Urgent Help Required

[freakin'me]

- upgrade cpanel and the rest of your software to it's latest (stable) version.
- did you backup all your vital data?
- then try to figure out by log files which ip address (range) they use, and block this using your firewall, most probably iptables.
- try to make sure it wasn't one of your customers (assume it is about shared hosting0
- now try to find out by going through all your log files (make a backup of those either!) how the hack was performed. If you're lucky, the hacker didn't remove/fake these.

By the way: what was hacked exactly? if the hacker had access over SSH (shell), try to log in with SSH and try the commands 'last' and 'who' with these commands you can see the last 30 logins, and see who is logged in ATM.

 

[celliott]

Well it seems that what I considered to be a secure server, has now been hacked last night on new years eve. How sick can you possibly get.

The traces on the server I have found are for a hacking group/peron who likes to call themselves H@CK2PRiSON.

Now since I have never encounted a problem like this before, can anyone give me some pointers to try and cleanup any mess this bastard has done.

Thanks

 

[celliott]

Thanks for the tips.

Last and Who in SSH shows nothing except my IP address.

I am pretty sure its not one of the customers on the server.

They changed our website and corrupted our Billing database. The account the website and Billing DB is on, also has root access so if they edited those files, potentially anything could have been done.

Everything on the server is upto date.

 

[celliott]

On further inspection it seems they got in through an OpenSSL exploit as this machine was running 0.9.7a (the 4 year old one).

I have manually recompiled OpenSSL 0.98d and that should be it I hope.

 

[mctDarren]

If they acheived full root access you'll never know what they did. You should probably do a full system restore and start again. They might still have full control and you don't even know it.

 

[freakin'me]

if you do a complete reinstall, you might want to take a look at tripwire, in order to keep your system safe and secure.

 

[AndyReed]

I have manually recompiled OpenSSL 0.98d and that should be it I hope.

In addition, you need to scan your server for possible bad and insecure scripts, especially Php. These days there are two popular phishing tools: c99shell.php and r57shell. Although these Php scripts are not allowing direct access to the server, C99shell.php and r57shell pose serious security threat.