The Community Forums


whm Cleanup after having been hacked

Discussion in 'Security' started by zombo, Oct 12, 2010.

  1. zombo

    zombo Active Member

    Joined:
    Jan 28, 2004
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Austria
    G'day to everyone,
    I have a WHM/cPanel VPS that has unfortunately been hacked. I have already hardened the server and think that the attack is stopped and blocked. The main thing that happened is that CGI scripts did not work anymore and one new cPanel account had been created. I did rootkit checking etc., deleted all changes that I found and currently have no troubles left. My question is how to cope with some remainders of the attack.

    There are cPanel account files located in /var/cpanel/userdata/... whose meaning I am not sure of. They contain elements that are probably used for building the httpd.conf entries, but the syntax is slightly different from httpd.conf's. I compared all userdata files and found some strange entries there:
    (1) in some of the account files I find the line
    options: -ExecGI -Includes
    which I certainly do not want there. Can I safely delete this line or do I have to change it to
    options: +ExecGI +Includes

    (2) The 'hascgi' line, which I guess should read 'hascgi: 1', has been changed to 'hascgi: 0'. Can I safely change it back to 1?

    (3) Some of the files have the following lines inside
    removehandler:
    -
    removehandler cgi-script .plx .ppl .perl
    Again, can I safely delete these lines, or more importantly:

    When are these files used, and what for?

    Is there a clean template anywhere?
    I did not find answers in any public documentation of WHM/cPanel on that subject, hence my request on this board.
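An added example, not from this thread and not cPanel's own tooling: a small audit script that walks a copy of the userdata tree and flags exactly the three kinds of entries the post lists ('hascgi: 0', Apache options switched off with a leading '-', and 'removehandler' entries), so an admin can see every affected domain in one pass before deciding what to restore and rebuilding httpd.conf with cPanel's /scripts/rebuildhttpdconf. The parser is deliberately minimal and assumes only simple 'key: value' lines and '- item' lists, which is all the post shows; the sample file content, user name and domain are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample of a userdata file in the shape described in the post.
# Real files live under /var/cpanel/userdata/<user>/<domain>; the content
# here is hypothetical and only mirrors the three suspicious entries.
SAMPLE_USERDATA = """---
documentroot: /home/example/public_html
hascgi: 0
options: -ExecCGI -Includes
removehandler:
  - removehandler cgi-script .plx .ppl .perl
servername: example.invalid
user: example
"""

KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")
ITEM_RE = re.compile(r"^\s*-\s*(.*)$")


def parse_userdata(text):
    """Minimal parser: top-level 'key: value' pairs plus '- item' lists.

    Assumption: the file uses only these two constructs (the real format is
    YAML, but nothing in the post needs more than this).
    """
    data = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "---":
            continue
        item = ITEM_RE.match(line)
        if item and current_list is not None:
            current_list.append(item.group(1).strip())
            continue
        kv = KEY_RE.match(line)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if value == "":
                # A key with no inline value starts a list block.
                data[key] = []
                current_list = data[key]
            else:
                data[key] = value
                current_list = None
    return data


def audit_userdata(data):
    """Return a list of findings for the entries the thread calls suspicious."""
    findings = []
    if data.get("hascgi") == "0":
        findings.append("hascgi is 0: CGI disabled for this domain")
    for opt in str(data.get("options", "")).split():
        if opt.startswith("-"):
            findings.append(f"options disables {opt[1:]}")
    handlers = data.get("removehandler", [])
    if isinstance(handlers, list):
        for entry in handlers:
            findings.append(f"removehandler entry: {entry}")
    return findings


def audit_tree(root):
    """Audit every regular file below root; returns {path: [findings]}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings = audit_userdata(parse_userdata(text))
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; point audit_tree() at a
    # copy of /var/cpanel/userdata to run it against a real server.
    for finding in audit_userdata(parse_userdata(SAMPLE_USERDATA)):
        print(finding)
```

Run it against a copy of the userdata directory rather than the live one, and treat the output as a checklist: each flagged domain is one whose generated Apache vhost will have CGI or includes turned off until the entry is changed and httpd.conf is rebuilt.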
     
  2. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    To be perfectly honest with you here, you need some professional server root management on this to dig through everything.

    If I was in your position, I would back up any clients I host, then get a new VPS with the same provider and transfer them over. I say the same provider mainly for traffic reasons: moving all data over will be quick as it's local host traffic, which will be extremely fast.

    Also, do you know how you were hacked: through the kernel, or just insecurity of the user login details?
     
  3. zombo

    zombo Active Member

    Joined:
    Jan 28, 2004
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Austria
    I am not so much worried about the hack. Since I do not have any PHP apps online, it was most likely a successful login, but you never know, of course. The hack was detected very quickly. I found some backdoors that I could delete. A cPanel account was created for the domain www.dos02.com, which actually exists. I deleted all those things, hardened the firewall, changed all pwds, watch procs closely, etc. I also have a change to 2 (new) redundant servers on schedule, which will be populated with safe cPanel account data later. But as I cannot do this immediately, that is why I am 'housecleaning'. As a side effect I learn a little more about WHM/cPanel's insides.

    So my question remains ... thanks in advance for any answers to my initial posting.
     
    #3 zombo, Oct 12, 2010
    Last edited: Oct 12, 2010