
May Be Hacked - Is This Real?

Discussion in 'General Discussion' started by stocosoft, Dec 28, 2003.

  1. stocosoft Active Member
    I got the following message today and am curious if this is real or not. I have read many threads on servers being hacked, but I am not seeing any tell-tale signs that the hack is real.

    But, here is all the info:

    Last night, my server memory usage went through the roof. Server had to be rebooted. Again this morning, the mem usage was through the roof.

    At 5:15 this am, I got these emails:

    Trojan Horses Detected by (WHM) on genesis.xxxxx.biz
    Hidden Pid detected! [pid 10]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/init]

    [hackcheck] net-tools failed checksum test
    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm
    package net-tools did not match the expected checksum. This could mean that
    your system was compromised (OwN3D). The offending files have been removed
    and replaced with the OS default. To be safe you should verify that your
    system has not be compromised.

    Modified Files:
    S.5..UG. /bin/netstat
    S.5..UG. /sbin/ifconfig

    [hackcheck] findutils failed checksum test
    Modified Files:
    S.5..UG. /usr/bin/find

    Modified Files:
    S.5..UG. /bin/ls
    S.5..UG. /usr/bin/dir


    My datacenter team want a LOAD of money to do a security check. I don't want to pay it unless this is a real threat. How can I determine if the hack is real and is there a way to circumvent it quickly?

    Box Stats
    WHM 8.5.4 cPanel 8.5.5-R20
    RedHat 7.3 - WHM X v2.1.1

    I am very new to all this, so details don't hurt me ;) I am trying to come up the learning curve as quickly as possible.
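    The two checks behind that mail (the rpm checksum test and the hidden-PID test), written out as a small POSIX sh script; this is an added example, not cPanel's hackcheck code. The sample lines and PID lists at the bottom are constructed, and live_check assumes a Red Hat style box with rpm and procps available.

```shell
#!/bin/sh
# Added example, not code from the thread: decode the rpm -V lines quoted in the
# hackcheck mail ("S.5..UG. /bin/netstat") and diff PID lists the way a hidden-
# process check does. Caveat: trojaned ps/ls/find or a doctored rpm database can
# lie to these checks, so run them from a rescue medium or static binaries.
# rpm -V flag positions: S size, M mode, 5 md5, D device, L symlink, U user,
# G group, T mtime; "." means that attribute still matches the package.
# decode_rpm_verify 'S.5..UG. /bin/netstat' -> "/bin/netstat: size md5 user group"
decode_rpm_verify() {
    set -- $1                                 # split: flags [type-marker] path
    flags=$1; shift
    case "$1" in c|d|g|l|r) shift ;; esac     # drop optional marker (c = config file)
    path=$*
    if [ "$flags" = missing ]; then printf '%s: missing\n' "$path"; return 0; fi
    out=""
    while [ -n "$flags" ]; do
        c=${flags%"${flags#?}"}               # first character, then consume it
        flags=${flags#?}
        case "$c" in
            S) out="$out size" ;;   M) out="$out mode" ;;    5) out="$out md5" ;;
            D) out="$out device" ;; L) out="$out symlink" ;; U) out="$out user" ;;
            G) out="$out group" ;;  T) out="$out mtime" ;;
        esac
    done
    printf '%s:%s\n' "$path" "$out"
}

# hidden_pids '<pids seen in /proc>' '<pids listed by ps>' -> pids ps does not show
hidden_pids() {
    for p in $1; do
        seen=0
        for q in $2; do
            if [ "$p" = "$q" ]; then seen=1; break; fi
        done
        if [ "$seen" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
}

# Live use as root: compare /proc with ps, then verify the packages the mail named.
live_check() {
    hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -e -o pid=)"
    for pkg in net-tools findutils fileutils; do
        rpm -V "$pkg" | while IFS= read -r line; do decode_rpm_verify "$line"; done
    done
}
# Constructed sample input (what the mail and a hidden-PID check would show).
decode_rpm_verify 'S.5..UG. /bin/netstat'
decode_rpm_verify 'S.5....T c /etc/example.conf'
hidden_pids '1 2 10 42' '1 2 42'              # prints 10, a pid ps did not report
```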
     
  2. elleryjh Well-Known Member
    Yes, it's probably real. What kernel are you running?

    uname -r
     
  3. stocosoft Active Member
    :eek: I was afraid of that.

    running 2.4.21

    --- Looking for next steps - I am lost on this one.

    I ran chkrootkit and found the following:
    dirname: INFECTED
    echo: INFECTED
    egrep: INFECTED
    fingerd: INFECTED
    ifconfig: INFECTED
    inetdconf: INFECTED
    login: INFECTED
    mingetty: INFECTED
    passwd: INFECTED
    rpcinfo: INFECTED
    rlogind: INFECTED
    tcpd: INFECTED
    telnetd: INFECTED
    w: INFECTED
    write: INFECTED

    AAAHHHHHHH
     
  4. rs-freddo Well-Known Member
    Restore is the next step. Download all logs first, so you can determine "How".
     
  5. stocosoft Active Member
    Okay - that is a great answer. I will get on that right away.

    One question, and pardon my ignorance.

    All is a pretty encompassing word. Where would I even begin to find a list of ALL the logs so that I may download them first?

    Thanks again for the help.
     
  6. rs-freddo Well-Known Member
    A good hacker would edit the logs - so they may be of no use.

    /var/log/
    is a good place to look!
     
  7. jphilipson Well-Known Member
    You will need a restore... Here is the howto I posted over at ev1servers forums.. Put in a new drive, install redhat and cpanel... put the old drive in as slave, then mount the old drive as old

    # mkdir old

    # mount /dev/hdbx /old/
    (where x = the old / partition)

    next run chkrootkit on the old drive to make sure you are not going to copy any infected files over

    setup the whm basic settings, then copy all the data from the old drive as follows...

    # rsync -vrplogDtH /old/usr/local/apache/conf /usr/local/apache
    # rsync -vrplogDtH /old/var/named /var
    # rsync -vrplogDtH /old/home/* /home
    # rsync -vrplogDtH /old/usr/local/cpanel /usr/local
    # rsync -vrplogDtH /old/var/lib/mysql /var/lib
    # rsync -vrplogDtH /old/var/cpanel /var
    # rsync -vrplogDtH /old/usr/share/ssl /usr/share
    # rsync -vrplogDtH /old/var/ssl /var
    # rsync -vrplogDtH /old/usr/local/cpanel/3rdparty/mailman /usr/local/cpanel/3rdparty
    # rsync -vrplogDtH /old/var/log/bandwidth /var/log
    # rsync -vrplogDtH /old/usr/local/frontpage /usr/local
    # rsync -vrplogDtH /old/var/spool/cron /var/spool
    # rsync -vrplogDtH /old/root/.my.cnf /root
    # rsync -vrplogDtH /old/etc/httpd/conf/httpd.conf /etc/httpd/conf

    then change to the old etc, and execute all on one line ...

    # cd /old/etc

    # rsync -vrplogDtH secondarymx domainalias valiases vfilters exim* proftpd* pure-ftpd* passwd* group* *domain* *named* wwwacct.conf cpupdate.conf quota.conf shadow* *rndc* ips* ipaddrpool* ssl /etc

    well I hope I got everything... after you move all that stuff you will find yourself fixing up little things here and there....

    I recommend updating cpanel afterwards .. /scripts/upcp .. /scripts/updatenow .. /scripts/sysup .. /scripts/fixeverything

    update exim .. /scripts/exim4

    Once everything works.. make sure you don't get 0wn3d again...
    update apache .. /scripts/easyapache
    update kernel to latest (plenty of howto's on these forums)
    mount /tmp as noexec (and symlink /var/tmp to /tmp)
     
  8. rs-freddo Well-Known Member
    It is easier to do a cpanel backup then just "restore multiple backups"...
     
  9. jphilipson Well-Known Member
    The above is actually pretty fast with some practice and is quicker and more effective than restoring backups.. gets pretty much an exact duplicate of the old system pre-hack
     
  10. stocosoft Active Member
    Thanks everyone,
    the server rebuild is underway right now.

    My only question is this... is there a definitive checklist of things to make sure are updated/installed on a cPanel server to prevent this from happening?

    Is there anyone out there running a "Hey, do this update now you dummy or you're gonna die" web site? Like, maybe a site that lists the latest trojans and the defense?

    I know it's impossible to stay 100% secure, but there must be one central place that lists the threats and how to avoid them. It surely can't be as complex as monitoring 50 security websites, can it?

    Thanks again for all your help.

    John
     
  11. jphilipson Well-Known Member
    there's so many things you can do.. my best advice is keep good backups... an off server mirror is the best, but anything is better than nothing..

    keep the kernel and all other services up to date

    use a firewall, install tripwire

    mount your tempdirs as noexec.. check them for fishy things frequently

    that's a start, so much you can do
     
  12. stocosoft Active Member
    Now I'm Really Screwed

    Well,
    it gets even better. The NOC (Ventures Online) was restoring the server and they say they have run into troubles with the cPanel load.

    From my server support team...
    This is unreal. Is there anyone out there that can render assistance to my "team of professionals"? I can't sit around and wait for a CPanel ticket to get answered. These guys will just sit on their thumbs and watch the clock tick by.

    Oh, it gets better. They have stopped answering the phone, so I am sunk on this one.

    Looking for a good way out... Any ideas?
     
  13. stocosoft Active Member
    Here's an idea,
    If I get a new server at a new NOC, can I just FTP the cPanel backups over to the new server and use the restore from backup function to get everything going again?

    Will this work?
     
  14. jphilipson Well-Known Member
    did they put in a new drive and the reinstall of cpanel to the new drive didn't work?
     
  15. jphilipson Well-Known Member
    I am surprised, ventures online always had a good rep from what I know
     
  16. stocosoft Active Member
    Yup, that is exactly what I am saying. Or at least what I am guessing is the case. They have not been good at communicating. Here is the thread they gave me:

    So, I am looking for any help I can get. The server has been down for over 12 hours now.
     
  17. Solokron Well-Known Member
    Is this what /scripts/securetmp essentially does?

     
  18. blaze64 Well-Known Member
    Yes, and it does it well....
     
  19. nietzsche Registered
    From what I can see, this has been taken care of ... but my $0.02, for what it's worth:

    1) This is true ... BUT I've seen crackers that left the obvious (history files for root!) even while trashing syslogs.
    2) Remote syslogs are a GREAT thing ... port 514, IIRC, and you'll build in some convolution for a would-be attacker ... granted, this will also eat up a lot of bandwidth, so maybe on a remotely-hosted box this isn't ideal.
    3) I'm running LIDS and friends at home ... it at *least* adds a layer of obfuscation to the system - not that you should strive for security through only this, but it will annoy and confuse someone unaware of LIDS.
    4) I run tripwire at home, too - it's useful for seeing if files are being changed.

    Maybe this was more like $0.92; sorry.
     