The Community Forums

Interact with an entire community of cPanel & WHM users!

Question about security...

Discussion in 'Security' started by BLWS, Aug 3, 2002.

  1. BLWS

    BLWS Guest

    I have a customer whom I am going to have to terminate (non-payment of owed money). Anyhow, as a side note, he is also a black-hat hacker. He has told me that if I cancel his account, I can say goodbye to the server. What I would like to know is, does cPanel enforce enough security to keep hackers out, if any at all?

    Thanks
     
  2. ecoutez

    ecoutez Well-Known Member

    Joined:
    May 23, 2002
    Messages:
    152
    Likes Received:
    0
    Trophy Points:
    0
    Close port 111

    Save for having port 111 (SunRPC) open, you're doing okay (assuming this is the same server as your main website is on). Your software seems to be up-to-date and not vulnerable to a host of common exploits. Simple solution would be to block port 111 via firewall rules (IPChains is probably already running).

    People like that are difficult to deal with. You don't know if he really has the skills or not, or if he's really that upset to start with. If you have a real name/address, I would recommend forwarding any email exchange containing a threat to the FBI. They're surprisingly receptive these days.

    - Jason
     
  3. BLWS

    BLWS Guest

    Great!

    One problem.. how do I close port 111 or do whatever you said? :p
     
  4. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    OK! Let's show you what you should do against this little hacker.

    1) Policy: never count on what people like this say, because real hackers never tell anyone else what they want to do, they just DO. It seems your case is a hacker who thinks he can do something. Follow these instructions:

    2) WHM -> Security -> Quick Security Scan
    You should see this:

    Note: You may see [FAILED] results below; these are normal, as this means the service(s) were already shut down.
    Stopping portmapper: [FAILED]
    error reading information on service ntpd: No such file or directory
    Stopping identd: [FAILED]
    Stopping lpd: [FAILED]
    Shutting down APM daemon: [FAILED]
    Stopping atd: [FAILED]
    Shutting down console mouse services: [FAILED]
    error reading information on service innd: No such file or directory
    error reading information on service pcmcia: No such file or directory
    error reading information on service smb: No such file or directory
    Shutting down xfs: [FAILED]
    Shutting down NIS services: [FAILED]
    Stopping NFS statd: [FAILED]


    If you want to make sure that TCP port 111 filtering and attack alerting are working, try this via an SSH session:

    cat /var/portsentry/portsentry.history

    These are the blocked IPs.
    There are other, more advanced methods, but at this point that is enough to make sure.

    3) Now you have to find out what cron jobs that user is running; if you offered him SSH access, your risks are higher.
    Investigate what cron jobs he is running, also what CGIs and PHPs he has in his directory, and check his bash history (if applicable).

    4) After finding what he has used, make sure your system is up to date and the automatic update feature in cPanel is set up, then use cPanel Backup to save your critical data on your server.
    5) Make a backup of that user (the hacker) too, then remove him from your system. Don't forget to remove him by user account (do not suspend, just terminate him).
    6) Now it's time to change your ROOT password and main account (your domain) password immediately to a long one mixed with capital letters and unreadable characters ( ][& ), and gracefully restart your server.
    7) Monitor your server and make sure any attempts on port 111 are blocked. Check for attempts on SSH and FTP, focus on those failed attempts with repeated tries, and put the attacker's IP in /etc/hosts.deny like this:
    ALL : xxx.yyy.zzz

    8) Modify /etc/portsentry/portsentry.conf
    to protect more ports (read portsentry.conf, it has enough help) -if it is necessary-

    Reporting hackers to the FBI or other authorities is a good idea, but from our experience: "If you don't lose more than $5000 it's not easy to prosecute."

    Run a DMZ with a front-end firewall too (if you can).
     
  5. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    Joined:
    Nov 18, 2002
    Messages:
    450
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    All over!
    Originally posted by itf


    AWESOME, AWESOME, AWESOME! Thank you for these great steps itf! Please make sure these steps make it in your book!
     
  6. MikeMc

    MikeMc Well-Known Member

    Joined:
    May 8, 2002
    Messages:
    161
    Likes Received:
    0
    Trophy Points:
    16
    itf's advice is great, although you should know that whatever you do will never be enough, especially if that guy is a skilled hacker. Also note that the results of your fight against him will depend on how well you follow the steps indicated by itf, especially steps 7 & 8.

    In any case I believe that peace is the best way. Give him and yourself a chance to find a solution.

    Another good idea would be to also protect well the computers with which you manage your servers. I mean home and/or office computers. You never know... so be careful.

    Also take the same measures for all your servers if you have others. If he knows your other servers it's possible that he decides to hit a server not related to his account.

    In the end, a good idea would be to hire a guy who knows a lot about Linux security, just for a short period, to check and iron out your server and help you during the first days after you terminate that guy's account.

    Collect all the data about him and send it to the authorities. If he has paid you once it will be easier, if of course he paid you providing real data, which I doubt.
     