The Community Forums (cPanel & WHM)

Someone hacked server, need to track this

Discussion in 'General Discussion' started by qrees, Jun 21, 2006.

  1. qrees (Member; joined May 28, 2006)

    Today someone hacked our server. The reseller password and the root password were changed and all accounts were suspended. Is there any way to see who (IP) changed the root password, and when? Are there any cPanel/WHM logs? There are logs for Apache, but they are useless...

    Please help

    PS: I got the root password back.
     
  2. adamd84 (Registered; joined Apr 2, 2006)

    ssh in
    more /var/log/secure
     
  3. qrees (Member; joined May 28, 2006)

    I see a lot of "Failed password for root" <- someone was trying to brute force. But there are no "Accepted password" entries. These are only the SSH logs (I think), and I think someone hacked the server using WHM.
     
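    As an added example (not code from this thread, from cPanel or from any of the posters), here is a small POSIX shell script that does the check adamd84 and qrees describe: read a /var/log/secure-style file and answer "who logged in over SSH, when, from where" and "which addresses were hammering the password prompt". The function names are mine, and the sample log lines, the host name srv and the IP addresses are constructed for the demo; the parsing assumes the standard syslog line layout OpenSSH's sshd writes (timestamp, host, sshd[pid]:, message). On Debian-family systems the same lines live in /var/log/auth.log.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from a
# /var/log/secure-style file. Each function takes the log file as an
# argument so it can be pointed at a rotated copy or a file copied off the box.

# One line per (result, user, source IP), highest count first, e.g.
#   3 Failed root 203.0.113.7
ssh_auth_summary() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) [a-z]+ for / {
            result = ($0 ~ /: Accepted /) ? "Accepted" : "Failed"
            f = index($0, " for ") + 5          # user starts after " for "
            t = index($0, " from ")             # ...and ends before " from "
            user = substr($0, f, t - f)
            sub(/^invalid user /, "", user)     # "Failed password for invalid user admin from ..."
            split(substr($0, t + 6), a, " ")    # first word after " from " is the IP
            ip = a[1]
            n[result " " user " " ip]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Source IPs with at least $1 failed logins in file $2 (brute-force candidates):
#   ssh_bruteforce_ips 20 /var/log/secure
ssh_bruteforce_ips() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed [a-z]+ for / {
            t = index($0, " from ")
            split(substr($0, t + 6), a, " ")
            fails[a[1]]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$2" | sort -rn
}

# Every successful login with timestamp, user, IP and auth method: the
# "who and when" question. No output means nobody came in through sshd with
# a password or key (or the log was tampered with); look elsewhere.
# Fields 1-3 are the syslog timestamp, field 7 the method (password/publickey).
ssh_accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted [a-z]+ for / {
            f = index($0, " for ") + 5
            t = index($0, " from ")
            user = substr($0, f, t - f)
            split(substr($0, t + 6), a, " ")
            printf "%s %s %s user=%s ip=%s method=%s\n", $1, $2, $3, user, a[1], $7
        }
    ' "$1"
}

# Constructed sample in /var/log/secure format (documentation-range IPs,
# not real traffic) so the functions can be exercised without a real server.
sample_secure_log() {
    cat <<'EOF'
Jun 21 02:11:40 srv sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 21 02:11:43 srv sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 21 02:11:47 srv sshd[4103]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jun 21 02:12:01 srv sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jun 21 02:30:12 srv sshd[4201]: Accepted password for root from 198.51.100.23 port 51022 ssh2
Jun 21 02:35:55 srv sshd[4210]: Accepted publickey for deploy from 192.0.2.9 port 33001 ssh2
Jun 21 02:36:02 srv sshd[4212]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
EOF
}

# Demo against the constructed sample; on a real box use /var/log/secure
# (and its rotated copies) instead of the temporary file.
tmp=$(mktemp)
sample_secure_log > "$tmp"
echo "== summary ==";          ssh_auth_summary "$tmp"
echo "== brute force >= 3 =="; ssh_bruteforce_ips 3 "$tmp"
echo "== accepted logins ==";  ssh_accepted_logins "$tmp"
rm -f "$tmp"
```

    A run with no "Accepted" lines but many "Failed" ones, as qrees reports, only tells you the brute force did not succeed over SSH; it says nothing about logins to other services, so the same kind of grep has to be repeated on whatever else accepts the root password.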
  4. @home (Well-Known Member; joined Nov 5, 2003; cPanel Access Level: Root Administrator)

    Maybe a good idea to install BFD.
     
  5. qrees (Member; joined May 28, 2006)

    Yeah, probably, but as I already said, I don't think that was the problem. The problem is in WHM; how can I track who did what?
     
  6. chirpy (Well-Known Member; joined Jun 15, 2002; Location: Go on, have a guess)

    The only logs you'll have for cPanel/WHM are in /usr/local/cpanel/logs/*

    If your root password was changed, it suggests a root compromise of the server. If that's the case, you should have the server OS wiped and reinstalled and restore from backup, as you cannot trust the server any more since it could have backdoors installed; then have it secured against root compromise attacks.
     
  7. NightStorm (Well-Known Member; joined Jul 28, 2003; cPanel Access Level: Root Administrator)

    Keeping on topic and catching Chirpy at the same time... your firewall and Login Failure Daemon modules: do they work against invalid WHM and cPanel logins as well, or just standard httpd authentication, SSH, FTP and mail?
    Basically... if someone were trying to brute force a cPanel or WHM login on my server, would the LFD block them?
     
  8. ramprage (Well-Known Member; joined Jul 21, 2002; Location: Canada)

    Hire an experienced administrator to review and lock down your server. If you're not sure how they got in or where to check, you need to hire a professional to consult and correct the issue.
     
  9. qrees (Member; joined May 28, 2006)

    I think I have found what the problem was and how they changed the password (it's stupid, so I'm not going to post the explanation here :P ).

    And about this brute-force attack: APF doesn't seem to work:
    Code:
    Unable to load iptables module (ip_tables), aborting.
    How can I solve this?

    -- EDIT:
    modprobe ip_tables results:
    Code:
    FATAL: Could not load /lib/modules/2.6..../modules.dep: No such file or directory
     
    Last edited: Jun 21, 2006
  10. chirpy (Well-Known Member; joined Jun 15, 2002; Location: Go on, have a guess)

    No, ATM I haven't found a way to track them through SSL connections.
     
  11. ramprage (Well-Known Member; joined Jul 21, 2002; Location: Canada)

    Seems like your installation of APF/BFD is broken. What version are you using? Have you tried reinstalling?
     
  12. qrees (Member; joined May 28, 2006)

    The problem is iptables, which doesn't work.

    modprobe ip_tables:
    Code:
    FATAL: Could not load /lib/modules/2.6.9-11.EL/modules.dep: No such file or directory
     
  13. katmai (Well-Known Member; joined Mar 13, 2006; Location: Brno, Czech Republic)

    Reinstall iptables / upgrade the kernel. That should do it.
     
  14. qrees (Member; joined May 28, 2006)

    OK, rebooting the server helped. And that's why it's impossible to have 100% uptime :)
     
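    The failure qrees shows in posts 9 and 12 (modprobe cannot find /lib/modules/<version>/modules.dep for the running kernel), katmai's "upgrade the kernel" and the reboot that fixed it in post 14 can all be checked with a few lines of shell before touching APF. The script below is an added example, not anything from the thread, from APF or from cPanel: it tests whether the kernel you are running still has a module tree with an ip_tables entry, lists which kernels are actually installed on disk, and reports the newest of them so you can see whether the box is simply running an older kernel than the one installed (a reboot fixes that) or has no usable kernel modules at all (reinstall or upgrade the kernel package). The function names, the message prefixes and the "typical cause" stated in the comments are my assumptions; the thread only shows the symptom. The version strings used in the comments are the one from the thread plus an illustrative newer one.

```shell
#!/bin/sh
# Added example: diagnose "modprobe ip_tables" failing with
# "Could not load /lib/modules/<version>/modules.dep". modprobe reads the
# dependency list of the *running* kernel (uname -r). If that directory is
# gone (typically the kernel package was replaced or removed while the old
# kernel stayed booted) nothing can be loaded, so APF/iptables cannot start
# until the machine boots a kernel that is actually installed.
#
# Both parameters default to the live system; they are arguments only so
# the check can be run against a copied or staged module tree.
#   check_kernel_modules [kernel-version] [modules-root]
# Exit status: 0 ok, 2 no module tree, 3 no modules.dep, 4 no ip_tables.ko.
check_kernel_modules() {
    ver="${1:-$(uname -r)}"
    root="${2:-/lib/modules}"
    dir="$root/$ver"
    if [ ! -d "$dir" ]; then
        echo "MISSING: no module tree at $dir for kernel $ver (boot an installed kernel or reinstall the kernel package)"
        return 2
    fi
    if [ ! -f "$dir/modules.dep" ]; then
        echo "BROKEN: $dir has no modules.dep (run: depmod -a $ver)"
        return 3
    fi
    # modules.dep lists every module path; older kernels use absolute paths,
    # newer ones relative, so match on the file name only.
    if ! grep -q '/ip_tables\.ko' "$dir/modules.dep"; then
        echo "NO_IPTABLES: $dir/modules.dep does not list ip_tables.ko (kernel built without netfilter modules)"
        return 4
    fi
    echo "OK: $dir/modules.dep lists ip_tables.ko; 'modprobe ip_tables' should work"
    return 0
}

# Kernels that are really installed, i.e. have a usable module tree.
#   installed_kernels [modules-root]
installed_kernels() {
    root="${1:-/lib/modules}"
    for d in "$root"/*/; do
        [ -f "$d/modules.dep" ] && basename "$d"
    done
    return 0
}

# Highest installed version (GNU sort -V orders strings like 2.6.9-11.EL
# and 2.6.9-34.EL correctly). If it differs from uname -r the box is still
# running an older kernel than the one on disk and needs a reboot.
#   newest_installed_kernel [modules-root]
newest_installed_kernel() {
    installed_kernels "${1:-/lib/modules}" | sort -V | tail -n 1
}

# Demo on the live system; the function's exit status is the verdict.
check_kernel_modules || true
echo "running: $(uname -r)   newest installed: $(newest_installed_kernel)"
```

    Run it before reinstalling APF: if it prints MISSING and newest_installed_kernel shows a different version from uname -r, the module tree simply belongs to a kernel that is not booted yet, which is exactly the case a reboot cures.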
  15. StevenC (Well-Known Member; joined Jan 1, 2004)

    2.6.9-11.EL

    That kernel is vulnerable to exploits.
     
  16. cooldude7273 (Well-Known Member; joined Jan 11, 2004; Location: Roswell, GA)

    With a kernel that old, and probably using a close-to-current OS, I will assume you are using CentOS, a bad, bad choice if you want to keep your kernels up to date from RPMs, which is the easiest way. I think you are vulnerable to well over a hundred security problems with that kernel.

    You should consider having someone compile a kernel from source for you, or migrating to an OS which takes better care of security updates (Fedora does a great job; the kernel is always up to date).
     