
passwords have all changed.

Discussion in 'Security' started by Spork Schivago, Jun 10, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    I cannot log into WHM anymore. I have keyboard authentication disabled for SSH and login via an authentication key, which I can still do for at least one non-privileged user. I try su'ing into the other non-privileged user (the one that hosts the website) and I cannot switch, invalid password.

    I try su'ing into root, and I cannot, invalid password. I try logging into webmail, invalid password (even though the password's saved in my browser and worked earlier). I try logging into WHM as root, same thing, invalid password now.

    What do I do? I think someone hacked into my server.

    Thanks!
     
  2. Spork Schivago

    I'm renting a VPS from Linode, and I can use Lish to login as root and the other user, using the old passwords, but when I ssh into my server using Putty and try su'ing, invalid password.

    What was odd was that I was able to reboot the server in putty using the non-superuser username. It just wanted the password for the non-superuser. This is what it said:
    Code:
    [spork@franklin ~]$ reboot
    ==== AUTHENTICATING FOR org.freedesktop.login1.reboot ===
    Authentication is required for rebooting the system.
    Authenticating as: spork
    Password:
    ==== AUTHENTICATION COMPLETE ===
    
    Where did org.freedesktop.login1.reboot come from?? I don't have X or anything like that installed on the server. Something odd is going on here....

    I noticed in the logs a LOT of connection attempts, on various ports, like someone was running a port scanner, but the IP address was changing every time. Not by one or two numbers either, like someone had a BOT network or something and was using it to try and get in. I didn't think there was much I could do to prevent that. I have CSF, ModSec, etc installed. Any thoughts?

    I logged in as root via Lish, which I was able to do with the old password. I typed passwd to change the root password. Went back to putty and tried su'ing to root, invalid password still. Something weird is going on.
     
    #2 Spork Schivago, Jun 10, 2017
    Last edited: Jun 10, 2017
  3. Spork Schivago

    I logged in via Lish as root, then rebooted the server as root. Now the passwords seem to work. I wonder what happened that broke it? I've never seen su not work properly before. Wonder if I should worry if someone got in or not.... In WHM, when I couldn't log in (and even now, when I can), I click on Reset password. It wants my e-mail address. It shows a hint:

    Hint: d—y@y—o.com

    I believe the @y--o.com is @yahoo.com. I do NOT have an e-mail address that starts with a d and ends with a y, especially at yahoo.com. Where is this hint stored, so I can see who the e-mail address belongs to?

    I checked in WHM >> List Accounts and cPanel >> Contact Info, and my gmail account is listed under both. Not sure where this d--y@y--o.com is coming from....

    There's also a csf user (with a password). Not sure if that's normal or not. I'm having a real hard time remembering stuff. My mind seems to be broken and I'm having a hard time concentrating.
     
    #3 Spork Schivago, Jun 10, 2017
    Last edited: Jun 10, 2017
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,768
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    No worse time to be working on your server...
     
  5. Spork Schivago

    You're definitely right there, but if it's been hacked, time is of the essence, isn't it? I think what happened was software got updated and there were outdated binaries still running. I figured this out by looking at the lfd.log file. Rebooting while logged in as root from the "Lish" console seems to have fixed this. Tomorrow, if I'm feeling better, I'll install and configure some rootkit detection software to see if anything shows up.
     
  6. Infopro

    That's the very moment when you wish you had been a bit more rested.

    Backups are your best friends. They can give comfort in times of stress like this. Take good care of your backups and the rest is just steps to get back to normal, no matter what is going wrong.

    Keep calm and carry on.
     
  7. Spork Schivago

    Thank you.

    Have you ever seen anything like this before? I'm running CentOS 7. I see I have /bin/su and /usr/bin/su. /bin is a symbolic link that points to /usr/bin. ldd shows su was linked against libpam.

    Is it possible that PAM got updated (the library or something) and my system just needed restarting and that broke authentication? What was odd was I couldn't su when logged in with putty, but when logging in with Lish, I could su and change passwords just fine. With cPanel, I couldn't log into WHM, webmail, or cPanel. Authentications all failed. Lish is some program, I believe written by Linode, which is supposed to give me "console" access. It's kinda neat.

    When I'm logged in via Lish, I see messages on the console about connection attempts. They come every few seconds, but always on a different port, from a different source IP address. I think someone is trying to use a distributed type of attack, to maybe port scan my server, looking for ways in. I don't really know how to protect against something like that. I quickly read something about mod_evasive (an Apache module) and how it can help protect against DDoS and DoS attacks, but that's just for Apache, not the system. It'd be hard, I think, to block something like this. Even if I set up CSF to block every IP that attempts to connect to a closed port, each time they try connecting, the source IP address changes.

    I do see the different IPs are sometimes attempting to connect to the same ports, like port 1433 (TCP), port 22 (TCP), etc.

    This is what netstat shows:
    Code:
    [root@franklin ~]# netstat -tuplen
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          196413     10854/exim
    tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      0          196749     10900/dovecot
    tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      0          196791     10900/dovecot
    tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      0          140926     31352/spamd-dormant
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          11083      1/init
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          199879     545/httpd
    tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          196411     10854/exim
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          19635      4389/pdns_server
    tcp        0      0 0.0.0.0:5784            0.0.0.0:*               LISTEN      0          15957      3663/sshd
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          196415     10854/exim
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          199881     545/httpd
    tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      0          196793     10900/dovecot
    tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      0          196751     10900/dovecot
    tcp        0      0 127.0.0.1:579           0.0.0.0:*               LISTEN      0          18593      4244/cPhulkd - proc
    tcp6       0      0 ::1:3306                :::*                    LISTEN      993        19471      3939/mysqld
    tcp6       0      0 :::587                  :::*                    LISTEN      0          196412     10854/exim
    tcp6       0      0 :::110                  :::*                    LISTEN      0          196750     10900/dovecot
    tcp6       0      0 :::2095                 :::*                    LISTEN      0          198320     10962/cpsrvd (SSL)
    tcp6       0      0 :::143                  :::*                    LISTEN      0          196792     10900/dovecot
    tcp6       0      0 ::1:783                 :::*                    LISTEN      0          140925     31352/spamd-dormant
    tcp6       0      0 :::111                  :::*                    LISTEN      0          11082      1/init
    tcp6       0      0 :::2096                 :::*                    LISTEN      0          198326     10962/cpsrvd (SSL)
    tcp6       0      0 127.0.0.1:7984          :::*                    LISTEN      987        19392      4999/java
    tcp6       0      0 :::80                   :::*                    LISTEN      0          199880     545/httpd
    tcp6       0      0 :::465                  :::*                    LISTEN      0          196410     10854/exim
    tcp6       0      0 :::53                   :::*                    LISTEN      0          19636      4389/pdns_server
    tcp6       0      0 :::8887                 :::*                    LISTEN      0          128131     28331/lfd HTTPS mes
    tcp6       0      0 :::8888                 :::*                    LISTEN      0          128115     28332/lfd HTML mess
    tcp6       0      0 127.0.0.1:8984          :::*                    LISTEN      987        20543      4999/java
    tcp6       0      0 :::5784                 :::*                    LISTEN      0          15966      3663/sshd
    tcp6       0      0 :::25                   :::*                    LISTEN      0          196414     10854/exim
    tcp6       0      0 :::8889                 :::*                    LISTEN      0          127253     28333/lfd TEXT mess
    tcp6       0      0 :::443                  :::*                    LISTEN      0          199882     545/httpd
    tcp6       0      0 :::2077                 :::*                    LISTEN      0          18074      4180/cpdavd - accep
    tcp6       0      0 :::2078                 :::*                    LISTEN      0          18076      4180/cpdavd - accep
    tcp6       0      0 :::2079                 :::*                    LISTEN      0          18078      4180/cpdavd - accep
    tcp6       0      0 :::2080                 :::*                    LISTEN      0          18080      4180/cpdavd - accep
    tcp6       0      0 :::993                  :::*                    LISTEN      0          196794     10900/dovecot
    tcp6       0      0 :::2082                 :::*                    LISTEN      0          198316     10962/cpsrvd (SSL)
    tcp6       0      0 :::2083                 :::*                    LISTEN      0          198322     10962/cpsrvd (SSL)
    tcp6       0      0 :::995                  :::*                    LISTEN      0          196752     10900/dovecot
    tcp6       0      0 :::2086                 :::*                    LISTEN      0          198318     10962/cpsrvd (SSL)
    tcp6       0      0 :::2087                 :::*                    LISTEN      0          198324     10962/cpsrvd (SSL)
    udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          19633      4389/pdns_server
    udp        0      0 127.0.0.1:323           0.0.0.0:*                           997        12529      3216/chronyd
    udp        0      0 0.0.0.0:10583           0.0.0.0:*                           25         18785      4389/pdns_server
    udp6       0      0 :::11847                :::*                                25         18786      4389/pdns_server
    udp6       0      0 :::53                   :::*                                0          19634      4389/pdns_server
    udp6       0      0 ::1:323                 :::*                                997        12530      3216/chronyd
    
    To you guys, does that look correct? What I mean by that is, do you see any programs that are accepting connections from the outside world that shouldn't be? I have MariaDB set up to listen and accept connections only on the local loopback. Chrony is an NTP client / server, I believe. I don't ever remember installing that. If cPanel doesn't require it, I'm going to uninstall it and install OpenNTPD instead. I think cPhulkd is supposed to be disabled, I remember reading something about that in CSF, I think. I'll double check. I'll install nmap and run that real quick, just to see if it sees anything.
     
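Working through the question in the post above (which listeners are reachable from the outside world), here is an added example that is not from the thread, cPanel or CSF: it parses `netstat -tuplen` output and reports every socket bound to a wildcard address (0.0.0.0 or ::) whose program is not on an allowlist of daemons a WHM host is expected to expose. The sample rows and the allowlist are constructed assumptions, not a capture from the poster's server.

```python
import re
from typing import NamedTuple

# Sample rows constructed to mirror `netstat -tuplen` on CentOS 7; they are
# not a capture from any real host. udp rows carry no State column.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          199879     545/httpd
tcp6       0      0 ::1:3306                :::*                    LISTEN      993        19471      3939/mysqld
tcp6       0      0 :::111                  :::*                    LISTEN      0          11082      1/init
tcp6       0      0 :::2083                 :::*                    LISTEN      0          198322     10962/cpsrvd (SSL)
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1001       77777      9999/unknownd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          19633      4389/pdns_server
udp        0      0 127.0.0.1:323           0.0.0.0:*                           997        12529      3216/chronyd
"""

# Daemons a cPanel/WHM host is expected to expose (assumed list; tune per host).
EXPECTED_PUBLIC = {"httpd", "sshd", "exim", "dovecot", "pdns_server",
                   "cpsrvd", "cpdavd"}

# State column is optional so the same pattern covers tcp and udp rows.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:[A-Z_]+\s+)?(?P<user>\d+)\s+\d+\s+(?P<pidprog>\S.*?)\s*$"
)

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    user: str
    program: str   # base name only: "10962/cpsrvd (SSL)" -> "cpsrvd"

    def is_public(self) -> bool:
        return self.addr in ("0.0.0.0", "::")

def parse_netstat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # header or unparseable line
            continue
        addr, port = m["local"].rsplit(":", 1)     # ':::111' -> ('::', '111')
        prog = m["pidprog"].split("/", 1)[-1].split()[0]
        rows.append(Listener(m["proto"], addr, int(port), m["user"], prog))
    return rows

def unexpected_public(listeners, allowlist=EXPECTED_PUBLIC):
    """Wildcard-bound listeners whose program is not on the allowlist."""
    return [l for l in listeners if l.is_public() and l.program not in allowlist]
```

On the sample rows the check reports the portmapper on :::111 and the constructed `unknownd` on 0.0.0.0:4444, while loopback-only services such as MariaDB on ::1 and chronyd on 127.0.0.1 are left alone.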
  8. Spork Schivago

    I see in /usr/local/cpanel/logs/cphulkd.log, cPhulkd blocked me the other day for a couple of hours. I checked /var/log/secure and see cphulkd was preventing me from su'ing and blocking me from webmail because of too many failed login attempts from my home IP address.

    I don't like how cPhulkd is temporarily blocking bad people's IP addresses that are trying to guess passwords for e-mail and stuff. I want CSF to block them, permanently. I'm going to see if cPhulkd is supposed to be enabled when CSF is installed.

    Anyway, I think I figured out what happened and now know why I couldn't login. Thanks!
     
    #8 Spork Schivago, Jun 12, 2017
    Last edited: Jun 12, 2017