Hmmm... server seems to be hacked.
I have a CentOS 6.5 box which runs cPanel and it appears to be hacked...
It's running bash 4.1.2
I can't log in via ssh as root anymore even with the correct PW
I can't su to root when I ssh in as a different account I created as a safeguard
iptraf showed some SSH logins initially but they are gone now after I started trying to lock things down.
Any help would be appreciated. I'm guessing it's likely time to back up, wipe and reload since I only had one site on this box... is there an easy way to do this with cPanel?
M
I got in via a console root session I left open (thank jesus, even though you're never supposed to do this) and used sudo via ssh to export the data via:

for x in `ls /var/cpanel/users` ; do /scripts/pkgacct $x ; done

I am reloading from scratch into a CentOS 7 box, but can I import this info after? How do I export the actual WHM config?
I would personally advise you hire a competent server administrator to look into this for you. It's not possible for anybody to remotely confirm or deny your server has been hacked based upon what little information you've provided.
> I would personally advise you hire a competent server administrator to look into this for you. It's not possible for anybody to remotely confirm or deny your server has been hacked based upon what little information you've provided.

I am actually a qualified server administrator. I have nailed down the source IPs but not yet the method of intrusion. I was using the cPanel-CentOS-6.4-x86_64.iso so this may affect many more people than me, in light of the bash vulnerabilities.
M
Do you have console access or KVM access?
I should have been more specific - I thought it but did not say it - but you should hire a server administrator that is familiar with intrusions/security/investigating intrusions. I know Steven from Rack911 is good at this sort of thing. Sorry for not being specific enough. I wasn't intending to criticize you.
Hello :) Yes, it's difficult to determine if/how your system was exploited because often times an attacker will cover their tracks. It's often a good idea to consult with a security specialist to help determine the cause/source. Thank you.