passwords have all changed.

Comments

7 comments

  • Spork Schivago
    I'm renting a VPS from Linode, and I can use Lish to log in as root and the other user, using the old passwords, but when I ssh into my server using PuTTY and try su'ing, invalid password. What was odd was that I was able to reboot the server in PuTTY using the non-superuser username. It just wanted the password of the non-superuser. This is what it said:
    [spork@franklin ~]$ reboot
    ==== AUTHENTICATING FOR org.freedesktop.login1.reboot ===
    Authentication is required for rebooting the system.
    Authenticating as: spork
    Password:
    ==== AUTHENTICATION COMPLETE ===
    Where did org.freedesktop.login1.reboot come from?? I don't have X or anything like that installed on the server. Something odd is going on here.... I noticed in the logs a LOT of connection attempts, on various ports, like someone was running a port scanner, but the IP address was changing every time. Not by one or two numbers either, like someone had a BOT network or something and was using it to try and get in. I didn't think there was much I could do to prevent that. I have CSF, ModSec, etc. installed. Any thoughts? I logged in as root via Lish, which I was able to do with the old password. I typed passwd to change the root password. Went back to PuTTY and tried su'ing to root, invalid password still. Something weird is going on.
  • Spork Schivago
    I logged in via Lish as root, then rebooted the server as root. Now the passwords seem to work. I wonder what happened that broke it? I've never seen su not work properly before. Wonder if I should worry if someone got in or not.... In WHM, when I couldn't log in (and even now, when I can), I click on Reset password. It wants my e-mail address. It shows a hint: Hint: d"y@y"o.com I believe the @y--o.com is @yahoo.com. I do NOT have an e-mail address that starts with a d and ends with a y, especially at yahoo.com. Where is this hint stored, so I can see who the e-mail address belongs to? I checked in WHM >> List Accounts and cPanel >> Contact Info, and my gmail account is listed under both. Not sure where this d--y@y--o.com is coming from.... There's also a csf user (with a password). Not sure if that's normal or not. I'm having a real hard time remembering stuff. My mind seems to be broken and I'm having a hard time concentrating.
  • Infopro
    My mind seems to be broken and I'm having a hard time concentrating.

    No worse time to be working on your server...
  • Spork Schivago
    No worse time to be working on your server...

    You're definitely right there, but if it's been hacked, time is of the essence, isn't it? I think what happened was software got updated and there were outdated binaries still running. I figured this by looking at the lfd.log file. Rebooting as being logged in as root from the "Lish" console seemed to have fixed this. Tomorrow, if I'm feeling better, I'll install and configure some rootkit detection software to see if anything shows up.
  • Infopro
    if it's been hacked, time is of the essence, isn't it?

    That's the very moment when you wish you had been a bit more rested. Backups are your best friends. They can give comfort in times of stress like this. Take good care of your backups and the rest is just steps to get back to normal, no matter what is going wrong. Keep calm and carry on.
  • Spork Schivago
    That's the very moment when you wish you had been a bit more rested. Backups are your best friends. They can give comfort in times of stress like this. Take good care of your backups and the rest is just steps to get back to normal, no matter what is going wrong. Keep calm and carry on.

    Thank you. Have you ever seen anything like this before? I'm running CentOS 7. I see I have /bin/su and /usr/bin/su. /bin is a symbolic link that points to /usr/bin. ldd shows su was linked against libpam. Is it possible that PAM got updated (the library or something) and my system just needed restarting, and that broke authentication? What was odd was I couldn't su when logged in with PuTTY, but when logging in with Lish, I could su and change passwords just fine. With cPanel, I couldn't log into WHM, webmail, or cPanel. Authentications all failed. Lish is some program, I believe written by Linode, which is supposed to give me "console" access. It's kinda neat. When I'm logged in via Lish, I see messages on the console about connection attempts. They come every few seconds, but always a different port, different source IP address. I think someone is trying to use a distributed type attack, to maybe port scan my server, looking for ways in. I don't really know how to protect against something like that. I quickly read something about mod_evasive (an Apache module) and how it can help protect against DDoS and DoS attacks, but that's just for Apache, not the system. It'd be hard, I think, to block against something like this. Even if I set up CSF to block every IP that attempts to connect to a closed port, each time they try connecting, the source IP address changes. I do see the different IPs are attempting to connect to the same ports sometimes, like port 1433 (TCP), port 22 (TCP), etc. This is what netstat shows:
    [root@franklin ~]# netstat -tuplen
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          196413     10854/exim
    tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      0          196749     10900/dovecot
    tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      0          196791     10900/dovecot
    tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      0          140926     31352/spamd-dormant
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          11083      1/init
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          199879     545/httpd
    tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          196411     10854/exim
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          19635      4389/pdns_server
    tcp        0      0 0.0.0.0:5784            0.0.0.0:*               LISTEN      0          15957      3663/sshd
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          196415     10854/exim
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          199881     545/httpd
    tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      0          196793     10900/dovecot
    tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      0          196751     10900/dovecot
    tcp        0      0 127.0.0.1:579           0.0.0.0:*               LISTEN      0          18593      4244/cPhulkd - proc
    tcp6       0      0 ::1:3306                :::*                    LISTEN      993        19471      3939/mysqld
    tcp6       0      0 :::587                  :::*                    LISTEN      0          196412     10854/exim
    tcp6       0      0 :::110                  :::*                    LISTEN      0          196750     10900/dovecot
    tcp6       0      0 :::2095                 :::*                    LISTEN      0          198320     10962/cpsrvd (SSL)
    tcp6       0      0 :::143                  :::*                    LISTEN      0          196792     10900/dovecot
    tcp6       0      0 ::1:783                 :::*                    LISTEN      0          140925     31352/spamd-dormant
    tcp6       0      0 :::111                  :::*                    LISTEN      0          11082      1/init
    tcp6       0      0 :::2096                 :::*                    LISTEN      0          198326     10962/cpsrvd (SSL)
    tcp6       0      0 127.0.0.1:7984          :::*                    LISTEN      987        19392      4999/java
    tcp6       0      0 :::80                   :::*                    LISTEN      0          199880     545/httpd
    tcp6       0      0 :::465                  :::*                    LISTEN      0          196410     10854/exim
    tcp6       0      0 :::53                   :::*                    LISTEN      0          19636      4389/pdns_server
    tcp6       0      0 :::8887                 :::*                    LISTEN      0          128131     28331/lfd HTTPS mes
    tcp6       0      0 :::8888                 :::*                    LISTEN      0          128115     28332/lfd HTML mess
    tcp6       0      0 127.0.0.1:8984          :::*                    LISTEN      987        20543      4999/java
    tcp6       0      0 :::5784                 :::*                    LISTEN      0          15966      3663/sshd
    tcp6       0      0 :::25                   :::*                    LISTEN      0          196414     10854/exim
    tcp6       0      0 :::8889                 :::*                    LISTEN      0          127253     28333/lfd TEXT mess
    tcp6       0      0 :::443                  :::*                    LISTEN      0          199882     545/httpd
    tcp6       0      0 :::2077                 :::*                    LISTEN      0          18074      4180/cpdavd - accep
    tcp6       0      0 :::2078                 :::*                    LISTEN      0          18076      4180/cpdavd - accep
    tcp6       0      0 :::2079                 :::*                    LISTEN      0          18078      4180/cpdavd - accep
    tcp6       0      0 :::2080                 :::*                    LISTEN      0          18080      4180/cpdavd - accep
    tcp6       0      0 :::993                  :::*                    LISTEN      0          196794     10900/dovecot
    tcp6       0      0 :::2082                 :::*                    LISTEN      0          198316     10962/cpsrvd (SSL)
    tcp6       0      0 :::2083                 :::*                    LISTEN      0          198322     10962/cpsrvd (SSL)
    tcp6       0      0 :::995                  :::*                    LISTEN      0          196752     10900/dovecot
    tcp6       0      0 :::2086                 :::*                    LISTEN      0          198318     10962/cpsrvd (SSL)
    tcp6       0      0 :::2087                 :::*                    LISTEN      0          198324     10962/cpsrvd (SSL)
    udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          19633      4389/pdns_server
    udp        0      0 127.0.0.1:323           0.0.0.0:*                           997        12529      3216/chronyd
    udp        0      0 0.0.0.0:10583           0.0.0.0:*                           25         18785      4389/pdns_server
    udp6       0      0 :::11847                :::*                                25         18786      4389/pdns_server
    udp6       0      0 :::53                   :::*                                0          19634      4389/pdns_server
    udp6       0      0 ::1:323                 :::*                                997        12530      3216/chronyd
    To you guys, does that look correct? What I mean by that is, do you see any programs that are accepting connections from the outside world that shouldn't be? I have MariaDB set up to listen and accept connections only on the local loopback. Chrony is an NTP client / server, I believe. I don't ever remember installing that. If cPanel doesn't require it, I'm going to uninstall it and install OpenNTPD instead. I think cPhulkd is supposed to be disabled, I remember reading something about that in CSF, I think. I'll double check. I'll install nmap and run that real quick, just to see if it sees anything.
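The question the post above asks ("which programs accept connections from the outside world?") comes down to the bind address in the Local Address column. The following is an added example, not code from the thread, cPanel or CSF: a small parser for `netstat -tuplen` output that separates listeners bound to all interfaces (0.0.0.0 / ::) from loopback-only ones (127.0.0.1 / ::1). The sample input is a constructed excerpt of the netstat listing in the post.

```python
# Added example (not from the thread): classify `netstat -tuplen` listeners
# by bind address so externally reachable services stand out from
# loopback-only ones. SAMPLE is a constructed excerpt of the posted output.

SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp   0 0 0.0.0.0:5784   0.0.0.0:* LISTEN 0   15957  3663/sshd
tcp   0 0 127.0.0.1:579  0.0.0.0:* LISTEN 0   18593  4244/cPhulkd - proc
tcp6  0 0 ::1:3306       :::*      LISTEN 993 19471  3939/mysqld
tcp6  0 0 :::2087        :::*      LISTEN 0   198324 10962/cpsrvd (SSL)
tcp6  0 0 127.0.0.1:7984 :::*      LISTEN 987 19392  4999/java
udp   0 0 127.0.0.1:323  0.0.0.0:* 997 12529 3216/chronyd
udp   0 0 0.0.0.0:10583  0.0.0.0:* 25  18785 4389/pdns_server
"""

LOOPBACK = {"127.0.0.1", "::1"}   # reachable only from the host itself
ANY = {"0.0.0.0", "::"}           # reachable on every interface


def parse_listeners(text):
    """Return (proto, bind_addr, port, user, program) for each socket line.

    UDP rows have no State column, so the User column index depends on the
    protocol. The program name may contain spaces ('cPhulkd - proc'), so it
    is everything after the Inode column, joined back together.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                       # header / blank lines
        proto, local = parts[0], parts[3]
        addr, port = local.rsplit(":", 1)  # works for ':::2087' and '::1:3306'
        user_idx = 6 if proto.startswith("tcp") else 5
        program = " ".join(parts[user_idx + 2:])
        listeners.append((proto, addr, int(port), parts[user_idx], program))
    return listeners


def report(text):
    """Split listeners into those exposed on all interfaces and loopback-only."""
    rows = parse_listeners(text)
    return {
        "exposed": sorted({(p, port, prog) for p, a, port, _u, prog in rows if a in ANY}),
        "local": sorted({(p, port, prog) for p, a, port, _u, prog in rows if a in LOOPBACK}),
    }


if __name__ == "__main__":
    for kind, rows in report(SAMPLE).items():
        print(kind, *rows, sep="\n  ")
```

A listener in the "exposed" set is only reachable from the Internet if the firewall (CSF here) also allows the port, so the list is the starting point for comparing against the intended CSF allow list, not a verdict on its own.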
  • Spork Schivago
    I see in /usr/local/cpanel/logs/cphulkd.log, cPhulkd blocked me the other day for a couple of hours. I checked /var/log/secure and see cphulkd was preventing me from su'ing and blocking me from webmail because of too many failed login attempts from my home IP address. I don't like how cPhulkd is temporarily blocking bad people's IP addresses that are trying to guess passwords for e-mail and stuff. I want CSF to block them, permanently. I'm going to see if cPhulkd is supposed to be enabled when CSF is installed. Anyway, I think I figured out what happened and now know why I couldn't log in. Thanks!