Security Guide for cPanel servers

gorilla-chimp

You must keep your box secure at all times, getting compromized could lead to dataloss, which means you loose clients which isnt a very good way to run your buisness. You dont have to be an expert, there are just simple instructions you have to follow, check your box daily for any unknown proccesses, cheak on your clients regularly to make sure they are not up to no good. The easiest of steps can make you that one bit more secure which helps.

Why do people attempt to “hack” me?

The most common reason is for them to run a bot which is called an xdcc bot(iroffer), what this does is allows them to “serve” files on an irc network, which will allow people to download “warez” from you. These files must be uploaded to you, which means they will have opened an extra ftp server on you aswell. These bots allow people to use your space and bandwidth, because the faster the box the more popular there irc channel becomes.

More reasons are,
they just flat out hate you.
they need some extra resources.
because they want too.

How to stop this?

There is no exact way to stop it, all you can do is take the steps provided, follow them regularly, and keep an eye out.

Ok lets move on

Lets start off by installing a bash script to check for irc related proccesses.

open up ssh
login as root
and create a new file (touch filename,nano filename,echo “” >> filename,etc)
and put this inside it


#!/usr/local/bin/bash

#Modded by HostGeekZ
PROCESS[1]=eggdrop:Eggdrop
PROCESS[2]=psybnc:psyBNC
PROCESS[3]=ezbounce:ezBounce
PROCESS[4]=ircd:IRCD
PROCESS[5]=iroffer:iroffer
NUMOF=”5″
output_proc () {
i=”1″
NUMOF=$[$NUMOF + 1]
echo “+————————————+”
echo “| Secure your box ~Scott |”
echo “+————————————+”
while [ “$i” -lt “$NUMOF” ];do
PROCESS=”`echo ${PROCESS[$i]}|tr : ” “|awk ‘{print $1}’`”
PROCESSOUT=”`echo ${PROCESS[$i]}|tr : ” “| awk ‘{print $2}’`”
echo “| “`ps -ax|grep -v “grep”|grep -wcn $PROCESS`” $PROCESSOUT processes running”
i=$[i + 1]
done
echo “+————————————+”
}

output_proc

Save this file as proccheck.
Once saved type
sh proccheck
And now you will see an output, if you do not run irc and see any output of these as not 0, then you must deal with them.
For the most of you that dont allow irc you should see

+————————————+
| Secure your box ~Scott |
+————————————+
| 0 Eggdrop processes running
| 0 psyBNC processes running
| 0 ezBounce processes running
| 0 IRCD processes running
| 0 iroffer processes running
+————————————+

If anyone recives anything other than 0 for iroffer, then you have probley been “hacked”

If this all returns 0, then you should be fine so skip these next tests.

If you get anything then firstly check who ran the proccess, so if it was an iroffer proccess you would type

ps -aux | grep iroffer
If its iroffer no doubt you will see somthing similar to

nobody 1469 0.0 0.1 1984 864 ? S Aug03 0:02 ./iroffer -b somthing.conf
if it doesnt say nobody, then suspend the user that ran it and speak to him, otherwise continue.

So if someone has attacked you how can you find out?

Start by getting the pid which in this instance is 1469 and type

cd /proc/1469
Now view the files and where it started by typing

ls -alF
You should see somthing similar to this

-r–r–r– 1 user user 0 Aug 5 07:43 cmdline
lrwxrwxrwx 1 user user 0 Aug 5 07:43 cwd -> /home/user/iroffer
-r——– 1 user user 0 Aug 5 07:43 environ
lrwxrwxrwx 1 user user 0 Aug 5 07:43 exe -> /home/user/iroffer/iroffer*
dr-x—— 2 user user 0 Aug 5 07:43 fd/

This tells us that its located in /home/user/iroffer

Because it was ran by nobody this means that its what we call a webshell, they used http to execute the commands, so go get the apache logs of the account and look at them , open them up and search for iroffer , ls, tar, search for simliar linux commands and your bound to found where they where executed from, and then you can deal with the script and ban the users ip and report him.

Now dealing with the bot.
kill -9 pid for the example i would use

kill -9 1469
Now remove the files in the example i would use

rm -rf /home/user/iroffer
And deal with the webshell, also there will be uploaded files, so you will have to read iroffer.conf before deleting it to find what dir they uploaded too.

Now install chkrootkit, follow steps below.

wget http://www.reznor.com/tools/chkrootkit.tar.gz
tar -zxvf chkrootkit.tar.gz
chkrootkit-0.43
make sense
./chkrootkit

Make sure you run chkrootkit as root, and run it every so often, its better safe than sorry.

For cpanel and whm users

A good firewall to use is apf