PLZ Help , LFD Report / afraid of Hack
Posted by monitor2000com, 11-16-2009, 05:54 PM
Hello,
I'm using a CentOS/cPanel server and have disabled shell access for all users.
I have just received 2 emails from LFD.
The accounts mentioned below belong to different people, and I am fairly sure that the owners of the websites have not tried to log in; it means someone else has tried to log in (someone who knows the passwords of both websites).
================
lfd on server..........com: SSH login alert for user mehdieb from 62.x.x.x(GR/Greece/-)
Time: Mon Nov 16 21:06:55 2009 +0330
IP: 62.x.x.x (GR/Greece/-)
Account: Account1
Method: password authentication
---------
Time: Mon Nov 16 22:32:19 2009 +0330
IP: 62.x.x.x (GR/Greece/-)
Account: Account2
Method: password authentication
I have checked the IP in the firewall; the IP has 95 input and output connections.
---------------------------------
Chain num pkts bytes target prot opt in out source destination
LOCALINPUT 95 0 0 DROP all -- !lo * 62.x.x.x 0.0.0.0/0
LOCALOUTPUT 93 0 0 DROP all -- * !lo 0.0.0.0/0 62.x.x.x
---------------------------------
Last edited by monitor2000com; 11-16-2009 at 05:58 PM.
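The two alerts above carry the signal the poster is worried about: one source address completing password logins to two unrelated accounts within a couple of hours. The script below is an added example, not code from the thread or from CSF/LFD: it parses alert bodies in the Time/IP/Account/Method layout quoted above, groups logins by source address and flags any address that reached more than one account inside a time window. It also labels the columns of the firewall row quoted above, which has the header printed by `iptables -L -v -n --line-numbers`: the first number after the chain name is the rule's position in the chain, and the next two are the packet and byte counters. The sample alerts and the firewall row are constructed; the thread masks the address as 62.x.x.x, so 62.0.0.1 stands in for it, and the third alert (10.0.0.5, key-based, one account) is a benign contrast added so the grouping has something to ignore.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the LFD "SSH login alert" mails quoted in
# the thread. 62.0.0.1 is a placeholder for the masked 62.x.x.x; the third
# record is a benign contrast (single account, key-based) that should not be flagged.
SAMPLE_ALERTS = """\
Time: Mon Nov 16 21:06:55 2009 +0330
IP: 62.0.0.1 (GR/Greece/-)
Account: Account1
Method: password authentication
---------
Time: Mon Nov 16 22:32:19 2009 +0330
IP: 62.0.0.1 (GR/Greece/-)
Account: Account2
Method: password authentication
---------
Time: Mon Nov 16 23:10:02 2009 +0330
IP: 10.0.0.5 (-/-/-)
Account: Account1
Method: publickey authentication
"""

# Constructed row in the "Chain num pkts bytes ..." layout of
# `iptables -L -v -n --line-numbers`, with the same placeholder address.
SAMPLE_IPTABLES_ROW = "LOCALINPUT 95 0 0 DROP all -- !lo * 62.0.0.1 0.0.0.0/0"

FIELD_RE = re.compile(r"^(Time|IP|Account|Method):\s*(.+)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y %z"   # e.g. "Mon Nov 16 21:06:55 2009 +0330"


def parse_alerts(text):
    """Turn Time/IP/Account/Method lines into dicts; a 'Method' line closes a record."""
    records, current = [], {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue                      # separators and blank lines
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "ip":
            value = value.split()[0]      # drop the "(GR/Greece/-)" geo suffix
        elif key == "time":
            value = datetime.strptime(value, TIME_FMT)
        current[key] = value
        if key == "method":
            records.append(current)
            current = {}
    return records


def accounts_per_ip(records, window_hours=24):
    """Flag source IPs that logged into more than one account within the window.

    One address reaching unrelated accounts by password, close together in
    time, is the pattern worth investigating (shared or guessed credentials).
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        accounts = sorted({r["account"] for r in recs})
        if len(accounts) < 2:
            continue
        times = sorted(r["time"] for r in recs)
        span = times[-1] - times[0]
        if span.total_seconds() > window_hours * 3600:
            continue
        findings[ip] = {
            "accounts": accounts,
            "span_minutes": int(span.total_seconds() // 60),
            "password_logins": sum(r["method"].startswith("password") for r in recs),
        }
    return findings


def parse_iptables_row(row):
    """Label the columns of one --line-numbers row.

    'num' is the rule's position in the chain, not a connection count;
    'pkts' and 'bytes' are the counters of traffic that matched the rule.
    """
    f = row.split()
    if len(f) != 11:
        raise ValueError("expected 11 columns: chain num pkts bytes target prot opt in out source destination")
    return {
        "chain": f[0], "rule_num": int(f[1]), "pkts": int(f[2]), "bytes": f[3],
        "target": f[4], "prot": f[5], "in": f[7], "out": f[8],
        "source": f[9], "destination": f[10],
    }


if __name__ == "__main__":
    for ip, info in accounts_per_ip(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{ip}: {len(info['accounts'])} accounts in {info['span_minutes']} min -> {info['accounts']}")
    print(parse_iptables_row(SAMPLE_IPTABLES_ROW))
```

Feeding the real alert mails through `parse_alerts` gives a per-address view that is easier to act on than reading each mail in isolation; `parse_iptables_row` on the real `csf -g` output shows whether the DROP rule for that address has actually matched anything (non-zero pkts) since it was added.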
Posted by @Matt, 11-16-2009, 06:12 PM
I would recommend you change your port number.
Posted by monitor2000com, 11-16-2009, 06:12 PM
Additional information:
I know that the person couldn't log in to SSH, but please check the notifications; I think he has the passwords of the websites.
Posted by monitor2000com, 11-16-2009, 06:15 PM
I'll do that, but I want to know what the CSF report means.
The IP has 95 input and output connections; what do these connections mean?
Posted by @Matt, 11-16-2009, 06:19 PM
Someone has a total of 95 connections to that account, which is indeed pretty high.
CSF Report == ConfigServer Firewall report.
Are you sure SSH is disabled, and how did you disable it? The alert you're getting clearly shows that it's an SSH alert.
I would do the following:
Change the CSF rules to high, change the SSH port number, change the passwords of both accounts, and then examine whether anything looks suspicious.
Posted by SPaReK, 11-16-2009, 06:21 PM
Could be someone logging in with SFTP. If the shell for a user is set to /usr/local/cpanel/bin/noshell then that user will still be able to connect with SFTP, just not SSH.
But I'm not really sure what the iptables output you posted means.
Posted by @Matt, 11-16-2009, 06:27 PM
Make sure to also check whether anyone besides you is logged into the shell.
Just type the command "w".
Posted by monitor2000com, 11-16-2009, 06:32 PM
I'm not sure how he has the passwords of 2 accounts which belong to different people. I have checked one of the accounts and the password was just a number (e.g. 12348); the hacker could scan the IP and find out the password.
But I want to know what the 95 connections mean.
In fact I'm afraid of him; maybe he has logged in to different cPanel accounts.
Posted by @Matt, 11-16-2009, 06:47 PM
If a server has already been compromised then it wouldn't be too difficult.
Posted by monitor2000com, 11-16-2009, 06:58 PM
Would you please let me know:
1) How to ban a range of IPs (255 IP addresses)? As far as I know it's 222.222.0.0/16, but I'm not sure.
2) How to specify some IP addresses for SSH?
I mean enter my ISP's IP range so nobody can connect to SSH from other IPs.
Thank you
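The thread ends without answering the two questions above, and the /16 guess is the kind of slip that matters: a /16 covers 65,536 addresses, while the 255-or-so addresses the poster has in mind is a /24. The script below is an added example, not code from the thread or from CSF: it uses Python's `ipaddress` module to size a block, to build the smallest single prefix that covers a given number of addresses (refusing ranges that cannot be written as one prefix), to confirm an address really falls inside a deny or allow entry, and to render lines in the `csf.deny` ("address # comment") and `csf.allow` advanced syntax ("tcp|in|d=port|s=address") that CSF documents. Assumptions: 62.0.0.1 stands in for the masked 62.x.x.x, 203.0.113.0/24 (a documentation range) stands in for the poster's ISP range, and SSH is still on port 22.

```python
import ipaddress

# Placeholder for the masked 62.x.x.x from the alerts; used only in the membership checks.
ALERT_IP = "62.0.0.1"


def block_size(cidr):
    """Number of addresses a prefix covers (e.g. /24 -> 256, /16 -> 65536)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def cidr_for_block(first_ip, count):
    """Smallest single prefix that starts at first_ip and covers exactly `count` addresses.

    Raises ValueError when the range cannot be written as one prefix (count is
    not a power of two, or first_ip is not aligned to that block size), so a
    typo cannot silently turn into a much larger block than intended.
    """
    start = ipaddress.ip_address(first_ip)
    end = start + (count - 1)
    nets = list(ipaddress.summarize_address_range(start, end))
    if len(nets) != 1:
        raise ValueError(f"{first_ip} + {count} addresses is not a single CIDR block: {nets}")
    return str(nets[0])


def covers(cidr, ip):
    """True if `ip` falls inside `cidr`; check an entry hits what you meant before adding it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def csf_deny_entry(cidr, comment):
    """One csf.deny line ("address # comment"); the address is validated before rendering."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net} # {comment}"


def csf_allow_ssh_entries(trusted_cidrs, port=22):
    """csf.allow advanced-syntax lines admitting only the trusted ranges to the SSH port.

    These only restrict access if the port is also removed from TCP_IN in
    csf.conf; otherwise the global rule still lets every address in.
    """
    lines = []
    for c in trusted_cidrs:
        net = ipaddress.ip_network(c, strict=False)   # rejects malformed input early
        lines.append(f"tcp|in|d={port}|s={net}")
    return lines


if __name__ == "__main__":
    print("/16 covers", block_size("222.222.0.0/16"), "addresses; /24 covers", block_size("222.222.0.0/24"))
    print("256 addresses from 222.222.0.0 ->", cidr_for_block("222.222.0.0", 256))
    print("alert IP inside 62.0.0.0/24?", covers("62.0.0.0/24", ALERT_IP))
    print(csf_deny_entry("62.0.0.0/24", "SSH password logins to two accounts, 2009-11-16"))
    print("\n".join(csf_allow_ssh_entries(["203.0.113.0/24"])))
```

Banning a block is a stopgap; the accounts themselves still need new passwords, since the alerts show password logins succeeded. As a second layer independent of the firewall, `sshd_config` accepts `AllowUsers` entries in `user@host` form, so the same trusted range can be enforced by sshd as well.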