

server hacked




Posted by visio, 03-23-2010, 01:15 PM
One of my servers has just been hacked. The hacker entered through root, although the password is 20 digits and my computer is clean. The person entered, unsuspended one account, deleted the firewall, and disabled shell. How is this possible?

Posted by JohnCS, 03-23-2010, 01:57 PM
There must be a security hole in your server, maybe insecure PHP scripts, etc.

Posted by visio, 03-23-2010, 02:12 PM
Which hosting server doesn't have outdated PHP scripts and insecure, vulnerable sites?

Posted by whmcsguru, 03-23-2010, 03:21 PM
This is possible when things aren't updated or secured. It's also possible when you don't watch your stuff frequently, or just let the server go assuming cPanel/WHM will manage it for you. I'd advise contacting a security / management company and making sure all your backups are not compromised. Good luck!

Posted by visio, 03-23-2010, 03:29 PM
I use platinumservermanagement.com to manage the servers. Yesterday I had them do a security review on this same server; they said everything was fine.

Posted by whmcsguru, 03-23-2010, 03:31 PM
Obviously it wasn't. I'd get a second opinion and let go of the individuals who said things were dandy.

Posted by visio, 03-23-2010, 03:33 PM
The problem is, who is there that you can trust?

Posted by bear, 03-23-2010, 03:34 PM
Either they missed something (or you've eliminated one possibility), or it's not insecure settings/scripts on the server that's to blame. It could also be a sniffed password, trojan, or any one of a thousand different things. There was also a relatively recent Cpanel issue where visiting a nefarious site while still logged into WHM/cPanel would allow the attacker to gain access to credentials on that server.

Posted by whmcsguru, 03-23-2010, 03:36 PM
Welcome to the server management game. Go to the wiki here, start contacting companies. Honestly, I'd look at how long the person representing the company has been here, if they're still active, if they provide help here, etc. When you're dealing with server management, it's just close to impossible to find the perfect one. You need to contact the ones you think will work for you and ask them real questions. Don't just go by the cheapest like most do, because, as you just found out, that's not completely accurate.

Posted by visio, 03-23-2010, 03:40 PM
I changed the password of this server after the hacker logged in to root the first time; immediately I also did a full scan on my personal computer to see if there was anything to worry about. The hacker from Saudi Arabia then logged in again 10 minutes later, disabled the firewall!!! He unsuspended one of the accounts, then ran a script which replaced every index.php and index.html on the server. I'm having the server reinstalled.

Posted by bear, 03-23-2010, 03:52 PM
If you used tools already on that computer, it might not produce a trustworthy result. There are viruses/trojans that disable various tools and make it look like they still work. I'd be looking carefully at that unsuspended account to see if there's anything in it like php shells. Also checking common points of entry like /tmp, and scanning logs (FTP, cpanel, apache) for that IP that connected.
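An added example, not part of bear's post or of the original thread: a POSIX shell script that does the triage bear lists, in a form you can run against copies of the logs. It greps every relevant log for the attacker's IP, extracts what that IP POSTed to (on a script-upload compromise that is usually the dropped shell), lists index.php/index.html files rewritten in the last N minutes, and greps the unsuspended account for common PHP web-shell constructs. Everything it works on is constructed for the demo: the IP 203.0.113.45, the account "acct", the log lines and the backdoor file are assumptions, not data from this thread. On a cPanel host you would point the same functions at the real logs (typically under /usr/local/apache/logs/ and /usr/local/cpanel/logs/, with FTP logins in /var/log/messages) and at /home/<account>.

```shell
#!/bin/sh
# Added example (not from the thread): shell helpers for the triage steps
# bear describes: grep every relevant log for the attacker's IP, pull out what
# that IP POSTed to (usually the uploaded shell), list index files rewritten in
# the last N minutes, and grep an account for common PHP-shell constructs.
# All data below is constructed for the demo: the IP 203.0.113.45, the account
# "acct", the log lines and the backdoor file are assumptions, not thread data.

WORK="${WORK:-$(mktemp -d)}"

# Write constructed sample logs and a fake account tree under $WORK.
make_sample_data() {
    mkdir -p "$WORK/home/acct/public_html/gallery/uploads" \
             "$WORK/home/acct/public_html/old"
    # Apache combined-format lines (constructed).
    cat > "$WORK/access_log" <<'EOF'
198.51.100.7 - - [23/Mar/2010:13:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [23/Mar/2010:13:05:41 +0000] "GET /gallery/admin/upload.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.45 - - [23/Mar/2010:13:05:58 +0000] "POST /gallery/admin/upload.php HTTP/1.1" 200 143 "-" "Mozilla/5.0"
203.0.113.45 - - [23/Mar/2010:13:06:10 +0000] "POST /gallery/uploads/img.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Mar/2010:13:07:02 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
EOF
    # cPanel/WHM access-log line; layout approximated, constructed.
    cat > "$WORK/cpanel_access_log" <<'EOF'
203.0.113.45 - root [03/23/2010:13:12:30 -0000] "POST /scripts/unsuspendacct HTTP/1.1" 200 0
EOF
    # Web shell planted through the upload form (constructed, inert here).
    printf '%s\n' '<?php eval(base64_decode($_POST["c"])); ?>' \
        > "$WORK/home/acct/public_html/gallery/uploads/img.php"
    # Index files: two rewritten just now, one untouched since 20 Mar 2010.
    echo '<html>defaced</html>' > "$WORK/home/acct/public_html/index.php"
    echo '<html>defaced</html>' > "$WORK/home/acct/public_html/gallery/index.html"
    echo '<html>ok</html>'      > "$WORK/home/acct/public_html/old/index.php"
    touch -t 201003201200 "$WORK/home/acct/public_html/old/index.php"
}

# ip_hits IP FILE...  -> every log line from that IP, prefixed with file name.
# -w stops 203.0.113.4 matching 203.0.113.45; -F stops the dots acting as regex.
ip_hits() {
    ip=$1; shift
    grep -H -w -F -- "$ip" "$@"
}

# count_ip_hits IP FILE...  -> number of matching lines across all files.
count_ip_hits() {
    ip=$1; shift
    grep -h -w -F -- "$ip" "$@" | wc -l | tr -d ' '
}

# post_targets IP ACCESS_LOG...  -> paths the IP POSTed to, in order seen.
# In combined format field 6 is "\"POST" and field 7 is the request path.
post_targets() {
    ip=$1; shift
    grep -h -w -F -- "$ip" "$@" | awk '$6 == "\"POST" { print $7 }'
}

# recent_index_files DIR MINUTES  -> index.php/index.html modified recently;
# on a mass-defacement run this lists what the attacker's script touched.
recent_index_files() {
    find "$1" -type f \( -name index.php -o -name index.html \) -mmin "-$2"
}

# suspicious_php DIR  -> files containing common web-shell constructs.
suspicious_php() {
    grep -rlE 'eval\(base64_decode|shell_exec\(|passthru\(|system\(\$_' "$1"
}

# Stand-alone run: show each finding for the constructed data.
make_sample_data
echo "== lines from 203.0.113.45 =="
ip_hits 203.0.113.45 "$WORK/access_log" "$WORK/cpanel_access_log"
echo "== POST targets of 203.0.113.45 =="
post_targets 203.0.113.45 "$WORK/access_log"
echo "== index files touched in the last 60 minutes =="
recent_index_files "$WORK/home/acct" 60
echo "== files with web-shell constructs =="
suspicious_php "$WORK/home/acct"
```

The ordering matters when reading the output: the first POST from the attacker's IP is the upload form, the second is the uploaded file itself, and from that timestamp on every index file under the account should be treated as rewritten, which is exactly the "php shell in the unsuspended account" case bear asks about.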

Posted by VIPoint, 03-23-2010, 04:00 PM
I suggest you not re-install the server until you find out how the hacker got into it. First find out how the hacker got in, and then go for reinstalling the server. Which firewall do you use? I recommend using the CSF firewall, getting a fortified setup done on the server, securing the /tmp directory and disabling shell access for all the users.

Posted by visio, 03-23-2010, 04:11 PM
We found the account used by the hacker to get through, and we use the CSF firewall. None of our customers has shell access; on that server only one has a jailed shell. The tmp folder was cleaned yesterday by platinumservermanagement.com.

Posted by tandem, 03-23-2010, 04:21 PM
Have you changed the standard SSH port 22? That's the 1st thing I'd do with a new server.

Posted by VIPoint, 03-23-2010, 04:25 PM
You need to secure /tmp rather than just clean it. Follow these instructions to harden the /tmp directory.

Back up fstab first:

    /bin/cp /etc/fstab /etc/fstab.acu.bak

Use df to check whether a /tmp partition is already present.

[if no /tmp partition present]

    cd /usr
    dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000
    mke2fs -j /usr/tmpMnt
    cd /
    cp -R /tmp /tmp_backup
    mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp
    chmod 1777 /tmp    # 1777, not 0777: /tmp needs the sticky bit so users cannot delete each other's files
    /bin/cp -R /tmp_backup/* /tmp/
    rm -rf /tmp_backup
    nano -w /etc/fstab

At the very bottom add:

    /usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0

[/ end no tmp partition present]

[standard /tmp partition is already present]

    nano -w /etc/fstab

On the /tmp line change "defaults" to noexec,nosuid,rw (no "loop" here: that option is only for the image file in the case above, and mount refuses it on a real block device), then remount and point /var/tmp at it:

    mount -o remount /tmp
    rm -rf /var/tmp
    ln -s /tmp /var/tmp

If a symlink is not possible, then /var/tmp is most likely also a partition. In this case, /var/tmp must be hardened with noexec,nosuid,rw in fstab as well.

[/ end standard /tmp partition is already present]

[cPanel /tmp partition is already present]

If /tmp is hardened by cPanel's /scripts/securetmp, remove that line from /etc/rc.d/rc.local and then reboot. It will come back without a /tmp partition and then you can follow the [no /tmp partition present] instructions above.

[/ end cPanel /tmp partition is already present]

Other directory hardenings:

    nano -w /etc/fstab

In the /dev/shm line, change 'defaults' to noexec,nosuid. Add the options "noexec,nosuid" to the /proc line after "defaults". It should look like this:

    proc /proc proc defaults,noexec,nosuid 0 0

Then apply them:

    umount /dev/shm
    mount /dev/shm
    rm -rf /etc/httpd/proxy
    rm -rf /var/spool/vbox
    mount -o remount,noexec,nosuid /proc
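An added example, not part of VIPoint's post or of the original thread: a POSIX shell script that verifies the hardening above actually took effect, which is the check you want after editing fstab and again after every reboot. It reads a /proc/mounts-style file, reports which of noexec and nosuid each of /tmp, /var/tmp and /dev/shm is missing (a /var/tmp that is the symlink to /tmp from the procedure above has no entry of its own and is covered by the /tmp line), and includes the same probe an attacker's dropper runs: write a script into the directory and try to execute it. The mounts snapshot embedded in the script is constructed (the /dev/loop0 device and the un-hardened /dev/shm are assumptions); on a live server it also runs the check against the real /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread): verify the /tmp hardening above by
# parsing a /proc/mounts-style file and reporting which required options
# (noexec, nosuid) each mount point lacks. The sample mounts file below is
# constructed; a real run passes /proc/mounts (see the bottom of the script).

# missing_opts MOUNTS_FILE MOUNTPOINT OPT...
# Prints the required options that are absent. Prints "not-mounted" and
# returns 1 if MOUNTPOINT has no entry. Returns 0 only when nothing is missing.
missing_opts() {
    file=$1; mp=$2; shift 2
    # Last matching entry wins: a later mount on the same point hides earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$file")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# check_tmp_mounts MOUNTS_FILE -> one status line per directory the thread
# hardens; the return value is the number of mount points that fail.
check_tmp_mounts() {
    file=$1; failures=0
    for mp in /tmp /var/tmp /dev/shm; do
        if result=$(missing_opts "$file" "$mp" noexec nosuid); then
            echo "$mp: OK"
        elif [ "$mp" = /var/tmp ] && [ "$result" = not-mounted ]; then
            # No entry of its own: acceptable only as the symlink to /tmp set up above.
            echo "$mp: no separate mount (must be a symlink to /tmp)"
        else
            echo "$mp: MISSING $result"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# noexec_probe DIR -> "exec-denied" if a script dropped into DIR cannot be
# run directly, "exec-allowed" otherwise. This is what a dropper tries first.
noexec_probe() {
    probe="$1/noexec-probe.$$.sh"
    printf '#!/bin/sh\nexit 0\n' > "$probe" && chmod 755 "$probe"
    if "$probe" 2>/dev/null; then echo "exec-allowed"; else echo "exec-denied"; fi
    rm -f "$probe"
}

# Constructed /proc/mounts snapshot: /tmp done right (loop image shows up as
# /dev/loop0), /dev/shm still at defaults, /var/tmp a symlink so no entry,
# /proc hardened.
SAMPLE_MOUNTS="${SAMPLE_MOUNTS:-$(mktemp)}"
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
proc /proc proc rw,noexec,nosuid 0 0
EOF

# Stand-alone run: report on the sample, then on the live system if available.
echo "== constructed sample =="
check_tmp_mounts "$SAMPLE_MOUNTS" || echo "sample: $? mount point(s) need attention"
if [ -r /proc/mounts ]; then
    echo "== this host =="
    check_tmp_mounts /proc/mounts || true
    echo "/tmp exec probe: $(noexec_probe /tmp)"
fi
```

Note that noexec on its own does not stop `perl /tmp/x.pl` or `sh /tmp/x.sh`, since the interpreter, not the file, is what executes; it only blocks direct execution of dropped binaries and scripts, which is why the thread pairs it with disabling shell access and with script-level fixes.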

Posted by VIPoint, 03-23-2010, 04:26 PM
Suspend the account that the hacker is using and see whether he is able to access the server using any other account.

Posted by visio, 03-23-2010, 04:44 PM
We never use port 22. Thank you VIPoint, your suggestions will be implemented.

Posted by visio, 03-23-2010, 04:46 PM
After I suspended the account and changed the password again, the hacker was blocked, but he left the script running which changed all the index pages on the server.

Posted by visio, 03-23-2010, 05:00 PM
VIPoint I just visited your site but the costs page is not loading, can you check?

Posted by khunj, 03-23-2010, 05:55 PM
What is your kernel version (type 'uname -a') ?

Posted by ServerManagement, 03-24-2010, 03:39 PM
Without investigating yourself or knowing what type of hack it was, it is absolutely impossible for anyone to conclude that the security review was insufficient. There was hardly any information even provided. Nobody knows how strong the passwords were, what types of scripts are being used, or even what type of users are on the server. I don't know what ticket you are referring to, but these types of hacks are usually done through a user's insecure script, and not a server-side hack. Please PM me your ticket number and I will be more than glad to personally review it and provide you with more precise details. Additionally, further security suggestions such as changing the SSH port, disabling direct root login, additional script security, etc., are all suggested to everyone during the initial hardening process. These are explained and suggested, then done upon request only. If you would like them done, simply reply saying so. Thanks!
Last edited by ServerManagement; 03-24-2010 at 03:45 PM.

Posted by whmcsguru, 03-24-2010, 03:53 PM
Which should still be covered under server security, not individual script security, especially if it's something that gives root level access. That's just a common sense thing there.


