Restore to same server using cPanel backups after Op Sys Reload - Ebury fallout

[securecomptech]

Yep, another one hit with Ebury fun.

Have been running full cPanel backups.
Tar'd up the packages and easy apache directory.
Have Full Backup via cPanel (system, files, accounts, yada yada)

Even have my migration stuff from when I ferried from Plesk 6 months ago.

New Hard Drive installed
Reloading Op/Sys now.
Reprovisioned system will have WHM and CPANEL loaded.
Old hard drive will be mounted and available to copy whatever is needed.

Then what?

I've reviewed the docs on transferring to another server but I am going to be on the same (reloaded) server using the same IP address. The old hard drive will be mounted and accessible.

What are the steps to get my Apache, Tomcat, Packages, WHM and finally CPANEL stuff back online?
(or links to instructions)

Thanks for the help.
flaming hot death to ebury...

 

[securecomptech]

I am following guidelines specified here;
http://forums.cpanel.net/f185/ebury-rootkit-backdoor-trojan-396081.html

Wipe system, restore.
Just a little fuzzy on the details of the restore process.
New to cpanel and all.

 

[vanessa]

Configure backups on your new server via WHM, then copy all your backups into your backup folder. From there, you can use WHM to restore them.

Backup Restoration

 

[securecomptech]

Configure backups on your new server via WHM, then copy all your backups into your backup folder. From there, you can use WHM to restore them.

Backup Restoration

I figured that would cover the Accounts but will it also handle the Apache configs, php settings, tomcat install, etc?

 

[securecomptech]

I see how this will restore Accounts.

Not seeing how Apache configs, Tomcat setup, packages, etc. would be restored.

 

[securecomptech]

When performing a restore of a "full backup" per Legacy Restore a Full Backup/cpmove File , do you have to copy the daily/monthly backup subdirectory out of /backup to one of the directories specified. (eg. /home /usr /root, etc. )

The restore will not work using a backup in the default /backup location?

 

[cPanelMichael]

Hello

You can copy the EasyApache build profile using the instructions here:

How to Distribute EasyApache Files Over Multiple Servers

Packages are stored in /var/cpanel/packages and can be transferred over manually.

Thank you.

 

[vanessa]

I see how this will restore Accounts.

Not seeing how Apache configs, Tomcat setup, packages, etc. would be restored.

Any reason you can't just restore these manually? Some things don't have an easy button - do it yourself.

 

[securecomptech]

ok, heard back from Tech Support.

CPANEL does not support "restoring" any of the system info such as Apache, Tomcat, Packages, PHP settings, Packages and more.
CPANEL DOES backup many files/dirs with needed config info to help in a manual rebuilding process of the above elements.

Will document steps taken to recover as much of the "system" info as possible.

It should be noted that an image backup is of questionable value during an Ebury security breech.
At least 2 items are critical to know;
WHEN did the breech occur
WHAT attack vector was originally used to breech the system

If you do not know exactly WHEN the system was breeched, you cannot safely choose and image to restore with risking carrying the exploit forward.

If you do not know exactly HOW the system was breeched, you cannot safely restore user accounts as you may restore the same website vulnerability that created the problem in the first place.

 

[cPanelMichael]

Right, it's a good idea to investigate and determine when/how the server was exploited so you can take steps to prevent it from happening again. You may want to consult with a qualified system administrator if you are unable to determine that information.

Thank you.

 

[securecomptech]

Any reason you can't just restore these manually? Some things don't have an easy button - do it yourself.

Nope, no reason, and diy is what I am doing right now.
My hangup was the "system" description of CPANEL, being a new CPANEL customer (Plesk for 10+years, recent convert), I thought that backing up "system" stuff, meant that restore would restore "system" stuff. Not the case. But it does grab some of the good stuff so I can get at it.

I know there is a "feature" in the works to address this.

Honestly, was surprised not to find a step by step guide for full server recovery, or even primary functionality such as PHP, APACHE, etc.
So yes, I am now the happy owner of a bunch of emails and links to;
recover WHM config - which files to copy and when
recover CPANEL config - which files to copy and when
restore Accounts - CPANEL Restore Utility (which failed on queuing more than 3 accounts, so yeah I can use the CLI, but not unreasonable to expect GUI to handle it)
recover Apache config - which files to copy and then re-run easy apache build
recover PHP settings - copying php.ini to the right place
recover MySQL settings - copying my.cnf to the right place

Much of it not a big deal but would be nice to have a list that describes file locations and order of steps instead of just a link to CPANEL EASY Apache setup

Most of it is so basic, why not have it wrapped in a shell script already? Just my 2 cents while working this particular server recovery.

 

[securecomptech]

Right, it's a good idea to investigate and determine when/how the server was exploited so you can take steps to prevent it from happening again. You may want to consult with a qualified system administrator if you are unable to determine that information.

Thank you.

"qualified" I like that...even "qualified" folks allow a security breech that compromises SSH keys for bunches of accounts, happens to the best of us, no?

In my case, I believe the exploit was via a Joomla site using JomSocial with a now known security issue. Haven't finished digging. Still restoring server for all other accounts first.

Info for the next poor unqualified administrator

Ebury Info
https://www.cert-bund.de/ebury-faq
An In-depth Analysis of Linux/Ebury

Testing for Ebury
Determine Your System's Status
https://www.hkcert.org/my_url/en/blog/13031201
InfoSec Handlers Diary Blog - SSHD rootkit in the wild
http://forums.cpanel.net/f185/sshd-rootkit-323962.html

Backup links
Backup Wizard

Migrate / Restore
Copy Multiple Accounts/Packages from Another Server
How to Move all cPanel Accounts from One Server to Another
https://documentation.cpanel.net/display/ALD/Pre-Installation+Advanced+Options
https://documentation.cpanel.net/display/ALD/Pre-Installation+-+Configure+Apache