The Community Forums


Urgent please (probably hacked)

Discussion in 'General Discussion' started by SebastianC, Jan 21, 2004.

  1. SebastianC

    SebastianC Active Member

    Joined:
    Nov 25, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Some strange things are in my RH 9 with cPanel.

    In the user list I have a user named "vadmin"... is this user normal in cPanel or Red Hat? (It isn't a user created by me.)

    Thanks for your help,

    Sebastian
     
    #1 SebastianC, Jan 21, 2004
    Last edited: Jan 21, 2004
  2. SebastianC

    SebastianC Active Member

    Joined:
    Nov 25, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Thanks, vadmin isn't a user created by redhat or cpanel. I have deleted it.
     
  3. efeito

    efeito Well-Known Member
    PartnerNOC

    Joined:
    Jul 24, 2003
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    .pt
    Better try to check how it was added...
     
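    One way to follow efeito's advice and check whether an account like "vadmin" was added after the box was built: compare the live passwd file against a baseline of the accounts you created, and flag any UID 0 entry that is not root. This is an added example, not a script from the thread; the passwd lines, the baseline and the "vadmin" entry below are constructed sample data, and `audit_passwd` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): audit a passwd file for accounts that
# are not on a known-good baseline, and for any UID-0 account other than root.
# Usage: audit_passwd /etc/passwd baseline.txt
# Prints one line per finding; returns 1 if anything was flagged, 0 otherwise.
audit_passwd() {
    passwd_file="$1"
    baseline_file="$2"
    findings=0
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        # A second UID-0 account is a classic backdoor indicator.
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "UID0   $name (home=$home shell=$shell)"
            findings=1
        fi
        # Accounts absent from the baseline were added after it was taken.
        if ! grep -qxF "$name" "$baseline_file"; then
            echo "NEW    $name uid=$uid (home=$home shell=$shell)"
            findings=1
        fi
    done < "$passwd_file"
    return $findings
}

# Constructed sample data (not from a real server): a baseline written when the
# server was built, and a current passwd file that has grown one extra account.
make_sample_files() {
    dir="$1"
    printf '%s\n' root bin daemon nobody mysql sebastian > "$dir/baseline.txt"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sebastian:x:500:500:Sebastian C:/home/sebastian:/bin/bash
vadmin:x:0:0::/:/bin/bash
EOF
}

# Run the audit against the constructed data; returns audit_passwd's status.
demo_audit() {
    dir=$(mktemp -d)
    make_sample_files "$dir"
    audit_passwd "$dir/passwd" "$dir/baseline.txt"
    status=$?
    rm -rf "$dir"
    return $status
}

demo_audit || echo "audit: findings present (exit status $?)"
```

    On a real server the baseline would be a copy of `/etc/passwd` usernames saved at build time and stored off-box, since an intruder who can edit passwd can edit a baseline kept next to it. The UID 0 check needs no baseline at all and is worth running on its own.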
  4. pguy

    pguy Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Download chkrootkit from www.chkrootkit.org and run it on your system to check for any trojans.
     
  5. SebastianC

    SebastianC Active Member

    Joined:
    Nov 25, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Ok pguy. The server is compromised:

    Checking `ifconfig'... INFECTED
    Checking `login'... INFECTED
    Checking `pstree'... INFECTED
    Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
    Searching for Showtee... Warning: Possible Showtee Rootkit installed
    Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
    Checking `lkm'... You have 3 process hidden for ps command
    Warning: Possible LKM Trojan installed

    Is there any way to fix it without a restore (and losing all the info, and the expected downtime)?

    Thanks in advance for any help....

    Sebastian
     
  6. pguy

    pguy Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Depends on what you have on the server, the backups if any etc. Best bet would be a restore of the OS and other data and then getting the backup accounts into the system. Tell me you had a 2nd backup drive plz ! :)
     
  7. SebastianC

    SebastianC Active Member

    Joined:
    Nov 25, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    No, I don't have a second drive :( but I have other servers; I can make backups and transfer them to another server, then restore the data later....

    But the problem is with one big site, more than 5Gb just in MySQL data.... and configurations...

    When a machine is compromised, can nothing solve the problem without restoring the OS?
     
  8. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    It is a very good idea to run chkrootkit from cron; we run ours every 12 hours on each server we own. This is aggressive, but so are the hack attempts we have seen in the last 6 months. Also, make sure you run /scripts/securetmp, as this is an excellent defense mechanism for blocking some hack attempts. If you haven't already, make sure the new server has APF on it.
     
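    A cron wrapper of the kind kris1351 describes, as an added example rather than a script from the thread or from the chkrootkit project: it keeps a dated report per run and only mails the admin when the scan flags something, so a clean run stays quiet. The report directory, the script path in the crontab line and the use of local mail(1) are assumptions; the sample report is constructed from the lines Sebastian posted above plus a few clean ones, so the parsing runs without a real scan.

```shell
#!/bin/sh
# Added example, not the thread's own script: cron wrapper around chkrootkit.
# Assumed: chkrootkit on PATH, reports kept under /var/log/chkrootkit, and a
# working local mail(1). Adjust REPORT_DIR and ALERT_TO for your host.
REPORT_DIR=/var/log/chkrootkit
ALERT_TO=root

# Return 0 if the report contains anything chkrootkit treats as suspicious
# ("INFECTED", "Warning:", "Possible ... installed"), 1 if it reads clean.
# "not infected" is lowercase, so it does not trip the INFECTED match.
report_has_findings() {
    grep -Eq 'INFECTED|Warning:|Possible .* installed' "$1"
}

# Print only the suspicious lines, so the alert mail stays short.
report_findings() {
    grep -E 'INFECTED|Warning:|Possible .* installed' "$1"
}

# Cron entry point: run the scan, keep the report, alert only on findings.
run_scan() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/chkrootkit-$(date +%Y%m%d-%H%M).log"
    chkrootkit > "$report" 2>&1
    if report_has_findings "$report"; then
        report_findings "$report" | mail -s "chkrootkit findings on $(hostname)" "$ALERT_TO"
        return 1
    fi
    return 0
}

# Constructed sample report (the flagged lines are the ones from the post above).
write_sample_report() {
    cat > "$1" <<'EOF'
Checking `chsh'... not infected
Checking `ifconfig'... INFECTED
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for sniffer's logs, it may take a while... nothing found
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed
EOF
}

# Exercise the parser on the sample; returns 0 when findings are detected.
demo_parse() {
    tmp=$(mktemp)
    write_sample_report "$tmp"
    report_has_findings "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Crontab line for a scan every 12 hours, as suggested in the thread
# (assumed install path):
# 0 */12 * * * /usr/local/sbin/chkrootkit-cron.sh >/dev/null 2>&1
case "${1:-}" in
    run) run_scan ;;
    *)   demo_parse && echo "sample report: findings detected" ;;
esac
```

    Keeping every report, not just the alerting ones, gives you the "last known clean" timestamp that narrows down when a compromise happened. Note that chkrootkit itself runs on the binaries of the host it checks; on a box where `ifconfig`, `login` and `pstree` are already reported INFECTED, its results are a prompt to pull the disk and examine it from a trusted system, not a guarantee of what is or is not there.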
  9. pguy

    pguy Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Dear Sebastian,

    Most of the time the data can be salvaged. However it depends on the intensity and depth of the intrusion. We have had our servers hacked before and we now have level 3 techs working with us just for securing servers.

    Drop me a PM. I may be able to help in the salvaging of data.
     
  10. denisdekat09

    denisdekat09 Well-Known Member

    Joined:
    Mar 2, 2002
    Messages:
    265
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Francisco
    Once you are back, make sure all your software is up to date. Although up2date is going away, there is also
    http://freshrpms.net/
     