Server Hacked, question about mount

Discussion in 'General Discussion' started by ehsan, Dec 27, 2003.

  1. ehsan

    ehsan Well-Known Member

    Hi ya all,

    One of our servers got hacked. We had one hard drive mounted as /home.

    Now I have a new server with a fresh OS installed, and I want to mount that drive in the new server as /home2.

    I don't want to take a risk and lose the data on the old drive (/home). I would really appreciate any ideas on this.

    Thanks,
    Ehsan
     
  2. kris1351

    kris1351 Well-Known Member

    Modify the /etc/fstab to include the drive and mountpoint of /home2. You might be better off mounting the second drive as /home if you didn't format the main drive to have a specific /home partition. cPanel will load balance between /home and /home2 partitions, which means you will have accounts on both partitions depending on which has more space available at account creation time.
     
  3. ehsan

    ehsan Well-Known Member

    I just pulled the hard drive from the old server and put it in the new server.

    I already have /home on sda.

    As you said, I edited /etc/fstab and added this line:

    /dev/sdb /home2 ext3 defaults,usrquota 1 2

    Don't I need to run any command to let the machine know about the new HDD?

    Thanks again,
    Ehsan
     
  4. markie

    markie BANNED

    So many servers getting hacked lately! :confused:
     
  5. damainman

    damainman Well-Known Member

    And most of them are cPanel... at my dedicated host, mostly everyone who's been hacked lately is using cPanel.
     
  6. jphilipson

    jphilipson Well-Known Member

    That's because it's the least secure inherently... Ensim uses completely jailed user environments, which makes it much harder to use weak PHP exploits etc., not to mention it is the most common.
     
  7. Website Rob

    Website Rob Well-Known Member

    You need to be very specific in what you post. ;)

    If you are wanting a 'backup' and using:

    /dev/sdb /home2 ext3 defaults,usrquota 1 2

    then (presuming the partition is the same name) you should change the 'fstab' to:

    LABEL=/backup2 /backup2 ext3 defaults 1 2

    You do not want the backup dir. to use "usrquota" as that will basically double every account's Web space used.

    And to make 'fstab' changes kick in immediately, after you are finished type: mount -a
     
  8. damainman

    damainman Well-Known Member

    I wonder what cPanel has planned to correct this... hopefully after they handle the RHE dilemma they will work more on the security, because the servers getting hacked is getting out of hand lol. I've been lucky so far, but I really would like that peace of mind that I'm using secure software, aside from my firewalls and the IDSs I have in place.
     
  9. ehsan

    ehsan Well-Known Member

    We can't assume it is cPanel's security issue.

    I had two of our servers getting hacked. Both were running the latest kernel of Dec 8th, but a newer kernel was out on Dec 18th and they got hacked before we updated kernels.

    I think the hackers, who are in Brazil, are getting into the machines using a bug in the old kernel, from one of the ports that lets them log in without a password.

    On both servers there were no shell accounts, not even jail shell.
    On one of them, just one script did the replace for all index.*, but on the other one, the hacker had been inside with the root account.

    Neither had a firewall running. Both had up2date backups :D

    And we got everyone up and back in less than a few hours using this method:

    Put the one-day-old backup back on the infected server.
    While doing that, we set up a new fresh server with a new kernel and cPanel.

    We pulled the backup HDD from the old server and put it in the new server.
    Mounted it as a new hard drive by hand.
    (Make sure you don't use WHM to mount! It will format your hard drive!)
    And from WHM, used the multiple backup rollback feature.

    Then we did adjustments for DIRS and reseller settings using the old backup HDD.

    Hope you don't need to go through this!
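
Added example, not part of any post in this thread: a shell check for the /etc/fstab line discussed above, for the case where the disk comes from a compromised server. It assumes the goal is to read the old data without changing it and without letting its setuid files, device nodes or binaries take effect on the new host; the function name and the /oldhome label are hypothetical.

```shell
#!/bin/sh
# Added example: audit one /etc/fstab line describing a disk taken from a
# compromised server. Prints one finding per line; prints nothing if clean.
audit_fstab_line() {
    # Split the six fstab fields: device, mount point, type, options, dump, pass.
    set -f                      # no globbing while word-splitting the line
    set -- $1
    set +f
    dev=$1 opts=",$4," pass=${6:-0}

    # Kernel names such as /dev/sdb can change when disks are added or moved.
    case $dev in
        LABEL=*|UUID=*) ;;
        *) echo "device: $dev is a kernel name; prefer LABEL= or UUID=" ;;
    esac

    # Options that keep the old disk's contents inert on the new host.
    for want in ro nosuid nodev noexec; do
        case $opts in
            *,"$want",*) ;;
            *) echo "options: missing $want" ;;
        esac
    done

    # The thread advises against usrquota on a backup volume.
    case $opts in
        *,usrquota,*) echo "options: usrquota set on a recovery volume" ;;
    esac

    # A non-zero pass field lets boot-time fsck write repairs to the disk.
    [ "$pass" = 0 ] || echo "pass: $pass enables boot-time fsck; use 0"
}

# Constructed inputs: the line from the thread, and a hardened variant
# (the label /oldhome is a placeholder).
audit_fstab_line "/dev/sdb /home2 ext3 defaults,usrquota 1 2"
audit_fstab_line "LABEL=/oldhome /home2 ext3 ro,nosuid,nodev,noexec 0 0"
```

On ext3, a read-only mount still replays the journal unless the noload option is added. The mount -a command mentioned in the thread applies the entry without a reboot.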
     