Someone hacked server, need to track this

qrees (Member, May 28, 2006):
Today someone hacked our server. The reseller password and root password were changed and all accounts were suspended. Is there any way to see who (IP) changed the root password and when? Are there any cPanel/WHM logs? There are logs for Apache, but they are useless...

Please help

PS: I got root password back.

qrees (Member, May 28, 2006):
adamd84 said:
ssh in
more /var/log/secure
I see a lot of "Failed password for root" <- someone was trying to brute force. But there are no "Accepted password" logs. These are only SSH logs (I think), and I think someone hacked the server using WHM.
 
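The check in the post above (grep /var/log/secure for failed and accepted sshd logins) is easy to do by eye on a quiet host, but on a box that has just been brute-forced the failures drown out the one line that matters: an "Accepted" login from an address you do not recognise, close to the time the password was changed. The script below is an added example, not from this thread or from cPanel; it parses constructed sample lines in the syslog format sshd writes on RHEL/CentOS-era systems, counts failures per source IP, and lists every accepted session (root sessions separately) with its timestamp and source. If the attacker came in through WHM instead, nothing here will show it, which is the poster's point; sshd logs only cover sshd.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (RFC 3164 syslog prefix, then sshd's
# message). These are made up for the example and do not come from the poster's server.
SAMPLE_SECURE_LOG = """\
May 28 03:12:01 host sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2
May 28 03:12:03 host sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
May 28 03:12:05 host sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
May 28 03:12:09 host sshd[2237]: Failed password for root from 198.51.100.20 port 40100 ssh2
May 28 09:45:17 host sshd[3410]: Accepted password for root from 192.0.2.44 port 38112 ssh2
May 28 10:02:33 host sshd[3555]: Accepted publickey for deploy from 192.0.2.10 port 38201 ssh2
"""

# One regex for both outcomes. "invalid user" is optional because sshd inserts it
# when the account does not exist; the method is "password" or "publickey".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_events(text):
    """Return one dict per authentication line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, fail_threshold=3):
    """Failures per IP, IPs at or over the brute-force threshold, and accepted sessions."""
    failed_per_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    accepted = [e for e in events if e["result"] == "Accepted"]
    return {
        "failed_per_ip": dict(failed_per_ip),
        "brute_force_ips": sorted(ip for ip, n in failed_per_ip.items() if n >= fail_threshold),
        "accepted": accepted,
        # Root sessions are the ones to compare against the time the password changed.
        "root_logins": [e for e in accepted if e["user"] == "root"],
    }


if __name__ == "__main__":
    report = summarize(parse_sshd_events(SAMPLE_SECURE_LOG))
    print("failed attempts per IP:", report["failed_per_ip"])
    print("brute-force sources:", report["brute_force_ips"])
    for e in report["accepted"]:
        print(f"ACCEPTED {e['ts']} user={e['user']} from={e['ip']} via {e['method']}")
```

On a real host, read the file instead of the sample string (`open("/var/log/secure").read()`, plus the rotated `secure.1` and friends, since the interesting line may predate the latest rotation) and pass the result to `parse_sshd_events`. Note that the threshold of three failures is just a demonstration value; BFD and similar tools use their own counters.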

@home (Well-Known Member, Nov 5, 2003; cPanel Access Level: Root Administrator):
qrees said:
I see a lot of "Failed password for root" <- someone was trying to brute force. But there are no "Accepted password" logs. These are only SSH logs (I think), and I think someone hacked the server using WHM.
Maybe a good idea to install BFD.

qrees (Member, May 28, 2006):
@home said:
Maybe a good idea to install BFD.
Yeah, probably, but as I already said, I don't think that was the problem. The problem is in WHM; how can I track who did what?

chirpy (Well-Known Member, Verified Vendor, Jun 15, 2002; Go on, have a guess):
The only logs you'll have for cPanel/WHM are in /usr/local/cpanel/logs/*

If your root password was changed, it suggests a root compromise on the server. If that's the case you should have the server OS wiped out and reinstalled, and restore from backup, as you cannot trust the server anymore since it could have backdoors installed - then have it secured against root compromise attacks.

NightStorm (Well-Known Member, Jul 28, 2003; cPanel Access Level: Root Administrator):
Keeping on topic and catching Chirpy at the same time... your firewall and Login Failure Daemon modules... do they work against invalid WHM and cPanel logins as well, or just standard httpd authentication, SSH, FTP and mail?
Basically... if someone were trying to brute force a cPanel or WHM login on my server, would the LFD block them?

ramprage (Well-Known Member, Jul 21, 2002; Canada):
Hire an experienced administrator to review and lock down your server. If you're not sure how they got in or where to check, you need to hire a professional to consult and correct the issue.

qrees (Member, May 28, 2006):
ramprage said:
Hire an experienced administrator to review and lock down your server. If you're not sure how they got in or where to check, you need to hire a professional to consult and correct the issue.
I think I have found what the problem was and how they changed the password (it's stupid, so I'm not going to post the explanation here :P ).

And about this brute force attack: APF doesn't seem to work:
Code:
Unable to load iptables module (ip_tables), aborting.
How can I solve this?

-- EDIT:
modprobe ip_tables results:
Code:
FATAL: Could not load /lib/modules/2.6..../modules.dep: No such file or directory

chirpy (Well-Known Member, Verified Vendor, Jun 15, 2002; Go on, have a guess):
NightStorm said:
Keeping on topic and catching Chirpy at the same time... your firewall and Login Failure Daemon modules... do they work against invalid WHM and cPanel logins as well, or just standard httpd authentication, SSH, FTP and mail?
Basically... if someone were trying to brute force a cPanel or WHM login on my server, would the LFD block them?
No - ATM I haven't found a way to track them through SSL connections.

qrees (Member, May 28, 2006):
ramprage said:
Seems like your installation of APF/BFD is broken. What version are you using? Have you tried reinstalling?
The problem is iptables which doesn't work.

modprobe ip_tables:
Code:
FATAL: Could not load /lib/modules/2.6.9-11.EL/modules.dep: No such file or directory
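The modprobe error above means the kernel that is running (2.6.9-11.EL here) has no usable module tree under /lib/modules, so ip_tables cannot be loaded and APF has nothing to drive. Two different causes produce that message: the directory for the running kernel is gone (a kernel package removed or never installed for the kernel actually booted), or the directory exists but modules.dep was never generated (depmod not run). The following added example, not from this thread or from APF, tells the two apart by inspecting a filesystem root; it builds a throwaway tree in a temp directory so it runs offline, and the release name "2.6.9-99.EXAMPLE" is a constructed placeholder. On a real host call `diagnose_module_tree("/", os.uname().release)`.

```python
import os
import tempfile


def diagnose_module_tree(root, running_release):
    """Explain why `modprobe` would fail for the running kernel under `root`.

    root: filesystem root to inspect ("/" on a live host, a temp dir in the self-test).
    running_release: the kernel release string, i.e. what `uname -r` prints.
    """
    modules_dir = os.path.join(root, "lib", "modules")
    installed = sorted(
        d for d in os.listdir(modules_dir)
        if os.path.isdir(os.path.join(modules_dir, d))
    ) if os.path.isdir(modules_dir) else []

    running_tree = os.path.isdir(os.path.join(modules_dir, running_release))
    dep_present = os.path.isfile(os.path.join(modules_dir, running_release, "modules.dep"))

    if not running_tree:
        # The booted kernel has no modules at all: the package is missing or
        # the box is running a kernel other than the one installed.
        verdict = "no module tree for the running kernel"
    elif not dep_present:
        # Modules are there but the dependency index was never built.
        verdict = "module tree present but modules.dep missing (run depmod)"
    else:
        verdict = "ok"

    return {
        "installed_releases": installed,
        "running_tree": running_tree,
        "dep_present": dep_present,
        "verdict": verdict,
    }


def build_sample_root(other_release="2.6.9-99.EXAMPLE"):
    """Construct a temp root where only a different kernel's module tree exists."""
    root = tempfile.mkdtemp()
    tree = os.path.join(root, "lib", "modules", other_release)
    os.makedirs(tree)
    open(os.path.join(tree, "modules.dep"), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    print(diagnose_module_tree(sample, "2.6.9-11.EL"))
    print(diagnose_module_tree(sample, "2.6.9-99.EXAMPLE"))
```

If the result lists installed releases that do not match `uname -r`, the host is booting a kernel whose modules were never installed (or were deleted), and no amount of reinstalling APF will help until the kernel and its module package agree; the later replies in this thread about that kernel's age are the other half of that decision.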

StevenC (Well-Known Member, Jan 1, 2004):
2.6.9-11.EL

That kernel is vulnerable to exploits.

cooldude7273 (Well-Known Member, Jan 11, 2004; Roswell, GA):
With a kernel that old, and probably using a close-to-current OS, I will assume you are using CentOS, a bad, bad choice if you want to keep your kernels up to date from RPMs, which is the easiest way. I think you are vulnerable to well over a hundred security problems with that kernel.

You should consider having someone compile a kernel from source for you, or migrating to an OS which takes better care of security updates (Fedora does a great job; the kernel is always up to date).