The Community Forums


Server Compromised Issue

Discussion in 'Security' started by xtronica, May 5, 2015.

  1. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Please help ...
    This hacker is giving me a lot of work to do:
    he hacked my server 3 times ... today by noon I had everything OK .... and he hacked it again now!
    I don't know what to do........ can anyone help?
    This is the site of the bastard!
    - Removed -
     
    #1 xtronica, May 5, 2015
    Last edited by a moderator: May 5, 2015
  2. LostNerd

    LostNerd Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    258
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Hastings, East Sussex, UK
    cPanel Access Level:
    Root Administrator
    What version of cPanel do you use? Are you staying up to date with cPanel security updates? Does anyone else know your password?

    There are a lot of things you can do to protect your server. These questions are only 3 of the hundreds that could be asked.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You could start by using the "Security Advisor" option in Web Host Manager. This will complete a basic check of your server to ensure some of the more common vulnerabilities are addressed. However, you likely should consult with a qualified system administrator to help determine the source of the exploit if you are not comfortable doing this on your own. If your server was rooted, then nothing short of backing up your accounts to a remote destination and reinstalling the OS/cPanel will address the issue.

    Thank you.
     
  4. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I'm using the latest version of the panel.
    The installation of the OS and WHM was made this morning.
    I changed IP and server.
    I installed everything again and after two hours it was hacked!
    Nobody knows the root password, and even this was changed today!
    On the old server the hacker created an account and put the note DON'T DELETE.
    I don't know what to do. .. I'm installing again on a new server and new IP.
    What can I do so that doesn't happen again?
    Please help!
     
  5. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    News that my server sent at the last moment:
    Code:
    -------------------------------
    Service: whostmgrd
    Local IP Address: My server......IP
    Local Port: 2087
    Remote IP Address: 114.121.xxx.xxx
    Remote Port: 49661
    Authentication Database: system
    Username: root
    -----------------------------
     
    #5 xtronica, May 5, 2015
    Last edited by a moderator: May 5, 2015
  6. LostNerd

    LostNerd Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    258
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Hastings, East Sussex, UK
    cPanel Access Level:
    Root Administrator
    Are you installing any plugins that may not be "reputable" on your server?

    **EDIT**

    I ran a geolocate on the IP mentioned above. It appears to belong to the ISP telkomsel.com.

    You could always submit an abuse report to them and of course the authorities.
     
    #6 LostNerd, May 5, 2015
    Last edited by a moderator: May 5, 2015
  7. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    No, buddy!
    On my server I only have 10 websites for personal use, and one is a forum.
    I have only installed the software recommended by WHM.

    I think the hacker simply doesn't like my name!
    The only thing I have is a site selling a script for IPTV, seeing 3 to 4 systems per day! But this content isn't on the server either, only the online shop; the product is then sent zipped by mail.
    Don't get even!
     
  8. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Yes, I will do that!
    But now I'm installing again.
    What is the best tip to protect me?
    How can I turn off all access via SSH to the server for a few days and then reactivate it?
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Your best bet would be to hire a security expert to sort this out for you. cPanel cannot assist you with a compromised server.

    You mention you just reloaded the server, and also that you have 10 websites including at least one forum. I think I might be inclined to reload that server again from the top, and not restore any of the 10 accounts or forums until I've had a chance to lock down the server 100% security-wise, and had a closer look at those 10 accounts for out-of-date scripts, like a forum for example.

    Servers are not compromised by magic. With this much trouble, I think we could assume you've probably got something out of date, scripts-wise, or not enough security on that server.

    Whatever the case, waiting for a reply on these forums to fix things is a waste of your time. You need to hire a professional to assist you with this. You might start by contacting your hosting provider and asking them for suggestions.
     
  11. LostNerd

    LostNerd Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    258
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Hastings, East Sussex, UK
    cPanel Access Level:
    Root Administrator
    In regards to securing SSH, you can issue yourself an SSH key and disable password authentication. You can also edit /etc/ssh/sshd_config and change

    Code:
    #Port 22
    to
    Code:
    Port PORTNUMBER

    This of course is not a definitive answer and, as @Infopro said, you're best hiring a security expert as it appears you are probably being personally targeted with not enough security in place.
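    The hardening described in #11 (SSH key, password authentication off, non-default port) and in the first bullet of #13 (login only through SSH keys), as an added example that is not code from the thread or from cPanel. It edits an sshd_config file in place and reads values back for verification; the function names, the port 2222 and the test file are assumptions, and it assumes OpenSSH 7.0+ syntax (`PermitRootLogin prohibit-password`; older releases spell it `without-password`).

```shell
#!/bin/sh
# Added example (not code from the thread or from cPanel): apply the SSH hardening
# the posts describe (key-only login, no password authentication, non-default port)
# to an sshd_config file, and read the resulting values back for verification.
# Assumptions: POSIX sh with awk and grep; OpenSSH 7.0+ directive syntax.

# Print the active (uncommented) value of a directive.
# Usage: sshd_directive_value /etc/ssh/sshd_config PasswordAuthentication
sshd_directive_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Rewrite $1 so that only the hardened values of the managed directives remain.
# sshd honours the FIRST occurrence of each keyword, so every existing copy
# (commented out or active) is dropped before the new values are appended;
# running the function twice leaves the file unchanged.
harden_sshd_config() {
    cfg="$1"
    port="${2:-22}"
    [ -r "$cfg" ] || return 1
    tmp="${cfg}.tmp.$$"
    # grep exits 1 when every line was filtered out, which is not an error here
    grep -v -E '^[[:space:]]*#?[[:space:]]*(Port|PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication|PermitRootLogin)[[:space:]]' "$cfg" > "$tmp" || true
    {
        printf 'Port %s\n' "$port"
        printf 'PubkeyAuthentication yes\n'
        printf 'PasswordAuthentication no\n'
        printf 'ChallengeResponseAuthentication no\n'
        printf 'KbdInteractiveAuthentication no\n'
        printf 'PermitRootLogin prohibit-password\n'
    } >> "$tmp"
    mv "$tmp" "$cfg"
}

# Order of operations on a live server (keep your current session open throughout):
#   1. ssh-keygen -t ed25519                          # on your workstation
#   2. ssh-copy-id -i ~/.ssh/id_ed25519.pub root@HOST  # install the public key
#   3. open the new port in the firewall (CSF: TCP_IN in /etc/csf/csf.conf)
#   4. harden_sshd_config /etc/ssh/sshd_config 2222
#   5. sshd -t -f /etc/ssh/sshd_config && systemctl restart sshd
#   6. log in on the new port with the key from a second terminal before closing the first
if [ "$#" -ge 1 ]; then
    harden_sshd_config "$1" "${2:-22}"
fi
```

    Disabling password authentication is the part that actually defeats the guessing attempts reported later in the thread: once `PasswordAuthentication no` is active, no number of attempts against root can succeed, whatever the password. Moving the port only thins out the noise from scanners that try port 22 alone.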
     
  12. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator

    Yes, I am not an expert, so I don't use the server for resale or professional services!
    But I'm sure the "gateway" is some error or bug of WHM.

    For about 15 years I used CentOS and a free management panel with the same websites and products that I have now, and I've never been hacked!

    A year ago I bought the WHM license and migrated my services to the panel.
    It's easier to run and manage everything; however, not one month passes without attempts to get into my server, or even hacked services.
    Is it the changing times and I'm getting old?
    Or do I have to go back to the old times, the free panel, and doing everything by hand?
    And this morning I did not restore the old sites with old scripts; I installed everything again and only recovered the databases, and all of them were verified.
    There is one more thing ... all the IPs that were detected trying to enter the system without authorization were added to the black list!
    So for me the bug is in WHM and this hacker found the door!
     
  13. niceboy

    niceboy Active Member

    Joined:
    Sep 29, 2011
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    * login only through SSH keys
    * install a firewall like CSF (and run a security check)
    * disable unwanted PHP functions in php.ini
    * keep all your scripts/themes/plugins updated
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    This is highly unlikely. To clarify, are you using a hard to guess password with multiple characters/symbols? Is it a new password with the new installation of your OS and cPanel? Does the hack occur after installing cPanel/WHM or only after you have restored accounts from backup?

    Thank you.
     
  15. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Yes, I'm using a hard password: characters, uppercase and lowercase.
    The cut happened an hour after installing WHM.
    The bills had only restored 2 yet!
    New scripts; only the DB was restored.
    And by the logins, the hacker entered port 2087 as root.
    He is a magician, or the more complex the password, the easier ...
     
  16. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Dear friends ... I need a magician!

    I installed WHM just 5 minutes ago; I haven't even finished the basic settings.
    And I got this message in my mail!
    Code:
    -----------------------------------------------------
    IP reached maximum auth failures
    Number of authentication failures: 5
    Maximum allowed authentication failures: 5
    
    
    Last authentication request
    ===========================
    Service: sshd
    Remote IP Address: 221.229.xxx.xx
    Authentication Database: system
    Username: root
    Origin Country: China (CN)
    
    Please use the following links to add to the black list:
    
    Single IP: https://host.domain.info:2087/scripts7/cphulk/blacklist?ip=221.229.xxx.xx
      /24: https://host.domain.info:2087/scripts7/cphulk/blacklist?ip=221.229.166.0/24
      /16: https://host.domain.info:2087/scripts7/cphulk/blacklist?ip=221.229.0.0/16
    
    
    Please use the following links to add to the white list:
    
    Single IP: https://host.domain.info:2087/scripts7/cphulk/whitelist?ip=221.229.xxx.x
      /24: https://host.domain.info:2087/scripts7/cphulk/whitelist?ip=221.229.166.0/24
      /16: https://host.domain.info:2087/scripts7/cphulk/whitelist?ip=221.229.0.0/16
    
    -----------------------------------------------------------------------------------------------------
    
    What to do? :mad::mad:
     
    #16 xtronica, May 5, 2015
    Last edited by a moderator: May 5, 2015
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The message in your last response does not indicate your server was accessed. It indicates a brute force "attempt", meaning an attempt to guess the root password was made by the IP address indicated in the message. You can use the URL in the message to blacklist the IP address, but you may also want to block that IP in your firewall.

    Thank you.
     
  18. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Yes, I know that! But this IP is already in the black list, and every five minutes
    I get a message with a different IP.
    Last week I received about 2000 thousand in one day!

    So there's no security that holds!
    I don't know what else to do with this problem!
    As all attempts, or almost all, are for sshd, can this service be blocked? Or restricted?
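    The brute-force picture cPanelMichael describes in #17 and the "a different IP every five minutes" problem in #18, as an added example that is not code from the thread or from cPanel. It reads OpenSSH "Failed password" lines from an auth log, counts failures per source IP and per /24 network, and lists the ones over a threshold, so that blocking decisions are made per network rather than one notice at a time. The log lines are constructed (placeholder addresses), and the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from cPanel): summarise sshd
# brute-force attempts from an auth log per IP and per /24 network.
# Assumption: syslog-style lines as OpenSSH writes them
# ("Failed password for <user> from <ip> port <n> ssh2").

# Constructed sample of /var/log/secure style lines; the addresses are placeholders.
sample_auth_log() {
    cat <<'EOF'
May  5 10:01:02 host sshd[1234]: Failed password for root from 221.229.166.10 port 51234 ssh2
May  5 10:01:05 host sshd[1235]: Failed password for root from 221.229.166.10 port 51240 ssh2
May  5 10:01:09 host sshd[1236]: Failed password for invalid user admin from 221.229.166.10 port 51251 ssh2
May  5 10:01:12 host sshd[1237]: Failed password for root from 221.229.166.77 port 40211 ssh2
May  5 10:01:15 host sshd[1238]: Failed password for root from 221.229.166.77 port 40230 ssh2
May  5 10:01:30 host sshd[1239]: Failed password for root from 114.121.5.9 port 49661 ssh2
May  5 10:02:00 host sshd[1240]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2
EOF
}

# stdin: auth log lines; stdout: "<failures> <ip>", most active first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# stdin: auth log lines; stdout: "<failures> <a.b.c.0/24>", most active first.
failed_logins_by_net24() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") {
                 split($(i + 1), o, ".")
                 c[o[1] "." o[2] "." o[3] ".0/24"]++
             }
         }
         END { for (n in c) print c[n], n }' | sort -rn
}

# $1: threshold; stdin: auth log; stdout: IPs with at least $1 failures.
block_candidates() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# $1: threshold; stdin: auth log; stdout: /24 networks with at least $1 failures.
block_candidates_net24() {
    failed_logins_by_net24 | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample; on a CentOS/cPanel box the input
# would be /var/log/secure instead.
if [ "${1:-}" = "demo" ]; then
    echo "Failures per IP:";                  sample_auth_log | failed_logins_by_ip
    echo "Failures per /24:";                 sample_auth_log | failed_logins_by_net24
    echo "Block candidates (>= 3 failures):"; sample_auth_log | block_candidates 3
    echo "Block candidates (/24, >= 4):";     sample_auth_log | block_candidates_net24 4
fi
```

    With CSF installed, a whole network can be denied in one step (`csf -d 221.229.166.0/24 "ssh brute force"`, using the constructed address above), which keeps up better than blacklisting each notice by hand. Even so, chasing source addresses is a losing game against a distributed campaign; the durable fix is the one in #11, disabling password authentication so that a guessed password is never accepted, together with restricting ports 22 and 2087 in the firewall to the addresses you administer from. The lockout mails in #16 are noise of this kind; a notice of an accepted root login on whostmgrd from an address you do not recognise, as in #5, is the event to treat as evidence of access.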
     
  20. xtronica

    xtronica Member

    Joined:
    Jan 23, 2014
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Now the black list doesn't work!

    black.png
     
    #20 xtronica, May 5, 2015
    Last edited by a moderator: May 5, 2015