The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

lfd on server WHM root access alert from

Discussion in 'Security' started by monddia, Apr 11, 2014.

  1. monddia

    monddia Member

    Joined:
    Sep 6, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Hello!

    I have a problem! 1 of my Server is hacked. But nut over ssh its over whm!

    Code:
    lfd on server1.: WHM root access alert from 36.69.78.252 (ID/Indonesia/-)
    
    Time:    Fri Apr 11 14:46:33 2014 +0200
    IP:      36.69.xx.xx (ID/Indonesia/-)
    
    And then make a new account:
    
    +===================================+
    | New Account Info                  |
    +===================================+
    | Domain: somedomain.com
    | Ip: ..... (n)
    | HasCgi: y
    | UserName: hoosting
    | PassWord: ***HIDDEN***
    | CpanelMod: x3
    | HomeRoot: /home
    | Quota: unlimited Meg
    | Contact Email:
    | Package: admin
    | Feature List: admin
    | Language: de
    +===================================+
    Account was setup by: root 
    
    I remove the account and block the ip adress! For 3 days the same issue! I change the root password.. but nothing..

    but i have more server! But on the another servers i dont have the whm root hack problem! Just on the 1 here!

    Is this maybe the Heartbleed Bug problem??

    can me anybody help me?
     
  2. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    re: lfd on server WHM root access alert from

    If you not have already install the ConfigServer Security and Firewall so you block the hacker and make sure use very strong passwords for root.
     
  3. monddia

    monddia Member

    Joined:
    Sep 6, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    re: lfd on server WHM root access alert from

    Hello!

    I use csf! On all my Server! And i have a very strong Password! But for 3 days a hacker have root access over whm!

    I have change the root password!!

    And now today the same issue again! root access from Indonesia!!

    I dont know.. really! I have change the root password again and today root access over whm from Indonesia!!..
     
  4. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    re: lfd on server WHM root access alert from

    Add the IP manually into csf to block it.

    Then check your computer to make sure you not have key logger malware or virus.

    Then change your root password using special characters.

    Plus in csf use the Check Server Security - Perform a basic security, stability and settings check on the server and follow most of the of them but not all the items listed there because it will break the server.

    Also change server settings to PCI compliant settings in WHM - Home »Service Configuration »Apache Configuration »Global Configuration

    I hope this helps.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    re: lfd on server WHM root access alert from

    If your server has been exploited and root access has been obtained, then nothing short of reinstalling the OS/cPanel and restoring the accounts from backup archives is going to be a suitable method of cleaning the server. You may want to consult with a qualified security specialist to see if you can determine the source of the attack and to ensure the accounts you are backing up are not also vulnerable to an exploit or have not already been altered.

    Thank you.
     
    speckados likes this.
  6. waskme

    waskme Registered

    Joined:
    Jul 15, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    This is an active exploit. I thought this was unique to me and I am glad to find out it is not. Four servers were compromised this way from an IP address from Indonesia. From our logs, the hacker gains access via WHM using root password and then changes the root password. We tried resetting the passwords but he gained access again. He then adds security questions to WHM which would prevent anyone who has login access to the server. He then also disables SSH password login which prevented us from accessing the server via SSH even after getting our DC to change the root password. We tried blacklisting Indonesia using CSF but he simply gained access again. Our only solution was to block access to ports 2086 and 2087. We were unsure how he gained access but this post now confirms this is an exploit of WHM! He only gains access via WHM and we have very strong passwords which he could possibly never guess (with cphulk and CSF there to prevent such an option) and we only login via SSL and this cannot possibly be a heartbleed issue as our servers are immune to that bug.

    I wrote to cPanel and I was told that I cannot be assured that there would be no data loss while they investigate the matter which is unacceptable to me. Can anyone advise on this?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    cPanelMichael has already provided the proper advice, just above you.

    There is no "active exploit" that I'm aware of that provides someone with the root users password in advance so he can login to your server without being blocked. You might want to check your own computer for issues as a good place to start though. You should also look into hiring a professional to assist you with your server if you're unsure of the path forward from there.
     
  8. waskme

    waskme Registered

    Joined:
    Jul 15, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    I would have to disagree with you on this. As I have pointed out, this hacker gained access to 4 different servers with different logins from the same IP mentioned above. He still had access even after we changed the passwords. We have thought of all possible scenarios and have server admins check our servers and nothing seems amiss. Also, this person did not even attempt to try SSH. Just as a test scenario, we got our data center to reset the password of one of the servers and we did not even try logging in and, as expected, the hacker gained access

    ===================
    Subject: lfd on xx.xxx.xx: WHM/cPanel root access alert from 36.72.xxx.xx (ID/Indonesia/-)

    Time: Tue Jul 15 02:59:42 2014 -0500
    IP: 36.72.xxx.xx (ID/Indonesia/-)
    User: root
    ===================

    This is not a coincidence and we our servers are already hardened against all possible scenarios. We have also confirmed that the password was not reset before the hacker gained access to the server

    ===================
    Subject: lfd on xx.xxx.xx: Account modification alert

    Time: Tue Jul 15 02:59:30 2014 -0500

    Reported Modifications:

    Account [root] password has changed
    ===================

    So, here are my points

    - This hack seems to be from Indonesia
    - This hacker seems to gain access to the server with root password that could not have been guessed or stolen (we have run all possible scenarios and checked all logs to confirm this)
    - He only gains access via WHM and then changes the root password
    - He does not attempt to gain access to SSH even though he supposedly has the root password. This suggests to me he probably doesn't
    - Seems the only way to stop him is to block WHM access


    This looks like an exploit to me as there is no other explanation.


