Hack Warning, Advise Request


I received this mail this morning:
From: cpanelxxserver.rootshosting.net
Sent: Monday, May 26, 2008 9:47:16 PM

"5 login failures attempts to account mysql (system) -- too many attempts from this ip"

I do not know how to inquire about this and I'm very worried because my system resources are abnormally high of about 10% compared to usual (and Im not sure if the standard 23% I see is normal or aleady reveals script exploitation)

What should I do when I receive a warning like this?

    Posted On: 26 May 2008 09:11 PM

This is okay.

What it means, is that an IP tried to get access, but failed.

The CPHulk feature did it's job, and blocked the IP.

Also, I blocked this IP via SSH:

iptables -I INPUT -s -j DROP


    Posted On: 26 May 2008 09:43 PM

thanks a lot Mr Michael for your explanation
but really there is a neat and constant increase of almost 10% of system resources usage.
I'm checking almost hourly on the resources report for the past month and I'm almost sure that a hack has been successful.

please put this ticket on hold and if system resources usage don't drop I'll contact you again in a couple of hours.

meanwhile I beg you to give me the list of urls or commands I need to access all report logs and useful tools... I really have to learn and reduce support usage each time I freak out.

    Posted On: 26 May 2008 09:45 PM

Okay, just let us know if loads increase.

As for commands:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That one lists IP's by connection number.

iptables -I INPUT -s IP -j DROP

That one blocks a IP.

tail -f /var/log/secure

This can be used to see if someone is trying to brute force into your server.


Kind Regards,

    Posted On: 27 May 2008 12:08 AM

thanks a lot for the list of commands, very useful, please feel free to give me more or some critical logs urls to check

1. System resources still not going down... slowling going up maybe....
I noticed big script exploits on rayonghomeandland and am working on it on my side
but that's not new... there's got to have been something major happened in the past 15 hours and I can't figure out what...

2. we've recently installed mod_suphp and I noticed since then that 644 files such as configuration.php in joomla are writable and need to be 444 to be secured
isnt' that the case for all files and folders? now i got every folder on 755, every files on 644 and config files on 444... is htat enough? should I reduce autorizations more htan that?


    Posted On: 27 May 2008 12:22 AM

I see that load on your VPS is 0.2, which is OK.
You can check all active Apache processes using this command:

service httpd fullstatus

That way you can see if some domain is getting too much traffic and using resources.

Those file and directory permissions you've set shuold be OK, you won't have to harden that more. Please notice that, if you have config files set with 444 permissions, you won't be able to do any configuration via web interface, you will have to edit config files manually from shell.

Best regards,
    Posted On: 27 May 2008 04:02 AM
actually there's a joomla option to update unwritable config.php... I just found that out so no problem, thanks

1. sorry to insist, problem is not with cpu usage but rather system resources
(System Usage:
Resource Capacity
System 35.25% <----- should be under 24%, always has been), I'm positive that this figure increasted average of 10% as a constant and increasing...
some of the usage is due to some security problem I have with a mail form on rayonghomeandland.com... I guess I need to install a captcha there, working on it. I just mention that to tell you that I've known about this problem for a while and it's NOT what is causing the 10% increase of system resources (I have actually put that account offline and system resources didnt' drop)

I looked at the server usage with the command you gave me but that doesnt' show me she system resources

2. just for info, I also started receiving a many mails saying that
"eximstats failed Tue May 27 01:26:27 2008. A restart was attempted automagically."
I used to receive many mails like that and that stopped.
they resumed 3 hours ago, I think it's not related with the issue 1.

