The Community Forums


server attacked

Discussion in 'Security' started by Dennis84, Nov 27, 2013.

  1. Dennis84

    Dennis84 Registered

    Joined:
    Nov 27, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Last week someone used the nnwhm.php (Mannu, Mass WHM exploiter) script and defaced some websites. This person had root access. The code from the script can be found here [link redacted]

    What can we do to prevent this kind of hacking?

    A few things we did after the hack on all servers:
    * Disable SSH root access
    * Only give access to WHM or SSH from specified IP addresses

    Before the hack we had:
    * cPanel/WHM running the latest version
    * CentOS 5.10 completely updated
     
    #1 Dennis84, Nov 27, 2013
    Last edited by a moderator: Nov 27, 2013
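The two mitigations listed in the post (no root logins over SSH, and WHM/SSH reachable only from specified addresses) as an added shell example; this is not code from the original post or from cPanel. It rewrites an sshd_config, writes tcp_wrappers rules in the form cPanel's Host Access Control keeps in /etc/hosts.allow, and prints matching iptables rules for the WHM ports. The file paths, the user name "admin" and the admin address 203.0.113.10 are assumptions. Keep a second root session open until you have confirmed you can still log in, because the "ALL : deny" lines lock out every other address.

```shell
#!/bin/sh
# Added example (not from the forum post or cPanel): apply the two
# mitigations the post lists. File paths, the admin user "admin" and the
# admin address 203.0.113.10 are assumptions; adjust before use.

# Put "KEY VALUE" at the top of an sshd_config-style file, dropping any
# earlier active or commented-out copy. Prepending rather than appending
# keeps the directive out of any Match block that sits at the end of the file.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    {
        printf '%s %s\n' "$key" "$value"
        grep -Ev "^[#[:space:]]*$key([[:space:]]|\$)" "$file" || true
    } > "$file.tmp" && mv "$file.tmp" "$file"
}

# Disable root logins and allow exactly one user from one address.
# A plain address is used because OpenSSH 4.3 (CentOS 5) does not accept
# CIDR notation in AllowUsers.
harden_sshd() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" AllowUsers "$2@$3"
}

# tcp_wrappers rules in the form cPanel's Host Access Control writes to
# /etc/hosts.allow: WHM (whostmgrd) and sshd only from the admin address.
write_host_access() {
    cat >> "$1" <<EOF
whostmgrd: $2 : allow
whostmgrd: ALL : deny
sshd: $2 : allow
sshd: ALL : deny
EOF
}

# Matching packet-filter rules for the WHM ports (2086 plain, 2087 TLS).
# Printed for review rather than applied; pipe to sh once checked.
whm_iptables_rules() {
    for port in 2086 2087; do
        echo "iptables -A INPUT -p tcp --dport $port -s $1 -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Live usage (after backing up the files):
#   harden_sshd /etc/ssh/sshd_config admin 203.0.113.10 && service sshd reload
#   write_host_access /etc/hosts.allow 203.0.113.10
#   whm_iptables_rules 203.0.113.10
```

The hosts.allow rules and the iptables rules overlap on purpose: tcp_wrappers only protects daemons linked against libwrap (sshd on CentOS is, and cPanel's own daemons honour the file), while the packet filter stops the connection before any daemon sees it.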
  2. Dennis84

    Dennis84 Registered

    Joined:
    Nov 27, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Second try to post this after first time failed (hopefully this won't become a double post)

    Last week someone used nnwhm.php (Mannu, Mass WHM exploiter) to get access to one of our servers. What can we do to prevent this kind of hack?

    Source code can be found here: [link redacted]
     
    #2 Dennis84, Nov 27, 2013
    Last edited by a moderator: Nov 27, 2013
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    What kernel were you running at the time? uname -a will tell you.

    If your kernel was not up to date, then root privilege escalation from a web app hack may have been possible.

    Also, do you use WHMCS? There have been a lot of exploits targeting that lately.

    Otherwise, check all your local machines for any viruses or keyloggers that may have stolen your password(s). If you have not done so, you should re-image the server (re-install the OS and restore site content from known good backups).
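One check that belongs next to `uname -a`, as an added shell example that is not from the reply above: a box that was "completely updated" can still be running the old kernel if nobody rebooted after the new kernel RPM was installed. The script compares the running kernel with the newest entry of `rpm -q --last kernel` (newest install first). The sample `rpm` output embedded below is constructed, not taken from the poster's server.

```shell
#!/bin/sh
# Added example (not from the forum post): confirm that the kernel the box
# is running is the one most recently installed. yum can install a new
# kernel package without the machine ever booting into it.

# Take the output of `rpm -q --last kernel` (newest install first) and
# return the version-release of the newest package, e.g. 2.6.18-371.1.2.el5.
newest_installed_kernel() {
    printf '%s\n' "$1" | head -n 1 | awk '{ sub(/^kernel-/, "", $1); print $1 }'
}

# Compare the running kernel (`uname -r`) with the newest installed one.
# Prints "ok" or "reboot-needed".
kernel_state() {
    running=$1
    newest=$(newest_installed_kernel "$2")
    if [ "$running" = "$newest" ]; then
        echo ok
    else
        echo reboot-needed
    fi
}

# Constructed sample of `rpm -q --last kernel` on a CentOS 5 box:
SAMPLE_RPM_LAST='kernel-2.6.18-371.1.2.el5                     Tue 26 Nov 2013 09:14:02 PM CET
kernel-2.6.18-348.el5                         Sat 16 Feb 2013 10:03:55 AM CET'

# Live usage:  kernel_state "$(uname -r)" "$(rpm -q --last kernel)"
kernel_state "2.6.18-348.el5" "$SAMPLE_RPM_LAST"
```

Variant kernels live in differently named packages (kernel-PAE, and CloudLinux's lve kernels such as the 2.6.18-448.16.1.el5.lve0.8.70PAE the poster was running), so on such a box list them with `rpm -qa --last 'kernel*'` and compare the variant name as well as the version. The check says nothing about whether the newest package is itself current; that still needs a look at the vendor's errata.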
     
  4. Dennis84

    Dennis84 Registered

    Joined:
    Nov 27, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Kernel version then: 2.6.18-448.16.1.el5.lve0.8.70PAE (cloudlinux)
    Kernel version now: 2.6.18-371.1.2.el5 (CentOS)

    We use WHMCS, but it's not installed on this server.

    We check our local machine for viruses frequently and nothing was found. We have started a new check already to be sure.

    Thanks for helping
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    No problem. Those kernel versions look OK.

    Ensure you've kept up to date with the frenzy of WHMCS patches; there have been a lot recently. I've seen a lot of servers get rooted because of that, even when WHMCS is installed on a separate server. If the WHMCS install manages any accounts on the server in question, then it has access, and if it was compromised it could result in this issue.
     
  6. Dennis84

    Dennis84 Registered

    Joined:
    Nov 27, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    We have updated WHMCS constantly when new patches came out. We will have a look into the WHMCS installation to see if we can find something wrong there.
     
  7. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I suggest you install LMD/ClamAV on your server and scan all user public_html directories.

    Also try the ConfigServer eXploit Scanner (cxs) on your server.
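A quick triage pass to run over the account webroots before (not instead of) the maldet, clamscan and cxs runs suggested above, as an added shell example that is not from the reply or from those tools. It lists PHP files containing the usual webshell building blocks and PHP files changed in the last N days; both lists are short enough to read by hand while the full scanners run. The sample tree used in the test is constructed; the page says nothing about what nnwhm.php itself contains, and this script does not try to fingerprint it.

```shell
#!/bin/sh
# Added example (not from the forum post): triage cPanel account webroots.
# This narrows the search; it does not replace maldet/clamscan/cxs.

# Constructs that almost never belong in a customer's own site code.
SHELL_MARKERS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|passthru[[:space:]]*\(|shell_exec[[:space:]]*\(|popen[[:space:]]*\(|proc_open[[:space:]]*\('

# Print PHP files under DIR whose contents match SHELL_MARKERS.
find_marker_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
        -exec grep -lE "$SHELL_MARKERS" {} + 2>/dev/null || true
}

# Print PHP files under DIR modified within the last DAYS days.
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Run both checks for every cPanel account webroot (live usage; the default
# window of 7 days is an assumption, widen it to cover the defacement date).
triage_all_accounts() {
    for root in /home/*/public_html; do
        [ -d "$root" ] || continue
        echo "== $root"
        find_marker_files "$root"
        find_recent_php "$root" "${1:-7}"
    done
}
```

Expect false positives from legitimate code that uses base64_decode or eval (some CMS plugins do); the point is to get a list of a few dozen files to open, not a verdict. Files the attacker touched with a preserved mtime will not show up in the recent-files list, which is one reason the full scanners are still needed.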
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Keep in mind that you should backup the accounts and reinstall the OS if the server was rooted. Also, the cPanel Security Advisor is helpful for providing you with some tips on settings that you can change for increased security.

    Thank you.
     