[Resolved] Server Compromise Question

Discussion in 'Security' started by nootkan, Feb 17, 2014.

  1. nootkan

    nootkan Well-Known Member

    I've been trying to track down this exploit on my server now for some time with no luck and was wondering if anyone here has seen something similar and could maybe point me in the right direction? So far I've looked through my logs but cannot find any info that would lead me to the culprit. I am now starting to suspend my accounts one at a time to see if the exploit ceases, to try and narrow down the exact location. As I only have 20 accounts on the server it shouldn't take me long. Is there a better way to do this without inconveniencing my clients? Because my firewall is catching and blocking the attempts to connect to the outside IP address, I feel I have time to try and find the exploit before reformatting the OS on my server (last resort). Not to mention learn more about managing my own server, as I have little experience in this area. I have also downloaded and run Maldet with no issues found. Below is my server info and the actual log notification about the exploit.

    CENTOS 6.5 i686 standard
    WHM 11.40.1 (build 11)
    cPanel Version 11.40.1 (build 11)
    Apache version 2.2.25
    PHP version 5.3.27
    MySQL version 5.5.35-cll
    Perl version 5.10.1
    Kernel version 2.6.32-358.18.1.el6.
    Config Server Security & Firewall
    Config Server Exploit Scanner
    Config Server Mailscanner
    Mod Security
    Rootkit Hunter version 1.4.0
    Chkrootkit
    ClamAV
    Maldet

    Here is the log I see every hour of every day, and my packet loss shows 600-1400 (From myip - 1440 packets to tcp(80)) on my IP address daily.
     
  2. quizknows

    quizknows Well-Known Member

    I don't think this is malicious. It's just an Apache process trying to fetch something from an HTTP server.

    It looks like someone trying to update a WordPress theme; cyberchimps.com is the only site I see hosted on that IP.

    bing.com/search?q=ip%3A192.155.95.153
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The logs you provided don't show any direct evidence of an exploit running on your server, as mentioned in the previous post. Is there anything else, or any additional logs, that lead you to believe your server has been exploited? Check to see if you can reproduce the log entries you provided by updating the WordPress theme for the account mentioned in the previous response by quizknows.

    Thank you.
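As an added example (not code from this thread or from cPanel), one way to do what the original poster asked about, narrowing an outbound connection down to the account that causes it without suspending accounts one by one: search every account's document root for the destination IP and for the site found hosted on it. It assumes the cPanel /home/<user>/public_html layout; the two-account tree it searches is constructed for the demo.

```python
"""Attribute an unexplained outbound HTTP connection from Apache to the
hosting account whose web code initiates it, by searching each account's
document root for the destination host or IP. Assumes the cPanel layout
/home/<user>/public_html; the sample tree is constructed for the demo."""
import re
import tempfile
from pathlib import Path

def find_references(home_root, needles, exts=(".php", ".js", ".json", ".txt")):
    """Return {account: [(relative_path, line_no, line), ...]} for files under
    <home_root>/<account>/public_html that mention any of the needles."""
    pattern = re.compile("|".join(re.escape(n) for n in needles), re.IGNORECASE)
    hits = {}
    for account_dir in sorted(Path(home_root).iterdir()):
        docroot = account_dir / "public_html"
        if not docroot.is_dir():
            continue
        for path in docroot.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in exts:
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file (permissions, vanished): skip it
            for number, line in enumerate(text.splitlines(), 1):
                if pattern.search(line):
                    hits.setdefault(account_dir.name, []).append(
                        (str(path.relative_to(docroot)), number, line.strip()))
    return hits

def build_sample_tree():
    """Constructed two-account tree: one theme phones home to the vendor's
    update server (the URL path is made up), the other account is clean."""
    root = tempfile.mkdtemp()
    theme = Path(root, "shopacct", "public_html", "wp-content", "themes", "sample-theme")
    theme.mkdir(parents=True)
    (theme / "update.php").write_text(
        "<?php\n$url = 'http://cyberchimps.com/update-check';\n"
        "wp_remote_get($url);  // theme update ping\n")
    clean = Path(root, "blogacct", "public_html")
    clean.mkdir(parents=True)
    (clean / "index.php").write_text("<?php echo 'hello';\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for account, refs in find_references(root, ["192.155.95.153", "cyberchimps.com"]).items():
        print(account)
        for rel, number, line in refs:
            print(f"  {rel}:{number}: {line}")
```

On a live server, point `find_references` at `/home` with the destination IP and any hostname found on it; the account that comes back is the one to check or reproduce the update against, rather than suspending all twenty.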
     
  4. nootkan

    nootkan Well-Known Member

    Quizknows, thanks for your reply. Interesting: when I checked whois, I found the IP address info to be "United States Atlanta Linode"; there was no indication of cyberchimps whatsoever. I happen to have an account with them, as I purchase themes from them, so I will definitely look into this further. I will also try your search string from now on when looking up an IP to determine the web site it is associated with. Many thanks.

    - - - Updated - - -

    cPanelMichael, thanks for your reply. No, those were the only logs I could find, and because I'm not that experienced yet with managing my server I was unable to fully understand what the logs were telling me. I made the assumption that a script was trying to connect with the dst IP and thought the worst. Relieved to hear it is not an exploit but probably a setting that got changed with an upgrade of a purchased theme by cyberchimps. I will start looking into this and check their forum also. Thanks again to both of you for helping me out. Much appreciated.
     
  5. nootkan

    nootkan Well-Known Member

    Sorry for my tardiness in marking this resolved. It seems it was an issue with the Cyberchimps server trying to communicate through their upgrade process notification. The logs have now ceased. Thanks to all for helping me to understand what it was I was seeing in the logs.
     