The Community Forums

Interact with an entire community of cPanel & WHM users!

Root sends sensitive email to hacker

Discussion in 'E-mail Discussions' started by nocser, Oct 26, 2006.

  1. nocser, Member. Joined: Jan 13, 2006 | Messages: 10 | Likes Received: 0 | Trophy Points: 1
    Hi friend

    I found one of my servers automatically sending sensitive information (passwords and usernames) to a hacker. Below is the email sitting in the mail queue waiting to be sent. The body of the email contains many URLs, usernames and passwords.

    Any idea how to remove the exploit? I have tried many ways; none of them work.

    Thanks in advance

    =============================
    1161713089 0
    -ident root
    -received_protocol local
    -body_linecount 1424
    -auth_id root
    -auth_sender root@mydomainname.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    slutswatch@yahoo.com

    152P Received: from root by server.mydomainname.com with local (Exim 4.52)
    id 1GcQdt-0006U7-To
    for slutswatch@yahoo.com; Wed, 25 Oct 2006 04:04:50 +1000
    025T To: slutswatch@yahoo.com
    035 Subject: server.mydomainname.com
    058I Message-Id:
    044F From: root
    038 Date: Wed, 25 Oct 2006 04:04:49 +1000
    ===============================



    Today exim_mainlog got this log entry
    ================================
    2006-10-26 04:03:16 1Gcn5v-0005PQ-Nd => slutswatch@yahoo.com R=lookuphost
    T=remote_smtp H=mx1.mail.yahoo.com [67.28.113.71]

    2006-10-26 04:03:16 1Gcn5v-0005PQ-Nd Completed
    ================================
     
  2. nocser, Member. Joined: Jan 13, 2006 | Messages: 10 | Likes Received: 0 | Trophy Points: 1
    Hi all cPanel guys, is no one willing to help?
     
  3. chilihost, Well-Known Member. Joined: Mar 1, 2005 | Messages: 72 | Likes Received: 0 | Trophy Points: 6
    Have you scanned your server for rootkits? Have you checked your sites for vulnerable PHP scripts? Have you checked your tmp directories and secured them? It sounds like the hacker got access to your server and set up some automated tool, possibly a rootkit.
     
  4. nocser, Member. Joined: Jan 13, 2006 | Messages: 10 | Likes Received: 0 | Trophy Points: 1
    Hi Chilihost, I am glad someone finally replied to this thread. All the actions below were taken and the same email is still being sent out.

    RKhunter 1.2.8, updated yesterday; the scan seems all clear except /bin/kill.
    It was an MD5 fail, but I think it is because of an update problem.

    /scripts/tmp has been run since the box went out. I re-secured it again yesterday.

    This script was also run. All the suspected files in exploits.txt were removed.
    =======================
    sh
    # Look in the usual drop directories for files owned by the web-server users,
    # plus anything executable (ls -F marks these with *) or ending in .pl
    : > exploits.txt
    for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
      ls -loAFR "$x" 2>/dev/null \
        | grep -E "^$|^/| apache | nobody | unknown | www | web " \
        | grep -E "^$|^/|/$|\*$|\.pl$" | tee -a exploits.txt
    done
    printf '\n\nPossible Exploit Files and Directories: %s\n' \
      "$(grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
    exit
    =======================

    Any idea?
     
  5. nocser, Member. Joined: Jan 13, 2006 | Messages: 10 | Likes Received: 0 | Trophy Points: 1
    The worst is, I am receiving complaints telling me that this server is attempting to attack other hosts.
     
  6. mickalo, Well-Known Member. Joined: Apr 16, 2002 | Messages: 765 | Likes Received: 2 | Trophy Points: 18 | Location: N.W. Iowa
    Do you know of a good rootkit scanner that works on CentOS 3.8?

    Mickalo
     
  7. chirpy, Well-Known Member. Joined: Jun 15, 2002 | Messages: 13,475 | Likes Received: 20 | Trophy Points: 38 | Location: Go on, have a guess
    If someone has been able to modify the root account's forwarder then you've likely had a root compromise and should back up all your user data, have the OS disk wiped clean and a new OS installed, then restore all the cPanel accounts and secure your server more effectively. You cannot realistically clean a server once you've suffered a root compromise, which is what appears to have happened here.
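    The two signs discussed in this thread, checked in code: a queued message that root submitted locally to an outside address (parsed from the Exim spool-header layout nocser quoted in the first post) and a planted entry in root's .forward file, as chirpy describes. This is an added example, not code from the original posts; the sample header, the placeholder recipient and the local-domain set are constructed, and on a real box the input would be the `*-H` files under Exim's spool input directory and `/root/.forward`.

```python
import re

# Constructed sample of an Exim spool header (-H file) in the layout quoted in the thread; placeholder recipient.
SAMPLE_SPOOL_HEADER = """\
1161713089 0
-ident root
-auth_id root
-auth_sender root@mydomainname.com
XX
1
attacker-mailbox@example.net

035 Subject: server.mydomainname.com
"""

def parse_spool_header(text):
    """Return (ident, auth_id, recipients): '-' option lines end at the
    non-recipient tree line ('XX' when empty), then count, then recipients."""
    lines = text.splitlines()
    ident = auth_id = None
    i = 0
    while i < len(lines) and lines[i] != "XX":
        if lines[i].startswith("-ident "):
            ident = lines[i].split(" ", 1)[1]
        elif lines[i].startswith("-auth_id "):
            auth_id = lines[i].split(" ", 1)[1]
        i += 1
    if i + 1 >= len(lines):          # truncated or unrecognised file
        return ident, auth_id, []
    count = int(lines[i + 1])
    return ident, auth_id, lines[i + 2 : i + 2 + count]

def flag_root_exfil(text, local_domains):
    """Recipients outside local_domains of a message submitted locally as root."""
    ident, auth_id, rcpts = parse_spool_header(text)
    if "root" not in (ident, auth_id):
        return []
    return [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in local_domains]

def external_forwards(forward_text, local_domains):
    """Entries of a ~/.forward file that leave the box: foreign-domain addresses, pipes, :include: files."""
    found = []
    for entry in re.split(r"[,\n]", forward_text):
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith(("|", ":include:")) or (
                "@" in entry and entry.rsplit("@", 1)[1].lower() not in local_domains):
            found.append(entry)
    return found
```

    A non-empty result from either function on a production server is a reason to treat the box as compromised, as chirpy advises, rather than to delete the queued message and carry on.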
     
  8. nocser, Member. Joined: Jan 13, 2006 | Messages: 10 | Likes Received: 0 | Trophy Points: 1
    If I reimage the server and restore the backup made by WHM on the second HDD, is that secure? I mean, will the backup files be infected as well?
     
  9. chirpy, Well-Known Member. Joined: Jun 15, 2002 | Messages: 13,475 | Likes Received: 20 | Trophy Points: 38 | Location: Go on, have a guess
    It can't be infected in the sense of a Windows virus, no. You might end up restoring the account that the hacker compromised, but that's why you need to better secure the server before restoring accounts. While hackers can often easily compromise end-user scripts, you ought to be able to secure the server in most instances against root compromise.
     