Server accessed, but how?

kpmedia (Well-Known Member, member since Feb 13, 2011, USA, Europe; cPanel Access Level: Root Administrator)
I'm using Host Access Control, for just 2 IPs and my local ISP range.

I'm using cPHulk, and got emails a few months ago that WHM was logged into. But I never saw anything being tampered with, and my host said it was a false alert from cPHulk. ... until a few days ago. Somebody reset my cPanel packages. Yeah, I know, doesn't make much sense.

That day, in SSH, it appears that somebody installed sqlmap. The other shell commands were sloppy, errors, like the person didn't know what he was doing.

CSF is in use. My email address for alerts was removed, or never entered.

There was an unknown SSH key, but I'm not entirely sure it wasn't a key that was set up for cPanel to access it, at some point in years past. Would a key bypass Host Access Control? I didn't think a key could bypass HAC.

This is a VPS. Could the host node be compromised?

None of this makes sense to me.
 

HostNoc (Well-Known Member, member since Feb 20, 2020, Ontario; cPanel Access Level: Root Administrator)
Hi

You should take some preventive measures to secure your server's SSH access:

1. Avoid using the default SSH port
2. Disable root login
3. Use SSH keys instead of passwords

Regards
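As an added example (not from the thread, cPanel or HostNoc), the three items above turned into a check that can be run against a copy of sshd_config before touching the live file. It assumes OpenSSH 7.x semantics as shipped with CentOS 7: a commented-out directive means the compiled-in default applies, and the first occurrence of a directive wins, so a hardened line placed after an earlier weak one is silently ignored. The sample config and the replacement port 2222 are made up for the demonstration.

```python
"""Audit and harden the three sshd_config settings from the post above.

Added example, not cPanel's or the poster's code. Assumes OpenSSH 7.x semantics
(CentOS 7): a commented-out directive means the compiled-in default applies,
and the FIRST occurrence of a directive wins, so a hardened line placed after
an earlier weak one would be ignored.
"""
import re

# Constructed sample: CentOS 7 defaults, two of them present only as comments.
SAMPLE_SSHD_CONFIG = """\
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
#Port 22
#AddressFamily any
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTHPRIV
#PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
"""

CANONICAL = {"port": "Port", "permitrootlogin": "PermitRootLogin",
             "passwordauthentication": "PasswordAuthentication"}
# Value sshd assumes when the directive is absent or commented out.
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes"}
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}


def _split(line):
    """Return (lowercased keyword, value) for a directive line, ignoring a leading '#'."""
    body = line.strip().lstrip("#").strip()
    parts = re.split(r"[\s=]+", body, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) == 2 else "")


def effective_settings(text):
    """Global value of each audited directive: first active occurrence wins, Match blocks excluded."""
    found = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, value = _split(line)
        if key == "match":
            break
        if key in DEFAULTS and key not in found and value:
            found[key] = value.lower()
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}


def audit_sshd_config(text):
    """List (directive, current value, recommended value) for each weak setting."""
    eff = effective_settings(text)
    findings = []
    if eff["port"] == "22":
        findings.append(("Port", "22", "non-default port"))
    for key, want in WANTED.items():
        if eff[key] != want:
            findings.append((CANONICAL[key], eff[key], want))
    return findings


def harden_sshd_config(text, port=2222):
    """Return the config with the three directives pinned to hardened values.

    The first global occurrence (active or commented) is rewritten, later global
    duplicates are commented out so they cannot shadow it, and anything missing
    is inserted before the first Match block (or appended). Match-block
    overrides are left alone on purpose: review those by hand.
    """
    targets = {"port": str(port), "permitrootlogin": "no", "passwordauthentication": "no"}
    out, done, in_match = [], set(), False
    for line in text.splitlines():
        key, _ = _split(line)
        if in_match:
            out.append(line)
            continue
        if key == "match":
            out.extend(f"{CANONICAL[k]} {v}" for k, v in targets.items() if k not in done)
            done.update(targets)
            in_match = True
            out.append(line)
        elif key in targets:
            if key in done:
                # A later duplicate would be ignored by sshd anyway; comment it out so nobody is misled.
                out.append("# " + line.strip().lstrip("#").strip())
            else:
                out.append(f"{CANONICAL[key]} {targets[key]}")
                done.add(key)
        else:
            out.append(line)
    out.extend(f"{CANONICAL[k]} {v}" for k, v in targets.items() if k not in done)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("weak: %s = %s (want %s)" % finding)
    print(harden_sshd_config(SAMPLE_SSHD_CONFIG))
```

Before restarting sshd with the hardened file, run `sshd -t -f <file>` to syntax-check it, add the new port to the CSF TCP_IN list and to the Host Access Control rules for sshd, confirm the key you intend to keep using is in authorized_keys, and keep the current session open until a second login on the new port succeeds.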
 

cPanelWilliam (Administrator, Staff member, member since Mar 13, 2018, Houston; cPanel Access Level: Root Administrator)
Hello!

Using an SSH key should not allow users to bypass Host Access Control rules. Can you let us know what operating system your server is using? We've had some reports of users with EL 8 servers, such as AlmaLinux 8, experiencing issues with Host Access Control rules being enforced. In those cases, we recommend users back up any custom firewall rules, then run /usr/local/cpanel/scripts/configure_firewall_for_cpanel, then re-create your Host Access Control rules.

Note that this script would clear out any custom firewall rules, which is why I would recommend making a backup before running it.
 

kpmedia (Well-Known Member, member since Feb 13, 2011, USA, Europe; cPanel Access Level: Root Administrator)
CentOS v7.9.2009 STANDARD kvm

Good to know about the key. Of course, it further narrows down possible issues. Could a compromised VPS node allow container/VPS root intrusion? I just don't know what else it could be. I'm not a newbie admin. It doesn't appear they cared about the sparse data on the server, but rather in using it to attack other servers.

The hacker seems to have scrubbed sessions, but missed one. See attached. But the above seems odd, almost newbie-like, some wrong commands, having to refer to the help file. And yet, somehow accessed the VPS?

I'm even starting to wonder if the host has a rogue support person, in which case I might have to move those assets elsewhere.
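As an added example (not from the thread, cPanel or the poster), here is the triage a practitioner would run to answer the two open questions above: which authorized_keys entry each accepted login actually used, and whether any accepted login came from an address outside the Host Access Control list. The allowed networks, the key blobs and the log lines are all constructed for the example; the log format is the one OpenSSH 7.4 on CentOS 7 writes to /var/log/secure, which includes the key fingerprint on "Accepted publickey" lines.

```python
"""Triage accepted SSH logins against the Host Access Control allowlist and authorized_keys.

Added example, not from the thread or from cPanel. All IPs, key blobs and log
lines below are constructed; the log format is the one OpenSSH 7.4 on CentOS 7
writes to /var/log/secure, which includes the key fingerprint for publickey logins.
"""
import base64
import hashlib
import ipaddress
import re
import struct

# Stand-in for "2 IPs and my local ISP range" (values made up for the example).
ALLOWED = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "198.51.100.11/32", "192.0.2.0/24")]


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_blob(seed):
    """Syntactically valid ssh-ed25519 public-key blob built from a seed byte.

    Not a real key (the 32 key bytes are a repeated seed), but the fingerprint
    arithmetic is exactly what ssh-keygen -lf performs on a real one.
    """
    return ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)


def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint: base64(sha256(key blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Map fingerprint -> (key type, comment) for every key line, skipping option prefixes."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                keys[fingerprint(fields[i + 1])] = (field, " ".join(fields[i + 2:]))
                break
    return keys


ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)


def triage_logins(log_text, authorized_keys_text, allowed=ALLOWED):
    """One record per accepted login: who, from where, whether the source is allowed,
    and which authorized_keys entry was used (None for password logins or unknown keys)."""
    keys = parse_authorized_keys(authorized_keys_text)
    records = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        records.append({
            "user": m["user"],
            "ip": str(ip),
            "method": m["method"],
            "allowed": any(ip in net for net in allowed),
            "key": keys.get(m["fp"]),
        })
    return records


def suspicious_logins(records):
    """Logins that Host Access Control should have refused if it was enforcing."""
    return [r for r in records if not r["allowed"]]


# Constructed authorized_keys: one key the admin recognises, one with no comment.
KEY_KNOWN = base64.b64encode(fake_ed25519_blob(1)).decode()
KEY_UNKNOWN = base64.b64encode(fake_ed25519_blob(2)).decode()
SAMPLE_AUTHORIZED_KEYS = f"ssh-ed25519 {KEY_KNOWN} kpmedia@laptop\nssh-ed25519 {KEY_UNKNOWN}\n"

# Constructed /var/log/secure excerpt (CentOS 7 format); fingerprints derived from the blobs above.
SAMPLE_SECURE_LOG = "\n".join([
    f"Mar  3 02:14:07 vps sshd[1842]: Accepted publickey for root from 198.51.100.10 port 50122 ssh2: ED25519 {fingerprint(KEY_KNOWN)}",
    "Mar  3 02:20:31 vps sshd[1901]: Failed password for root from 203.0.113.45 port 41000 ssh2",
    f"Mar  3 02:21:05 vps sshd[1903]: Accepted publickey for root from 203.0.113.45 port 41002 ssh2: ED25519 {fingerprint(KEY_UNKNOWN)}",
    "Mar  3 09:02:44 vps sshd[2210]: Accepted password for root from 192.0.2.77 port 52001 ssh2",
])

if __name__ == "__main__":
    for r in triage_logins(SAMPLE_SECURE_LOG, SAMPLE_AUTHORIZED_KEYS):
        print(r)
```

On a real server, `ssh-keygen -lf /root/.ssh/authorized_keys` prints the same SHA256 fingerprints, so the mapping can be cross-checked by hand, and the input would be /var/log/secure and its rotated copies rather than the constructed excerpt. Two caveats matter here: Host Access Control and the firewall decide before authentication starts, so an accepted login from an address outside the list is evidence that the rules were not enforced for that connection regardless of which credential was used; and once wtmp has been scrubbed, on-box logs are only as trustworthy as the attacker was careless, so any copy the provider keeps off the VPS is worth asking for.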
 
