Cpanel / WHM Access logs – Who has logged in from where

Assalamu alaykum

Today i had the unfortunate event of Witnessing one of the Reseller accounts on the Server Being Hacked into – it was a case of it being a Bad Password unfortunately.

What basically happened was this “Kiddy” This person is not worthy of being called Hacker because its not really hacking its just a bit of Kiddy Stuff trying to be Smart Aswell..but anyway

The Login using the Reseller account in WHM

Modified the Suspended Page with the usual “This page has been hacked along with the LOLZ, Dark Black Page, Animated Text and GIFs along with some awful taste of Music playing in the background” you know what i mean

Once this is modified they then went through this reseller account list and Suspended the accounts one by one!

Now when accounts are suspended they go to a custom Suspended Page which happened in this case! So when a user went to the Website they got the Suspended Page message which was infact the Page which this person created…got me for a while but i caught on in the End..so i went on the server hunt to track down what happened

First thing was to  analyse who has access to WHM / Cpanel

From SSH go to

/usr/local/cpanel/logs

The file you want to open is called

access_log

I normally do a

pico access_log via SSH

and then it will open up the log file takes a minute or so of everything single action logged via WHM / Cpanel

Quite useful for tracking down who has logged on, their IP address, their Browser and what they have run

Now Funny thing about this was on his “Modified page” he was stupid enough to leave a Pakistani Flag on there

Around the time this happened from the logs i noticed an IP address logged in using the reseller account lurking around the suspended Page and editing this then going on the “Suspend account Spree”

doing an IP lookup normally i use http://www.whois.sc this IP address resolved back to Pakistan! so that gave it away

Suffice to say that ISP has now got a blanket ban on our server

Hacking Incident i think not – but for him gloating about it being a hacking incident when it was down to bad password is laughable!

Anyway We move on and learn new things alhumdulillah all working and back to normal

[ipcheck] Problem with DNS setup – Fix email

One of our servers new one decided to really annoy us by sending us [ipcheck] Problem with DNS setup Emails!

The Email read as…

[ipcheck] Problem with DNS setup on hostname.domainname.com
IMPORTANT: Do not ignore this email.

Your hostname (hostname.domainname.com) could not be resolved to an IP
address. This means that /etc/hosts is not set up correctly, and/or
there is no dns entry for box.smwebserver.info. Please be sure that
the contents of /etc/hosts are configured correctly, and also that
there is a correct ‘A’ entry for the domain in the zone file.

Some or all of these problems can be caused by /etc/resolv.conf
being setup incorrectly. Please check that file if you believe
everything else is correct.

You may be able to automatically correct this problem by using the
‘Add an A entry for your hostname’ option under ‘Dns Functions’ in
your Web Host Manager.

After trying to figure what the problem was and why certain people around the world i’d say maybe 3% could not access our website the fix was the following (useful if anyone else is having the same problem)

Login to SSH

Type:
cd /etc
pico resolv.conf

Ensure that the contents of it is the following (obviously replace yourdomainane.ext with your own)

search yourdomainame.ext
domain yourdomainane.ext
nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 4.2.2.3
nameserver 4.2.2.4
Save this Ctrl + o

Then open your hosts file
pico hosts
(this should be in etc directory)

Ensure contents are like the following:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
xx.xx.xx.xx          hostname.domainanme host
xx - Enter your MAIN Server IP Here
Replace Hostname with hostname
for example
server.mpadc.com server

server being the host 
again save
then run /scripts/ipcheck

Hopefully you should not get any more error messages!

Been a While

Salams all

Been a While since we updated the box but anyway better late then never! here is what has been happening for the past few weeks

1) Alhumdulillah we have launched our new website http://www.mpadc.com Check it out new products and new services we are offering!

2) Another new Server added to our collection Codenamed “box” I know very boring name if you ask me but we ran out of ideas .. i guess we should start being a bit more creating with server names..this one is a whopping 16 GIG Memory RAM – just running a few large websites on there at the moment and handling it quite well!

3) Started our Newsletter which you can find here – hoping to make this a monthly thing! Looks better then the boring old Plain text email we send out thought make it a bit more jazzy and Graphical! You can view october newsletter here http://www.mpadc.com/newsletter/October2011/octobernews2011.htm

4) Last week our server got hammered by Google bots combination of that plus some rogue sites on the Server, Please to say these sites are now out and We had to temporarily ban google IP addresses till load went down but all ok now!

and thats about it i guess for now