only way to stop him is to block WHM access


This looks like an exploit to me as there is no other explanation.


Regards
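As an added illustration (not code from anyone in this thread), the detection logic below parses lfd alerts in the format quoted above and flags a root WHM login from an IP outside an admin allowlist, escalating the finding when a root password change lands within a few minutes of the login, as in the two alerts above. The hostname, IPs and allowlist are constructed placeholders.

```python
import re
from datetime import datetime, timedelta
# Constructed sample mailbox modelled on the lfd alerts quoted in this thread;
# hostname and IPs are placeholders (RFC 5737 ranges), not the thread's values.
SAMPLE_ALERTS = """\
Subject: lfd on web1.example.net: WHM/cPanel root access alert from 203.0.113.45 (ID/Indonesia/-)
Time: Tue Jul 15 02:59:42 2014 -0500
IP: 203.0.113.45 (ID/Indonesia/-)
===================
Subject: lfd on web1.example.net: Account modification alert
Time: Tue Jul 15 02:59:30 2014 -0500
Account [root] password has changed
===================
Subject: lfd on web1.example.net: WHM/cPanel root access alert from 198.51.100.7 (US/United States/-)
Time: Tue Jul 15 09:10:00 2014 -0500
IP: 198.51.100.7 (US/United States/-)
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y %z"          # lfd "Time:" line, e.g. "Tue Jul 15 02:59:42 2014 -0500"
TIME_RE = re.compile(r"^Time:\s+(.+)$", re.M)
ACCESS_RE = re.compile(r"root access alert from (\d{1,3}(?:\.\d{1,3}){3})")
PWCHANGE_RE = re.compile(r"Account \[root\] password has changed")

def parse_alerts(text):
    """Split a mailbox of lfd alerts into (time, kind, ip) events, oldest first."""
    events = []
    for block in re.split(r"^=+$", text, flags=re.M):   # alerts are separated by "====" rules
        t = TIME_RE.search(block)
        if not t:
            continue
        when = datetime.strptime(t.group(1).strip(), TIME_FMT)
        m = ACCESS_RE.search(block)
        if m:
            events.append((when, "root_login", m.group(1)))
        elif PWCHANGE_RE.search(block):
            events.append((when, "root_pw_change", None))
    return sorted(events, key=lambda e: e[0])

def correlate(events, trusted_ips, window=timedelta(minutes=5)):
    """Flag root WHM logins from IPs outside trusted_ips; a root password change
    within +/- window escalates it (lfd reports the two independently, so the
    change can carry an earlier timestamp than the login, as in the thread)."""
    changes = [when for when, kind, _ in events if kind == "root_pw_change"]
    findings = []
    for when, kind, ip in events:
        if kind != "root_login" or ip in trusted_ips:
            continue
        takeover = any(abs(c - when) <= window for c in changes)
        findings.append((ip, when.isoformat(), "root_takeover_suspected" if takeover else "untrusted_root_login"))
    return findings
```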
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
We have thought of all possible scenarios and have server admins check our servers and nothing seems amiss.
Other than he got access to 4 of your servers, that is. If nothing 'seems amiss' after that, I think I'd be even more concerned.

Your list doesn't say exploit to me. Proof of how he got the root password for 4 of your servers, or logged in without root password, might though.
 

waskme

Registered
Jul 15, 2014
cPanel Access Level
Root Administrator
Other than he got access to 4 of your servers, that is. If nothing 'seems amiss' after that, I think I'd be even more concerned.

Your list doesn't say exploit to me. Proof of how he got the root password for 4 of your servers, or logged in without root password, might though.
Also note that he still gained access even after changing the passwords. Our "control experiment" also proved this as the DC changed the password of the server but we did not even try logging in to see if he would gain access and he did after two days. He couldn't have possibly known that password! The password is not sent as a mail and the log on our DC portal does not show any suspicious access to our account. It is therefore safe to conclude that this is an exploit!


Kindly advise.

Regards
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Your servers probably have a rootkit, such as ebury, on them. Once a server is compromised on a root level, changing the password is pointless; the hacker could easily leave backdoors that either provide them the new password or an alternate means to login to the server(s).

Other than a rootkit, if you use anything like WHMCS it can allow these exploits if left out-of-date. Or, if your kernels were not up-to-date and the servers were not recently rebooted into the new kernels, a single hacked site could allow privilege escalation to root.

As stated previously, you need to migrate your accounts to clean servers with clean, freshly installed, operating systems. You should also thoroughly scan your own computers for viruses (any computers you use to access WHM or SSH).
 

JamieD

Well-Known Member
Sep 3, 2003
We have had exactly the same issue as described here, exploit via WHM from Indonesia. We DO use a security company and we DO keep our server secured and up to date. We contacted our security company who were unable to determine how the attacker got in and advised to setup a brand new server. We did this and after a couple of days the new server had been hacked in exactly the same way.

We contacted cPanel, who investigated the server and concluded that they did not know how the hacker gained access. So that's one company specialising in server security, and cPanel themselves, that were unable to work out how the attackers gained access. This issue went right to the top of the security company and they had their most senior guys looking into the issue.

We also went to the lengths of setting up a server where no one in our company ever had any authentication details, aside from a single newly installed computer that was used in the setup of the server; this computer was not connected to the internet apart from one time when the server was being set up. That server then got hacked in exactly the same way. There is no way the hacker could have got access to this password.

The only solution that has prevented the hacker's access is to lock down the WHM ports so that only certain IP addresses can access the service. Now, if the attacker knew the root password, surely they would have simply gained access via SSH, which was left open to access from any IP address. This never happened.

Has anyone managed to figure out how the hackers gained access and how to prevent this? We are still, many months later, in a position where we dare not open access to port 2087 in fear of the hacker gaining access to the servers again.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Do you have any reseller accounts? I've seen servers get exploited due to resellers with extra privileges having their password compromised. The company kept restoring the server with a new OS and new root PW, but the reseller kept being restored with the same password and it had root privileges. One login to the reseller account and the server was owned again.

Or, do you use WHMCS by chance?
 

JamieD

Well-Known Member
Sep 3, 2003
Yes we have resellers but none have too many privileges. We do use WHMCS too, why do you ask?
 

Mckenzielaa

Member
Jul 10, 2014
cPanel Access Level
Root Administrator
What about a compromised RPM? If that server was a new install, it stands to reason a compromised RPM used in the cPanel install process could give access like this.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Yes we have resellers but none have too many privileges. We do use WHMCS too, why do you ask?
Any compromised account on a server with WHMCS can lead to root compromise from what I've seen, especially if the server is not using CageFS or other good cross-account symlink protection. It's hard for me to tell you anything concrete without access to the server and logs, but I do see a lot of root-compromised boxes from customers who use WHMCS. At least that software has been audited a bit and is in better shape security-wise than a year or two ago.

If there were actually a compromised RPM on a trusted repository, we'd all be in a world of hurt. It never hurts to check the signatures on your installed RPMs (rpm -qi $packagename), but I strongly doubt that's what is going on. That said, check any servers or any other Linux machines under your control thoroughly for the ebury rootkit. Also, double check all your resellers' privileges! I've seen cases where hackers gave resellers full root privileges on compromised servers, and those privileges were restored by the people doing the server migration.
 

JamieD

Well-Known Member
Sep 3, 2003
Our WHMCS runs on a different server hosting no user accounts; the WHMCS server was never hacked. I'm assuming the servers that got hacked were running WHMCS on the same server? We run CloudLinux/CageFS on all servers. I'll double check reseller permissions again.

- - - Updated - - -

Nope, all resellers have the expected privileges. Rootkit checkers have been run many times and found nothing. As I said, both a well-known server support company and cPanel themselves have looked over the server several times and found nothing.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Glad you're wise enough to run WHMCS on its own server. You are right, most of the people I see who get royally "owned" are running it on a server with customer accounts.

Wish I had more advice to offer for you.