    Regards
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Other than he got access to 4 of your servers, that is. If nothing 'seems amiss' after that, I think I'd be even more concerned.

    Your list doesn't say exploit to me. Proof of how he got the root password for 4 of your servers, or logged in without root password, might though.
     
  10. waskme

    waskme Registered

    Joined:
    Jul 15, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Also note that he still gained access even after changing the passwords. Our "control experiment" also proved this as the DC changed the password of the server but we did not even try logging in to see if he would gain access and he did after two days. He couldn't have possibly known that password! The password is not sent as a mail and the log on our DC portal does not show any suspicious access to our account. It is therefore safe to conclude that this is an exploit!


    Kindly advise.

    Regards
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    If you would please, have your Hosting Provider open up a ticket to cPanel Technical Support to discuss those findings.

    Thanks!
     
  12. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Your servers probably have a rootkit, such as ebury, on them. Once a server is compromised on a root level, changing the password is pointless; the hacker could easily leave backdoors that either provide them the new password or an alternate means to login to the server(s).

    Other than a rootkit, if you use anything like WHMCS it can allow these exploits if left out-of-date. Or, if your kernels were not up-to-date and the servers were not recently rebooted into the new kernels, a single hacked site could allow privilege escalation to root.

    As stated previously, you need to migrate your accounts to clean servers with clean, freshly installed, operating systems. You should also thoroughly scan your own computers for viruses (any computers you use to access WHM or SSH).
     
  13. JamieD

    JamieD Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    We have had exactly the same issue as described here, exploit via WHM from Indonesia. We DO use a security company and we DO keep our server secured and up to date. We contacted our security company who were unable to determine how the attacker got in and advised to setup a brand new server. We did this and after a couple of days the new server had been hacked in exactly the same way.

    We contacted cPanel who investigated the server and concluded that they did not know how the hacker gained access. So thats one company specialising in server security and capable themselves that were unable to work out how the attackers gained access. This issue went right to the top of the security company and they had their most senior guys looking into the issue.

    We also went to the lengths of setting up a server where no one in our company ever had any authentication details aside from a single newly installed computer that was used in the setup of the server, this computer was not connected to the internet apart from one time when the server was being setup. That server then got hacked in exactly the same way, there is no way the hacker could have got access to this password.

    The only solution that has prevented the hackers access is to lock down the WHM ports so that only certain IP addresses can access the service. Now if the attacker knew the root password surely they would have simply gained access via ssh which was left open to access from any IP address. This never happened.

    Has anyone managed to figure out how the hackers gained access and how to prevent this? We are still, many months later, in a position where we dare not open access to port 2087 in fear of the hacker gaining access to the servers again.
     
  14. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Do you have any reseller accounts? I've seen servers get exploited due to resellers with extra privileges having their password compromised. The company kept restoring the server with a new OS and new root PW, but the reseller kept being restored with the same password and it had root privileges. One login to the reseller account and the server was owned again.

    or, do you use WHMCS by chance?
     
  15. JamieD

    JamieD Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Yes we have resellers but none have too many privileges. We do use WHMCS too, why do you ask?
     
  16. Mckenzielaa

    Mckenzielaa Member

    Joined:
    Jul 10, 2014
    Messages:
    11
    Likes Received:
    2
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    what about a compromised RPM? if that server was a new install, it stands to reason a compromised RPM used in the cPanel install process could give access like this.
     
  17. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Any compromised account on a sever with WHMCS can lead to root compromise from what I've seen, especially if the server is not using cagefs or other good cross-account symlink protection. It's hard for me to tell you anything concrete without access to the server and logs, but I do see a lot of root compromised boxes from customers who use WHMCS. At least that software has been audited a bit and is in better shape security-wise than a year or two ago.

    If there were actually a compromised RPM on a trusted repository we'd all be in a world of hurt. It never hurts to check the signatures on your installed RPMs (rpm -qi $packagename), but I strongly doubt that's what is going on. That said, check any servers or any other linux machines under your control thoroughly for the ebury rootkit. Also, double check all your resellers privileges! I've seen cases where hackers gave resellers full root privileges on compromised servers, and those privileges were restored by the people doing the server migration.
     
    #17 quizknows, Dec 7, 2014
    Last edited: Dec 7, 2014
  18. JamieD

    JamieD Well-Known Member

    Joined:
    Sep 3, 2003
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    6
    Our WHMCS runs on a different server hosting no user accounts, the WHMCS server was never hacked. I'm assuming the servers that got hacked were running WHMCS on the same server? We run cloudlinx/cageFS on all servers. I'll double check reseller permissions again.

    - - - Updated - - -

    Nope, all resellers have the expected privileges. Root kit checkers have been run many times and found nothing. As I said both a well known server support company and cPanel themselves have looks over the server several time and found nothing.
     
  19. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Glad you're wise enough to run WHMCS on its own server. You are right, most of the people I see who get royally "owned" are running it on a server with customer accounts.

    Wish I had more advice to offer for you.
     
Loading...

Share This Page