The Community Forums


Urgent Help Required

Discussion in 'General Discussion' started by freakin'me, Jan 1, 2007.

  1. freakin'me

    freakin'me Member

    Joined:
    Jul 8, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    - upgrade cPanel and the rest of your software to its latest (stable) version.
    - did you back up all your vital data?
    - then try to figure out from the log files which IP address (range) they use, and block this using your firewall, most probably iptables.
    - try to make sure it wasn't one of your customers (assuming it is about shared hosting)
    - now try to find out by going through all your log files (make a backup of those too!) how the hack was performed. If you're lucky, the hacker didn't remove/fake these.

    By the way: what was hacked exactly? If the hacker had access over SSH (shell), try to log in with SSH and try the commands 'last' and 'who'. With these commands you can see the last logins, and see who is logged in ATM.
     
  2. celliott

    celliott Well-Known Member

    Joined:
    Jan 2, 2006
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Well it seems that what I considered to be a secure server, has now been hacked last night on new years eve. How sick can you possibly get.

    The traces on the server I have found are for a hacking group/person who likes to call themselves H@CK2PRiSON.

    Now since I have never encountered a problem like this before, can anyone give me some pointers to try and clean up any mess this bastard has done.

    Thanks
     
  3. celliott

    celliott Well-Known Member

    Joined:
    Jan 2, 2006
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Thanks for the tips.

    'last' and 'who' in SSH show nothing except my IP address.

    I am pretty sure it's not one of the customers on the server.

    They changed our website and corrupted our Billing database. The account the website and Billing DB is on, also has root access so if they edited those files, potentially anything could have been done.

    Everything on the server is up to date.
     
  4. celliott

    celliott Well-Known Member

    Joined:
    Jan 2, 2006
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    On further inspection it seems they got in through an OpenSSL exploit as this machine was running 0.9.7a (the 4 year old one).

    I have manually recompiled OpenSSL 0.98d and that should be it I hope.
     
  5. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    If they achieved full root access you'll never know what they did. You should probably do a full system restore and start again. They might still have full control and you don't even know it. :(
     
  6. freakin'me

    freakin'me Member

    Joined:
    Jul 8, 2005
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    If you do a complete reinstall, you might want to take a look at Tripwire, in order to keep your system safe and secure.
     
  7. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    In addition, you need to scan your server for possible bad and insecure scripts, especially PHP. These days there are two popular phishing tools: c99shell.php and r57shell. Although these PHP scripts do not allow direct access to the server, c99shell.php and r57shell pose a serious security threat.
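    As an added illustration of the scan suggested in this post (example code, not from the forum or from cPanel), here is a small Python scanner that walks a document root and flags PHP files carrying indicators of the c99/r57 shell family: the shell names themselves, eval() of a decoded payload, and command execution on raw request input. The indicator list and the sample docroot it builds are constructed for the demo and are assumptions, not a complete signature set.

```python
import os
import re
import tempfile

# Constructed indicator set: names and constructs typical of the c99/r57 family of
# PHP shells. Illustrative only; extend and tune it before relying on it.
INDICATORS = {
    "c99shell-name": re.compile(r"c99shell", re.I),
    "r57shell-name": re.compile(r"r57shell", re.I),
    "eval-of-decoded-payload": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "exec-of-request-input": re.compile(r"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
}
SCAN_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")

def scan_file(path):
    """Return the indicator names that match the file's contents (empty list if clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    return [name for name, pat in INDICATORS.items() if pat.search(data)]

def scan_tree(root):
    """Walk root and map each flagged file (path relative to root) to its matched indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings

def demo():
    """Build a constructed docroot (one clean file, two suspicious, one non-PHP) and scan it."""
    samples = {
        "index.php": "<?php echo 'welcome'; ?>",
        "images/.cache.php": "<?php /* c99shell v1.0 */ eval(base64_decode($p)); ?>",
        "tmp/x.php": "<?php passthru($_REQUEST['c']); ?>",
        "notes.txt": "r57shell is named here, but .txt is outside the scanned extensions",
    }
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

    Point scan_tree() at a real document root to get a list of files to review by hand; a hit is a lead for inspection, not proof of compromise, and a clean scan does not rule out a root-level intrusion like the one described in this thread.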
     