Someone hacked server, need to track this

qrees

Member
May 28, 2006
11
0
151
Today someone hacked our server. Reseller password and root where changed and all accounts where suspened. Is there any way to see who (IP) and when changed root password? are there any cpanel/ehm logs? There are logs for apache, but they are useless...

Please help

PS: I got root password back.
 

qrees

Member
May 28, 2006
11
0
151
adamd84 said:
ssh in
more /var/log/secure
I see A lot of "Failed password for root" <- someone was trying to brute force. But there is no "Accepted password" logs. These are only ssh logs ( I think) and I think someone hacked server using WHM.
 

@home

Well-Known Member
Nov 5, 2003
121
2
168
cPanel Access Level
Root Administrator
qrees said:
I see A lot of "Failed password for root" <- someone was trying to brute force. But there is no "Accepted password" logs. These are only ssh logs ( I think) and I think someone hacked server using WHM.
Maby a good idea to install BFD
 

qrees

Member
May 28, 2006
11
0
151
@home said:
Maby a good idea to install BFD
Yeah, probably, but as i already said, i don't think that that was the problem. Problem is in WHM, how can I track who did what?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
The only logs you'll have for cPanel/WHM are in /usr/local/cpanel/logs/*

If your root password was changed, it suggests a root compromise on the server. IF that's the case you should have the server OS wiped out and reinstalled and restore from backup as you cannot trust the server anymore as it could have backdoors installed - then have it secured against root compromise attacks.
 

NightStorm

Well-Known Member
Jul 28, 2003
286
4
168
cPanel Access Level
Root Administrator
Twitter
Keeping on topic and catching Chirpy at the same time... your firewall and Login Failure Daemon modules... do they work against invalid WHM and Cpanel logins as well, or just standard httpd authentication, SSH, FTP and mail?
Basically... if someone were trying to brute force a cpanel or WHM login on my server, would the LFD block them?
 

ramprage

Well-Known Member
Jul 21, 2002
655
0
166
Canada
hire an experienced administrator to review and lock down your server. if you're not sure how they got in or where to check you need to hire a professional to consult and correct the issue
 

qrees

Member
May 28, 2006
11
0
151
ramprage said:
hire an experienced administrator to review and lock down your server. if you're not sure how they got in or where to check you need to hire a professional to consult and correct the issue
I think i have found what was the problem and how did they change password (it's stupid, do i'm not going to post explanation here :P ).

And about this brute force attack. APF doean't seem to work:
Code:
Unable to load iptables module (ip_tables), aborting.
How can i solve this?

-- EDIT:
modprobe ip_tables results:
Code:
FATAL: Could not load /lib/modules/2.6..../modules.dep: No such file or directory
 
Last edited:

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
NightStorm said:
Keeping on topic and catching Chirpy at the same time... your firewall and Login Failure Daemon modules... do they work against invalid WHM and Cpanel logins as well, or just standard httpd authentication, SSH, FTP and mail?
Basically... if someone were trying to brute force a cpanel or WHM login on my server, would the LFD block them?
No - ATM I haven't found a way to track them through SSL connections.
 

qrees

Member
May 28, 2006
11
0
151
ramprage said:
Seems like your installation of APF/BFD is broken. What version are you using? Have you tried reinstalling?
The problem is iptables which doesn't work.

modprobe ip_tables:
Code:
FATAL: Could not load /lib/modules/2.6.9-11.EL/modules.dep: No such file or directory
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
2.6.9-11.EL

That kernel is vulnerable to exploits.
 

cooldude7273

Well-Known Member
Jan 11, 2004
359
0
166
Roswell, GA
With a Kernel that old, and probably using a close-to-current OS, I will assume you are using CentOS, a bad bad choice if you want to keep your Kernel's up to date from RPMs, which is the easiest way. I think you are vulnerable to well over a hundred security problems with that kernel.

You should consider having someone compile a kernel from source for you, or migrating to a OS which takes better care of security updates (Fedora does a great job, Kernel is always up to date.)