
My entire server has been hacked

Discussion in 'General Discussion' started by black&white, Aug 1, 2006.

  1. black&white

    black&white Well-Known Member

    Please help! My entire server has been hacked and I can't enter WHM and cPanel anymore.

    Every index page has been changed and I don't know why.

    In which way can I resolve this? Do I have to uninstall cPanel?

    Please help

    Thanks
     
  2. elleryjh

    elleryjh Well-Known Member

    You will most likely have to restore your entire OS, then restore the sites on your server. Usually your data center will give you a fresh installation and let you mount your current hard drive temporarily so you can transfer your data.

    You should consult a pro server admin and/or your data center for information on how to do this.
     
  3. RandyO

    RandyO Well-Known Member

    Even if you could access your server, you would need to consider it compromised and any number of backdoors installed.

    You will need to have the OS reinstalled and then secure the server when you are done. I would suggest you hire a third party to do this (I use a third party to verify and make changes even though I have in-house staff and can do it myself).

    If you would like a personal recommendation for a third party, PM me and I will send you a link.
     
  4. AndyReed

    AndyReed Well-Known Member
    Before you do an OS reload, you need to assess the damage done on your server. Ask your data center to reset your password, SSH to the server, run rkhunter, chkrootkit and any other tools you might have, then check the log files. If your system is unstable and behaving weird, back up your data and ask your DC to do an OS reload ASAP.
     
    #4 AndyReed, Aug 1, 2006
    Last edited: Aug 2, 2006
  5. xml

    xml Well-Known Member

    What if the data is infected?
     
  6. sparek-3

    sparek-3 Well-Known Member

    What kernel version is/was the server running?
     
  7. AndyReed

    AndyReed Well-Known Member
    If you are referring to clients' data, you'll have to clean up any hacking/spamming tools downloaded and installed on your clients' virtual servers. There are few good scripts that scan your files for vulnerability.
     
  8. xml

    xml Well-Known Member

    If cleaning is possible, then why an OS reload?
     
    #8 xml, Aug 2, 2006
    Last edited: Aug 2, 2006
  9. katmai

    katmai Well-Known Member

    To be sure?
     
  10. mctDarren

    mctDarren Well-Known Member

    Cleaning is bad advice if the box was rooted. You could clean 90% of the files and still worry that other 10% is still compromised in some way. An OS reload assures you that the box is, in fact, clean and you can rebuild from there. This sounds more like a script kiddie got in, so a reload might be drastic. But better to be safe than sorry! GL to the OP.
     
  11. xml

    xml Well-Known Member

    I was referring to clients' data files that should be backed up before the OS reload.

    If clients' data files can be cleaned, then why an OS reload?

    If clients' data files can be cleaned by 90% and there's a 10% chance the data is still infected, then restoring the infected backup AFTER the OS reload will not solve the problem.

    Correct me please if I am wrong.
     
  12. AndyReed

    AndyReed Well-Known Member
    A server compromise means that malicious attackers can modify or even replace binary applications/packages, read and write to your files, or destroy the data on your server, rendering the system useless. Use your best judgement!

    An attacker with the right set of tools and ready-made exploits can bring down a vulnerable server in minutes. For this reason, it is crucial to always patch, secure and optimize your server and related software.
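
The damage assessment discussed in this thread, where a compromise may have replaced packaged binaries, can start with the package manager's own verification. The script below is an added example, not part of any post above; it assumes an RPM-based host, the function names and the `/mnt/olddisk` mount point are hypothetical, and the sample `rpm -Va` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage `rpm -Va` output.

# Reads `rpm -Va` lines on stdin and prints "<reason> <path>" for package
# files that are missing, whose digest changed (5 in column 3), or whose
# mode/owner/group changed (M, U, G). Config, doc, ghost, license and
# readme files are skipped because they change legitimately.
triage_rpm_verify() {
    awk '
    {
        flags = $1
        if ($2 ~ /^[cdglr]$/) next      # attribute marker: c, d, g, l, r
        path = $2
        if (flags == "missing")              print "missing", path
        else if (substr(flags, 3, 1) == "5") print "content", path
        else if (flags ~ /[MUG]/)            print "perms", path
    }'
}

# Constructed sample of `rpm -Va` output, so the script runs offline.
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing      /usr/bin/top
..5....T.  d /usr/share/doc/bash/README
.......T.    /usr/sbin/sshd
EOF
}

# Live use, ideally from rescue media with the old disk mounted
# (mount point is an assumption):
#   rpm -Va --root /mnt/olddisk | triage_rpm_verify
sample_rpm_va | triage_rpm_verify
```

A hit tells you which packaged files were altered; an empty result does not show the box is clean, because on a rooted system the RPM database itself may have been modified.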
     