cPanel WHM and Linux Hacking!

mfwl

New member
We have had the logs through on several occasions from cPanel (logwatch) that tells us we have over 2000 'Unknown' failed logins.

Is someone attempting to hack our server? I shall post the worrying part of that email below and see if anyone here can let us know what to do about it or if we are worrying about nothing?

Regards

Matt :shaky::shaky::shaky:

--------------------- SSHD Begin ------------------------


Failed logins from:
60.220.218.88: 2750 times
203.114.112.99 (203-114-112-99.totisp.net): 32 times

Illegal users from:
60.220.218.88: 6470 times


Received disconnect:
11: Bye Bye : 9252 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user subhadeep : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user danna : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dchakrabarti : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user space : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user diablo : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user boris : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user paradise : 11 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webmaster : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cmcoperator : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user craig : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user usr : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sacvishal : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user magdalena : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user 123 : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jyotprasaddeka : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ihqmoddnom : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user hom : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user simbol : 10 time(s)


Cont.
 
Cont.

......................blah blah blah..

pam_succeed_if(sshd:auth): error retrieving information about user account : 150 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user invitado : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sitymoon : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ls : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user drcababu : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pt : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user hrhatwar : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fong : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user susanty : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user baluchandran : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user benliu : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user Terminator : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oscar : 20 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user doolph : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user xl : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user wirote : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user discovery : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user syamsankar : 20 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lol : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gomsluft : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user office : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user abcd : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user logic : 12 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user yearaj : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user abril : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user install : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gwaliormet : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user suprin : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user kcc : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user download : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vkdadhwal : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user spam : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user blmadhavan : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user porno : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user karmegam : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user word : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dwi : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ray : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sample : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ripals : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pink : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user joao : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user megamax : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jvsubbarao : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user abby : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user selva : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user elaine : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sasha : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rameshkumar : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tarendra : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user flo : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user de : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rajasekharmeka : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sumitkumar : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user erin : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user helen : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vkgarg : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rksarangi : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user denis : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user radhika : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user venice : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user yakuza : 10 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user manager01 : 20 time(s)

---------------------- SSHD End -------------------------

I left out over 2/3 of the entries!
 
It does seem like someone is brute-forcing the server. If you have BFD installed, it should have tried to block the IP. If you can get hold of the IP in this case, maybe you should add it to your firewall to block it.

I have added the IP; it is in China!

I have also created authentication keys for ssh and removed the password option!

Lo and behold, today the logwatch states a reduction in attempts, with all attempts by the said IP having failed!

NICE! I wish people hacking like this would just crawl away somewhere quiet and die!
 
Good thing to hear you are on top of it!

Hacking attempts are sadly becoming common, and these threads are always a good reminder to keep a close eye on your servers. A server is only as secure as its weakest link.
 
If you're using WHM and cPanel, load up CSF rather than APF and BFD - it's a MUCH better program!

As for the logs, it looks like someone is trying to hit your site hard, however the bigger concern is the usernames in that list, are they the usernames from your server? If so, how did they get a complete list of your users on the server? Would seem like your passwd file or group file has been exposed somewhere.

No, it was a form of brute force. I don't have any of those users on my server; they are random names ...
 
I am pretty sure you can have BFD block failed POP3 logins as well. It can be configured to block failed logins from nearly every service that logs it.

But unless they are logging in from a different IP every time, BFD should pretty much stop brute forcing in its tracks.
 
dump APF and BFD - these are outdated scripts.

Download CSF from www.configserver.com. You can ratelimit the number of connections allowed etc. We stand by this script on hundreds of our servers.

We set our limit at 5 successive login failures, and it then temporarily blocks the IP address for 15 minutes (long enough for most brute-force attempts to move on to a new server). If they get temporarily blocked 4 times in a row, it permanently blocks the IP from any further access to the server in question.
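As an added illustration of the escalation policy just described (this is my own Python replay, not code from the thread and not CSF itself), the script below feeds constructed sshd auth-log lines through "5 successive failures, 15-minute temporary block, permanent after 4 temporary blocks" and reports which addresses would end up blocked. The thresholds, the hostname, and the RFC 5737 documentation addresses are assumptions; the log format is the standard `Failed password for invalid user ... from ...` line that logwatch summarises as "Illegal users".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds mirror the policy in the post; they are assumptions, not CSF's own configuration keys.
FAIL_LIMIT = 5                      # successive failures before a temporary block
TEMP_BLOCK = timedelta(minutes=15)  # length of a temporary block
PERM_AFTER = 4                      # temporary blocks in a row before a permanent block
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def syslog_line(minute, user, ip):
    """Build a constructed sshd auth-log line 'minute' minutes after 10:00 on 13 Mar."""
    ts = (datetime(2024, 3, 13, 10, 0) + timedelta(minutes=minute)).strftime("%b %d %H:%M:%S")
    return f"{ts} host sshd[4242]: Failed password for invalid user {user} from {ip} port 40000 ssh2"

# Constructed sample: a scanner trying 'guest' once a minute for 70 minutes (198.51.100.7) and an
# admin who mistyped a password twice before logging in with a key (203.0.113.9).
SAMPLE_LOG = "\n".join(sorted(
    [syslog_line(m, "guest", "198.51.100.7") for m in range(70)]
    + [syslog_line(m, "matt", "203.0.113.9") for m in (3, 4)]
    + ["Mar 13 10:05:00 host sshd[4242]: Accepted publickey for matt from 203.0.113.9 port 40100 ssh2"]))

def simulate(log, year=2024):
    """Replay auth-log lines through the policy; return (temp_blocks as [(ip, ts)], perm_blocks set)."""
    fails = defaultdict(int)       # successive failures per IP since its last block
    temp_count = defaultdict(int)  # temporary blocks issued per IP
    blocked_until = {}             # ip -> datetime at which its temporary block expires
    temp_blocks, perm_blocks = [], set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        f = FAIL_RE.search(m.group(2))
        if not f:
            continue                      # accepted logins and other noise are not failures
        ip = f.group(2)
        if ip in perm_blocks or ts < blocked_until.get(ip, ts):
            continue                      # the firewall would drop these; nothing reaches sshd
        fails[ip] += 1
        if fails[ip] < FAIL_LIMIT:
            continue
        fails[ip] = 0                     # threshold hit: reset the counter and escalate
        temp_count[ip] += 1
        if temp_count[ip] >= PERM_AFTER:
            perm_blocks.add(ip)
        else:
            blocked_until[ip] = ts + TEMP_BLOCK
            temp_blocks.append((ip, ts))
    return temp_blocks, perm_blocks
```

Run against the sample, the scanner collects temporary blocks at 10:04, 10:23 and 10:42 and is permanently blocked on its fourth escalation, while the admin's two typos never reach the threshold.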
 
CSF is a strong recommendation for a server firewall; actually, APF, BFD and CSF all installed together would be the best choice.
 
You CAN NOT run APF and BFD in conjunction with CSF. When you install CSF it will prompt you to uninstall APF & BFD. If you do not, you can end up with a highly crippled machine (if it will even function).

Have you ever tried to run all 3 together? It doesn't work :)
 
This kind of brute-force attempt is pretty normal to expect. The best method is to change the SSH port entirely and install CSF. If you install CSF, however, be sure to go through each and every setting. Leaving it as-is will probably lead to locking yourself out of the server. If you really want to go secure, allow SSH access only from certain IPs or using SSH keys only.

When it comes to other services such as email, hackers will use random emails and passwords also. Again, this is expected from a site that becomes popular on the internet. CSF does a good job of monitoring the logs under /var/log for any invalid attempts and blocking as necessary.
 