The Community Forums


yesterday i was hacked

Discussion in 'Data Protection' started by hackobo, Nov 20, 2004.

  1. hackobo

    hackobo Registered

    Yesterday I was hacked (23 sites). This guy changed my DNS and my sites are redirecting to other sites... Is this a DNS problem?

    Please check one of the sites

    EDITED

    is redirecting to EDITED

    I don't know how I can fix this problem. Can you help me?

    Can I reset the DNS numbers?

    Sorry for my English :)

    jacobo
     
    #1 hackobo, Nov 20, 2004
    Last edited: Nov 21, 2004
  2. djmerlyn

    djmerlyn Well-Known Member

    I would think your first step is to figure out how your box was hacked... then how to fix it so it never happens again. Then work on repairing the damage.

    Fixing things should be as easy as restoring things from your backup... shouldn't it?
     
  3. linux-image

    linux-image Well-Known Member

  4. dezignguy

    dezignguy Well-Known Member

    Is the DNS info the only thing that got changed? Did any site files get changed or overwritten? Run a rootkit scanner, or several, and make sure there aren't any trojans lurking around... rootkit.nl and chkrootkit.org

    If your hacker got root access, you'll likely need to just reload your OS... that's the only way to be sure that there aren't still problems and that the hacker doesn't still have access.

    And maybe you'll want to read up on securing DNS better for the future.
     
  5. chirpy

    chirpy Well-Known Member

    Sounds like you may have been caught out by the /etc/resolv.conf 127.0.0.1 issue. If so, you should do a search on the forums to prevent that in the future. As to fixing it - restoring /var/named/ and /etc/named.conf from backup would be a first step. However, if you've suffered a root compromise then you should OS reload your server and restore your user backups.
     
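    The advice above boils down to two checks: is /etc/resolv.conf still pointing where you expect, and which records in the zone files under /var/named differ from your last good backup? The following is an added example for this thread, not code from cPanel or any poster here. It parses the flat one-record-per-line zone layout, diffs a current zone against a backup copy, and lists nameservers that are not on your expected list. The zone text, resolv.conf text, the origin example.com and every IP and hostname in it are constructed samples (documentation-range addresses and placeholder names).

```python
"""Detect tampering in a BIND zone by comparing it against a trusted backup,
and list /etc/resolv.conf nameservers that are not the ones you expect.

Added example for this forum thread; not code from cPanel or any poster.
All zone data, addresses and names below are constructed samples.
"""
from typing import Dict, List, Set, Tuple

# Record types worth comparing after a "my DNS was changed" incident.
RECORD_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "TXT"}

ZoneRecords = Dict[Tuple[str, str], List[str]]   # (owner, type) -> sorted rdata list


def _qualify(name: str, origin: str) -> str:
    """Turn '@' and relative owner names into fully qualified names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> ZoneRecords:
    """Parse a flat zone file: optional TTL, optional 'IN', ';' comments,
    $-directives, and a multi-line SOA in parentheses (the SOA is skipped;
    its continuation lines never look like a complete record)."""
    origin = origin if origin.endswith(".") else origin + "."
    records: ZoneRecords = {}
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        tokens = line.split()
        if raw[0].isspace():                 # blank owner field repeats the previous owner
            owner = last_owner
        else:
            owner = _qualify(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():           # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":     # optional class
            tokens.pop(0)
        if len(tokens) < 2 or tokens[0].upper() not in RECORD_TYPES:
            continue
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        records.setdefault((owner, rtype), []).append(rdata)
    for rdatas in records.values():
        rdatas.sort()
    return records


def diff_zones(trusted: ZoneRecords, current: ZoneRecords) -> Dict[str, dict]:
    """Records added, removed or changed relative to the trusted copy."""
    report: Dict[str, dict] = {"changed": {}, "added": {}, "removed": {}}
    for key in trusted.keys() | current.keys():
        old, new = trusted.get(key), current.get(key)
        if old is None:
            report["added"][key] = new
        elif new is None:
            report["removed"][key] = old
        elif old != new:
            report["changed"][key] = (old, new)
    return report


def unexpected_nameservers(resolv_text: str, expected: Set[str]) -> List[str]:
    """Nameserver entries in resolv.conf that are not in the expected set."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected:
            found.append(parts[1])
    return found


# Constructed sample: the backup copy of the zone ...
TRUSTED_ZONE = """\
$TTL 14400
@       14400   IN  SOA ns1.example.com. hostmaster.example.com. (
                        2004112001 ; serial
                        86400      ; refresh
                        7200       ; retry
                        3600000    ; expire
                        86400 )    ; minimum
@       86400   IN  NS  ns1.example.com.
@       86400   IN  NS  ns2.example.com.
@       14400   IN  A   203.0.113.10
www     14400   IN  A   203.0.113.10
mail    14400   IN  A   203.0.113.20
@       14400   IN  MX  0 mail.example.com.
"""
# ... and the copy found on the box after the incident (www and ns1 rewritten).
CURRENT_ZONE = TRUSTED_ZONE.replace("www     14400   IN  A   203.0.113.10",
                                    "www     14400   IN  A   198.51.100.77") \
                           .replace("NS  ns1.example.com.", "NS  ns1.redirect.example.")

SAMPLE_RESOLV_CONF = "search example.com\nnameserver 127.0.0.1\nnameserver 198.51.100.53\n"
EXPECTED_NAMESERVERS = {"127.0.0.1"}        # whatever your build normally uses


def zone_report() -> Dict[str, dict]:
    return diff_zones(parse_zone(TRUSTED_ZONE, "example.com"),
                      parse_zone(CURRENT_ZONE, "example.com"))


if __name__ == "__main__":
    for kind, entries in zone_report().items():
        for key, value in entries.items():
            print(f"{kind}: {key[0]} {key[1]} {value}")
    print("unexpected nameservers:", unexpected_nameservers(SAMPLE_RESOLV_CONF, EXPECTED_NAMESERVERS))
```

    On a real box you would feed `parse_zone` the file from /var/named and its counterpart from the backup set, and compare only after confirming the backup predates the compromise; a zone restored from a backup taken after the DNS was changed just reinstates the redirect.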
  6. gorilla

    gorilla Well-Known Member

    dodgy

    Be careful everybody, the temphost domain redirects you to an automatic trojan download!! :mad:
     
    #6 gorilla, Nov 21, 2004
    Last edited: Nov 21, 2004
  7. djmerlyn

    djmerlyn Well-Known Member

    Yeah, I figured when I saw it's the first and only post.

    Notice the other spam coming around the boards?

    Double check your security...

    AND STOP POSTING YOUR DAMN IP ADDRESSES AND SYSTEM INFO IN THE FORUM
     
  8. gorilla

    gorilla Well-Known Member

    I really think it's very important that cPanel is a bit more stringent with who they give access to the forum, and it might be a good idea to have a few levels of access to the more advanced levels.
    People should only have access to this forum if they have gotten a cPanel license, either directly from cPanel or through data centers or dedicated server providers.
     
  9. hackobo

    hackobo Registered

    Sorry, but this topic is called "New User Questions" and I think that this is the best place to put my question... everybody deserves a first time....

    My question is if I can reset the entire DNS for the server. I am a rookie in this issue, my hosting account support wrote...

    "hackers obviously
    exploited a vulnerability in some software, used by our client (formmail). If
    you are using this also, please disable it and contact us."

    But I have some sites without FormMail and they are hacked too.

    I need your help. My host support sucks and I am in charge of these sites... I am a web designer, not a programmer... you are the experts..

    Thanks and sorry again...

    PS: I will edit my first topic
     
  10. gorilla

    gorilla Well-Known Member

    You might consider getting professional paid help; Chirpy is the right person to ask :D
     
  11. StevenC

    StevenC Well-Known Member

    There are companies that can help you with your server security.
     
  12. hostmedic

    hostmedic Well-Known Member

    Fast Server Management ---

    I would suggest giving Ethan over @ Fast Server Management a holler.

    I had a server hacked and he had it restored within 40 minutes.

    Every file - every site, everyone was up and running -

    Cost was only $40

    I use his company to audit my boxes on a regular basis.

    Well worth the money.

    Tell him Glenn sent you and I am sure he will make sure his techs treat you right.

    --- edited ---

    It of course took a bit longer to secure... but that's for another thread. :)
     
    #12 hostmedic, Nov 22, 2004
    Last edited: Nov 23, 2004
  13. StevenC

    StevenC Well-Known Member

    Sorry, but I have to say it: if the server was rooted, 40 minutes is not a very good job.
     
  14. hostmedic

    hostmedic Well-Known Member

    Good point - but Sir - I think you have misunderstood me - or I have not explained it well... I had my clients back up --- running. Of course it took more time to get the box secure --- but having my customers up and running - being able to log in to email, serve their sites... it's a good feeling :)

    If this guy is offline - I thought it would be nice to push him the way I went and was happy -

    I have used a few different companies - and this is the best - in my opinion.

    I also have each box checked for issues each week as well - by a 3rd party.

    thanks :)
     
    #14 hostmedic, Nov 23, 2004
    Last edited: Nov 23, 2004
  15. hackobo

    hackobo Registered

    Thanks guys for the answers,

    But another question about my problem..

    Is Matt's Script FormMail insecure?

    thanks

    Jacobo
     
  16. hostmedic

    hostmedic Well-Known Member

    No - it's not secure ... but ...

    Is my formmail secure?
    If you are using Matt's formmail script, the chances are that you are vulnerable to spammers using your webserver as an open relay. The problem is that the scripts in Matt's Script Archive aren't very good. The scripts are well known amongst the Perl community to be badly written, buggy and insecure. Anyone asking for support on Matt's scripts in any forum will be told in no uncertain terms that they shouldn't use his scripts. The additional spammer element to this equation makes replacing Matt's formmail script imperative.

    Matt's Script Archive has been on the web since 1995. It is a repository of CGI scripts written in Perl by a programmer called Matt Wright. He wrote these as a way of learning Perl, and for such reasons, the scripts weren't designed with security and safety in mind. Matt's Script Archive is probably the most popular repository of CGI scripts currently available on the internet.

    Matt has recently edited his website to recommend that others looking for a formmail script use the NMS scripts instead, so he is fully aware of the dangers of using his formmail script.

    The vulnerabilities
    The formmail vulnerability allows spammers to send anonymous email to anyone on their mailing list. Because the email was created using the formmail's configured sendmail, the email originates from the webserver. So the spammer is effectively anonymous, and difficult to stop. So by providing the spammers these anonymous open relays, you are the victim, as well as a participant in a spam run. So it is in the website owner's benefit to plug these security holes.

    Still not convinced that your formmail script is vulnerable? Why not use a formmail tester script to find out? This script was written by Ronald F. Guilmette (the guy behind monkeys.com).

    The alternatives
    One script change that can make Matt's formmail safer is to hard-code the delivery email address into the script itself, rather than a hidden form field. A safer alternative is to remove Matt's version of the script entirely and use something more security conscious.

    NMS is a set of CGI scripts that are intended as drop-in replacements for the scripts at Matt's Script Archive. They require the same set-up as Matt's originals, but are designed to be secure.

    Monkeys.com offers a more secure alternative version of formmail

    Adapted from: http://www.html-faq.com/cgi/?secureformmail :D
     
    #16 hostmedic, Nov 23, 2004
    Last edited: Nov 23, 2004
  17. rs-freddo

    rs-freddo Well-Known Member

    It is extremely unlikely your sites were hacked using Matt's formmail. Matt's formmail can be vulnerable to spammers but it's not vulnerable to hackers. You need to look elsewhere for the culprit.

    I've noticed a steady increase in people trying to hack into SSH and Proftpd. Make sure your clients are using non-dictionary passwords.

    There is also the current phpBB vulnerability. If you are running any phpBB you need to update it. See phpBB site.
     
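    The password-guessing against SSH mentioned above leaves a clear trail in /var/log/secure (the guide later in this thread lists that path). The following is an added example for this thread, not code from cPanel or any poster: it counts failed sshd logins per source address, lists which usernames were tried, and, the part worth acting on, flags any successful login from an address that had already been guessing. The log lines are constructed in OpenSSH's syslog format with placeholder hostnames and documentation-range IPs.

```python
"""Flag SSH password-guessing in /var/log/secure and spot a login that follows it.

Added example for this forum thread, not code from cPanel or any poster.
The log lines below are constructed; IPs are from the documentation ranges.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from " + IPV4)


def summarise_ssh_auth(lines: Iterable[str], threshold: int = 5) -> Dict[str, object]:
    """Per-source failure counts, usernames tried, and successes after guessing.

    A success from an address that already exceeded `threshold` failures in the
    same log window is the strongest signal here: it is what a weak password
    being found actually looks like."""
    failures: Counter = Counter()
    usernames: Dict[str, Set[str]] = defaultdict(set)
    logins_after_guessing: List[Tuple[str, str]] = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:        # Counter returns 0 for unseen ips
                logins_after_guessing.append((ip, user))
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "suspects": suspects,
        "usernames_tried": {ip: sorted(usernames[ip]) for ip in suspects},
        "logins_after_guessing": logins_after_guessing,
    }


# Constructed /var/log/secure excerpt: one address guessing six times and then
# getting in as root; one legitimate user who mistyped twice.
SAMPLE_SECURE_LOG = """\
Nov 21 03:14:07 server sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Nov 21 03:14:09 server sshd[1236]: Failed password for invalid user test from 198.51.100.23 port 40130 ssh2
Nov 21 03:14:11 server sshd[1238]: Failed password for invalid user oracle from 198.51.100.23 port 40141 ssh2
Nov 21 03:14:13 server sshd[1240]: Failed password for invalid user guest from 198.51.100.23 port 40150 ssh2
Nov 21 03:14:15 server sshd[1242]: Failed password for root from 198.51.100.23 port 40162 ssh2
Nov 21 03:14:17 server sshd[1244]: Failed password for root from 198.51.100.23 port 40170 ssh2
Nov 21 03:14:19 server sshd[1246]: Accepted password for root from 198.51.100.23 port 40181 ssh2
Nov 21 08:02:41 server sshd[1301]: Failed password for jacobo from 203.0.113.5 port 51022 ssh2
Nov 21 08:02:45 server sshd[1301]: Failed password for jacobo from 203.0.113.5 port 51022 ssh2
Nov 21 08:02:52 server sshd[1301]: Accepted password for jacobo from 203.0.113.5 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    report = summarise_ssh_auth(SAMPLE_SECURE_LOG)
    for ip, count in report["suspects"].items():
        print(f"{ip}: {count} failures, tried {report['usernames_tried'][ip]}")
    for ip, user in report["logins_after_guessing"]:
        print(f"ALERT: {ip} logged in as {user} after guessing")
```

    Run it over the real file with `summarise_ssh_auth(open("/var/log/secure"))`; the threshold is deliberately low because on a box that has just been compromised you want to see every address that got in after a run of failures, and then check `last` and the shell histories for those sessions.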
  18. hostmedic

    hostmedic Well-Known Member

    well put ...

    a few suggestions for you:


    visit : http://forums.cpanel.net/showthread.php?t=9887

    HOWTO: Cpanel & WHM Newbie Guide - what you need to get started!
    Unofficial Cpanel Newbie Guide:

    Update: 4-17-03

    I've been using Cpanel for a few months and learnt a few things along the way. <edited out >

    So I'm looking to RS forums as well for Cpanel support - there are lots of friendly people around here that know lots more than myself so if you would like to add anything to this HOWTO please let me know and I'll update it!

    Note: I'm not a Cpanel guru but I have my machine running well with it so I must be doing something right !

    I'm assuming you already have Cpanel installed......this is meant to be a brief overview of some important features - not a complete WHM guide - that should be the responsibility of DarkOrb - we all know their documentation needs work and updating though!

    Logins!
    You need to log in to your box, right? Well, here are a few things to help you. SSL logins are highly recommended for security.




    WHM
    - Secure SSL https://sitename.com:2087
    - Regular http://sitename.com:2086

    Cpanel
    - Secure SSL https://sitename.com:2083
    - Regular http://sitename.com:2082

    Webmail
    - Secure SSL https://domain.com:2096
    - Regular http://domain.com:2095



    First off is updates with Cpanel:
    Do not use anything other than stable releases.
    Server Setup/Change Update Preferences:
    Cpanel/WHM Updates: Manual Updates Only (STABLE tree)
    - All set to manual updates. I prefer manual over automatic because I like to keep a better eye on what has been changed.
    If you select manual and you want to perform the update simply scroll down WHM and go to Cpanel 6 > Upgrade To Latest Version.

    This will update Exim, Perl, Apache and Cpanel if updates are available - it will only update to the Cpanel release type you selected previously.

    To see if new updates are available go to http://layer2.cpanel.net
    EG: Latest Builds:
    Cpanel-6.4.0-STABLE_16-Linux-i686-glibc-2.1 (Tue Apr 15 12:34:00 2003)

    Read your WHM news page to see important release and news information!

    Cpanel and the kernel - use up2date
    Cpanel can update your system software - but won't upgrade your kernel for you, you have to do that with up2date
    Note: Don't upgrade Perl with up2date it will break your Cpanel Perl!

    Up2date information can be found here:
    http://forum.rackshack.net/showthre...ghlight=up2date
    Note: You need to use rhn_register before up2date will work!
    "You can use the RedHat Network for free by registering from your system (/usr/sbin/rhn_register) and running up2date from there. Then up2date -l will show the list of available updates"

    Tweak Settings:

    Anything not listed is up to you

    Things you want to enable:

    Webalizer Stats

    Awstats Stats (Very nice stats program - recommended.)

    Spamassassin

    Disk Space Usage Warnings

    The number of times users are allowed to check their mail using pop3 per hour: (60)

    The maximum each domain can send out per hour (0 is unlimited): (250) - This is SMTP only!

    Email users when they have reached 80% of their bandwidth



    Things you don't or shouldn't really enable:



    Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
    (This won't allow PHP scripts to send mail - EG formmail or anything else as they're sent using nobody)


    Keep log files at the end of the month (default is off as you can run out of disk space quickly)




    Backups

    Configure Backup under WHM:



    Backup Status: Enabled

    Backup Interval (Note: Selecting Daily Backup will give you monthly and weekly as well, Selecting Weekly backup will give you monthly as well.) Daily or weekly - up to you

    Days to run backup (self-explanatory)

    Remount/Unmount backup drive (requires a separate drive/coda/nfs mount) - Disabled

    Bail out if the backup drive cannot be mounted (recommended if you have selected the above option) - Enabled

    Incremental backup (only backup what has changed. (**No Compression**) - Disabled

    Backup Accounts - Enabled

    Backup Config Files (not needed to restore specific accounts) - Enabled

    Sql Databases (at least per account is needed to use the restore feature) - Per account

    Backup Raw Access Logs - Enabled

    Backup Destination (this should be a dir/nfs/coda mount with at least twice the space of all your /home* partitions. Setting this to /home is a VERY BAD IDEA.): - /backup
    (Note: you need a second hard drive and should have it set to /backup in your fstab file)




    Service Status
    System Health and running services - eg Apache, Exim etc.
    Green = Good | Yellow = Warning | Red = Trouble
    Clients can see the service status through their own Cpanel as well.

    Things to pay attention to:
    - Server Load 0.12 (1 cpu) - the lower the better!
    - Memory Used


    Firewall
    http://forum.rackshack.net/showthre...&threadid=20209
    I have setup APF by Gpan (How-To section) and it works great! The only thing is you need to add 2095 and 2096 to the common ports list because those are your webmail and secure web mail ports!

    Logs
    No one tells you where they are but it's very important to know.
    *Important!
    All users have their own separate log files - every domain has its own logs - eg: sitename.com




    Exim: - /var/log/exim_mainlog -/var/log/maillog -/var/log/exim_paniclog

    Apache: -Error Log: /usr/local/apache/logs/error_log (404 not found errors, etc)
    - Access Log: /usr/local/apache/logs/access_log
    - Site Logs: /usr/local/apache/domlogs/sitename.com

    Logins: /var/log/secure /var/log/logins_log

    Messages: /var/log/messages

    Cpanel: /usr/local/cpanel/logs/access_log



    Other things to know:
    Restart Cpanel
    /etc/rc.d/init.d/cpanel3 restart


    Cpanel Manual Backup & Update - if backup doesn't work through WHM.
    cd /scripts/ then do ./cpbackup
    cd /scripts then do ./upcp


    Apache Config Test in SSH: -test httpd.conf file for errors!
    /usr/local/apache/bin/apachectl configtest
    - config is located in /usr/local/apache/conf/httpd.conf


    Manual Stop - Start of services in SSH: (start | stop | restart)
    # service httpd
    # service exim
    # service proftpd
    # service named
    # service mysql

    That's all I can think of for now! Overall Cpanel is easy to use and has some nice automated features but a control panel can only do so much, you need to get your hands dirty sometimes!

    Cheers




    I originally found this - believe on Rackshack - guy named rampage or rampag? something like that --- anyway good stuff .
     
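    The backup-destination rule in the guide above (a separate mount with at least twice the space of all /home* partitions, and never /home itself) is easy to check mechanically instead of by eye. The following is an added example for this thread, not code from the guide or from cPanel: it parses `df -P` output and checks a candidate backup directory against both rules. The `df` samples, mount points and sizes are constructed.

```python
"""Check a WHM backup destination against the guide's two rules: it must not
sit on the /home filesystem, and its filesystem should offer at least twice
the space currently used by all /home* partitions.

Added example for this forum thread; not code from the guide or cPanel.
The `df -P` output below is a constructed sample.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Mount:
    device: str
    size_kb: int
    used_kb: int
    avail_kb: int
    mountpoint: str


def parse_df(text: str) -> List[Mount]:
    """Parse POSIX `df -P` output (header row, then one filesystem per line, 1K blocks)."""
    mounts = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        mounts.append(Mount(parts[0], int(parts[1]), int(parts[2]), int(parts[3]), parts[5]))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Mount:
    """Longest-prefix match: the filesystem a path actually lives on."""
    best = None
    for m in mounts:
        prefix = m.mountpoint.rstrip("/") + "/"
        if path == m.mountpoint or path.startswith(prefix):
            if best is None or len(m.mountpoint) > len(best.mountpoint):
                best = m
    if best is None:
        raise ValueError(f"no filesystem found for {path}")
    return best


def check_backup_destination(backup_dir: str, mounts: List[Mount]) -> Dict[str, object]:
    """Return {'ok': bool, 'problems': [...]} for the chosen backup directory."""
    problems: List[str] = []
    backup_fs = mount_for(backup_dir, mounts)
    home_fs = [m for m in mounts if m.mountpoint.startswith("/home")]
    if not home_fs:                        # /home is not its own filesystem: use whatever holds it
        home_fs = [mount_for("/home", mounts)]
    home_used = sum(m.used_kb for m in home_fs)
    # Rule 1: the backups must not share a filesystem with the data they protect.
    if any(m.mountpoint == backup_fs.mountpoint for m in home_fs):
        problems.append(f"{backup_dir} is on the {backup_fs.mountpoint} filesystem "
                        f"together with /home; a full disk or a wiped volume takes both")
    # Rule 2: at least twice the space currently used under /home*.
    if backup_fs.size_kb < 2 * home_used:
        problems.append(f"{backup_fs.mountpoint} is {backup_fs.size_kb} KB; the guide wants "
                        f"at least {2 * home_used} KB (2x current /home usage)")
    return {"ok": not problems, "problems": problems}


def live_check(backup_dir: str = "/backup") -> Dict[str, object]:
    """Run the check against this machine's real `df -P` output."""
    out = subprocess.run(["df", "-P"], capture_output=True, text=True, check=True).stdout
    return check_backup_destination(backup_dir, parse_df(out))


# Constructed sample: a second disk mounted at /backup, as the guide recommends.
SAMPLE_DF = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         10321208  4123456   5673400      43% /
/dev/sda3         61927420 38765432  20016400      66% /home
/dev/sdb1        123456780 10485760 106698240       9% /backup
"""
# Same box, but the backup disk is too small for the data it has to hold.
SAMPLE_DF_SMALL_DISK = SAMPLE_DF.replace("123456780 10485760 106698240       9%",
                                          " 20971520  1048576  19922944       5%")

if __name__ == "__main__":
    for candidate in ("/backup", "/home/backup"):
        print(candidate, check_backup_destination(candidate, parse_df(SAMPLE_DF)))
```

    Because the guide's figure is "twice the space of /home", the check compares the backup filesystem's total size with current usage; with daily, weekly and monthly sets all retained, a destination that only just clears that bar will still fill up, so treat the rule as a floor.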
  19. gorilla

    gorilla Well-Known Member

  20. hostmedic

    hostmedic Well-Known Member

    awesome

    I wondered where his site was

    thanks
     