The Community Forums


Server Hacked, please help

Discussion in 'General Discussion' started by encryption, Feb 17, 2008.

  1. encryption

    encryption Well-Known Member

    I got a strange email this morning from cPanel, and running a search on here yields no results. The email states

    Moreover, running a "top" yields the following result

    top - 07:53:40 up 4 days, 22:03, 2 users, load average: 2.23, 2.24, 2.19
    Tasks: 149 total, 3 running, 146 sleeping, 0 stopped, 0 zombie
    Cpu(s): 99.3% us, 0.3% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.2% hi, 0.2% si
    Mem: 2073820k total, 1963448k used, 110372k free, 118008k buffers
    Swap: 2096472k total, 648k used, 2095824k free, 1279696k cached

    What is "john"?
     
  2. darren.nolan

    darren.nolan Well-Known Member

  3. encryption

    encryption Well-Known Member

    I got to the bottom of it: this guy installed a rootkit, "shv5_rootkit", and is sending spam (the Bank of America hack, I imagine). I was able to get a list of commands executed and saw exactly where he got in from and what he has done.

    One of my clients seems to have installed an email list program and he gained access through the "temp" file on that program.
     
  4. encryption

    encryption Well-Known Member

    Wow, thanks for that. I have killed the process, changed root ports and updated passwords. Going to have to reinstall this system, but shit, I'm so curious to nail this sucker right now. He even managed to delete all my firewall logs (I run CSF and am surprised he got to that as well). Digging deeper.

    One of the commands he ran was

    root@tk [~]# cd /lib/ld-lsb.so.3/john-1.7.0.2/run

    but I can't even find that so.3 file at that location.
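    A defender-side check for the disguise described above (a directory given a shared-library name under /lib): this is an added example, not code from the thread. It scans one level below each library root for directories whose names end in ".so" with optional version parts, builds a constructed temporary tree for the demo, and when run directly scans the usual library roots (assumed paths).

```python
import os
import re
import shutil
import tempfile

# Shared-object names end in ".so" optionally followed by version parts
# (libc.so.6, ld-lsb.so.3). Genuine entries are files or symlinks to files;
# a directory carrying such a name is the disguise seen in this thread.
SO_NAME = re.compile(r"\.so(\.\d+)*$")

def find_fake_library_dirs(lib_roots):
    """Return directories directly under lib_roots whose names mimic shared objects."""
    hits = []
    for root in lib_roots:
        if not os.path.isdir(root):
            continue                      # e.g. no /lib64 on this box
        for name in sorted(os.listdir(root)):
            path = os.path.join(root, name)
            if SO_NAME.search(name) and os.path.isdir(path):
                hits.append(path)
    return hits

def peek(path, limit=5):
    """Show a few entries of a suspicious directory to help triage."""
    try:
        return sorted(os.listdir(path))[:limit]
    except OSError as exc:
        return [f"unreadable: {exc}"]

def run_demo():
    """Build a constructed tree mirroring the thread's path and scan it.

    Returns hits relative to the temporary base and the peek of the first hit.
    """
    base = tempfile.mkdtemp()
    try:
        lib = os.path.join(base, "lib")
        os.makedirs(os.path.join(lib, "ld-lsb.so.3", "john-1.7.0.2", "run"))
        os.makedirs(os.path.join(lib, "modules"))          # benign directory
        open(os.path.join(lib, "libc.so.6"), "w").close()   # benign file
        hits = find_fake_library_dirs([lib, os.path.join(base, "lib64")])
        rel = [os.path.relpath(h, base) for h in hits]
        return rel, (peek(hits[0]) if hits else [])
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for hit in find_fake_library_dirs(["/lib", "/lib64", "/usr/lib", "/usr/lib64"]):
        print(hit, peek(hit))
```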
     
  5. darren.nolan

    darren.nolan Well-Known Member

    Start going crazy on security.

    Ensure you use something like suPHP (to run all PHP scripts as the user).

    Start using suExec - which makes cgi-bin scripts run as the user (like when a user accesses a perl script to send an email).

    Ensure that you use WHM's compiler tweak, so that people who do actually get on your system can't compile the tools to further hack the system.
     
  6. encryption

    encryption Well-Known Member

    Thanks for that. What would be the best way to migrate all the accounts from the server if SSH has been disabled and WHM on the new server is unable to establish a connection to the compromised server?

    How exactly would I set up backup to remote FTP?
     
  7. dwykofka

    dwykofka Well-Known Member

    You should have all of your clients change their passwords. John the Ripper is typically used to decrypt user passwords; depending on length / complexity / salted or unsalted, he could have cracked the passwords live or downloaded a copy of the shadow file for offline processing. Once the passwords are uncovered he can use them to regain access to your server unless you change all of your users' passwords.
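    An added example (not from the thread) of the audit the post above calls for: it parses shadow-format lines, names each account's hash scheme, and flags accounts with no password, with cheap-to-crack DES or MD5 hashes, or whose password was last changed on or before the incident date. The sample lines are constructed and the incident date is taken from the thread's start.

```python
from datetime import date

# crypt(3) hash prefixes; a field without a "$" prefix is the 13-character
# DES scheme, which John cracks quickly even on 2008-era hardware.
SCHEMES = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}
WEAK = {"des", "md5"}

# Constructed sample, not a real shadow file; field 3 is days since 1970-01-01.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:13900:0:99999:7:::
bin:*:13500:0:99999:7:::
mailer:$1$abc$def:13800:0:99999:7:::
webuser:abCDefGHijKLm:13700:0:99999:7:::
newadmin:$6$saltsalt$hash2:13950:0:99999:7:::
guest::13800:0:99999:7:::
"""

def classify(field):
    """Name the hash scheme of one shadow password field."""
    if field == "":
        return "empty"            # login with no password at all
    if field.startswith(("!", "*")):
        return "locked"           # password login disabled
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des" if len(field) == 13 else "unknown"

def audit_shadow(lines, incident_day):
    """Return (user, scheme, reasons) for every account that needs action.

    Any password last changed on or before incident_day is treated as exposed,
    since a copy of the file may have been taken for offline cracking.
    """
    incident = (incident_day - date(1970, 1, 1)).days
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 3 or line.startswith("#"):
            continue
        user, scheme, changed = parts[0], classify(parts[1]), parts[2]
        if scheme == "locked":
            continue
        reasons = []
        if scheme == "empty":
            reasons.append("no password set")
        elif scheme in WEAK or scheme == "unknown":
            reasons.append(f"weak or unrecognised hash scheme {scheme}")
        if scheme != "empty" and changed.isdigit() and int(changed) <= incident:
            reasons.append("not changed since incident")
        if reasons:
            findings.append((user, scheme, "; ".join(reasons)))
    return findings

def audit_sample():
    """Run the audit over the constructed sample with the thread's incident date."""
    return audit_shadow(SAMPLE_SHADOW.splitlines(), date(2008, 2, 17))
```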
     
  8. encryption

    encryption Well-Known Member

    Thanks for that, that is on my agenda to complete. Just can't believe the guy got in the way he did...
     
  9. darren.nolan

    darren.nolan Well-Known Member

    Which was?

    Uploaded a file to your tmp directory - ran it?
     
  10. bsdjunk

    bsdjunk Member

    The most important thing to do is have cPanel update itself automatically and enable the hardened password thing cPanel provides. I have been admining servers for a long time and I have never paid much attention to uptime, nor do I go with servers which have 400-day uptimes, as I don't trust them. I'd rather have a low-uptime server with all security updates than one which has good uptime. Make sure all users use strong passwords. Setting the password hardener to 75 or higher is recommended; it pisses users off, but it's for their own good as much as your server's, as it isn't good for your business if you've been hacked.
     
  11. jayh38

    jayh38 Well-Known Member

    Also consider using a private key instead of password for ssh.
     
  12. encryption

    encryption Well-Known Member

    Not entirely sure. The techs at the datacenter state he may have exploited a recently discovered hole in the FC4 kernel, but when I check the bash_history, he suddenly appears in the system and starts executing commands referencing a client's mailer program folder. I think that folder is how he gained access to the system, but it's unclear to me how.
     
    #12 encryption, Feb 19, 2008
    Last edited: Feb 19, 2008
  13. encryption

    encryption Well-Known Member

    So I recompiled Apache 2.2 with the latest version of PHP and enabled mod_security, but now none of the sites are working... I get the following error. Any clues?

     
    #13 encryption, Feb 19, 2008
    Last edited: Feb 19, 2008
  14. darren.nolan

    darren.nolan Well-Known Member

    Sounds like you don't have userdir enabled on your system.

    Try the following.

    Log into WHM -> Security Center -> mod_userdir ->

    Ensure that it's enabled on the default host - if you want to allow your customers to access their sites via their username (lots of discussion about that).
     
  15. encryption

    encryption Well-Known Member

    Cheers darren, you've been mighty helpful all along. mod_security didn't have any rules configured, so I chose the default configuration. Is there anyplace you recommend I obtain a relatively well-configured ruleset for use in WHM?

    Also, the default config breaks the use of .htaccess; how would I change that?

    (I've searched on the forums a bit but not finding anything constructive)
     
  16. twhiting9275

    twhiting9275 Well-Known Member

    FC4 - Years out of date. There's no question how they got in, the system was out of date, or let go. That's like saying "Oh, I'm running redhat 7.3, but I'm just going to let it go".

    Every couple of years you need to have your system replaced and updated. When you do so, you should update the OS as well (i.e. FC4 to FC8 now, etc.). Hardware (even server hardware) degrades over time and needs to be replaced. It happens, like I said, every couple of years or so; you should be upgrading for better performance.

    John (aka JTR) is a password cracking system. So, not only have you been hacked, but your passwords have been compromised. Not just ONE password, but ALL of them are gone. You'd best mail your users or it will happen again!

    While you're at it, require ssh keys to login to the server, NOT just as root, but as any user. This will help solve issues.

    mod_security is iffy; you're going to have problems there. The best result is to use something like Suhosin that doesn't go out of its way to break functionality, yet provides at least a bit of security.
     