Server accessed, but how?

[kpmedia]

I'm using Host Access Control, for just 2 IPs and my local ISP range.

I'm using cPHulk, and got emails a few months ago that WHM was logged into. But I never saw anything being tampered with, and my host said it was a false alert from cPHulk. ... until a few days ago. Somebody reset my cPanel packages. Yeah, I know, doesn't make much sense.

That day, in SSH, it appears that somebody installed sqlmap. The other shell commands were sloppy, errors, like the person didn't know what he was doing.

CSF is in use. My email address for alerts was removed, or never entered.

There was an unknown SSH key, but I'm not entirely sure it wasn't a key that was setup for cPanel to access it, at some point in years past. Would a key bypass Host Access Control? I didn't think a key could bypass HAC.

This is a VPS. Could the host node be compromised?

None of this makes sense to me.

 

[HostNoc]

HI

You should take some preventive meaure to secure your server from SSH Access

1. Avoid using default ssh port
2.disable root login
3. use ssh key instead of password

Regards

 

[kpmedia]

Not using default port.
Disabling root for SSH doesn't disable for WHM.
What's so special about key vs. password?

Thanks for the reply, but my original questions were not addressed. Namely if the key bypasses Host Access Control (aka IP lockdown).

 

[cPanelWilliam]

Hello!

Using an SSH key should not allow users to bypass Host Access Control rules. Can you let us know what operating system your server is using? We've had some reports of users with EL 8 servers, such as AlmaLinux 8, experiencing issues with Host Access Control rules being enforced. In those cases, we recommend users backup any custom firewall rules, then run /usr/local/cpanel/scripts/configure_firewall_for_cpanel , then re-create your Host Access Control rules.

Note that this script would clear out any custom firewall rules, which is why I would recommend making a backup before running it.

 

[kpmedia]

CentOS v7.9.2009 STANDARD kvm

Good to know about the key. Of course, it further narrows down possible issues. Could a compromised VPS node allow container/VPS root intrusion? I just don't know what else it could be. I'm not a newbie admin. It doesn't appear they cared about the sparse data on the server, but rather in using it to attack other servers.

The hacker seems to have scrubbed sessions, but missed one. See attached. But the above seems odd, almost newbie-like, some wrong commands, having to refer to the help file. And yet, somehow accessed the VPS?

I'm even starting to wonder if the host has a rogue support person, in which case I might have to move those assets elsewhere.

 

[cPRex]

Could a compromised VPS node allow container/VPS root intrusion?

Sure - if someone has access to the container, they could access any individual machine.