Hacker changing my root password again and again

I have a cPanel server, and 2 days back I received an email saying someone logged into WHM using the root password. I tried SSHing into the server, and sure enough, the password had been changed. So, I changed my root password to a new one. Checked all the WHM logs; the hacker had injected some SEO links in some websites. Reversed all those changes and went to bed.

Next day, again I received an email saying someone had logged into WHM using root, and again he changed my root password.

I performed virus scan on the server, nothing found.
Performed virus scan/rootkit etc scan on my laptop. Nothing found.
I always log into WHM using HTTPS/SSL.

Has this occurred to anyone in here? I can't imagine reformatting the server or my laptop.

Comments

  • There could be a lot of reasons why you keep getting hacked. They could've installed a backdoor, your PC may be compromised, etc. How long have you been in the hosting industry?

  • perennate (Member, Host Rep)
    edited December 2014

    You should check web server, cPanel, and SSH logs to see how the attacker gained initial entry. If your password wasn't randomly generated then maybe they brute-forced it; the second time maybe they tampered with the WHM installation. Antivirus generally doesn't help with this stuff. In the end you're probably going to have to reinstall the server.

  • Did you check your own PC? Maybe there is a keylogger installed.

  • 0xdragon (Member)
    edited December 2014

    Re-install and restore from backups. Ensure that there are no potential security holes in the backups (offsite) and re-evaluate your setup. Also change all your passwords on all sites that share the same password as the one you tried to change it to. It sounds like your sshd has been backdoored and you've just sent your password to the cracker.

    Thanked by 2: ucxo, netomx
  • The hacker knew the password somehow, even after I changed it, and he didn't brute-force it as per the WHM access logs. He accessed the login page one time and then he was in.

    Second time he just viewed the listaccts page and then logged out. Didn't change anything.

    He did not SSH into the system. If that were the case I would have received an email from LFD. He logged into WHM and lfd sent me an email with his IP.

    One thing that is quite surprising is how he changed the root password from WHM when there's no such thing reflected in the log. The URL where one can change the password is "scripts/chrootpass". He has definitely changed the root password, but that URL is not reflected in the log.

    Scanned my laptop with Avira, Malwarebytes, ComboFix; nothing suspicious came up.

  • 0xdragon said:
    Re-install and restore from backups. Ensure that there are no potential security holes in the backups (offsite) and re-evaluate your setup. Also change all your passwords on all sites that share the same password as the one you tried to change it to. It sounds like your sshd has been backdoored and you've just sent your password to the cracker.

    +1 & don't forget to change the SSH port & disable SSH root password authentication after adding your key ;)

    Thanked by 1: Farjad
  • @0xdragon said:
    Re-install and restore from backups. Ensure that there are no potential security holes in the backups (offsite) and re-evaluate your setup. Also change all your passwords on all sites that share the same password as the one you tried to change it to. It sounds like your sshd has been backdoored and you've just sent your password to the cracker.

    Is there a way to check for a backdoored sshd? I used a ClamAV scan, which turned up nothing. Also, I checked for the Ebury trojan/backdoor, and mine didn't show any signs of being affected by it.

  • Did you check if he or she installed an SSH key?

  • @Drukpa said:
    Is there a way to check for a backdoored sshd? I used a ClamAV scan, which turned up nothing. Also, I checked for the Ebury trojan/backdoor, and mine didn't show any signs of being affected by it.

    Debian, right?

    debsums ssh-server

  • @mpkossen said:
    Did you check if he or she installed an SSH key?

    Nope, no SSH keys installed. He didn't even log in via SSH. I logged in right now via SSH, and lfd sent me an email with my IP. I didn't receive any email alerts, so he didn't.

    He logged in via WHM and changed the password through WHM (yet this does not show in the log).

  • @0xdragon said:
    debsums ssh-server

    cPanel (CentOS 5.9).

  • @Drukpa said:

    rpm -V openssh-server

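Both `debsums` and `rpm -V` answer the "is my sshd backdoored?" question by comparing installed files against the package database. As an added example (not from the thread), this triages `rpm -V openssh-server` output the way a responder would: content changes to config files are normal, but a changed digest, size or symlink target on a binary, or a missing file, is what a replaced daemon looks like. The sample output is constructed.

```python
"""Triage `rpm -V openssh-server` output for signs of a tampered sshd.

rpm -V prints one line per file that fails verification. The leading
flag string marks which attributes differ from the package database:
S size, M mode, 5 digest, D device, L readlink, U user, G group,
T mtime (plus P capabilities on newer rpm); '.' means unchanged and
'?' means the test could not be run. A single letter before the path
(c, d, g, l, r) marks the file type, 'c' being a config file.
"""
import re
from typing import List, Tuple

# Older rpm (CentOS 5 era) prints 8 flag characters, newer prints 9.
_LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")


def parse_rpm_verify(output: str) -> List[Tuple[str, str, str]]:
    """Return (flags, attr, path) for each file rpm -V reported."""
    rows = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2) or "", m.group(3)))
    return rows


def suspicious_files(output: str) -> List[str]:
    """Paths whose contents changed although they are not config files.

    An edited sshd_config (attr 'c') is routine administration; a
    changed digest/size/symlink on /usr/sbin/sshd or a missing binary
    is not, and deserves a reinstall rather than a cleanup.
    """
    flagged = []
    for flags, attr, path in parse_rpm_verify(output):
        if attr == "c":
            continue  # config files are expected to differ
        if flags == "missing" or any(ch in flags for ch in "S5L"):
            flagged.append(path)
    return flagged


# Constructed sample output in the 8-character CentOS 5 format.
SAMPLE = """\
S.5....T  c /etc/ssh/sshd_config
S.5....T    /usr/sbin/sshd
.......T    /usr/bin/ssh-keygen
missing     /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    for path in suspicious_files(SAMPLE):
        print("verify failed (non-config file):", path)
```

`rpm -V` trusts the local RPM database, which an attacker with root can also alter; verifying against a freshly downloaded package file with `rpm -Vp` is the more trustworthy check.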
  • I wonder if the hacker is using this

    http://www.exploit-db.com/exploits/34262/

    And running it on your box, perhaps an existing client?

    Do you allow clients to have SSH access? This is a setting in WHM.

  • @ATHK said:
    I wonder if the hacker is using this

    http://www.exploit-db.com/exploits/34262/

    And running it on your box, perhaps an existing client?

    Do you allow clients to have SSH access? This is a setting in WHM.

    FYI that's just a random shellcode, not an exploit.

  • It's probably best to wipe everything. Otherwise you can't be sure it's fully removed.

  • Lee (Veteran)

    As already said, I would check what, if any, clients have shell access, as it could be through that way; the fact they are doing nothing damaging suggests it may be a client, possibly unknowingly.

  • @socials said:
    FYI that's just a random shellcode, not an exploit.

    Did you read what it could potentially do?

    Don't know why you're turning this into a "WHM isn't secure" thread; the word exploit shouldn't be used here, it's more than likely user error.

  • socials (Member)
    edited December 2014

    @ATHK said:

    Do you even know what shellcode is? It's just a payload you inject via an exploit. Everyone can code a shellcode.

    Without an exploit, you don't do anything with it.

    Shellcode is just "run this, run that, run a shell", which you, for example, inject via a vulnerability in WHM (example!) to get a shell with the web server's permissions.

    In VERY rare cases you actually get a root shell.

  • @W1V_Lee said:
    As already said, I would check what, if any, clients have shell access, as it could be through that way; the fact they are doing nothing damaging suggests it may be a client, possibly unknowingly.

    Not a single user besides root and my own user has shell access. Using suPHP with open_basedir protection and symlink protection, have blocked all shell commands in PHP, etc.

  • mikho (Member, Host Rep)

    If he is a current user he could use one of these file managers to browse through the whole server and change the password that way.
    Then log in via WHM.

    Thanked by 1: Lee
  • @MikHo said:
    If he is a current user he could use one of these file managers to browse through the whole server and change the password that way.
    Then log in via WHM.

    As per the emails lfd sent me, first he logged into WHM as root (I just changed the password 1 day back). Then after a minute, lfd again sent me an email saying the root password has been changed (Account Modification Alert).

    So this means, this jobless guy knows my password somehow.

  • 2 suggestions

    Check your PC/laptop for malware/keyloggers in Safe Mode (or they can use ), boot from a Linux live CD and then change passwords.

    Did you log in to WHM on the 2087 SSL port, or do you use unsecured 2086?

    If nothing appeared then maybe your other passwords are compromised too (if he has your SolusVM password and you are using an OpenVZ VPS, the root password can be easily changed).

  • Check your mail log; maybe it's sending your new password to the attacker.

  • @coolice said:
    2 suggestions

    Check your PC/laptop for malware/keyloggers in Safe Mode (or they can use ), boot from a Linux live CD and then change passwords.

    Did you log in to WHM on the 2087 SSL port, or do you use unsecured 2086?

    If nothing appeared then maybe your other passwords are compromised too (if he has your SolusVM password and you are using an OpenVZ VPS, the root password can be easily changed).

    I always log in on 2087 SSL, and I don't run SolusVM but hyperVM. I am certain that password and the node password are not compromised.

    @robohost said:
    Check your mail log; maybe it's sending your new password to the attacker.

    I checked my exim log file for the times when I changed my password or logged into WHM/SSH; there were no mail log entries other than CSF sending me login alerts.

  • Wow, isn't hyperVM a dead project?

  • rm -rf / && reinstall

    Thanked by 1: netomx
  • @coolice said:
    Wow, isn't hyperVM a dead project?

    Damn! I checked hyperVM and there it was: his IP in the logins list.
    Hmm, need to get rid of this hyperVM.

  • rsk (Member, Patron Provider)

    @Drukpa said:
    Hmm, need to get rid of this hyperVM.

    Shame to say this, but lesson learnt. Never use dead projects for production/daily activities.

    Thanked by 1: netomx
  • @rsk said:
    Shame to say this, but lesson learnt. Never use dead projects for production/daily activities.

    :) I wonder how easy it would be to migrate to a new thing now. For the moment I have shut down the hyperVM service and am handling the VMs manually from the node via SSH.

    Can you suggest a good control panel that is free/affordable and SECURE? I just have two VMs to manage.

  • Get some cheap VPS, change the SSH port and lock SSH down to only the IP of that VPS.

    Thanked by 1: Drukpa