Fix Server After Compromise?
Hello,
Recently our server has been compromised. How can I check for the hacker's backdoor, backconnect, etc.?
I regularly scan the server using ClamAV provided by the cPanel plugin, and it has found nothing suspicious such as virus or PHP backdoor files. I have blocked ports 2087 and 22 for everything except intranet access, so if I want to log in as root from outside the intranet I have to use a VPN. I have enabled ModSecurity Tools (OWASP) and cPHulk too. But hackers keep coming.
Lastly, I checked /etc/passwd and found the suspicious items shown below.
mailman:x:498:497:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:496:495:MySQL server:/var/lib/mysql:/bin/bash
Is it correct that the mailman and mysql users have a shell instead of nologin/noshell?
I hope somebody can give me a suggestion on what I have to do.
Hi, I would suggest you scan your server using maldet to begin with. There are certain other tools that are helpful for scanning, including CXS from ConfigServer. You can use it to scan your complete server and get the information you want on backdoors.
Hello,
The following document is a good place to start: Why can't I clean a hacked machine - cPanel Knowledge Base - cPanel Documentation
Additionally, I recommend consulting with a system administrator if you'd like help attempting to determine the source of the attack: System Administration Services | cPanel Forums
"Is it correct if mailman and mysql user have shell instead of nologin/noshell?"
Yes, this is normal. Thank you.
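As an added example (not code from the thread or from cPanel), the following script audits /etc/passwd lines the way the reply suggests reading them: system accounts with a real shell are flagged for review, with mailman and mysql treated as expected on cPanel, while any second UID 0 account or malformed entry is raised as an alert. The sample input is constructed from the excerpt in the post plus root and one invented UID 0 entry to show the alert path; the expected-account list is an assumption.

```python
# Added example: audit /etc/passwd for entries worth a second look after a
# suspected compromise. Findings are (user, severity, reason) tuples.

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Assumption: cPanel service accounts that normally ship with /bin/bash.
EXPECTED_SHELL_ACCOUNTS = {"mailman", "mysql"}

# Constructed sample: lines from the post, plus root and an invented
# "backup2" entry with UID 0 to demonstrate the alert.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mailman:x:498:497:GNU Mailing List Manager:/usr/local/cpanel/3rdparty/mailman:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:497:496:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:496:495:MySQL server:/var/lib/mysql:/bin/bash
backup2:x:0:0:constructed example:/tmp:/bin/bash
"""


def audit_passwd(text, expected_shell_accounts=EXPECTED_SHELL_ACCOUNTS):
    """Return a list of (user, severity, reason) findings for passwd text."""
    findings = []
    seen_uids = {}  # uid -> first user seen with that uid
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((f"line {lineno}", "alert", "malformed passwd entry"))
            continue
        user, _, uid, _, _, _, shell = fields
        uid = int(uid)
        if uid == 0 and user != "root":
            findings.append((user, "alert", "extra UID 0 account (root-equivalent)"))
        elif uid in seen_uids:
            findings.append((user, "review", f"shares UID {uid} with {seen_uids[uid]}"))
        seen_uids.setdefault(uid, user)
        # System accounts (UID < 1000) normally have no interactive shell.
        if uid != 0 and uid < 1000 and shell not in NOLOGIN_SHELLS:
            if user in expected_shell_accounts:
                findings.append((user, "info", f"shell {shell} is expected on cPanel"))
            else:
                findings.append((user, "review", f"system account with shell {shell}"))
    return findings


if __name__ == "__main__":
    for user, severity, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{severity:6} {user}: {reason}")
```

Run it against a copy of the real /etc/passwd and compare the "review" entries with the accounts you know you created; anything else deserves the full investigation the linked article describes.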