Root Compromise

phpAddict

Active Member
Looks like it's a one-time cost of $125. Looks like they just check to make sure your server is hardened. If it's not, they suggest to you what needs to be done. Seems they only check your cPanel for issues, so if there are backdoors installed by your hacker on your accounts, they may not even look for those.

Naushad, imo, if you haven't already done so you should begin migrating to a new VPS. Get it going, then, like you said earlier, start migrating accounts one at a time and see what happens. You're no worse off by beginning the migration.
 

Naushad

Member
@phpAddict you are very right. I second your suggestion once again. I am only waiting to get all WordPress and Joomla installations and their plugins updated by clients to have the major portion of websites migrating. My plan also includes migrating websites in phases. I have found one good plugin, "wordfence" https://wordpress.org/plugins/wordfence/ ; this appears to be a good option to examine WordPress websites first.
Just waiting for some more things to be done. I will start this on some weekend to save downtime while migrations take place. I also have to consult different clients before migrating, as their websites are being accessed 24/7 due to accounting software, etc.
But this is for sure: I am following the suggestion you and other worthy forum colleagues have endorsed :)
 

Dave G

Member
@Dave G thanks. I am not a tech guy and probably won't be :( I read the link but am not sure if they manage it on my behalf or not. What is your experience with this? It is 'a bit' costly to have. I will have to raise the price of my products a little.
Hi Naushad
Yes, it is a one-time charge. They are very nice people and will answer any of your questions. I have had 2 VPSs and have had their full suite of software installed: cPanel Service Package + MailScanner. The nice thing about MailScanner is you can manage ALL your customers' mail needs from one control panel. It will also report to you when an account is sending a mass mailing (spamming).

Some of the software they install can be set to auto-update (some will need you to click a button), or you can update it manually with the click of a button from within the software's control panel.

If you read about the software they install, from the page I had posted, you will see what it does. For instance, CXS:

"The active scanning of files can help prevent exploitation of an account by malware by deleting or moving suspicious files to quarantine before they become active. It can also prevent the uploading of PHP and perl shell scripts, commonly used to launch more malicious attacks and for sending spam."

There are also other scripts/software installed that look after/protect your server/VPS.

I gain nothing from this recommendation other than knowing it may help you sleep a little better at night :)
 

Naushad

Member
I am definitely going to take a look at this service. I am almost ready to shift to a new server. I would rather go for a solution that helps me deal with security features for individual clients.
Thank you very much for guidance. I will keep this thread updated.
 

Naushad

Member
Here is an update;
I am monitoring the server for a few days. I believe that WHMCS is somehow compromised. SSH is blocked for everyone. I had been noticing logins that I would never authorize. The root password was known only to KH support, me, or WHMCS (which uses it to connect to WHM to perform its function). But since I got this password changed and then did not update it in WHMCS, no logins have been made (for two days). I wish to continue observing this. If this works fine, then probably I am going to get WHMCS cleaned up / compared with the original installation files.
Your suggestions would be good too.
 

Naushad

Member
Here is another update:
The following alert was received twice, along with an alert that the root password was changed. I am well aware that root is compromised and that the password was known only to KH support and me, which means whatever we do is known to the hacker.
I am going to work on the new VPS in a day or two. One thing puzzles me: if the hacker has access to WHM, why is he not enabling SSH entry for himself? Besides, what does he want? He is not doing anything but just logging in and out and checking server load logs!!!

Subject: lfd on host.********.net: WHM/cPanel root access alert from 117.199.107.87 (IN/India/-)
To: root@host.*********.net

Time: Sun May 25 14:31:16 2014 +0500
IP: 117.199.107.87 (IN/India/-)
User: root
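When lfd mails alerts like the one above, the first triage question is whether the source IP is one you or your provider would ever use. The script below is an added example written for this thread, not part of any post and not part of csf/lfd. It assumes the plain-text alert layout shown above (Time: / IP: / User: lines); ALLOWED_NETS is an invented allow-list, the host name is a placeholder, and the second alert in SAMPLE_ALERTS is constructed so there is something allowed to contrast with the quoted one.

```python
"""Triage lfd 'WHM/cPanel root access alert' mails against an IP allow-list."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical allow-list: the admin's own static address and the hosting
# provider's support range. Root logins from anywhere else are findings.
ALLOWED_NETS = [ip_network("203.0.113.10/32"), ip_network("198.51.100.0/24")]

# The three lines lfd prints for a root access alert, in order.
ALERT_RE = re.compile(
    r"^Time:\s*(?P<time>.+?)\s*$\n"
    r"^IP:\s*(?P<ip>[0-9a-fA-F.:]+)(?:\s*\((?P<geo>[^)]*)\))?\s*$\n"
    r"^User:\s*(?P<user>\S+)",
    re.MULTILINE,
)

# Constructed mailbox dump: the alert quoted in the thread plus one from an allowed address.
SAMPLE_ALERTS = """\
Subject: lfd on host.example.net: WHM/cPanel root access alert from 117.199.107.87 (IN/India/-)
To: root@host.example.net

Time: Sun May 25 14:31:16 2014 +0500
IP: 117.199.107.87 (IN/India/-)
User: root

Subject: lfd on host.example.net: WHM/cPanel root access alert from 203.0.113.10 (-/-/-)
To: root@host.example.net

Time: Sun May 25 09:02:41 2014 +0500
IP: 203.0.113.10 (-/-/-)
User: root
"""


@dataclass
class RootLogin:
    time: str
    ip: str
    user: str
    geo: str
    allowed: bool


def parse_alerts(text, allowed=ALLOWED_NETS):
    """Every root-access alert in text, flagged against the allow-list."""
    logins = []
    for m in ALERT_RE.finditer(text):
        ip = m.group("ip")
        ok = any(ip_address(ip) in net for net in allowed)
        logins.append(RootLogin(m.group("time"), ip, m.group("user"), m.group("geo") or "", ok))
    return logins


def unexpected_root_logins(text, allowed=ALLOWED_NETS):
    """Root logins from outside the allow-list: the ones to investigate.
    A hit here while the password is known only to you and the provider means
    the credential, or something that grants root on its behalf such as an API
    hash stored in another application, is leaking."""
    return [login for login in parse_alerts(text, allowed) if not login.allowed]


if __name__ == "__main__":
    for login in unexpected_root_logins(SAMPLE_ALERTS):
        print(f"UNEXPECTED root login {login.time} from {login.ip} ({login.geo})")
```

Feed it the raw text of the alert mails (for example a saved mbox) and block any unexpected source with csf -d <ip>; the point of the allow-list is that, once the password has been changed, any further hit from an unknown address tells you the attacker is not using the password at all but some other credential the server still trusts.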
 

Dave G

Member
If I had to guess from looking at the files that were changed/compromised, I would say they are prepping your site for sending out spam. I have noted receiving spam from some unusual places/servers as of late.
I am assuming you have blocked the IP in your CS Firewall.

Have you checked/scanned your local computer for viruses, key loggers, spyware?
Are you on a wireless network whose router may have been compromised?
 

Naushad

Member
Dave, I just got the log examined; the entry was made through the compromised WHMCS installation using the hash value. So I was right. I am narrowing down the investigation to learn exactly what helps the hacker to enter. I have removed the hash value from WHMCS, changed the access key in WHM and also changed the password. Now I am attempting to change the passwords for the cPanels. I have requested support to help me do that. I don't know much about SSH.
My PC is secure; it has active, updated and licensed versions of virus and malware scanners. Also, the internet connection I use is dedicated to this computer only. So there is the least chance that my system is infected.
 

Naushad

Member
Here is an update:
I have got a new vps2 provisioned. It is ready. Now I will start shifting the accounts gradually. I need a little more assistance. Can any of my senior colleagues here guide me on how to perform a scan on a single website to check whether it has any broken symlinks, outdated CMS scripts, any other malicious content/injection, etc.?
 

phpAddict

Active Member
As far as programs that will scan for issues, yes, there are WP programs that scan for outdated plugins and/or plugins that have security holes, but even doing that is not going to ensure your accounts are 100% secure. If your hacker programmed a backdoor, no scanner is going to definitely find it, as there are thousands of ways to create a backdoor.

I would...
1. Have a different (and very strong) root password than you've ever had on your old VPS.
2. Migrate accounts one at a time and separate each account migration by a day or two. That way if something begins to act funny it may be from the last account you migrated.
3. If you believe WHMCS is compromised, maybe stop using it temporarily and manage your server only through WHM. Once everything has migrated and appears secure, then if you want to take the risk of using WHMCS again, that's up to you.

Your new VPS is going to be secure initially, you'll only have access to it using the 1 root user account. As you add accounts, even if the account has been compromised, and even if they have backdoors, the programs and even the hackers that have access, will only have access to that account, they'll have no access to anything but the data in the account's home folder, nothing that the root account has access to. I'm telling you that because as you migrate accounts, if you at any point begin to have root issues, then you have a problem outside of your server, someone is sharing your password (or your password is too easily brute-forced by a backdoor program on your server).

That's what I would do, but I'm always open to better methods.
 

Naushad

Member
I have got another VPS and am gradually shifting my accounts now after some scans. Could any of my seniors here advise whether I should put the accounts under a reseller instead of registering them directly under root? Will it increase security a bit?
 