
Server Compromised Issue

Comments

21 comments

  • LostNerd
    What version of cPanel do you use? Are you staying up to date with cPanel security updates? Does anyone else know your password? There are a lot of things you can do to protect your server. These questions are only 3 of the hundreds that could be asked.
    0
  • cPanelMichael
    Hello, You could start by using the "Security Advisor" option in Web Host Manager. This will complete a basic check of your server to ensure some of the more common vulnerabilities are addressed. However, you likely should consult with a qualified system administrator to help determine the source of the exploit if you are not comfortable doing this on your own. If your server was rooted, then nothing short of backing up your accounts to a remote destination and reinstalling the OS/cPanel will address the issue. Thank you.
    0
  • xtronica
    I'm using the latest version of the panel. Installation of the OS and WHM was done this morning. I changed IP and server, installed everything again, and after two hours I was hacked! Nobody knows the root pass, and even this was changed today! On the old server the hacker created an account and put the note DON'T DELETE. I don't know what to do... I'm installing again on a new server and new IP. What can I do so that this doesn't happen again? Please help!
    0
  • xtronica
    News that my server sent at the last moment:
    -------------------------------
    Service: whostmgrd
    Local IP Address: My server......IP
    Local Port: 2087
    Remote IP Address: 114.121.xxx.xxx
    Remote Port: 49661
    Authentication Database: system
    Username: root
    -----------------------------
    0
  • LostNerd
    Are you installing any plugins that may not be "reputable" on your server? **EDIT** I ran a geolocate on the IP mentioned above. It appears to belong to the ISP, telkomsel.com/. You could always submit an abuse report to them and of course the authorities.
    0
  • xtronica
    No, buddy! On my server I only have 10 websites for personal use, and one is a forum. I have only installed the software recommended by WHM. I think the hacker simply doesn't like my name! The only thing I have is a site selling a script for IPTV, seeing 3 to 4 systems per day! But this content is not on the server, only the online shop; the product is then sent zipped by mail. Don't get even!
    0
  • xtronica
    Yes I will do that! But now as I'm installing again. What is the best tip to protect me? How can I turn off all access via ssh to the server for a few days and then reactivate?
    0
  • Infopro
    Your best bet would be to hire a security expert to sort this out for you. cPanel cannot assist you with a compromised server. You mention you just reloaded the server, and also that you have 10 websites including at least one forum. I think I might be inclined to reload that server again from the top, and not restore any of the 10 accounts or forums until I've had a chance to lock down the server 100% security wise, and had a closer look at those 10 accounts for out of date scripts like a forum for example. Servers are not compromised by magic. With this much trouble, I think we could assume you've probably got something out of date - scripts wise, or, not enough security on that server. Whatever the case, waiting for a reply on these forums to fix things is a waste of your time. You need to hire a professional to assist you with this. You might start by contacting your Hosting Provider and ask them for suggestions.
    0
  • Infopro
    Yes I will do that! But now as I'm installing again. What is the best tip to protect me? How can I turn off all access via ssh to the server for a few days and then reactivate?

    This thread may be useful: [Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)
    0
  • LostNerd
    Yes I will do that! But now as I'm installing again. What is the best tip to protect me? How can I turn off all access via ssh to the server for a few days and then reactivate?

    In regard to securing SSH, you can issue yourself an SSH key and disable password authentication. You can also edit /etc/ssh/sshd_config and change
    #Port 22
    to
    Port PORTNUMBER
    This of course is not a definitive answer and, as @Infopro said, you're best hiring a security expert, as it appears you are probably being personally targeted with not enough security in place.
    0
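    A small audit of the two sshd_config changes LostNerd describes (key-only logins, non-default port), as an added example rather than anything posted in the thread; the sample configs are constructed and the baseline defaults are an assumption about OpenSSH.

```python
"""Audit an sshd_config text for the hardening LostNerd describes: key-only
logins and a non-default port. Added example, not code from the thread; the
sample configs are constructed and the baseline settings are an assumption."""
import re

# sshd's built-in defaults for the directives checked (assumption: OpenSSH 7.x+).
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "prohibit-password"}
# What a hardened config should say (PermitRootLogin is a common companion
# setting that the thread does not mention).
WANTED = {"passwordauthentication": "no", "pubkeyauthentication": "yes",
          "permitrootlogin": "no"}
DIRECTIVE = re.compile(r"^(\S+)\s*=?\s*(.*?)\s*$")

def parse_sshd_config(text):
    """Return {keyword: value} for active directives. Commented lines such as
    '#Port 22' only document the default and are skipped; like sshd, the
    first occurrence of a repeated keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in WANTED.items():
        got = s.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append(f"{key} is {got}, expected {want}")
    if s.get("port", DEFAULTS["port"]) == "22":
        findings.append("port is 22 (default); set 'Port PORTNUMBER'")
    return findings

# Constructed samples: the stock layout with passwords on, and a hardened one.
WEAK = "#Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED = ("Port 2222\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nPermitRootLogin no\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```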
  • xtronica
    Your best bet would be to hire a security expert to sort this out for you. cPanel cannot assist you with a compromised server. You mention you just reloaded the server, and also that you have 10 websites including at least one forum. I think I might be inclined to reload that server again from the top, and not restore any of the 10 accounts or forums until I've had a chance to lock down the server 100% security wise, and had a closer look at those 10 accounts for out of date scripts like a forum for example. Servers are not compromised by magic. With this much trouble, I think we could assume you've probably got something out of date - scripts wise, or, not enough security on that server. Whatever the case, waiting for a reply on these forums to fix things is a waste of your time. You need to hire a professional to assist you with this. You might start by contacting your Hosting Provider and ask them for suggestions.

    Yes, I am not an expert, so I don't use the server for resale or professional service! But I'm sure the "gateway" is some error or bug in WHM. For about 15 years I used CentOS and a free management panel with the same websites and products that I have now, and I've never been hacked! A year ago I bought the WHM license and migrated my services to the panel. It's easier to run and manage everything; however, not one month passes without attempts to enter my server, or even being hacked. Are the services changing with the times and I'm getting old? Or do I have to go back to ancient times and the free panel and do everything there by hand? There is ..... and this morning I did not restore the ancient sites with old scripts; I installed everything again and only recovered the databases, and all of them were verified. There is one more thing ... all the IPs that were detected trying to enter the system without authorization were added to the blacklist! So for me the bug is in WHM and this hacker found the door!
    0
  • niceboy
    * login only thru ssh keys
    * install a firewall like csf (and run a security check)
    * disable unwanted php functions in php.ini
    * keep all your scripts/themes/plugins updated
    0
  • cPanelMichael
    So for me the bug is in whm and this hacker found the door!

    Hello, This is highly unlikely. To clarify, are you using a hard to guess password with multiple characters/symbols? Is it a new password with the new installation of your OS and cPanel? Does the hack occur after installing cPanel/WHM or only after you have restored accounts from backup? Thank you.
    0
  • xtronica
    Yes, I'm using a hard password: characters, uppercase and lowercase. The hack happened an hour after installing WHM. Only 2 accounts had been restored yet! New scripts; only the DB was restored. And by the logins the hacker entered port 2087 as root. He is a magician, or the more complex the password, the easier ...
    0
  • xtronica
    Dear friends ... I need a magician! I installed WHM just 5 minutes ago; I haven't even finished the basic settings. And I got this message in my mail!
    -----------------------------------------------------
    IP reached maximum auth failures
    Number of authentication failures: 5
    Maximum allowed authentication failures: 5
    Last authentication request
    ===========================
    Service: sshd
    Remote IP Address: 221.229.xxx.xx
    Authentication Database: system
    Username: root
    Origin Country: China (CN)
    Please use the following links to add to the black list:
    Single IP: https://host.domain.info:2087/scripts7/cphulk/blacklist?ip=221.229.xxx.xx
    /24: https://host.domain.info:2087/scripts7/cphulk/blacklist?ip=221.229.166.0/24
    /16: https://host.domain.info:2087/scripts7/cphulk/blacklist?ip=221.229.0.0/16
    Please use the following links to add to the white list:
    Single IP: https://host.domain.info:2087/scripts7/cphulk/whitelist?ip=221.229.xxx.x
    /24: https://host.domain.info:2087/scripts7/cphulk/whitelist?ip=221.229.166.0/24
    /16: https://host.domain.info:2087/scripts7/cphulk/whitelist?ip=221.229.0.0/16
    -----------------------------------------------------------------------------------------------------
    What to do? :mad::mad:
    0
  • cPanelMichael
    Hello, The message in your last response does not indicate your server was accessed. It indicates a brute force "attempt", meaning an attempt to guess the root password was made by the IP address indicated in the message. You can use the URL in the message to blacklist the IP address, but you may also want to block that IP in your firewall. Thank you.
    0
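    When these cPHulk mails arrive every few minutes, as xtronica describes below, triaging them one URL at a time stops scaling; the following added example (not code from the thread or from cPanel) parses notices in the layout quoted above and groups the sources by /16 so a repeat range can be blocked in the firewall as one entry. The three notices it processes are constructed.

```python
"""Triage cPHulk 'maximum auth failures' notifications in bulk: parse the
fields, count attempts per service and account, and group sources by /16 so
repeat ranges stand out. Added example, not code from the thread; the three
notifications below are constructed in the format xtronica pasted."""
import ipaddress
from collections import Counter

def parse_notice(text):
    """Return the 'Key: value' fields of a failed-auth notice, or None for any
    other cPHulk mail (a login notice, for example, is not an attempt count)."""
    if "IP reached maximum auth failures" not in text:
        return None
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and "://" not in value:  # skip the blacklist/whitelist URL lines
            fields[key.strip()] = value.strip()
    return fields

def aggregate(notices, prefix=16):
    """Return (attempts per (service, username), attempts per source /prefix)."""
    per_target, per_range = Counter(), Counter()
    for text in notices:
        n = parse_notice(text)
        if n is None:
            continue
        per_target[(n["Service"], n["Username"])] += 1
        net = ipaddress.ip_network(f'{n["Remote IP Address"]}/{prefix}', strict=False)
        per_range[str(net)] += 1
    return per_target, per_range

def repeat_ranges(notices, min_hits=2, prefix=16):
    """Source ranges seen at least min_hits times: candidates for a range block."""
    _, per_range = aggregate(notices, prefix)
    return sorted(r for r, c in per_range.items() if c >= min_hits)

def make_notice(service, ip, country, failures=5):
    """Build a constructed notice in the layout of the mail quoted in the thread."""
    return (f"IP reached maximum auth failures\n"
            f"Number of authentication failures: {failures}\n"
            f"Maximum allowed authentication failures: 5\n"
            f"Last authentication request\n===========================\n"
            f"Service: {service}\nRemote IP Address: {ip}\n"
            f"Authentication Database: system\nUsername: root\n"
            f"Origin Country: {country}\n")

NOTICES = [make_notice("sshd", "221.229.166.1", "China (CN)"),       # constructed
           make_notice("sshd", "221.229.170.9", "China (CN)"),       # constructed
           make_notice("whostmgrd", "203.0.113.5", "Example (XX)")]  # constructed
```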
  • xtronica
    Yes, I know that! But this IP is already in the blacklist, and every five minutes I get a message with a different IP. Last week I received about 2000 thousand in one day! So there's no security that holds! I don't know what else to do with this problem! As all attempts, or almost all, are for sshd, can this service be blocked? Or restricted?
    0
  • cPanelMichael
    As all attempts, or almost all, are for sshd, can this service be blocked? Or restricted?

    Yes, please see the thread that InfoPro referenced earlier:
    0
  • xtronica
    Now the blacklist doesn't work!
    0
  • cPanelMichael
    Hello, You can try repairing the tables via the following commands:
    cd /var/lib/mysql/cphulkd/
    myisamchk -r *.MYI
    Thank you.
    0
  • keat63
    For starters, do you have CSF installed? Also, do you have a static or dynamic IP address? Add your IP (or range of IPs) to Host Access Control, and deny everything else, like this:
    ALL xxx.xxx.xxx.xxx (your IP) allow
    ALL ALL deny
    Make sure the deny rule is the very last entry. If you have dynamic IPs then the allow would be slightly different. Let's assume your IP ranges are 123.44.xxx.xxx, 123.45.xxx.xxx and 123.88.xxx.xxx. You'd need to add three entries (or more):
    ALL 123.44.0.0/255.255.0.0 allow
    ALL 123.45.0.0/255.255.0.0 allow
    ALL 123.88.0.0/255.255.0.0 allow
    ALL ALL deny
    This is by no means entirely foolproof, but will narrow the allowed IPs down to a smaller group.
    0
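    Host Access Control matches top to bottom and stops at the first hit, which is why keat63 insists the deny rule goes last. The following added example (not code from the thread or from cPanel) evaluates a rule set of that shape against a client address and lints the ordering; the rules and client IPs are constructed.

```python
"""Evaluate Host Access Control rules of the shape keat63 shows. Matching
is first-hit, so 'ALL ALL deny' must be the last line. Added example, not
code from the thread; the rule set and client addresses are constructed."""
import ipaddress

def parse_rules(text):
    """Parse 'SERVICE CLIENT ACTION' lines into (service, network|None, action).
    CLIENT may be ALL, a single IP, or net/mask in dotted or CIDR form."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        service, client, action = parts
        net = None if client == "ALL" else ipaddress.ip_network(client, strict=False)
        rules.append((service.upper(), net, action.lower()))
    return rules

def decide(rules, service, addr):
    """Return the action of the first rule matching service and client.
    No match falls through to 'allow' (TCP-wrappers semantics)."""
    ip = ipaddress.ip_address(addr)
    for svc, net, action in rules:
        if svc in ("ALL", service.upper()) and (net is None or ip in net):
            return action
    return "allow"

def lint(rules):
    """Flag the two mistakes the post warns about: no catch-all deny, or a
    catch-all deny that is not last (everything after it is unreachable)."""
    problems = []
    catch_all = [i for i, (s, n, a) in enumerate(rules)
                 if s == "ALL" and n is None and a == "deny"]
    if not catch_all:
        problems.append("no final 'ALL ALL deny' rule; unknown clients are allowed")
    elif catch_all[0] != len(rules) - 1:
        problems.append(f"'ALL ALL deny' at rule {catch_all[0]} is not last; "
                        f"{len(rules) - 1 - catch_all[0]} later rule(s) never match")
    return problems

# Constructed: the three admin ranges from the post, everything else denied.
RULES = """ALL 123.44.0.0/255.255.0.0 allow
ALL 123.45.0.0/255.255.0.0 allow
ALL 123.88.0.0/255.255.0.0 allow
ALL ALL deny
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    print(lint(rules) or "rule order OK")
    for client in ("123.45.7.7", "114.121.1.1"):
        print(client, decide(rules, "sshd", client))
```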
