  1. #1
    Just Joined!
    Join Date
    Jun 2012
    Posts
    12

    WHM server hacked, lost root access


    I have a huge problem. In a nutshell, two days ago I noticed a strange process going on with httpd, something I had never seen before. That led to me googling it, and OVH came up top with "Examples of a hacked server". So I freaked out, but didn't do anything, as the rest of the cPanel forums said it wasn't related to hacks.

    And here we are: I'm unable to log in as root, as if my password had been changed. I have standard user accounts which have no root access but do have SSH access. The server is running CentOS 6.2.

    I'm posting here requesting help and advice on what I should do here.

    Thanks in advance
    Kris

  2. #2
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,346
    Contact your ISP, explain the situation and ask them to power down your box.

    Then ask for out-of-band management access and boot e.g. a liveCD.
    Better management tools like iLO can do that via remote media.
    Another option would be, if your ISP offers it, to boot a rescue system via PXE.

    Anyway, once the liveCD or rescue system runs:
    Decide whether you want to go for a forensic analysis, e.g. for legal action against the attacker.
    If yes: make images of all of your machine's disks.

    Then back up your data, config and logs from the machine.
    Scrape the data and config if you want to use it in a new system.
    You must always face the curtain with a bow.
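The capture steps in the post above, as an added example that is not code from the original thread: image the disk and verify the copy by hash, pull config, logs and crontabs out of the read-only mounted root filesystem, and list recently modified files as a first timeline. It assumes Linux coreutils on the rescue system, a victim disk visible as a block device (the Xen guest name /dev/xvda used in the comments is hypothetical) and a read-only mount of its root filesystem; every path is an assumption to adapt.

```shell
#!/usr/bin/env bash
# Added example (not code from the original thread): the capture steps from the
# post above, run from a liveCD/rescue system with the victim's disk attached.
# Assumptions: Linux coreutils (dd, sha256sum, tar, find); the victim disk
# appears as a block device such as /dev/xvda (hypothetical Xen guest name) and
# its root filesystem is mounted read-only, e.g.
#   mount -o ro,noload,noexec,nodev /dev/xvda1 /mnt/victim
# ("noload" stops ext3/ext4 from replaying the journal, which would write to
# the very disk you are trying to preserve).
set -eu

# image_disk SRC DEST
# Bit-for-bit copy of SRC into DEST, verified by SHA-256. Writes DEST.sha256 in
# "sha256sum -c" format and prints the digest; returns 1 if the copy differs.
image_disk() {
    local src="$1" dest="$2" h_src h_img
    dd if="$src" of="$dest" bs=4194304 2>/dev/null
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    h_img=$(sha256sum "$dest" | cut -d' ' -f1)
    [ "$h_src" = "$h_img" ] || return 1
    printf '%s  %s\n' "$h_img" "$(basename "$dest")" > "$dest.sha256"
    printf '%s\n' "$h_img"
}

# collect_evidence ROOT OUTDIR
# Copies config, logs, crontabs and home directories out of the mounted root
# ROOT into OUTDIR/evidence.tgz and prints the archive path. Only paths that
# exist are archived, so a minimal or damaged filesystem does not abort the run.
collect_evidence() {
    local root="$1" out="$2" p present=""
    for p in etc var/log var/spool/cron root home tmp; do
        if [ -e "$root/$p" ]; then present="$present $p"; fi
    done
    mkdir -p "$out"
    # word splitting of $present is intended: one tar member per path
    tar -C "$root" -czf "$out/evidence.tgz" $present
    printf '%s\n' "$out/evidence.tgz"
}

# recent_files ROOT DAYS
# Lists regular files under ROOT modified within the last DAYS days, relative
# to ROOT, as a first timeline. Freshly modified binaries, cron entries and
# /etc/shadow usually show up here. -xdev keeps find on the mounted filesystem.
recent_files() {
    local root="$1" days="$2"
    (cd "$root" && find . -xdev -type f -mtime "-$days" | sort)
}

# Stand-alone use: evidence.sh DISK MOUNTPOINT OUTDIR (all three hypothetical)
if [ "$#" -eq 3 ]; then
    image_disk "$1" "$3/$(basename "$1").img"
    collect_evidence "$2" "$3"
    recent_files "$2" 7
fi
```

image_disk reads the source twice (once for dd, once for the hash); on a large disk pipe dd through tee into sha256sum instead. Write the image and the archive to a separate disk or network share, never to the victim's own filesystem.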

  3. #3
    Just Joined!
    Join Date
    Jun 2012
    Posts
    12
    Quote Originally Posted by Irithori
    Contact your ISP, explain the situation and ask them to power down your box.

    Then ask for out-of-band management access and boot e.g. a liveCD.
    Better management tools like iLO can do that via remote media.
    Another option would be, if your ISP offers it, to boot a rescue system via PXE.

    Anyway, once the liveCD or rescue system runs:
    Decide whether you want to go for a forensic analysis, e.g. for legal action against the attacker.
    If yes: make images of all of your machine's disks.

    Then back up your data, config and logs from the machine.
    Scrape the data and config if you want to use it in a new system.
    Well, it's a VPS running on my dedicated Xen server, so I'm not sure they have any method to do it. I'll ask them and see; otherwise I'm not sure what they can do, since I was the one that set up everything.

  4. #4
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,346
    Ok, even better.
    Then you can shutdown the VM yourself.
    You must always face the curtain with a bow.

  5. #5
    Just Joined!
    Join Date
    Jun 2012
    Posts
    12
    Quote Originally Posted by Irithori
    Ok, even better.
    Then you can shutdown the VM yourself.
    OK, yes, I can shut it down myself, but then how do I do what I have to do next?
    I'm a little new to this, so sorry for being stupid.

  6. #6
    Just Joined!
    Join Date
    Jun 2012
    Posts
    12
    Quote Originally Posted by linkandzelda
    OK, yes, I can shut it down myself, but then how do I do what I have to do next?
    I'm a little new to this, so sorry for being stupid.
    OK, I booted into single-user mode and was able to reset my password from there. Now I have root access back, but only for 5-10 minutes, as it gets changed again right after booting up. I scanned for rootkits and found nothing, and am doing a ClamAV scan which isn't bringing up much either. Luckily I connected to a root SSH terminal right before it got changed, so I have no WHM access, but I do have SSH root access until I disconnect.
    Last edited by linkandzelda; 10-11-2012 at 09:55 AM.
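A password that is reset a few minutes after every boot is being reset by something that runs at boot, on a schedule, or at login. The following is an added example, not code from the thread or from any of the posters: it searches the boot scripts, cron directories and shell startup files of a read-only mounted copy of the victim's root filesystem for commands that set passwords, and checks two other common persistence spots (/etc/ld.so.preload and root's authorized_keys). It assumes a CentOS 6 layout and a mount point such as /mnt/victim (hypothetical); the file names in the comments are illustrative only.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread. A root password that is reset
# a few minutes after every boot points to a hook in a boot script, a cron entry
# or a login file. This searches those locations in a read-only mounted copy of
# the victim's root filesystem for commands that set passwords, and checks two
# other common persistence spots. Run it from the rescue system against the
# mount point (e.g. /mnt/victim, hypothetical): tools inside the compromised OS
# cannot be trusted, and an /etc/ld.so.preload rootkit hides itself from ps, ls
# and from scanners run on the live system.
# Assumptions: CentOS 6 layout (SysV init under /etc/rc.d, /etc/cron.*,
# /var/spool/cron), POSIX find/grep/sed.
set -eu

# Commands that rewrite a password non-interactively, and the file itself.
RESET_PATTERN='(chpasswd|passwd[[:space:]]+--stdin|usermod[[:space:]]+-p|openssl[[:space:]]+passwd|/etc/shadow)'

# Files that run at boot, on a schedule, or at login (relative to ROOT).
HOOK_PATHS="etc/rc.d etc/rc.local etc/init.d etc/crontab etc/cron.d etc/cron.hourly \
etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron etc/profile \
etc/profile.d etc/bashrc root/.bashrc root/.bash_profile"

# find_password_hooks ROOT
# Prints "path:line:text" (path relative to ROOT) for every hook line that
# matches RESET_PATTERN, sorted.
find_password_hooks() {
    local root="$1" p
    for p in $HOOK_PATHS; do
        [ -e "$root/$p" ] || continue
        # /dev/null forces grep to print the file name even for a single file;
        # "|| true" because grep exits 1 when a file has no match.
        find "$root/$p" -type f -exec grep -En "$RESET_PATTERN" /dev/null {} + || true
    done | sed "s#^$root/##" | sort
}

# preload_libs ROOT
# Prints the entries of ROOT/etc/ld.so.preload; a clean CentOS 6 box has none.
preload_libs() {
    local f="$1/etc/ld.so.preload"
    [ -s "$f" ] || return 0
    grep -v '^[[:space:]]*$' "$f" || true
}

# root_ssh_keys ROOT
# Prints the number of public keys in root's authorized_keys (0 if absent).
# An extra key is the usual way back in once the password has been "fixed".
root_ssh_keys() {
    local f="$1/root/.ssh/authorized_keys"
    [ -f "$f" ] || { printf '0\n'; return 0; }
    grep -cE '^(ssh-|ecdsa-)' "$f" || true
}

# Stand-alone use: hunt.sh /mnt/victim (hypothetical mount point)
if [ "$#" -eq 1 ]; then
    echo "== lines in boot/cron/login hooks that set passwords"
    find_password_hooks "$1"
    echo "== /etc/ld.so.preload entries"
    preload_libs "$1"
    echo "== public keys in root's authorized_keys: $(root_ssh_keys "$1")"
fi
```

Anything this finds is evidence to preserve, not something to delete and move on from: the hook is only one piece of whatever was installed, which is why the advice above is to rebuild on a fresh system and copy data and config over after inspection.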
