
I have a huge problem. In a nutshell, 2 days ago I noted a strange process going on with httpd, something I never saw before. That then led to me googling it, and OVH came up top with "Examples of a hacked server". So I freaked out, but didn't do anything, as the rest of the cPanel forums said it wasn't related to hacks.

And here we are, I'm unable to log in to root, as if my pass was changed. I have standard user accounts which have no root access but have SSH access. The server is running CentOS 6.2.

OK, I booted to single-user mode and was able to reset my password from there. Now I have root access back, but only for 5-10 mins, as it gets changed again right after booting up. I scanned for rootkits and found nothing, and am doing a clamav scan which isn't bringing up much either. Luckily I connected to a root SSH terminal right before it got changed, so I have no WHM access but I do have SSH root access until I disconnect.

I'm posting here requesting help and advice on what I should do here. Thanks, Kris

Kris
  • Three words: "Nuke From Orbit". Hope you've got good backups. – Iszi Oct 10 '12 at 20:15
  • And hope those backups were readonly. – Stephen Touset Oct 10 '12 at 20:39
  • Can you share details about what the process was that you saw? If you are using CPanel there are some other things that could possibly be causing an issue. Is it a dedicated server? Is it a managed server? Could the root account have been locked out rather than password changed? – AJ Henderson Oct 10 '12 at 20:40
  • It's a VPS running on an OVH dedicated server running Xen. The process was `/usr/local/apache/bin/httpd -k start -DSSL`. It brings up the HackedMachineExample on OVH when googled. – Kris Oct 10 '12 at 21:09
  • Oh, and it's not managed I was the one that setup everything. – Kris Oct 10 '12 at 21:10
  • That process is completely legitimate. You may have been compromised in another way. – Hammo Oct 11 '12 at 04:24
  • That's what it seems, indeed. – Kris Oct 11 '12 at 08:36
  • OK, I booted to single-user mode and was able to reset my password from there. Now I have root access back, but only for 5-10 mins, as it gets changed again right after booting up. I scanned for rootkits and found nothing, and am doing a clamav scan which isn't bringing up much either. Luckily I connected to a root SSH terminal right before it got changed, so I have no WHM access but I do have SSH root access until I disconnect. – Kris Oct 11 '12 at 10:01

3 Answers


You will never be able to gain complete confidence in your server again; you'll have to rebuild or restore from backups. If there are critical files you don't have backed up, then boot to single-user mode, get your data, then wiperola. There are no tools, scanners, or methodologies that will enable you to be sure you're hack-free. Also, you could spend much more time trying to fix it than simply rebuilding.

GdD

If you SSH in as another user and su to the root account, does the password for root work? If it does, then something is up with httpd... restart?

Any log files you can look at?

Darkmatter
  • I SSHed in as another user and am unable to use su and sudo to gain any root access, "not in sudoers file". – Kris Oct 11 '12 at 08:14
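The questions above (does su work, which logs to look at) come down to one thing worth doing while the surviving root SSH session is still open: find what is rewriting the root password a few minutes after every boot. The script below is an added example, not code from anyone in this thread. It assumes a CentOS 6-style box with GNU find/stat and the usual boot-time persistence locations (cron, rc.local, init scripts, root's shell profile); the list of paths and the password-changing command patterns it greps for are my assumptions, not something the question establishes.

```sh
#!/bin/sh
# Added triage helper (not from the original thread). Run as root from the
# still-open SSH session on the affected VPS. Assumes GNU find/stat/awk
# (CentOS 6) and Linux /proc. Nothing here fixes anything; it only reports.

# Assumed list of places where a boot-time persistence mechanism usually lives.
PERSIST_PATHS="/etc/rc.d /etc/init.d /etc/rc.local /etc/crontab /etc/cron.d \
/etc/cron.hourly /etc/cron.daily /var/spool/cron /etc/profile.d \
/root/.bashrc /root/.bash_profile /etc/ld.so.preload"

# Minutes elapsed since boot, from /proc/uptime (rounded up).
minutes_since_boot() {
    secs=$(cut -d. -f1 /proc/uptime)
    echo $(( secs / 60 + 1 ))
}

# Regular files under the given paths modified within the last N minutes.
# usage: files_modified_within MINUTES PATH...
files_modified_within() {
    mins=$1; shift
    find "$@" -xdev -type f -mmin -"$mins" 2>/dev/null | sort
}

# Lines in the given files that invoke something able to set or replace a
# password. Output is FILE:LINENO:LINE so each hit can be read by hand.
# The pattern is an assumption about what such a persistence line looks like.
# usage: password_changers FILE...
password_changers() {
    grep -nE 'chpasswd|passwd|usermod|useradd|/etc/shadow|openssl passwd' "$@" 2>/dev/null
}

# True when /etc/shadow was rewritten after the kernel booted, i.e. exactly the
# symptom in the question (root password changed minutes after boot).
shadow_touched_after_boot() {
    btime=$(awk '/^btime/ {print $2}' /proc/stat)
    mtime=$(stat -c %Y /etc/shadow)
    [ "$mtime" -gt "$btime" ]
}

run_triage() {
    mins=$(minutes_since_boot)
    echo "== boot was $mins minutes ago"

    echo "== /etc/shadow rewritten since boot?"
    if shadow_touched_after_boot; then echo yes; else echo no; fi

    echo "== persistence files modified since boot"
    files_modified_within "$mins" $PERSIST_PATHS

    echo "== anything in those locations that can change a password"
    # shellcheck disable=SC2046
    password_changers $(find $PERSIST_PATHS -xdev -type f 2>/dev/null)

    echo "== listening sockets with owning process (look for a second httpd or odd ports)"
    netstat -tlnp 2>/dev/null

    echo "== immutable-flag files under /etc (common trick to pin a changed shadow/passwd)"
    lsattr -R /etc 2>/dev/null | grep -- '----i' || true
}

# Run the report only when executed directly as triage.sh; when sourced,
# the functions are available for individual use.
case "$0" in */triage.sh|triage.sh) run_triage ;; esac
```

Copy it in over the open session (`cat > /root/triage.sh`, then `sh /root/triage.sh`) rather than fetching it, since the box cannot be trusted to talk to anything. A hit in `password_changers` under `/var/spool/cron` or `/etc/rc.local` is the usual answer to "why does root change back after boot"; a `yes` from `shadow_touched_after_boot` with no such hit means the mechanism is somewhere outside the assumed list (a modified init script, a preloaded library, or a binary that was replaced), which is the point at which GdD's answer above applies.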

You're the first person I remember saying this to here: it sounds like you're OK.

/usr/local/apache/bin/httpd

Normal Apache process, installed without using a package manager.

-k start

Normal command to start the process.

-DSSL

Using SSL.


I searched that same string in Google and found the same first page... and except for the fact that you're both running Apache, there's nothing special. The various things that are signs of compromise in that example are processes like x0x, c, psybnc, etc. Also note that Google handles a minus at the start of a word as "exclude". Go back to that first page and note that "DSSL" doesn't show up anywhere.

Unless there's something else odd going on... you're seeing two sets of Apache running, it's listening on odd ports, etc., then I see nothing that has indicated to me that you aren't compromised. I can't say you're safe, but I don't have any reason to suspect from what you've posted that something unusual has happened.

Jeff Ferland
  • Thanks, though my root account password does not work, so something must have happened, no? The other thing is, I did an account transfer from another server to this one only 2 days ago, and the other server was "taken over" in the sense that the email was changed to mine and nameservers swapped/changed. Might be some indicator, might not. – Kris Oct 11 '12 at 08:13