  1. #1251
    Quote Originally Posted by Phil @ NodeDeploy View Post
    So.. the only recommended thing is to reinstall the entire operating system? Dang.
    Yep. It sucks, but you never know what someone else did with root on your server. You could spend a very long time looking for what they did and still miss something.

  2. #1252
    Join Date
    Apr 2008
    Location
    Romania
    Posts
    18
    @adebenc are hacked servers which have nothing to do with cPanel, using Plesk, Directadmins, some servers using no cpanels at all etc.

    But if I would be from Plesk or Directadmin, for sure I will start thinking that probably this was a large attack to all hosting-cpanels-providers... and probably RBN abused all of them, like they did with all major companies...

  3. #1253
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    991
    Quote Originally Posted by deriamis View Post
    Yep. It sucks, but you never know what someone else did with root on your server. You could spend a very long time looking for what they did and still miss something.
    Yes, it is faster to format the disk and reinstall everything clean than to find new problems every day and try to fix them for days and weeks... Or even worse, to have problems you have not found, with unknown results.
    NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
    Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
    Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland

  4. #1254
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by tomfrog View Post
    Ask them for a ssh public key. In WHM, you can import and authorize it.
    very sound advice!

  5. #1255

    Quote Originally Posted by demil View Post
    @adebenc are hacked servers which have nothing to do with cPanel, using Plesk, Directadmins, some servers using no cpanels at all etc.

    But if I would be from Plesk or Directadmin, for sure I will start thinking that probably this was a large attack to all hosting-cpanels-providers... and probably RBN abused all of them, like they did with all major companies...


    Those cPanel computers were affected by a threat, surely this threat has infected other computers (desktops), however at least 80% of servers got compromised because of the cPanel technical team computers infection. Every time the cPanel team logged in to a server, the server got compromised immediately (1-2 hours) (this is proven).

    It is already known that this threat was found on more desktops from people, and they probably logged in from their desktop to their server and got their server compromised (in the same way the cPanel technical team affected the servers).

    We should be happy that the CentOS platform is not the cause of the issues and the CentOS operating system should not lose reputation in this situation, they have no fault.

    good luck

  6. #1256
    Join Date
    Mar 2005
    Location
    Maine, USA
    Posts
    311
    A good tip when contacting support of any type and they require login credentials:

    Change the password to something new before giving it to them, then after the issue is resolved, change it again to something new. Or if you can, create a temporary user account then disable or delete the account after the support issue is resolved.

  7. #1257
    Quote Originally Posted by jzukerman View Post
    A good tip when contacting support of any type and they require login credentials:

    Change the password to something new before giving it to them, then after the issue is resolved, change it again to something new. Or if you can, create a temporary user account then disable or delete the account after the support issue is resolved.
    yes , you are right

  8. #1258
    The question is, does it affect only the 1.9? I have a file with version 1.3 or directly 1.

    If I run rpm, the message does not show me the version of libkeyutils.

    For example:

    [root@xxx ~]# rpm -qf /lib64/libkeyutils.so.1.3
    keyutils-libs-1.4-4.el6.x86_64

    I understand that in this case, it is free from problems.

    That if, in Plesk, all in the chroot folder, there is a /var/www/vhosts/chroot/lib64/libkeyutils.so.1 if displays.

    example:

    [root@xxx ~]# rpm -qf /var/www/vhosts/chroot/lib64/libkeyutils.so.1
    file /var/www/vhosts/chroot/lib64/libkeyutils.so.1 is not owned by any package

    But maybe it has nothing to do ... because as I say, with all plesk, different versions, one installed until yesterday.

  9. #1259
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Am I the only one who didn't get an email from Cpanel?
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  10. #1260
    Join Date
    May 2004
    Location
    World Wide Web
    Posts
    1,195
    If you did not raise any support ticket with them in the last 6 months, you might not have received the mail
    RVH Cloud - Every day hosting solutions since 2003
    Shared Hosting Reseller Hosting VPS Dedicated Servers True 24 x 7 x 365 Support

  11. #1261
    Join Date
    Sep 2002
    Location
    Toronto, ON
    Posts
    3,446
    Quote Originally Posted by FastServ View Post
    Am I the only one who didn't get an email from Cpanel?
    Have you opened a ticket in the past 6 months? I doubt they're sending it to everyone.
    Jean-Pierre Abboud / I'm the TekGURU
    www.Gotekky.com / Managed hosting solutions / AS63447
    Web Hosting, VPS Hosting, Dedicated Servers

  12. #1262
    Quote Originally Posted by FastServ View Post
    Am I the only one who didn't get an email from Cpanel?
    This is a good thing. It probably means you may be safe, like me!

  13. #1263
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by FastServ View Post
    Am I the only one who didn't get an email from Cpanel?
    No, we've not seen one either, but after their support left a server inoperable after they investigated an issue a long time ago, we swore we would never allow them into a server again but only advise.

  14. #1264
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by GoTek-JP View Post
    Have you opened a ticket in the past 6 months? I doubt they're sending it to everyone.
    5 or 6 tickets. One last week in fact.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  15. #1265
    Hi all.
    Off topic:
    This night I've detected a distributed attack against port 21 of a server of mine. Almost all probing comes from dedicated servers belonging to some small and medium hosting companies. I'm on the way to forward abuse reports to all.

  16. #1266
    Quote Originally Posted by cmarchena View Post
    [root@xxx ~]# rpm -qf /var/www/vhosts/chroot/lib64/libkeyutils.so.1
    file /var/www/vhosts/chroot/lib64/libkeyutils.so.1 is not owned by any package
    The file name kept changing. Did you login from any cpanel server to this one?

    Paste the result of

    strings /var/www/vhosts/chroot/lib64/libkeyutils.so.1

  17. #1267
    Join Date
    Mar 2006
    Location
    Johannesburg,South Africa
    Posts
    601
    Quote Originally Posted by LeadDogGraphicStudio View Post
    Google auth has a Chrome plugin you can use.
    Can you recommend any such application which doesn't run through a 3rd party service like Google, which could be compromised before the hacker tries to hack into the victim's server?
    South African Web Hosting - http://www.SoftDux.co.za || SA WebHostingTalk - http://www.webhostingtalk.co.za

  18. #1268
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,410
    So we've still not figured out the cause and so no one has yet found a prevention.

    The infected workstation theory does not apply to us, as we use a LIVE CD with Linux to boot from, with no physical hard drive. It's a fresh & clean system upon every boot.

    ▲ ▲

    WoltLab Dev

  19. #1269
    Quote Originally Posted by tomfrog View Post
    The file name kept changing. Did you login from any cpanel server to this one?

    Paste the result of

    strings /var/www/vhosts/chroot/lib64/libkeyutils.so.1
    Hello,

    [root@rs lib64]# strings /var/www/vhosts/chroot/lib64/libkeyutils.so.1
    @@2@:
    I P
    __gmon_start__
    _init
    _fini
    __cxa_finalize
    _Jv_RegisterClasses
    keyctl
    syscall
    keyctl_assume_authority
    keyctl_set_timeout
    keyctl_set_reqkey_keyring
    keyctl_negate
    keyctl_instantiate
    keyctl_read
    keyctl_read_alloc
    malloc
    realloc
    keyctl_search
    keyctl_unlink
    keyctl_link
    keyctl_clear
    keyctl_describe
    keyctl_describe_alloc
    keyctl_setperm
    keyctl_chown
    keyctl_revoke
    keyctl_update
    keyctl_join_session_keyring
    keyctl_get_keyring_ID
    request_key
    add_key
    libdl.so.2
    libc.so.6
    _edata
    __bss_start
    _end
    libkeyutils.so.1
    KEYUTILS_0.3
    KEYUTILS_1.0
    GLIBC_2.2.5
    t$(H
    T$0H
    D$ L
    t$ H
    t$ H

    Not in cpanel servers, but in Plesk.

    The Cpanel in theory I have them all without problems.

  20. #1270
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    Quote Originally Posted by TheVisitors View Post
    So we've still not figured out the cause and so no one has yet found a prevention.

    The infected workstation theory does not apply to us, as we use a LIVE CD with Linux to boot from, with no physical hard drive. It's a fresh & clean system upon every boot.
    Here's the thing,

    When you have 1000 people saying one thing and 1 person (you) saying something else... that's your problem. I say that in the politest way possible, but it's clear for a lot of people and a lot of companies that the point of compromise was infection through a workstation.

    You either have a super unique situation that none of us will ever figure out, or you're trolling to be different. Either way, good luck with that.

  21. #1271
    Join Date
    Oct 2010
    Location
    My world u just live here
    Posts
    1,410
    Quote Originally Posted by Patrick View Post
    Here's the thing,

    When you have 1000 people saying one thing and 1 person (you) saying something else... that's your problem. I say that in the politest way possible, but it's clear for a lot of people and a lot of companies that the point of compromise was infection through a workstation.

    You either have a super unique situation that none of us will ever figure out, or you're trolling to be different. Either way, good luck with that.
    Actually, if you read the thread.... And I understand 80+ pages is a lot.....

    .... You'll notice not everyone agrees with the workstation theory either.

    In fact there are dozens of posts where people said they scanned their workstation and found no infection. Some of those individuals even wiped out (formatted) their workstation and their servers, but still got infected.

    So I guess that is "all" our problem?

    No disrespect, but people like you should not give support to anyone else.

    ▲ ▲

    WoltLab Dev

  22. #1272
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    991
    Quote Originally Posted by cmarchena View Post
    Hello,

    [root@rs lib64]# strings /var/www/vhosts/chroot/lib64/libkeyutils.so.1

    Not in cpanel servers, but in Plesk.

    The Cpanel in theory I have them all without problems.
    Your file appears to be clean, the original libkeyutils file.

    It does not contain the strings of the infected libkeyutils files.
    NetworkPanda :: Web Hosting SSD Powered :: Reseller Hosting
    Instant activation, fast servers, NVMe SSD disks, cPanel, Softaculous 1-click apps installer, daily backups
    Multiple hosting locations: USA, Canada, France, UK, Germany, Italy, Spain, Poland, Finland
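
The manual checks from the posts above (`rpm -qf` on each libkeyutils file, then a closer look at anything odd), as an added shell example that is not code from the thread or from any vendor. The function names `classify_lib` and `scan_libkeyutils` are hypothetical, and `/lib` is an assumed extra directory next to the two paths named in the thread. Because the posts mention the file name changing (1.9, 1.3, 1), it matches every `libkeyutils.so*` rather than one version.

```shell
#!/bin/sh
# Added example (not from the thread). classify_lib FILE prints one verdict:
#   unowned          no RPM package claims the file (e.g. a copy in a chroot)
#   owned-modified   a package owns it, but it differs from the RPM database
#   owned-verified   a package owns it and rpm -V reports no difference
classify_lib() {
    # libkeyutils.so.1 is normally a symlink; judge the file it points to.
    real=$(readlink -f "$1") || return 1
    if ! rpm -qf "$real" >/dev/null 2>&1; then
        echo "unowned"
        return 0
    fi
    # rpm -Vf prints one line per changed file of the owning package,
    # with the file path as the last field.
    if rpm -Vf "$real" 2>/dev/null |
        awk -v f="$real" '$NF == f { found = 1 } END { exit !found }'; then
        echo "owned-modified"
    else
        echo "owned-verified"
    fi
}

# scan_libkeyutils DIR...  prints "<verdict><TAB><path>" for each match.
scan_libkeyutils() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -name 'libkeyutils.so*' 2>/dev/null |
        while IFS= read -r f; do
            printf '%s\t%s\n' "$(classify_lib "$f")" "$f"
        done
    done
}

# Usage: sh check_libkeyutils.sh --scan
if [ "${1:-}" = "--scan" ]; then
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; exit 2; }
    # /lib64 and the Plesk chroot path come from the thread; /lib is assumed.
    scan_libkeyutils /lib /lib64 /var/www/vhosts/chroot/lib64
fi
```

An `unowned` verdict only means no package vouches for the file, as with the chroot copy that was judged clean above from its strings. `owned-verified` relies on the local RPM database and tools, which anyone who had root could have altered.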

  23. #1273
    Join Date
    Mar 2012
    Location
    United States
    Posts
    107
    I went into WinSCP and did not see the file. I am using cpanel with centos5.

  24. #1274
    Quote Originally Posted by NetworkPanda View Post
    Your file appears to be clean, the original libkeyutils file.

    It does not contain the strings of the infected libkeyutils files.
    Thanks!

    I can not find any infected file, can I tell where to see it? To buy it with others. For example, I have a 1.3 that I say this completely different:



    I P
    {?Nq
    __gmon_start__
    _init
    _fini
    __cxa_finalize
    _Jv_RegisterClasses
    keyctl
    syscall
    keyctl_session_to_parent
    keyctl_get_security
    keyctl_get_security_alloc
    malloc
    realloc
    keyctl_assume_authority
    keyctl_set_timeout
    keyctl_set_reqkey_keyring
    keyctl_negate
    keyctl_instantiate
    keyctl_read
    keyctl_read_alloc
    keyctl_search
    keyctl_unlink
    keyctl_link
    keyctl_clear
    keyctl_describe
    keyctl_describe_alloc
    keyctl_setperm
    keyctl_chown
    keyctl_revoke
    keyctl_update
    keyctl_join_session_keyring
    keyctl_get_keyring_ID
    request_key
    add_key
    libdl.so.2
    libc.so.6
    _edata
    __bss_start
    _end
    libkeyutils.so.1
    KEYUTILS_0.3
    KEYUTILS_1.0
    KEYUTILS_1.3
    GLIBC_2.2.5
    ATSubH
    D$`H
    D$ H
    L$8L
    D$@H
    T$(H
    fff.
    t$ H
    fffff.
    fff.
    t$ H
    fff.
    t$ H
    fffff.
    fff.
    ffffff.

  25. #1275
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by TheVisitors View Post
    The infected workstation theory does not apply to us, as we use a LIVE CD with Linux to boot from
    Playing devil's advocate, I'll mention that if you're using a live CD I can assure you that you are using outdated software. Your theory is a nice one but it doesn't rule anything out. At this point I don't see anyone else STILL arguing the workstation theory except you.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters
