The Community Forums


Restore to same server using cPanel backups after Op Sys Reload - Ebury fallout

Discussion in 'Data Protection' started by securecomptech, Mar 12, 2014.

  1. securecomptech

    Yep, another one hit with Ebury fun.

    Have been running full cPanel backups.
    Tar'd up the packages and easy apache directory.
    Have Full Backup via cPanel (system, files, accounts, yada yada)

    Even have my migration stuff from when I ferried from Plesk 6 months ago.

    New Hard Drive installed
    Reloading Op/Sys now.
    Reprovisioned system will have WHM and CPANEL loaded.
    Old hard drive will be mounted and available to copy whatever is needed.

    Then what?

    I've reviewed the docs on transferring to another server but I am going to be on the same (reloaded) server using the same IP address. The old hard drive will be mounted and accessible.

    What are the steps to get my Apache, Tomcat, Packages, WHM and finally CPANEL stuff back online?
    (or links to instructions)

    Thanks for the help.
    flaming hot death to ebury...
     
  3. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Configure backups on your new server via WHM, then copy all your backups into your backup folder. From there, you can use WHM to restore them.

    Backup Restoration
     
  4. securecomptech

    I figured that would cover the Accounts but will it also handle the Apache configs, php settings, tomcat install, etc?
     
  5. securecomptech

    I see how this will restore Accounts.

    Not seeing how Apache configs, Tomcat setup, packages, etc. would be restored.
     
  6. securecomptech

    When performing a restore of a "full backup" per Legacy Restore a Full Backup/cpmove File, do you have to copy the daily/monthly backup subdirectory out of /backup to one of the directories specified (e.g. /home, /usr, /root, etc.)?

    The restore will not work using a backup in the default /backup location?
     
  8. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Any reason you can't just restore these manually? Some things don't have an easy button - do it yourself.
     
  9. securecomptech

    ok, heard back from Tech Support.

    CPANEL does not support "restoring" any of the system info such as Apache, Tomcat, Packages, PHP settings and more.
    CPANEL DOES back up many files/dirs with needed config info to help in a manual rebuilding process of the above elements.

    Will document steps taken to recover as much of the "system" info as possible.

    It should be noted that an image backup is of questionable value during an Ebury security breach.
    At least 2 items are critical to know:
    WHEN did the breach occur
    WHAT attack vector was originally used to breach the system

    If you do not know exactly WHEN the system was breached, you cannot safely choose an image to restore without risking carrying the exploit forward.

    If you do not know exactly HOW the system was breached, you cannot safely restore user accounts as you may restore the same website vulnerability that created the problem in the first place.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Right, it's a good idea to investigate and determine when/how the server was exploited so you can take steps to prevent it from happening again. You may want to consult with a qualified system administrator if you are unable to determine that information.

    Thank you.
     
  11. securecomptech

    Nope, no reason, and DIY is what I am doing right now.
    My hangup was the "system" description of CPANEL; being a new CPANEL customer (Plesk for 10+ years, recent convert), I thought that backing up "system" stuff meant that restore would restore "system" stuff. Not the case. But it does grab some of the good stuff so I can get at it.

    I know there is a "feature" in the works to address this.

    Honestly, was surprised not to find a step by step guide for full server recovery, or even primary functionality such as PHP, APACHE, etc.
    So yes, I am now the happy owner of a bunch of emails and links to:
    recover WHM config - which files to copy and when
    recover CPANEL config - which files to copy and when
    restore Accounts - CPANEL Restore Utility (which failed on queuing more than 3 accounts, so yeah I can use the CLI, but not unreasonable to expect GUI to handle it)
    recover Apache config - which files to copy and then re-run easy apache build
    recover PHP settings - copying php.ini to the right place
    recover MySQL settings - copying my.cnf to the right place

    Much of it not a big deal but would be nice to have a list that describes file locations and order of steps instead of just a link to CPANEL EASY Apache setup

    Most of it is so basic, why not have it wrapped in a shell script already? Just my 2 cents while working this particular server recovery.
     
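The "copy the right files to the right place" steps listed in the post above, wrapped in a shell script as an added example that is not from the thread or from cPanel: it stages only plain-text config files from the mounted old drive and diffs each one against the fresh install so it can be reviewed before anything is put into place. The mount point /mnt/olddisk, the staging directory, and every path other than php.ini and my.cnf are assumptions; verify them on your own system.

```shell
#!/bin/sh
# Added example (not from the thread or cPanel): stage plain-text configs from the
# old, compromised disk for review. Ebury lives in binaries and shared libraries,
# so nothing executable is carried across; text configs still get a diff, since an
# intruder may have edited those as well.
OLD_ROOT="${OLD_ROOT:-/mnt/olddisk}"   # assumed: old drive mounted here, read-only
NEW_ROOT="${NEW_ROOT:-}"               # "" = the live, freshly installed system
STAGE="${STAGE:-/root/restore-stage}"  # copies land here, never directly in place

# php.ini and my.cnf are named in the thread; the other paths are assumed
# cPanel/EasyApache 3-era locations -- verify them on your install
CONFIG_FILES="/etc/my.cnf /usr/local/lib/php.ini /var/cpanel/cpanel.config /etc/wwwacct.conf"

# is_text_config FILE: true only for a regular, non-executable file with no NUL bytes
is_text_config() {
    f="$1"
    [ -f "$f" ] || return 1        # rejects symlinks, devices, directories
    [ ! -x "$f" ] || return 1      # never carry an executable across
    nuls=$(LC_ALL=C tr -dc '\000' < "$f" | wc -c | tr -d ' ')
    [ "$nuls" -eq 0 ]
}

# stage_config /rel/path: copy into $STAGE and diff against the fresh install.
# Exit status 0 when staged or absent on the old disk, 2 when refused.
stage_config() {
    rel="$1"; src="$OLD_ROOT$rel"; dst="$STAGE$rel"
    [ -e "$src" ] || { echo "missing  $rel"; return 0; }
    is_text_config "$src" || { echo "REFUSED  $rel (not a plain text file)"; return 2; }
    mkdir -p "$(dirname "$dst")"
    cp -p "$src" "$dst"            # -p keeps the old mtime as evidence of when it changed
    if [ ! -e "$NEW_ROOT$rel" ]; then echo "new      $rel (no counterpart on the fresh install)"
    elif diff -u "$NEW_ROOT$rel" "$dst" > "$dst.diff"; then echo "same     $rel"
    else echo "CHANGED  $rel (review $dst.diff before installing)"; fi
}

# stage_all: walk the whitelist; non-zero if anything was refused
stage_all() {
    rc=0
    for rel in $CONFIG_FILES; do stage_config "$rel" || rc=1; done
    return "$rc"
}

# Usage: OLD_ROOT=/mnt/olddisk sh stage-configs.sh --run, then read $STAGE/*.diff
if [ "${1:-}" = "--run" ]; then stage_all; fi
```

Anything the script reports as CHANGED deserves a look for additions you did not make (extra include paths, changed listen addresses, unknown users) before the file goes live.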
  12. securecomptech

    "qualified" I like that... even "qualified" folks allow a security breach that compromises SSH keys for bunches of accounts, happens to the best of us, no?

    In my case, I believe the exploit was via a Joomla site using JomSocial with a now known security issue. Haven't finished digging. Still restoring server for all other accounts first.

    Info for the next poor unqualified administrator

    Ebury Info
    https://www.cert-bund.de/ebury-faq
    An In-depth Analysis of Linux/Ebury

    Testing for Ebury
    Determine Your System's Status
    https://www.hkcert.org/my_url/en/blog/13031201
    InfoSec Handlers Diary Blog - SSHD rootkit in the wild
    http://forums.cpanel.net/f185/sshd-rootkit-323962.html

    Backup links
    Backup Wizard

    Migrate / Restore
    Copy Multiple Accounts/Packages from Another Server
    How to Move all cPanel Accounts from One Server to Another
    https://documentation.cpanel.net/display/ALD/Pre-Installation+Advanced+Options
    https://documentation.cpanel.net/display/ALD/Pre-Installation+-+Configure+Apache
     