I hope you can help me find out

    Posted On: 27 May 2008 04:34 AM

User hotelato on your VPS is running some php scripts:
hotelato 14154 0.0 0.1 36072 20976 ? S May26 0:00 /usr/bin/php
hotelato 18010 0.0 0.1 33256 18268 ? S May26 0:00 /usr/bin/php
hotelato 19625 0.0 0.1 33252 18272 ? S May26 0:00 /usr/bin/php
hotelato 20274 0.0 0.1 33248 18260 ? S May26 0:00 /usr/bin/php
hotelato 20359 0.0 0.1 33248 18260 ? S May26 0:00 /usr/bin/php
hotelato 13560 0.0 0.1 33168 18172 ? S May26 0:00 /usr/bin/php
hotelato 13628 0.0 0.1 33168 18176 ? S May26 0:00 /usr/bin/php
hotelato 32452 0.0 0.1 33100 18092 ? S May26 0:00 /usr/bin/php
hotelato 32639 0.0 0.1 33100 18096 ? S May26 0:00 /usr/bin/php
hotelato 10198 0.0 0.1 32140 17144 ? S May26 0:00 /usr/bin/php
hotelato 11270 0.0 0.1 32140 17144 ? S May26 0:00 /usr/bin/php
hotelato 28211 0.0 0.1 32104 17052 ? S May26 0:00 /usr/bin/php
hotelato 29771 0.0 0.1 32104 17056 ? S May26 0:00 /usr/bin/php
hotelato 32395 0.0 0.0 31624 16556 ? S May26 0:00 /usr/bin/php
hotelato 25687 0.0 0.0 30660 15616 ? S May26 0:00 /usr/bin/php
hotelato 25825 0.0 0.0 30656 15612 ? S May26 0:00 /usr/bin/php
hotelato 25860 0.0 0.0 30656 15608 ? S May26 0:00 /usr/bin/php

Also, I see some catchall mail accounts:

-bash-3.00# grep '*:' /etc/valiases/* | egrep -v ':fail:'
/etc/valiases/bookhostelbook.com:*: reggae
/etc/valiases/heywakeupman.com:*: wakeupma
/etc/valiases/hongkong.bookhostelbook.com:*: reggae
/etc/valiases/hotel-montpaisible.ch:*: montpaisiblebluewin.ch
/etc/valiases/montpaisible.ch:*: infobluewin.ch

Turning those to fail could probably reduce some of the server loads. And if you provide your root password, we could also check if RBL protection is enabled. That may also decrease resource usage.

As for the percentage of resource usage, where did you get that info? As some WHM/VZPP displayings of system usage aren't correct and they're influenced by the status of the hardware VPS node, not just your VPS. For monitoring the VPS status try:
free -m (memory usage)
top (overall processor/memory usage)
ps auxf
mysqladmin processlist

The third thing is that there seems to be an incorrect disk quota set for your VPS, I'm forwarding the ticket to billing department to correct this. They'll return the ticket back to general support in case you have further questions.

Best regards,
    Posted On: 27 May 2008 04:40 AM

thanks for your help

the figures in % I'm looking at are from virtuozzo... i've been watching very regularly these figures and I'm positive that since last night some have increased of 50% (from 23% average to 34%)
for the disk quota I had actually seen that as well and thought that it was given additional space to host system files for free... so sad I was mistaken :)


    Posted On: 27 May 2008 05:33 AM

I'm sorry for the disk space, if you need more, you'll have to upgrade the VPS.

As for the Virtuozzo, those values are greatly influenced by the main hardware node, and they do not reflect the values on your VPS. Also, be careful when using VZPP, as there are options there that could break the VPS.

Let us know if you have further questions.

Best regards,
    Posted On: 27 May 2008 05:35 AM

thanks for VZPP advise
actually I use it extensively as file manager and nothing else
I make a backup here and there...
are these 2 things safe to use regularly?
    Posted On: 27 May 2008 05:47 AM

In general, you shouldn't have problems with that. But it is safer to upload data via FTP or cPanel's file manager.

And as for the backup, you can do really nice configurations in WHM -> Configure Backups.

Best regards,
    Posted On: 27 May 2008 08:03 AM
hi again,
This ticket is not urgent anymore

Thank you so much Mr Zlatko for your list of monitoring tools, most interesting

I have noticed these entries that make me wonder:
Cpu(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 16610800k total, 16533160k used, 77640k free, 67816k buffers
Swap: 16771696k total, 1584836k used, 15186860k free, 6203856k cached

please note 100% id as well as memory usage very high
just wanted to ask you if I should worry and if yes where to inquire.

I cant' seem to be able to locate /etc/valiases/hongkong.bookhostelbook.com:*: reggae

Also you didnt' tell me about "check if RBL protection is enabled" (I'll look on google see what it is later for I'm overbusy now :(

I'll keep on looking myself into hotelato entries

and thanks again and again
Toni A.      
    Posted On: 27 May 2008 08:23 AM
Hi Matthieu,

1. That is nothing to be worried about, those are the VPS node statistics, and those are OK.
2. The file your are looking for is /etc/valiases/hongkong.bookhostelbook.com and in there you can find following text "*: reggae"
3. That is something you can find in your WHM, under "Exim Configuration Editor " search for "RBLS" section
4. That will be good.

Let us know if there is anything else that we can assist you with.

Best regards,
Toni A.
HostForWeb Support

This website uses Cookies