Vakencorner

Re: Vaken is open again

All errors can be posted in this thread. I will work through them over time.

Posted on: 2006/12/18 23:33

Administrator and founder of vaken.se

Re: Vaken is open again

"Latest posts" doesn't work; I get a message saying something like "you are not authorized......"

Posted on: 2006/12/18 23:46

Re: Vaken is open again

ok

Posted on: 2006/12/18 23:53

Administrator and founder of vaken.se

Re: Vaken is open again

The IPs that wopsa managed to trace go to Africa and the Middle East.
The backups were sent via FTP to another server every Friday. How the hacker managed to get into that server and delete the backups is very puzzling. It may be an inside job; you can't trust ThePlanet. In the future we will have to have mirrored servers on different continents.

Posted on: 2006/12/19 0:20

Administrator and founder of vaken.se
Anonymous

Re: Vaken is open again

Things are a bit broken here... when I click "latest posts", "latest links" comes up instead.
Take care...

Re: Vaken is open again

Quote:
same here

Posted on: 2006/12/19 0:58

Re: Vaken is open again

My email and location are not shown in my profile even though I have ticked that they may be shown.

Posted on: 2006/12/19 1:03

Re: Vaken is open again

Quote:
"latest posts" doesn't work when you are logged in; you get latest links instead

Posted on: 2006/12/19 5:15

Re: Vaken is open again

This is what wopsa's admin wrote on cpanel.net.
Note that this was already on December 15th.

#1 12-15-2006, 01:40 PM, jeroman8 (Registered User, Join Date: Mar 2003, Posts: 324)

HELP! Hacker deleted accounts + reseller priv root

Hello! Today 14 accounts on one server were deleted. After checking this I found that it was a reseller account deleting them. This reseller account had root privileges. The reseller account was set up by the "hacker". It is not one of our clients so we have not installed this account. After going over our servers I found one more account on another server and the password it had was: hackedhost010. I restored the deleted accounts and suspended the "hacker account". I changed the root password and forced a cpanel upgrade. chkrootkit and rkhunter report nothing. What else should I do? What has happened - how?? Anyone, please give your thoughts on what I should do next!!

Logs/info:

```
root@gais [~]# grep arabserv /var/log/*
/var/log/secure:Dec 15 14:59:14 gais groupadd[23494]: new group: name=arabserv, gid=32283
/var/log/secure:Dec 15 14:59:14 gais useradd[23496]: new user: name=arabserv, uid=32282, gid=32283, home=/home/arabserv, shell=/bin/bash
/var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30620]: Pushing "32282 RESELLERSUSERS arabserv " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32282
/var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30622]: Pushing "32282 GETDOMAINIP arabservers.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32282
/var/log/exim_mainlog:2006-12-15 14:59:21 1GvDar-00068i-B7 <= root@zzzhostzz.com U=root P=local S=717 T="New account on zzzhostzz.com (arabservers.com)" from <root@gais.wopsa11.com> for hoss@zzzhostzz
/var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: loaded serial 2006121501
/var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: sending notifies (serial 2006121501)
/var/log/messages:Dec 15 14:59:18 gais named[1976]: received notify for zone 'arabservers.com'
```

Mail new account:

```
+===================================+
|         New Account Info          |
+===================================+
| Domain: serv2arab.com
| Ip: dd.dd.dd.dd (n)
| HasCgi: y
| UserName: serv2ara
| PassWord: 151213
| CpanelMod: x
| HomeRoot: /home
| Quota: 0 Meg
| NameServer: ns1.xxzzxx.com
| Contact Email:
+===================================+
Account was setup by: root (root)
```

#2 12-15-2006, 03:34 PM, ramprage (Registered User, Join Date: Jul 2002, Location: Canada, Posts: 427)

I'd hire someone to review your machine. If the attacker had root they could have placed some hidden backdoors and other nasties on your box, not to mention grabbed your shadow file and be cracking it right now for every account on the system...

#3 12-15-2006, 07:42 PM, jeroman8 (Registered User, Join Date: Mar 2003, Posts: 324)

God.. I actually contacted you on your page with the contact form but I did not write a phone number so it complained, and when I pressed the back button the message was gone - it was a long, good message!! Anyway - I'll do it again soon! I just ran chkrootkit again and rkhunter, checked common places manually as well, nothing found. I really think they actually got hold of my server password! Somehow!? - maybe when I logged in on 2086, but how do they sniff that if there's no script on the server.... So I believe they logged in to WHM and created the accounts. Too bad there are no logs for this - cpanel logs are just recent hours it seems and there is nothing in messages or secure - just root from my IP.

#4 12-15-2006, 07:48 PM, GCIS (Registered User, Join Date: Dec 2006, Posts: 12)

The machine should be considered compromised, and should not be used. Back up all user files and settings, and perform a fresh install on the box. After the format, you'll need to re-load files, accounts, and settings by hand, to verify that no malicious software or settings remain.

#5 12-16-2006, 01:35 AM, AndyReed (Registered User, Join Date: May 2004, Location: Minneapolis, MN, Posts: 1,640)

Quote: Originally Posted by jeroman8
> I just ran chkrootkit again and rkhunter, checked common places manually as well, nothing found. I really think they actually got hold of my server password! Somehow!? - maybe when I logged in on 2086, but how do they sniff that if there's no script on the server....

Speaking from my own experience; I can't count the number of times I've received that answer after informing a system administrator that their system was the source of an attack, and had probably been compromised. These system admins kept saying that the system couldn't possibly be compromised, even when there was a root shell bound to port 60000, accessible to anyone with a copy of telnet on their system. How can it be that a system administrator can't tell that a system has been hacked? More importantly, what can you do to find out if a particular system has been compromised? Sometimes, it is nearly impossible to be certain that a system hasn't been compromised; if the intruder was any good, it will be completely impossible to determine that a system has been hacked.

The best approach to proving that a rootkit has been installed on a particular system is to boot the system from a known secure operating system install, such as a rescue CD, and (using a known-safe copy of md5sum) compare the checksums of system binaries to checksums from the genuine article. Recently, conventional rootkits have begun supplanting 'kernel module rootkits', which are much more difficult to detect. But on systems compromised with conventional rootkits, comparison is still the best approach -- one made easier with the help of several utilities. Although, as I said above, it is difficult to tell in some cases, here are some symptoms of a server that has been compromised:

- Applications that suddenly don't respond as expected.
- Additional user accounts that you can't account for (these may be made to look like system accounts).
- New files or directories with unusual names.
- Additional network traffic that can't be traced to a particular process.
- Server running significantly slower.

#6 Yesterday, 11:50 PM, Website Rob (Now would be a good time; Join Date: Mar 2002, Location: Alberta, Canada, Posts: 1,434)

Top marks, jeroman8, for finding the hacker. Now you must move to the next step. Question: "Should we nuke the Planet?" Answer: "It's the only way to be sure." Although it may seem painful, in a case like this, the only way to be sure that all hacker files have been removed is to reformat / reinstall. Once that has been done, make sure to set up ModSecurity (thru WHM) and set up Rules to prevent Users / Hackers from using certain functions.

```apache
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /dev/shm "
SecFilterSelective THE_REQUEST "cd /var/tmp "
```

#7 Today, 12:27 AM, markfrompf (Registered User, Join Date: Mar 2006, Location: Linux-land, CA, Posts: 41)

Definitely one of the worst parts of hosting...

#8 Today, 02:20 AM, Radio_Head (Registered User, Join Date: Feb 2002, Location: Rome, Italy, Posts: 1,296)

Quote: Originally Posted by jeroman8
> Hello! Today 14 accounts on one server were deleted. After checking this I found that it was a reseller account deleting them. This reseller account had root privileges. The reseller account was set up by the "hacker". It is not one of our clients so we have not installed this account. After going over our servers I found one more account on another server and the password it had was: hackedhost010. I restored the deleted accounts and suspended the "hacker account". I changed the root password and forced a cpanel upgrade. chkrootkit and rkhunter report nothing. What else should I do? What has happened - how?? Anyone, please give your thoughts on what I should do next!!
>
> Logs/info:
>
>     root@gais [~]# grep arabserv /var/log/*
>     /var/log/secure:Dec 15 14:59:14 gais groupadd[23494]: new group: name=arabserv, gid=32283
>     /var/log/secure:Dec 15 14:59:14 gais useradd[23496]: new user: name=arabserv, uid=32282, gid=32283, home=/home/arabserv, shell=/bin/bash
>     /var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30620]: Pushing "32282 RESELLERSUSERS arabserv " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32282
>     /var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30622]: Pushing "32282 GETDOMAINIP arabservers.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32282
>     /var/log/exim_mainlog:2006-12-15 14:59:21 1GvDar-00068i-B7 <= root@zzzhostzz.com U=root P=local S=717 T="New account on zzzhostzz.com (arabservers.com)" from <root@gais.wopsa11.com> for hoss@zzzhostzz
>     /var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: loaded serial 2006121501
>     /var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: sending notifies (serial 2006121501)
>     /var/log/messages:Dec 15 14:59:18 gais named[1976]: received notify for zone 'arabservers.com'
>
> Mail new account:
>
>     +===================================+
>     |         New Account Info          |
>     +===================================+
>     | Domain: serv2arab.com
>     | Ip: dd.dd.dd.dd (n)
>     | HasCgi: y
>     | UserName: serv2ara
>     | PassWord: 151213
>     | CpanelMod: x
>     | HomeRoot: /home
>     | Quota: 0 Meg
>     | NameServer: ns1.xxzzxx.com
>     | Contact Email:
>     +===================================+
>     Account was setup by: root (root)

Hi, on your hacked server...
were C compilers disabled? did you have php safe mode on, or phpsuexec? was the kernel updated to latest? Thank you

Secure your server: http://www.modsecurity.org http://www.gotroot.com/tiki-index.ph...security+rules http://www.hardened-php.net/suhosin/index.html
Stop SPAM and VIRUS --> ASSP FOR CPANEL http://assp.bravehost.com/

Posted on: 2006/12/19 9:09
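The `grep arabserv /var/log/*` trail in jeroman8's first post is exactly the kind of artefact an account-creation audit should surface without anyone having to know the account name in advance. The script below is an added example, not code from this thread, from wopsa or from cPanel. It parses grep-prefixed syslog lines in the format quoted above (the sample is constructed from those lines; the `Dec` month field is an assumption, since the pasted copy lost it), flags every `useradd` for an account outside an allow-list, and then flags each cPanel `Cp-Wrap` admin call made on behalf of those new UIDs, labelling calls into `reselleradmin` separately. The allow-list contents are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample in the format of the `grep arabserv /var/log/*` output quoted
# in the thread. The "Dec" month field is an assumption: in the pasted copy the
# ":D" between the file name and the date was lost in extraction.
SAMPLE_GREP_OUTPUT = """\
/var/log/secure:Dec 15 14:59:14 gais groupadd[23494]: new group: name=arabserv, gid=32283
/var/log/secure:Dec 15 14:59:14 gais useradd[23496]: new user: name=arabserv, uid=32282, gid=32283, home=/home/arabserv, shell=/bin/bash
/var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30620]: Pushing "32282 RESELLERSUSERS arabserv " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32282
/var/log/secure:Dec 15 15:05:41 gais Cp-Wrap[30622]: Pushing "32282 GETDOMAINIP arabservers.com " to '/usr/local/cpanel/bin/apacheadmin' for UID: 32282
/var/log/exim_mainlog:2006-12-15 14:59:21 1GvDar-00068i-B7 <= root@zzzhostzz.com U=root P=local S=717 T="New account on zzzhostzz.com (arabservers.com)" from <root@gais.wopsa11.com> for hoss@zzzhostzz
/var/log/messages:Dec 15 14:59:18 gais named[1976]: zone arabservers.com/IN: loaded serial 2006121501
"""

# grep prefixes each hit with the file name; the rest is classic syslog:
# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
USERADD_RE = re.compile(
    r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)
# Cp-Wrap is cPanel's wrapper that runs admin binaries on behalf of a UID.
CPWRAP_RE = re.compile(
    r'''Pushing "(?P<args>[^"]*)" to '(?P<bin>[^']+)' for UID: (?P<uid>\d+)'''
)


@dataclass
class Event:
    file: str
    when: str   # "Dec 15 14:59:14"; syslog lines carry no year
    host: str
    prog: str
    msg: str


@dataclass
class Alert:
    when: str
    kind: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Split one grep-prefixed syslog line. Returns None for lines in another
    format (the exim_mainlog hit uses ISO dates and is skipped here)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return Event(m["file"], f"{m['mon']} {m['day']} {m['time']}", m["host"], m["prog"], m["msg"])


def triage(lines: Iterable[str], known_accounts: Set[str]) -> List[Alert]:
    """Flag account creations not on the allow-list, then every cPanel admin
    binary invoked for those new UIDs (reselleradmin gets its own label)."""
    alerts: List[Alert] = []
    suspect_uids: Dict[str, str] = {}   # uid -> account name
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.prog == "useradd":
            u = USERADD_RE.search(ev.msg)
            if u and u["name"] not in known_accounts:
                suspect_uids[u["uid"]] = u["name"]
                alerts.append(Alert(ev.when, "unexpected-account",
                                    f"{u['name']} uid={u['uid']} home={u['home']} shell={u['shell']}"))
        elif ev.prog == "Cp-Wrap":
            c = CPWRAP_RE.search(ev.msg)
            if c and c["uid"] in suspect_uids:
                tool = c["bin"].rsplit("/", 1)[-1]
                kind = "reseller-admin-call" if tool == "reselleradmin" else "admin-call"
                alerts.append(Alert(ev.when, kind,
                                    f"uid={c['uid']} ({suspect_uids[c['uid']]}) -> {tool}: {c['args'].strip()}"))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_GREP_OUTPUT.splitlines(), known_accounts={"root", "hoss"}):
        print(f"{a.when}  {a.kind:20} {a.detail}")
```

Run against the sample it reports the `arabserv` creation, the `reselleradmin` call and the `apacheadmin` call, all for UID 32282 and all within six minutes; fed `cat /var/log/secure` from a rescue boot with a real allow-list, the same logic finds accounts that were never provisioned by the hosting staff.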
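AndyReed's advice in the quoted thread, booting from known-good media and comparing checksums of system binaries against the genuine article, is simple to script so the comparison is systematic rather than spot checks. The code below is an added example, not from this thread or from any of the posters. It builds a manifest in `sha256sum` line format (so a baseline taken with coreutils from rescue media can be loaded directly), compares a baseline tree against a suspect tree, and reports modified, missing and added files; symlinks are skipped so a planted link cannot redirect the check. sha256 stands in for the md5sum the post mentions, and the directory layout and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """root-relative path -> sha256 for every regular file under root.
    Symlinks are skipped so a planted link cannot point the check elsewhere."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def dump_manifest(manifest: Dict[str, str]) -> str:
    """Same line format as `sha256sum`, so a baseline produced with coreutils
    from rescue media can be fed straight into load_manifest()."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def load_manifest(text: str) -> Dict[str, str]:
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            manifest[path] = digest
    return manifest


def compare(baseline: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, List[str]]:
    """The three findings a responder wants: binaries that changed, binaries
    that vanished, and files that appeared where none should."""
    return {
        "modified": sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p]),
        "missing": sorted(p for p in baseline if p not in suspect),
        "added": sorted(p for p in suspect if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a known-good tree versus a suspect tree with one
    replaced binary, one dropped file and one deleted tool."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = Path(tmp, "good", "bin"), Path(tmp, "suspect", "bin")
        for d in (good, suspect):
            d.mkdir(parents=True)
            (d / "ls").write_bytes(b"genuine ls (constructed)\n")
            (d / "ps").write_bytes(b"genuine ps (constructed)\n")
        (good / "netstat").write_bytes(b"genuine netstat (constructed)\n")
        (suspect / "ps").write_bytes(b"replaced ps (constructed)\n")
        (suspect / ".hidden").write_bytes(b"dropped file (constructed)\n")
        # Round-trip the baseline through the text format, as it would be on disk.
        baseline = load_manifest(dump_manifest(build_manifest(good.parent)))
        return compare(baseline, build_manifest(suspect.parent))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", ", ".join(paths) or "-")
```

In practice the baseline comes from the distribution's package metadata or from an identical clean install, and both the manifest and the tool that reads it live on the rescue media, never on the suspect disk, which is the point of the post's "known-safe copy of md5sum".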
|
Re: Vaken är öppen igen
|
||||
|---|---|---|---|---|
|
Fan vad glatt att sidan är tillbaka igen, vart lite orolig där...
Posted on: 2006/12/19 16:17
|
|||
|
"Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power."
|
||||
|
||||
|
Anonymous

Re: Vaken is open again

I get this error message when I try to upload an image.. Failed opening directory with write permission: /home/vakense/public_html/uploads