The Community Forums

Interact with an entire community of cPanel & WHM users!

server hacked....

Discussion in 'General Discussion' started by mitul, Jun 14, 2003.

  1. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Hello All,

    For the last few days the server load has been continuously running between 25% - 75%. Someone has hacked into the server and is sending mail. Is there some way we can track this and shut them out?

    6166 root 0 3.2 0.5 sendmail
    6173 root 0 3.2 0.5 sendmail
    6175 root 0 3.0 0.5 sendmail
    6180 root 0 3.0 0.5 sendmail
    6187 root 0 3.0 0.5 sendmail
    6163 root 0 2.9 0.5 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx2.mail.yahoo.com 2 19R55Q-0003AL-00
    6182 root 0 2.9 0.5 sendmail
    6190 root 0 2.9 0.5 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx2.mail.yahoo.com 2 19R55R-0003AU-00
    6194 root 0 2.7 0.5 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx2.mail.yahoo.com 2 19R55P-0003AE-00
    5595 nobody 0 2.5 3.8 httpd
    6155 root 0 2.5 0.5 sendmail
    6186 root 0 2.5 0.5 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx2.mail.yahoo.com 2 19R55T-0003Al-00
    6158 root 0 2.3 1.0 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx2.mail.yahoo.com 2 19R55S-0003AZ-00
    6160 root 0 2.3 0.5 sendmail
    6165 root 0 2.3 0.5 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.mail.yahoo.com 2 19R55V-0003At-00


    Thank you,

  2. tekdns

    tekdns Well-Known Member

    Joined:
    Jun 9, 2002
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Did you upgrade your kernel to latest version?

  3. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    I am using 2.4.18-27.7.x version of kernel.

  4. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    This was upgraded a long time back...

  5. tekdns

    tekdns Well-Known Member

    Joined:
    Jun 9, 2002
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    You have possibly lost your root pass.

    You must upgrade to the latest kernel, because you do not have the latest kernel version. Your kernel version has a vulnerability.

  6. tekdns

    tekdns Well-Known Member

    Joined:
    Jun 9, 2002
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    You can use this command:
    up2date --nox -f kernel

  7. tekdns

    tekdns Well-Known Member

    Joined:
    Jun 9, 2002
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
  8. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    Does this mean my server has been hacked?

    Is there any way to track who is sending mails from my server?

    Thank you,

  9. NightHawk

    NightHawk Member

    Joined:
    Apr 17, 2003
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Re: Server Security Guide - Basic steps to server security

    nice link...I will put this in my list of links to give to new admins....

  10. NightHawk

    NightHawk Member

    Joined:
    Apr 17, 2003
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    The information you have provided is not enough to show for certain that your server has been hacked. Certainly, if your server was hacked they could then send that email, but there are other options:
    1) insecure formmail.pl (or clones)
    2) compromised customer SMTP password
    3) compromised customer webmail account
    4) open relay (I am guessing you have checked this already)
    5) there are others, but those are the ones I would check first.

  11. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    The server has been tested for open relay.

    The formmail.cgi bug was fixed a few days ago by cPanel.

    If it is about a client's SMTP or webmail password having been compromised, how do I trace that?

    Please help me fast....

    Thank you,

  12. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    I got my server tested from ORDB.org for open relay and got confirmation from ORDB.org that my server does not permit open relay.

    How do I trace whether it's a local client on the server who is sending mails through a script or in any other form?

    Please help, I am losing my server....

    Thank you,

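    One way to answer the "how do I trace who is sending mail" question in posts #10 and #12, as an added example that is not part of the original thread: it classifies Exim's message-arrival (`<=`) log lines by origin, so a burst of mail from a web script (U=nobody), from one authenticated SMTP login (A=), or from one remote host stands out. It assumes cPanel's Exim main log at /var/log/exim_mainlog with the standard U=, P=, A=, S= and H=[ip] fields; the sample lines below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Exim "<=" (message-arrival) lines, in the format
# cPanel's Exim writes to /var/log/exim_mainlog. Every value is made up.
SAMPLE_MAINLOG = """\
2003-06-14 10:01:02 19R55Q-0003AL-00 <= nobody@host.example U=nobody P=local S=1480
2003-06-14 10:01:03 19R55R-0003AU-00 <= nobody@host.example U=nobody P=local S=1480
2003-06-14 10:01:03 19R55S-0003AZ-00 <= nobody@host.example U=nobody P=local S=1480
2003-06-14 10:01:05 19R55T-0003Al-00 <= bob@client.example H=(pc) [192.0.2.10] P=esmtpa A=login:bob@client.example S=2110
2003-06-14 10:01:06 19R55V-0003At-00 <= bob@client.example H=(pc) [192.0.2.10] P=esmtpa A=login:bob@client.example S=2110
2003-06-14 10:02:00 19R560-0003B0-00 <= alice@host.example U=alice P=local S=900
2003-06-14 10:02:01 19R561-0003B2-00 <= <> H=mx.remote.example [198.51.100.5] P=esmtp S=3001
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<mid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
FIELD = re.compile(r"(?<!\S)(?P<k>[UPAS])=(?P<v>\S+)")   # U=user P=proto A=auth S=size
HOSTIP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")       # the [ip] that follows H=

def classify(line):
    """Return (origin, size) for an arrival line, or None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    f = {x.group("k"): x.group("v") for x in FIELD.finditer(m.group("rest"))}
    ip = HOSTIP.search(m.group("rest"))
    if "A" in f:                              # SMTP AUTH: a customer's mail password
        origin = "auth:" + f["A"].split(":", 1)[-1]
    elif f.get("P") == "local" and "U" in f:  # injected by a local process;
        origin = "local:" + f["U"]            # web scripts show up as U=nobody
    elif ip:                                  # unauthenticated remote SMTP
        origin = "host:" + ip.group("ip")
    else:
        origin = "unknown"
    return origin, int(f.get("S", "0"))

def tally(log_text):
    """Map each origin to [message count, total bytes]."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            totals[rec[0]][0] += 1
            totals[rec[0]][1] += rec[1]
    return dict(totals)

def top_origins(log_text, n=3):
    return sorted(tally(log_text).items(), key=lambda kv: -kv[1][0])[:n]
```

    Run `top_origins(open("/var/log/exim_mainlog").read())` on the real log; the busiest `local:` or `auth:` origin points at the script or account to disable first.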
  13. NNNils

    NNNils Well-Known Member

    Joined:
    Sep 17, 2002
    Messages:
    580
    Likes Received:
    0
    Trophy Points:
    16
    What vulnerabilities does 2.4.18-27.7.x have?

  14. gncuster

    gncuster Registered

    Joined:
    May 24, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    2.4.18+ vuln

    IIRC anything <2.4.21 has a ptrace root hole open.

  15. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    2.4.18-27.7.x is not vuln at all. Show me where it says that this kernel is vuln? So many people have had problems with the next kernel release that many have chosen to stay at 2.4.18-27.7.x. If he was hacked he should be looking at his other security admin abilities.

  16. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
  17. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    What are the problems? You're scaring me, because I already upgraded. I thought it was best to upgrade kernels as soon as they were released. Oops...

  18. zenpig66

    zenpig66 Active Member

    Joined:
    Nov 16, 2002
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Casey, if you've upgraded the kernel and have been able to reboot, you're more than likely good to go :) The main issues I've seen reported on the latest kernel releases have involved very specific hardware setups, most notably the dual Xeons offered at RackShack. Perhaps sexy-guy is referring to something which is not common (or my limited) knowledge, but per the link that Mike posted as well as numerous other resources available, 2.4.18-27.7.x is exploitable...it's a good bet that when RedHat says it's time to move on, that's who you should be listening to most :) For sanity's sake, though, just don't remove the previous kernel until you are comfortable with your current one.

    Steve

    #18 zenpig66, Jun 18, 2003
    Last edited: Jun 18, 2003
  19. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    The issues noted for kernels after the 18.7.x were quota problems with Ensim, cPanel boxes and problems with dual pentium boxes not waking up after the reboot.
