Web Hosting Talk forum, Hosting Security and Technology section
Anyone got hack before?

#1  09-21-2002, 11:52 AM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

Hello everyone!

I think my server (running as a web host on Red Hat Linux 7.2 and cPanel) was hacked.

What are the best solutions? I am quite a newbie and started my web hosting business a couple of months ago.

What steps should I take, and what can I do, to prevent this from happening again?

Someone is sending out a lot of SPAM MAILS from nobody@hostname,
so I suppose it is internal. It should not be a buggy mail script (CGI), because I have checked that.

What should I do? Any ideas, solutions or advice will be very, very much appreciated.

Has anyone of you had your server hacked before? What do you do to prevent it from happening again? How often do these kinds of things happen?
Thank you very, very much!

Have a nice day, and thank you for your time.

#2  09-21-2002, 12:00 PM
Webdude (Web Hosting Master, Join Date: Dec 2000, Location: The Woodlands, Tx, Posts: 5,955)

Maybe get rid of cPanel for a better control panel?

Seriously though, the first thing you need to do is get a command line on your server and run the following command:

locate -i formmail.pl

Chmod all the ones it finds to 000 and chown them to root ownership. Formmail.pl allows anyone to spam through a client's account, and has been banned by most hosts. Spammers can scan domains to see if there is a formmail.pl on any of them, and abuse them when they find them.

#3  09-21-2002, 12:17 PM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

Thank you for your input. Any further advice will be very, very much appreciated. Thanks.

#4  09-21-2002, 12:55 PM
Andrew (Web Hosting Master, Join Date: Jul 2002, Posts: 3,729)

Or, if you have a lot of clients who use formmail.pl and don't want to inconvenience the innocent ones, you can

pico formmail.pl

after you locate all of them, and check the version number on each one to make sure it's the latest version.

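Posts #2 and #4 together describe one audit: find every copy of formmail.pl, read its version, and either disable it outright or leave up-to-date copies alone. The script below is an added example written for this thread, not code from either poster; it uses find instead of locate so the listing does not depend on a stale updatedb database, and it assumes (an assumption, not something the thread states) that the script declares its version on a Perl line of the form `$VERSION = '1.92';`. The directory tree it runs against is constructed inside the script.

```shell
#!/bin/sh
# Added example (not code from the thread): audit every copy of formmail.pl under a
# document-root tree, print the version each one declares, and optionally lock the
# copies down the way post #2 suggests (mode 000, owned by root). find is used
# instead of locate so the answer does not depend on a stale updatedb database.
# Assumption: the script stores its version as a Perl line like  $VERSION = '1.92';

# formmail_version FILE -> the version string the copy declares, or "unknown".
formmail_version() {
    v=$(sed -n "s/^[[:space:]]*[\$]VERSION[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# audit_formmail ROOT [lock]
# Lists "<version>TAB<path>" for every formmail.pl (any letter case) below ROOT.
# With a second argument of "lock", each copy is also made unreadable and
# non-executable (chmod 000) and handed to root so the client cannot re-enable it.
audit_formmail() {
    root=$1
    mode=${2:-report}
    find "$root" -type f -iname 'formmail.pl' 2>/dev/null | while IFS= read -r f; do
        printf '%s\t%s\n' "$(formmail_version "$f")" "$f"
        if [ "$mode" = lock ]; then
            chmod 000 "$f"
            chown root:root "$f" || printf 'warning: could not chown %s (needs root)\n' "$f" >&2
        fi
    done
}

# Demonstration on a constructed directory tree, not a real server.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/clientA/cgi-bin" "$demo_dir/clientB/cgi-bin"
printf '#!/usr/bin/perl\n$VERSION = "1.6";\n'  > "$demo_dir/clientA/cgi-bin/formmail.pl"
printf '#!/usr/bin/perl\n$VERSION = "1.92";\n' > "$demo_dir/clientB/cgi-bin/FormMail.pl"
audit_formmail "$demo_dir"          # report only; pass "lock" as the second argument on a live box
rm -rf "$demo_dir"
```

Run it in report mode first and compare the versions it prints against the current release before deciding which copies to lock; the chown step only succeeds when the script is run as root, which is why the warning is emitted rather than the loop aborting.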
#5  09-21-2002, 12:58 PM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

Let's say the problem is not formmail. What else can it be? I have checked that and have asked my provider to check it too. They also agree that most probably my server was hacked and that somehow the hacker is able to send mail via my machine using the nobody account.

#6  09-21-2002, 01:05 PM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

May I know if you guys have had many problems with security issues while running a web hosting business, i.e. your server getting hacked, users sending out spam mail, etc.? Thanks.

#7  09-21-2002, 01:39 PM
Webdude (Web Hosting Master, Join Date: Dec 2000, Location: The Woodlands, Tx, Posts: 5,955)

No, we don't have that problem. We did once; it was an issue with formmail. On a server not running the Apache wrap, formmail operates as nobody. You don't have to hack a server to accomplish that. Look at one of the spam headers and it might show a UID in it. If it does, that is the UID of the account the spam was sent from. Feel free to post the headers here if you don't understand what I mean.

#8  09-21-2002, 09:21 PM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

Hello guys, this is the header of the mail:

Received: from eguard1.maxhostings.net ([194.147.179.02]) by e-mail.ru ; Fri, 20 Sep 2002 07:11:32 3
Received: from nobody by eguard1.maxhostings.net with local (Exim 3.36 #1)
id 17sDtw-0003nn-00
for bookmaker@e-mail.ru; Thu, 19 Sep 2002 19:52:16 -0700
To: bookmaker@e-mail.ru
Subject:
From: journals-na@nm.ru
Subject: =?koi8-r?Q?=EF=E4=E9=EE_=EE=EF=ED=E5=F2_=EE=EF=F7=EF=E7=EF_=F6=F5=F2=EE=E1=EC=E1_=E2=E5=F3=F0=EC=E1=F4=EE=EF?=
Date: Fri, 20 Sep 2002 05:16:18 +0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C26043.52CE91E0"
Message-Id: <E17sDtw-0003nn-00@eguard1.maxhostings.net>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - eguard1.maxhostings.net
X-AntiAbuse: Original Domain - e-mail.ru
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [0 99]
X-AntiAbuse: Sender Address Domain - eguard1.maxhostings.net
Return-Path: <nobody@eguard1.maxhostings.net>
X-Rcpt-To: <bookmaker@e-mail.ru>
X-DPOP: Version number supressed
X-UIDL: 1032590015.62690
Status: U


Please help me if this header is able to tell you more.
I have changed the host name (eguard1.maxhostings.net) and the IP. I am sorry, I'm just trying to play it safe.

Thank you very, very much.

#9  09-21-2002, 09:23 PM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

I have just noticed this one...

Is this helpful in any way?

X-Authentication-Warning: relay2.mailru.com: Host [194.147.179.02] claimed to be eguard1.maxhostings.net

Thanks again.

#10  09-21-2002, 09:35 PM
Webdude (Web Hosting Master, Join Date: Dec 2000, Location: The Woodlands, Tx, Posts: 5,955)

I'm sorry, I don't know Exim. I can't be much help to you other than the fact that you have an open mail relay. This means domains that you don't host can bounce their email (relay) through your server.

Here's the tricky part: since I don't know how Exim works, I don't know how to tell you to turn relaying off. Someone else will have to help you with that. Once you close that relay, you will be fine. I was hoping the header would tell what user, but it only showed "nobody" (which is 99). However, it also shows 0, which is root.

X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [0 99]

Usually people would jump and say you've been hacked, but that depends on whether your mail program under Exim operates as root... or perhaps the root part is Exim itself, which is most likely the case. However, based on my experience with Linux/Apache and other control panels, I am simply reading that you were relayed through, not hacked.

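Posts #7 through #10 turn on two pieces of evidence in the posted header: the UID in the X-AntiAbuse line and how the message reached the server. The script below is an added example for this thread, not code from any of the posters. It pulls the caller UID out of the X-AntiAbuse line and also reads the Received line the server itself added. In an Exim Received line, "with local" means a process on that server handed the message to Exim directly (the command line or a pipe, which is how a CGI script running as nobody sends mail), while "with smtp" or "with esmtp" means the message arrived over the network from another host, which is what relaying looks like. The posted header is used as the first input; the second header is constructed here as a contrast case and is not from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): read a spam header the way post #10 does,
# pulling the caller UID out of the X-AntiAbuse line, and also check how Exim says it
# took the message in. In an Exim "Received:" line, "with local" means a process on
# the server itself handed the message to Exim (command line or pipe, which is how a
# CGI script running as "nobody" sends mail); "with smtp"/"with esmtp" means the
# message arrived over the network from another host, which is what a relay looks like.

# The header posted in the thread (hostname and IP were already altered by the poster),
# trimmed to the lines these functions read.
POSTED_HEADER='Received: from eguard1.maxhostings.net ([194.147.179.02]) by e-mail.ru ; Fri, 20 Sep 2002 07:11:32 3
Received: from nobody by eguard1.maxhostings.net with local (Exim 3.36 #1)
 id 17sDtw-0003nn-00
 for bookmaker@e-mail.ru; Thu, 19 Sep 2002 19:52:16 -0700
From: journals-na@nm.ru
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [0 99]
Return-Path: <nobody@eguard1.maxhostings.net>'

# A constructed contrast case (not from the thread): the same server accepting a
# message over SMTP from an outside host, as it would if it were relaying.
RELAYED_HEADER='Received: from mail.example.org ([192.0.2.10]) by eguard1.maxhostings.net with esmtp (Exim 3.36 #1)
 id 17sZZZ-0000aa-00
 for someone@example.net; Thu, 19 Sep 2002 20:00:00 -0700
From: someone@example.org'

# caller_uid HEADER -> the UID in "Originator/Caller UID/GID - [uid gid] / ..." (empty if absent)
caller_uid() {
    printf '%s\n' "$1" | sed -n 's/^X-AntiAbuse: Originator\/Caller UID\/GID - \[\([0-9]*\) [0-9]*\].*/\1/p' | head -n 1
}

# submission_method HEADER HOST -> the word after "with" in the Received line that
# HOST added when the message first entered it (the lowest matching line, since each
# hop prepends its own Received line above the earlier ones), or "unknown".
submission_method() {
    printf '%s\n' "$1" | awk -v host="$2" '
        /^Received: / && index($0, "by " host " ") && / with / {
            m = $0; sub(/.*with /, "", m); sub(/ .*/, "", m); method = m
        }
        END { print (method == "" ? "unknown" : method) }'
}

# classify HEADER HOST -> one-line verdict on where to look next
classify() {
    uid=$(caller_uid "$1")
    how=$(submission_method "$1" "$2")
    case "$how" in
        local)  printf 'submitted locally by uid %s: look for a script or account on this server, not for an open relay\n' "${uid:-unknown}" ;;
        smtp|esmtp|esmtpa|esmtps)
                printf 'accepted over %s from another host: check relay and authentication settings\n' "$how" ;;
        *)      printf 'submission method not found in header\n' ;;
    esac
}

classify "$POSTED_HEADER"  eguard1.maxhostings.net
classify "$RELAYED_HEADER" eguard1.maxhostings.net
```

The host name passed as the second argument must be the one the server writes into its own Received lines (the primary hostname, which the X-AntiAbuse line on the page also records), otherwise no line matches and the verdict is "unknown".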
#11  09-22-2002, 03:17 AM
rusko (Web Hosting Master, Join Date: Sep 2002, Posts: 3,892)

roothat

albert,

your biggest problem is the redhat (aka roothat) install you've got. there are a number of security issues in the default redhat 7.2 install. the way to go is to go to the redhat website, locate the security-related errata and patch/upgrade all of the packages which are vulnerable (quite a lot: the default rh 7.2 install contained vulnerable apache, php, ssh and openssl). also, go to the websites of the vendors of all your third-party packages and install their security fixes, if any.

if you suspect your server has been compromised, the only way to know for sure that it's clean is to do a full reinstall. loadable kernel modules (called rootkits) installed by crackers on compromised servers are extremely hard to detect (several programs exist for that, but they can't detect the more sophisticated and less popular rootkits).

if you want to prevent this from happening again, i suggest you spend some time learning about security, preventive and remediation measures etc. the second option is to hire someone knowledgeable in these issues to provide managed security services for you; that usually includes updating all vulnerable software, hardening of your server and ongoing monitoring. it can be affordable or rather pricey depending on what you need, but it's almost always worth the money considering the downtime caused by security breaches.

pm me if the above doesn't help =]

good luck,
paul

#12  09-22-2002, 06:37 AM
albertg (Junior Guru Wannabe, Join Date: Sep 2002, Posts: 30)

Quote:
Originally posted by Webdude
I'm sorry, I don't know Exim. I can't be much help to you other than the fact that you have an open mail relay. This means domains that you don't host can bounce their email (relay) through your server.

Here's the tricky part: since I don't know how Exim works, I don't know how to tell you to turn relaying off. Someone else will have to help you with that. Once you close that relay, you will be fine. I was hoping the header would tell what user, but it only showed "nobody" (which is 99). However, it also shows 0, which is root.

X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [0 99]

Usually people would jump and say you've been hacked, but that depends on whether your mail program under Exim operates as root... or perhaps the root part is Exim itself, which is most likely the case. However, based on my experience with Linux/Apache and other control panels, I am simply reading that you were relayed through, not hacked.

I have checked myself at http://www.abuse.net/relay.html and it says I am not an open relay. I hope the problem is just an open relay.
