Dennis84

Registered
Nov 27, 2013
cPanel Access Level
Root Administrator
Last week someone used the nnwhm.php (Mannu, Mass WHM exploiter) script and defaced some websites. This person had root access. The code from the script can be found here: [link redacted]

What can we do to prevent this kind of hacking?

A few things we did after the hack on all servers:
* Disable ssh root access
* Only give access to WHM or SSH from specified ip addresses

Before the hack we had:
* cPanel/WHM running the latest version
* CentOS 5.10 completely updated
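The two hardening steps listed above (no root login over SSH, SSH only from named admins at specified addresses) can be checked with a small audit script. The one below is an added example, not code from the thread or from cPanel; it parses an sshd_config the way sshd does in the two respects that matter for this check (comments are ignored and the first occurrence of a keyword wins) and only looks at the global section, so anything inside a Match block is not evaluated. The two sample configuration files are constructed for the demonstration; the WHM side of the IP restriction lives in hosts.allow or the firewall and is not covered here.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "PermitRootLogin no" and an
# AllowUsers/AllowGroups restriction. Exit status 0 = hardened, 1 = findings.

# Print the effective value of a keyword from the global section.
# sshd uses the FIRST occurrence of a keyword, and stops being "global" at the
# first Match block, so the awk program mirrors that. (The "Keyword=value"
# spelling sshd also accepts is not handled here.)
sshd_global_value() {
    # $1 = config file, $2 = keyword (keywords are case-insensitive in sshd)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }                # end of global section
        tolower($1) == key && !found { print $2; found = 1 }
    ' "$1"
}

# Returns 0 when root login is disabled AND logins are limited to named users
# or groups; returns 1 and prints one line per finding otherwise.
audit_sshd_config() {
    cfg="$1"
    status=0
    root_login=$(sshd_global_value "$cfg" PermitRootLogin)
    # An absent directive is a finding too: sshd's built-in default is not "no".
    case "$(printf '%s' "$root_login" | tr 'A-Z' 'a-z')" in
        no) ;;
        *)  echo "FINDING: PermitRootLogin is '${root_login:-<unset>}', expected 'no'"
            status=1 ;;
    esac
    allow_users=$(sshd_global_value "$cfg" AllowUsers)
    allow_groups=$(sshd_global_value "$cfg" AllowGroups)
    # "user@host" patterns in AllowUsers are how sshd itself pins a login to
    # a source address; without any Allow* directive every account may try.
    if [ -z "$allow_users" ] && [ -z "$allow_groups" ]; then
        echo "FINDING: no AllowUsers/AllowGroups restriction present"
        status=1
    fi
    return $status
}

# Constructed sample configs (not the poster's server). The weak one has a
# commented-out "no" and a later "no" that sshd would never apply.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
WEAK_CFG="$TMPD/sshd_config.weak"
HARD_CFG="$TMPD/sshd_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# stock-looking config: root may log in, any account may authenticate
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

cat > "$HARD_CFG" <<'EOF'
# hardened: no root over SSH, only named admins from two addresses
Port 22
PermitRootLogin no
AllowUsers admin@203.0.113.10 admin@198.51.100.7
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then
        echo "$f: OK"
    else
        echo "$f: NOT hardened"
    fi
done
```

Run it against /etc/ssh/sshd_config on a real host after the changes, and remember that a Match block can loosen what the global section tightened, so review those by hand.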

Dennis84

Registered
Nov 27, 2013
cPanel Access Level
Root Administrator
Second try to post this after first time failed (hopefully this won't become a double post)

Last week someone used nnwhm.php (Mannu, Mass WHM exploiter) to get access to 1 of our servers. What can we do to prevent this kind of hack?

Source code can be found here: [link redacted]

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
What kernel were you running at the time? uname -a will tell you.

If your kernel was not up to date, then root privilege escalation from a web app hack may have been possible.

Also, do you use WHMCS? There have been a lot of exploits targeting that lately.

Otherwise, check all your local machines for any viruses or keyloggers that may have stolen your password(s). If you have not done so, you should re-image the server (re-install the OS and restore site content from known good backups).
 

Dennis84

Registered
Nov 27, 2013
cPanel Access Level
Root Administrator
Kernel version then: 2.6.18-448.16.1.el5.lve0.8.70PAE (cloudlinux)
Kernel version now: 2.6.18-371.1.2.el5 (CentOS)

We use WHMCS, but it's not installed on this server.

We check our local machines for viruses frequently and nothing was found. We have started a new check already to be sure.

Thanks for helping
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
No problem. Those kernel versions look OK.

Ensure you've kept up to date with the frenzy of WHMCS patches; there have been a lot recently. I've seen a lot of servers get rooted because of that, even when WHMCS is installed on a separate server. If the WHMCS install manages any accounts on the server in question, then it has access, and if it was compromised it could result in this issue.
 

Dennis84

Registered
Nov 27, 2013
cPanel Access Level
Root Administrator
We have updated WHMCS constantly when new patches came out. We will have a look into the WHMCS installation to see if we can find something wrong there.
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hello,

I would suggest you install LMD/ClamAV on your server and scan all your users' public_html directories.

Also try the ConfigServer eXploit Scanner (cxs) on your server.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Keep in mind that you should backup the accounts and reinstall the OS if the server was rooted. Also, the cPanel Security Advisor is helpful for providing you with some tips on settings that you can change for increased security.

Thank you.