The Community Forums


Server Hacked, I am locked out.

Discussion in 'General Discussion' started by alphaonline, Dec 28, 2004.

  1. alphaonline

    alphaonline Member

    Joined:
    Apr 14, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Yesterday it seems my server was hacked. I can log in to cPanel and other resellers' WHMs, but not into root. I checked the logwatch in my email and got this:
    Failed logins from these:
    root/password from 220.130.182.186: 369 Time(s)
    They must have got in, even though the password was secure. Is there any way to get back in and change the password? Please help ASAP. Thanks so much...
     
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    How do you know it was hacked? What proof do you have? Is the server pinging? Can you get into WHM? If so, perhaps try restarting sshd? It might have just been DoS'd and failed out (it's happened). You might be best getting someone at the datacenter to plug in a console and have them look around for you. Though if you know it was hacked, it might just be best to restore the OS, lock it down some, restore your accounts from backup and then continue locking down the box.
     
  3. alphaonline

    alphaonline Member

    Joined:
    Apr 14, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Like my title says, I am locked out. I can't get into root WHM. I can't restart anything... Also, it seems that they haven't messed with anything, because all accounts are still functioning.
     
    #3 alphaonline, Dec 28, 2004
    Last edited: Dec 28, 2004
  4. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    If you're locked out, you're locked out. You could try requesting a reboot, but if indeed you are hacked, that might not be the best of ideas. However, if you really don't want to call the DC, a reboot is your only option.

    I'd also make sure to run /scripts/updatenow after it's up to ensure that you weren't hit with the quota bug.
     
  5. alphaonline

    alphaonline Member

    Joined:
    Apr 14, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Even if I request a reboot, it seems the password has been changed, so that wouldn't help. Would it?
     
  6. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    Well.. if you're logging in to other accounts fine, I'd assume it's possible it was hacked. In that case, call up the DC, have them boot into single user mode and change the password so you can have a look around. Could be a corrupt password file, yet could be hacked.
     
  7. alphaonline

    alphaonline Member

    Joined:
    Apr 14, 2004
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Thanks, I have e-mailed them.
     
  8. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    Just some comments... why weren't you using some sort of anti-brute forcing system, like BFD? Highly recommended that you set that up when you get your server back.

    How are you so sure that your password was secure? Was it less than about 10 characters? Was it composed of dictionary words (real words)?
     
  9. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    You would be surprised at the number of people that 1. don't have any active firewall rules and 2. believe that cpanel takes care of all aspects of their system's security. Now, that said, it's not to say the thread starter fits into that category, but from his/her post it does sound like s/he may not take security & administration as seriously as s/he should.

    Also BFD protection does come in handy; however, for some with very active servers, it can be a royal pain in the rear end, and there are other factors which might make it less than a perfect solution for others. The fact of the matter is, we don't know if the hacker got in by brute force (which usually takes at least a few days) or through some other vulnerability.
     
  10. ntfx

    ntfx Member

    Joined:
    Sep 25, 2004
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    You should employ an admin who can take care of your security needs; I am always here if needed. Sadly I just lost my job.
     
  11. Myacen

    Myacen Well-Known Member

    Joined:
    Apr 6, 2002
    Messages:
    222
    Likes Received:
    0
    Trophy Points:
    16
    Beau are you telling me cpanel does not do all the system hardening and security? :confused:

    * Shit goes off and looks at the servers *
     
  12. espsoft

    espsoft Member

    Joined:
    Sep 1, 2004
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Just a real simple question, you indicate that you can't log into WHM as root, but can you SSH in?

    I have been *locked out* of WHM before, but could still get into the server via shell. Just a thought...
     
  13. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    I shoulda broke the news to you earlier mate, my bad :eek:

    From his post, it looks like he can't log into either; if he could log into root via SSH, I'm sure it'd be a simple fix up.
     
  14. bigj

    bigj Well-Known Member

    Joined:
    Aug 9, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Tucson,AZ
    Is there a link on BFD so I can do some reading on it? Thanks.

    bigj
     
  15. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    You need APF with BFD, also fix your server to notify you upon root logons

    http://www.webhostgear.com/60.html

    You will find how to do that as well as a lot of others. However, you should employ a pro to setup your server, the $80 you spend will save you hours of work, and tons of stress. Do yourself and your clients the favor
     
    #15 RandyO, Dec 29, 2004
    Last edited: Dec 29, 2004
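    The failed-login summary quoted in the first post and the BFD / root-login-notification advice in posts 8 and 15 both reduce to the same bookkeeping: count sshd password failures per source address and user, decide when a source has crossed a brute-force threshold, and raise an alert on any successful root login, especially one from a source that was just hammering the box. The Python below is an added example written for this thread; it is not code from BFD, APF, logwatch or cPanel. The log lines, the IP addresses (documentation ranges) and the 5-attempt threshold are constructed assumptions.

```python
import re
from collections import Counter

# Patterns for the two OpenSSH syslog messages the thread's logwatch report is built from.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines (not taken from the forum post): one source
# brute-forces root, then gets in; an unrelated user logs in with a key.
SAMPLE_LOG = """\
Dec 27 22:14:01 box sshd[2210]: Failed password for root from 203.0.113.45 port 4412 ssh2
Dec 27 22:14:03 box sshd[2212]: Failed password for root from 203.0.113.45 port 4413 ssh2
Dec 27 22:14:05 box sshd[2214]: Failed password for root from 203.0.113.45 port 4414 ssh2
Dec 27 22:14:07 box sshd[2216]: Failed password for invalid user admin from 203.0.113.45 port 4415 ssh2
Dec 27 22:14:09 box sshd[2218]: Failed password for root from 203.0.113.45 port 4416 ssh2
Dec 27 22:14:11 box sshd[2220]: Failed password for root from 203.0.113.45 port 4417 ssh2
Dec 27 22:14:20 box sshd[2230]: Accepted password for root from 203.0.113.45 port 4418 ssh2
Dec 27 23:01:13 box sshd[2301]: Failed password for bob from 198.51.100.7 port 51002 ssh2
Dec 27 23:01:40 box sshd[2303]: Accepted publickey for bob from 198.51.100.7 port 51003 ssh2
"""


def parse_events(log_text):
    """Yield ("failed" | "accepted", user, ip) for every sshd line we recognise."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield ("failed", m.group("user"), m.group("ip"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("accepted", m.group("user"), m.group("ip"))


def failed_logins_by_source(events):
    """Count failures per (user, ip): the grouping logwatch prints in its summary."""
    counts = Counter()
    for kind, user, ip in events:
        if kind == "failed":
            counts[(user, ip)] += 1
    return counts


def logwatch_summary(counts):
    """Render 'user/password from ip: N Time(s)' lines, busiest source first."""
    return [f"{user}/password from {ip}: {n} Time(s)"
            for (user, ip), n in sorted(counts.items(), key=lambda kv: -kv[1])]


def brute_force_sources(counts, threshold=5):
    """IPs whose failures across all usernames reach the threshold: what a BFD-style
    tool would hand to the firewall (APF) as a deny rule. Threshold is an assumption."""
    per_ip = Counter()
    for (_user, ip), n in counts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def root_logins(events):
    """Successful root logins: the events the thread says you should be notified about."""
    return [(user, ip) for kind, user, ip in events
            if kind == "accepted" and user == "root"]


def suspicious_root_logins(events, threshold=5):
    """Root logins from a source that had already been brute-forcing: top-priority alert."""
    events = list(events)
    bad = set(brute_force_sources(failed_logins_by_source(events), threshold))
    return [(user, ip) for user, ip in root_logins(events) if ip in bad]


def analyse(log_text, threshold=5):
    """Run the whole pipeline over one log and return every result as plain data."""
    events = list(parse_events(log_text))
    counts = failed_logins_by_source(events)
    return {
        "summary": logwatch_summary(counts),
        "block": brute_force_sources(counts, threshold),
        "root_logins": root_logins(events),
        "alerts": suspicious_root_logins(events, threshold),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("Failed logins from these:")
    for line in result["summary"]:
        print("   ", line)
    print("Sources to block:", result["block"])
    print("Root logins:", result["root_logins"])
    print("ALERT root login from brute-forcing source:", result["alerts"])
```

    Two design points worth noting: the per-IP count is taken across all usernames, because the "invalid user" probes in a password-spraying run should count toward the same source's block decision; and the root-login alert is evaluated against the failure history, so the notification RandyO recommends carries the context that tells you whether it was you or the attacker who got in. On a real box this would read /var/log/secure (or wherever sshd logs) rather than the embedded sample.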
  16. dezignguy

    dezignguy Well-Known Member

    Joined:
    Sep 26, 2004
    Messages:
    534
    Likes Received:
    0
    Trophy Points:
    16
    *chokes with laughter*

    Heh, not only does it not do any system 'hardening' or security stuff (well, I don't count the little securetmp script, which to me didn't seem to do quite as good a job as doing it manually), but it's actually a security risk in itself...

    *sigh* unfortunately, being around the cpanel forums for a while, I do believe that not everyone has firewall rules, and/or believes that they can do anything with cpanel/whm.


    Well, that's why I was asking what he thought a 'secure' password was... maybe he thinks that "p@ssw0rd" is a secure password. In which case, they might only go through a few hundred passwords before hitting it.

    For the OP, I would quite agree with paying someone who knows what they are doing to help admin your server... You can find lots of recommendations around here.
     
  17. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    I started hosting 4 years ago dumb as a box of rocks. I ran for almost 2 years without anything but cPanel/WHM. Talk about just plain dumb luck.

    I finally had a server compromised via a very poorly scripted image gallery program. Lucky for me I caught it immediately and had good backups.
    I had the server dumped and reloaded, restored all the backups AFTER having the server secured and hardened by a pro.

    Today I have a degree in IT (also MCSE with MS) and a full boat of Linux/UNIX certifications and I STILL rely on outside talent on my servers.

    I or my staff are fully capable of doing 99% of this work now but still prefer a 3rd party outsider to do audits and install some packages. (ask any banker why they would use outside help)

    Does it cost money? Yep,
    Do I sleep better? Yep,
    Are there good guys here? Yes and No

    If you cannot maintain a good line of communication with whomever you had do your server work, well, you might as well pull the plug on the thing because things do not always go right.
    Over-aggressive settings can cause a boatload of problems and by the same token, "set and forget" is just as bad.

    My number 1 concern is my clients' "uptime". If you have trouble and a server is down, you do not have 4 to 8 hours to get help on the thing, you need it now.

    Talk with a couple guys before you decide. Send a message, time the thing for response time. (this will make a big difference if you should need help RIGHT NOW) Ask real questions that you have and see what kind of response you get. There is a big difference between "sales hype" and real information. Evasive answers about what is done should make you very wary of a person. They should be able to tell you exactly what is going to happen.

    Make sure you are comfy with this person as they will in fact have root access to your box. Also plan on having them recheck your boxes on some kind of schedule. This may be monthly or could be annual depending on your own ability.

    I have some complaints about what most call a "Security Audit". In my opinion this would/should include a documented check of the server. I do not know of any that do a good job of this. If I have a problem, I want to know what it is/was.

    Prices vary but $80 to $125 would most likely be a reasonable fee for most security/hardening services.

    I just consider it part of the cost of doing business and is an investment in your business just like any item of hardware.

    (Disclaimer: this is just my own belief and opinion, Your mileage may vary and I am also sure that there are many that would disagree with my ideas but it is my money and my clients)
     
  18. steel rat

    steel rat Active Member

    Joined:
    Dec 27, 2004
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Just installed APF and BFD. Can you direct me to a site where reputable pros can be contacted?

    Thanks!
     
  19. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    Well timing is everything, I will post my experience of the last 3 days here as soon as I can safely say the event is over. Some days a guy is just better off to stay in bed.......... :cool:
     
  20. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    MSN: support@serverwizards.com AIM: serverwizards

    I have used them on a couple servers that I have and to date, no unresolved problems. I did in fact get a written report on exactly what has been done also. I do not know if this is standard as I requested it. I suggest you document your work at any rate. I believe that this was about $90 and was a full hardening.

    Please let me know how they do for you if you use them.
     