freakin'me

Member
Jul 8, 2005
- Upgrade cPanel and the rest of your software to its latest (stable) version.
- Did you back up all your vital data?
- Then try to figure out from the log files which IP address (range) they use, and block this using your firewall, most probably iptables.
- Try to make sure it wasn't one of your customers (assuming it is about shared hosting).
- Now try to find out by going through all your log files (make a backup of those too!) how the hack was performed. If you're lucky, the hacker didn't remove/fake these.

By the way: what was hacked exactly? If the hacker had access over SSH (shell), try to log in with SSH and try the commands 'last' and 'who'. With these commands you can see the last 30 logins, and see who is logged in ATM.
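As an added illustration of the 'last' review suggested above (this is example code, not part of the thread), the script below reads `last -i` style output and reports every session whose source address is not on an allow-list of addresses you know are yours. The sample output and the two addresses (203.0.113.10 as the trusted one, 198.51.100.77 as the stranger) are constructed for the example.

```shell
#!/bin/sh
# Constructed sample standing in for real `last -i` output on the server.
# On a live box you would pipe the real command in instead (see the end).
SAMPLE_LAST='celliott pts/0        203.0.113.10     Tue Jan  1 09:12   still logged in
root     pts/1        198.51.100.77    Tue Jan  1 03:41 - 03:58  (00:17)
celliott pts/0        203.0.113.10     Mon Dec 31 22:05 - 23:30  (01:25)
reboot   system boot  0.0.0.0          Mon Dec 31 20:00

wtmp begins Mon Dec 31 20:00:00 2006'

# unknown_logins ALLOWLIST  (reads `last -i` output on stdin)
# ALLOWLIST is a space-separated list of trusted source addresses.
# Prints one "UNKNOWN ..." line per session from any other address.
unknown_logins() {
    allow="$1"
    while read -r user tty host rest; do
        # skip blank lines, the "wtmp begins" trailer and reboot/shutdown
        # pseudo-entries, which carry no remote address
        case "$user" in ''|wtmp|reboot|shutdown) continue ;; esac
        case " $allow " in
            *" $host "*) ;;                              # trusted address
            *) echo "UNKNOWN user=$user from=$host $rest" ;;
        esac
    done
    return 0
}

# Run it over the constructed sample; on a real server use:
#   last -i | unknown_logins "203.0.113.10"
printf '%s\n' "$SAMPLE_LAST" | unknown_logins "203.0.113.10"
```

Remember that wtmp is a file the intruder can edit once they have root, so an empty report only proves that nothing was left behind, not that nothing happened.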

celliott

Well-Known Member
Jan 2, 2006
United Kingdom
Well, it seems that what I considered to be a secure server has now been hacked, last night on New Year's Eve. How sick can you possibly get.

The traces on the server I have found are for a hacking group/person who likes to call themselves H@CK2PRiSON.

Now, since I have never encountered a problem like this before, can anyone give me some pointers to try and clean up any mess this bastard has done?

Thanks

celliott

Well-Known Member
Jan 2, 2006
United Kingdom
Thanks for the tips.

'last' and 'who' in SSH show nothing except my IP address.

I am pretty sure it's not one of the customers on the server.

They changed our website and corrupted our billing database. The account the website and billing DB are on also has root access, so if they edited those files, potentially anything could have been done.

Everything on the server is up to date.

celliott

Well-Known Member
Jan 2, 2006
United Kingdom
On further inspection, it seems they got in through an OpenSSL exploit, as this machine was running 0.9.7a (the 4-year-old one).

I have manually recompiled OpenSSL 0.98d, and that should be it, I hope.

mctDarren

Well-Known Member
Jan 6, 2004
New Jersey
cPanel Access Level
Root Administrator
If they achieved full root access, you'll never know what they did. You should probably do a full system restore and start again. They might still have full control and you don't even know it. :(

freakin'me

Member
Jul 8, 2005
If you do a complete reinstall, you might want to take a look at Tripwire, in order to keep your system safe and secure.

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
I have manually recompiled OpenSSL 0.98d and that should be it I hope.
In addition, you need to scan your server for possible bad and insecure scripts, especially PHP. These days there are two popular phishing tools: c99shell.php and r57shell. Although these PHP scripts do not allow direct access to the server, c99shell.php and r57shell pose a serious security threat.