The Community Forums

SSH Logs

Discussion in 'General Discussion' started by webbhost, Jan 2, 2005.

  1. webbhost

    webbhost Well-Known Member

    Joined:
    Feb 4, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    Hiya, someone has recently violated my SSH access and attacked another computer using it.

    Question is, cPanel says logs are kept?

    Where can I find these logs, because I need to track back the culprit that did the attack.

    Thanks for any info :rolleyes:
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    /root/.bash_history
     
  3. webbhost

    webbhost Well-Known Member

    Joined:
    Feb 4, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    OK, I have found logs... can't see anything suspicious though?

    I don't know how to find out who has been attacking computers, but this is the log, if anyone can help. If it doesn't help, how else could I find out who is doing this?


    Code:
    cd /home/
    ls
    mkdir cpins
    cd cpins/
    ls
    wget layer1.cpanel.net
    wget layer1.cpanel.net/latest
    ls
    rm index.html 
    sh latest 
    rm -rf installd/
    sh latest 
      
    shutdown -h now
    ls -l
    vi /etc/hosts
    vi /etc/sysconfig/network
    vi /etc/wwwacct.conf 
    shutdown -h now
    ls
    pwd
    mount -a
    ls
    cd home/
    ls
    cd ..
    ls
    df
    vi /etc/lilo.conf 
    cd /boot/
    ls
    cd ..
    ls
    cd /boot/
    ls
    cd grub/
    ls
    vi grub.conf 
    df
    ls
    grub-install 
    vi /etc/grub.conf 
    vi /etc/grub.conf 
    grub-install /dev/hdd
    grub-install /dev/hdd1
    df
    grub-install /dev/hda
    cd /boot/grub/
    ls
    vi stage1 
    ls
    cd ..
    vi grub/device.map 
    ls
    grub-install 
    vi /etc/grub.conf 
    vi /boot/grub/device.map 
    cd /boot/grub/
    grep hda *
    vi grub.conf
    grep hda *
    grub-install 
    grub-install /dev/hdd
    grub-install /dev/hdd1
    grub-install /dev/hda
    grub-install /dev/hda1
    grub-install /dev/hdd1
    grub-install /dev/hdd
    ls
    vi etc/fstab 
    vi etc/lilo.conf 
    shutdown -h now
    cd /etc/
    ls
    vi grub.conf 
    cd /boot/
    ls
    cd grub/
    ls
    vi grub.conf 
    vi device.map 
    vi /etc/fstab 
    ls
    vi device.map 
    grub-install 
    grub-install /dev/hda
    grub
    ls
    vi device.map 
    ls
    grub
    ls
    vi etc/lilo.conf 
    lilo -q
    ls
    passwd root
    logout
    C:
    cd/directory
    cd
    directory
    C/windos
    C/windows
    C\windows
    home
    cd/home
    /home/
    /cd/
    \cd\cd\home\webbhost\bin
    \cd/home
    \cd\home
    \cd/home
    cd
    cd/home
    cdhome
    cd\home
    cd
    home
    cd/home
    cd-home
    cd
    hine
    cd
    home
    cd home
    cd /home
     /webbhost
    home /webbhost
    cd
    cd /home /webbhost
    /home /webbhost
    cd /home webbhost
    sc_serv &
    cd /home/webbhost/bin
    ./sc_serv &
    chmod777*
    chmod 777 *
    chown webbhost *
    ./sc_serv &
    cd /home/webbhost
    sc_serv &
    sc_serv&
    sc_serv &
    chmod bin2 777 *
    /bin2
    cd /home/webbhost/bin2
    chmod 777 *
    sc_serv &
    cd /home/webbhost/bin
    sc_serv &
    cd /home/webbhost/bin2
    sc_serv &
    sc_serv2 &
    cd /home/webbhost/bin
    cs_serv %
    cs_serv &
    ./cs_serv %
    ./cs_serv &
    /scs_serv &
    cd /home/webbhost/bin
    ./ sc_serv &
    ./ sc_serv %
    ./ sc_serv*
    ./ sc_serv
    cd /home/webbhost/bin
    cs_serv &
    ./sc_serv &
    sc_serv &
    sc_serv &
    cs_serv &
    /dcs_serv &
    ./cs_serv &
    ./cs_serv & &
    ./cs_serv &
    cd /home/webbhost/bin2
    ./sc_serv &
    chmod 777 *
    ./sc_serv &
    cd /home/webbhost/bin
    ./sc_serv &
    ./sc_serv &
    ./sc_serv &
    kill 4578
    cd /homewebbhost/bin2
    cd /homewebbhost/bin1
    cd /home/webbhost/bin2
    ./sc_serv &
    kill 4474
    kill 4356
    kill 4474
    currprocesses
    cd /sbin
    ls
    cd
    cd /home/webbhost/bin
    ./sc_serv &
    cd /home/webbhost/bin2
    ./sc_serv &
    cd /home/webbhost/bin
    sc_serv &
    ./sc_serv &
    cd /home/webbhost/bin
    ./sc_serv &
    cd /home/webbhost/bin
    ./sc+serv &
    ./sv_serv &
    cd/webbhost/bin
    cd /home/webbhost/bin
    wget http://public.planetmirror.com/pub/lokigames/installers/ut/ut-server-436.tar.gz
    cd /home/webbhost/bin
    wget http://public.planetmirror.com/pub/lokigames/installers/ut/ut-server-436.tar.gz
    cd /home/webbhost/bin
    wget http://public.planetmirror.com/pub/lokigames/installers/ut/ut-server-436.tar.gz
    gunzip ut-server-436.tar.gz
    cd /home/webbhost/bin
    tar -xvf UT-SERVER-436.tar
    tar -xvf ut-server-436.tar
    exit
    shutdown -h now
    cd /home/webbhost/bin
    sc_serv &
    ./sc+serv &
    ./sc_serv &
    cd /home/webbhost/bin
    ./sc+serv &
    grep riskukw
    cd:
    cd
    locate httpd.conf
    cd /home/testing/public_html
    chown root.nobody .htaccess
    chown root.nobody .htaccess
    chown root.nobody .htaccess
    chown root.root .htaccess
    chown root.nobody .htaccess
    locate cgi-sys
    sbin/restart
    home/webbhost
    /cd/home/webbhost
    cd/home
    cd ¬
    cd
    home
    home/
    cd home
    cd - home
    cd - home/webbhost
    cd~
    cd~webbhost
    cd~/webbhost
    cd~
    cd
    #home
    /home
    cd ~
    cd~
    cd ~ /webbhost
    #bom
    /bin
    cd /home/webbhost
    /bin
    cd bin
    sc_Serv
    cd sc_serv
    ./sc_serv
    cd $imagemagick
    cd /imagemagick
    root@host [~]# cd $imagemagick
    root@host [~]# cd /imagemagick
    root@host [/imagemagick]#
    gzip -dc TimageMagick-alphaev6-unknown-linux-gnu.tar.gz
    gzip -dc imageMagick-alphaev6-unknown-linux-gnu.tar.g
    gzip -dc imageMagick-alphaev6-unknown-linux-gnu.tar.gz
    gzip -dc /imagemagick/imageMagick-alphaev6-unknown-linux-gnu.tar.gz
    /home/adz21c/extra/bin/link
    /home/adz21c/extra/bin/links
    vi /etc/nameserverips 
    ifconfig 
    vi /etc/nameserverips 
    service named status
    service bind status
    vi /etc/hosts
    cd /scripts/
    ./fixetchosts 
    vi /etc/hosts
    vi /etc/nameserverips 
    vi /etc/hosts
    ls
    cd /etc/hosts
    vi /etc/hosts
    ./fixetchosts 
    vi /etc/hosts
    ./fixndc 
    service cpanel restart
    w
    ./fixndc 
    service cpanel restart
    vi /etc/resolv.conf 
    ifconfig 
    vi /etc/resolv.conf 
    cat /etc/nameserverips 
    vi /etc/nameserverips 
    vi /etc/hosts
    ping google.com
    cd /
    ping google.com
    ping google.com
    vi /etc/resolv.conf 
    ls
    ls
    vi /etc/hosts
    vi /etc/resolv.conf 
    vi /etc/hosts
    cd scripts/
    ./fixetchosts 
    vi /etc/hosts
    ./fixndc 
    cat /etc/*release*
    service cpanel restart
    w
    ifconfig 
    vi /etc/hosts
    ping 66.79.166.20
    ssh 66.79.160.100 -lroot
    
     
  4. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    So 5 days since this happened? Running "last" from the prompt may give you some info. If your box was rooted then the tracks are easily covered. Since your post gives the impression that you don't have much experience being a sysadmin your best bet is to hire someone to help you out.
     
  5. webbhost

    webbhost Well-Known Member

    Joined:
    Feb 4, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    it happened again today..
     
  6. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Then you should take this box offline until you can fix the problem.
     
  7. webbhost

    webbhost Well-Known Member

    Joined:
    Feb 4, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    "this box?" as in that log?
     
  8. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Box is slang for server. You really should get a grip on this problem. If your server is being used to hack/crack then the issue could become much bigger (meaning legal ramifications) in a hurry.
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup. You need to either have your datacenter or a server administrator check your server over in case you've suffered a root compromise. The very least you should do is reset your passwords and install the likes of rkhunter and chkrootkit to check the server. If you didn't do those commands in the .bash_history and you don't know anyone who did, you could have very serious problems.
     
  10. jeremy_reliable

    jeremy_reliable Active Member
    PartnerNOC

    Joined:
    Mar 8, 2004
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Looks like someone set up Shoutcast and Unreal Tournament servers on there.

    Like people have said in previous posts, the content in that .bash_history file is pretty much useless in a real attack, since with root access the hacker could have just removed the lines with the evidence. At the very least you should reset your root pass right away.
     
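An added example, not posted by anyone in this thread, of where to look instead of .bash_history once you take sawbuck's point about login records and jeremy_reliable's point that a root intruder can edit the history: it summarises accepted and failed sshd logins from log lines in the format sshd writes to /var/log/secure or /var/log/auth.log, and flags a history file that has been emptied or pointed at /dev/null. The log lines, hostname and addresses below are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the thread): summarise SSH logins from sshd's own
# log lines, evidence that survives an edited /root/.bash_history.

# Constructed sample lines in OpenSSH syslog format (as in /var/log/secure
# on RHEL/CentOS or /var/log/auth.log on Debian). Addresses are documentation ranges.
SAMPLE_LOG='Jan  2 03:14:07 host sshd[4120]: Accepted password for root from 192.0.2.44 port 51022 ssh2
Jan  2 03:14:09 host sshd[4120]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  2 03:20:15 host sshd[4188]: Failed password for root from 198.51.100.9 port 40112 ssh2
Jan  2 03:20:18 host sshd[4188]: Failed password for root from 198.51.100.9 port 40112 ssh2
Jan  2 04:02:33 host sshd[4301]: Accepted publickey for webbhost from 203.0.113.5 port 50233 ssh2
Jan  3 01:55:40 host sshd[5120]: Accepted password for root from 192.0.2.44 port 51900 ssh2'

# Print "count user ip" for every successful login, most frequent first.
# Field 9 is the user and field 11 the source address in "Accepted ... for U from IP".
accepted_logins() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11 }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2, $3 }'
}

# Print "count ip" for failed password attempts (a brute-force indicator).
# Counting from the end copes with the extra "invalid user" words.
failed_by_ip() {
    printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ { print $(NF-3) }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Report whether a shell history file has been neutralised: missing, empty,
# or symlinked to /dev/null, all common once an intruder holds root.
history_status() {
    f="$1"
    if [ -L "$f" ] && [ "$(readlink "$f")" = "/dev/null" ]; then echo "symlinked-to-devnull"
    elif [ ! -e "$f" ]; then echo "missing"
    elif [ ! -s "$f" ]; then echo "empty"
    else echo "present"
    fi
}

accepted_logins "$SAMPLE_LOG"   # 2 root 192.0.2.44 / 1 webbhost 203.0.113.5
failed_by_ip "$SAMPLE_LOG"      # 2 198.51.100.9
history_status /root/.bash_history
```

On a live box, feed the functions the real file (`accepted_logins "$(cat /var/log/secure)"`) and compare the sessions with `last -F`, which reads /var/log/wtmp rather than the shell history.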