Admin Can't Login

[tgo316]

Hello,
I was logged into my DA admin account some 12 hours ago and then, now when i try logging in, it says invalid credentials. Access denied.


I tried using SSH with the username : admin and password : ******

But it was still the same, all other accounts (reseller) and user accounts are functional.

I am not an SSH guru, actually i learn through every step. Now the problem is, i don't know how this has happened. No one's causing any harm to my sites or server so i don't think someone's hacked it.

How do i change the admin username and password?

Can anyone give me the exacts commands to use @ SSH for the same, i guess i'll also have to be logged in as the root account for the same.

Please Help!

 

[smtalk]

Hi, enter this in ssh:

passwd admin

Good luck

 

[tgo316]

hmm

after searching the forums, i found this command line but never tried it.

You mentioned it, i tried it, it worked

Hooray!

 

[tgo316]

God what's up?

I wasn't required to venture in the admin section for long, so i never realized this, but now every few hours the admin password keeps changing automatically.

And i gotta login to the root, change admin password and then login to my account

How do i stop this thing?

Best Regards
Amit

 

[nobaloney]

That won't happen on its own on a properly configured DA server. There's no software to do that.

Perhaps you've been hacked?

Look for a cronjob.

Jeff

 

[tgo316]

you may be right?

Actually, the server is facing a lot of memory leakages as well...

Every 8-10 days, i gotta keep restarting my apache to stop the server from not halting.

So i don't know what to do at this moment? The NAC support staff, i've paid them yet the solution only seems temporary.

They won't try to figure out the real problem, they will however find you quick fixes.

Guys in the US charge a helluva lot anyways for 30mins-1 hour of work

anyways, what did u mean by checking out the cronjobs? What should i look for there?

 

[tgo316]

okay i checked the cronjob

okay i checked with the cronjob log files, the last 50000 lines and nothing seems suspicious

However, guess what i found JTBOX i guess its a plugin created by one of the direct-admin users out here, it had more than 50000 cron pings in a day? whats going on

I've de-activated that plugin right away, is it some setting i must have altered in the options of jtbox or is this scary?

Other than that, there was nothing of suspect manner...so what should i do next?


Best Regards
Amit

 

[nobaloney]

Re: you may be right?

Guys in the US charge a helluva lot anyways for 30mins-1 hour of work

Yes we do . But if we fix the problem, then we're worth it. Remember that in most cases once you know the server has been hacked the only thing left to do is rebuild it from a bare-metal install.

okay i checked with the cronjob log files, the last 50000 lines and nothing seems suspicious

I'm not sure if that's logging all cronjobs or not.

I'd look through everything /var/spool/cron, and also in /etc/crontab, and in /etc/cron.d and in all the /etc/cron.* directories.

However, guess what i found JTBOX i guess its a plugin created by one of the direct-admin users out here, it had more than 50000 cron pings in a day?

search for jtbox in these forums to find the author, and ask him. He should be able to tell you why it creates so many entries.

Other than that, there was nothing of suspect manner...so what should i do next?

Install and run both chkrootkit and rkhunter.

Jeff

 

[tgo316]

Okay let me go step by step here

First i logged into the shell (ssh) with my root account, then i did the following

/var/spool/cron
cron is a file here right?
the result was, it was blank (vi cron is the command right?)


Next /etc/cron.d
Cron.d is a directory right
next inside the directory i had this one directadmin_cron, this one's a file too right?

so i did a vi directadmin_cron and here's what i found

* * * * * root /usr/local/directadmin/dataskq
2 0-23/6 * * * root echo 'action=vacation&value=all' >> /usr/local/directadmin/data/task.queue;
5 5 * * 0 root /sbin/quotaoff -a; /sbin/quotacheck -augm; /sbin/quotaon -a;
10 0 * * * root echo 'action=tally&value=all' >> /usr/local/directadmin/data/task.queue
20 4 1 * * root echo 'action=reset&value=all' >> /usr/local/directadmin/data/task.queue
0 4 * * * root echo 'action=check&value=license' >> /usr/local/directadmin/data/task.queue


Next /etc/crontab
this one's again a file right? again a vi crontab gave me the following

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly



Now i haven't looked into the other /etc/cron* directories, before which am i looking out right? what do i do with the one's above? i shall then look out for the same upon ur guidance

I don't see no log files out there as such, so it's leaving me confused.


In the meanwhile, i shall run chkrootkit and rkhunter, what exactly do i need to check here to? just a run of the program will do?


Best Regards
Amit

 

[tgo316]

RHKHunter Results

These were the only things that caused errors, other than the old apache, old mysql version numbers warnings.

Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit

Checking inetd.conf Not Found




System Checks
/usr/local/etc/rc.local Not Found
/usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]



Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]



MD5
MD5 compared: 51
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 5

Scanning took 86 seconds



I shall go for chkrootkit next, let me know what u think so far

 

[tgo316]

chkrootkit results

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/mod_perl/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ****C Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 14 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted

Checking `lkm'... You have 14 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed


and these are those

PID 2879: not in ps output
PID 2880: not in ps output
PID 2881: not in ps output
PID 2882: not in ps output
PID 20766: not in ps output
PID 20767: not in ps output
PID 20772: not in ps output
PID 20773: not in ps output
PID 26973: not in ps output
PID 26974: not in ps output
PID 26975: not in ps output
PID 26976: not in ps output
PID 26977: not in ps output
PID 26978: not in ps output
You have 14 process hidden for ps command

So lkm could be possibly infected? if yes, what do i do? how do i check if it is?

 

[chatwizrd]

Matters what OS your running. chkrootkit can provide false positives sometimes. I used to get something like that on a freebsd server but nothing was infected. rkhunter is best for freebsd if that is what your using.

 

[tgo316]

am on

redhat linux 9.0

what further steps do i need to check on?

 

[nobaloney]

Okay let me go step by step here

First i logged into the shell (ssh) with my root account, then i did the following

/var/spool/cron
cron is a file here right?
the result was, it was blank (vi cron is the command right?)

/var/spool/cron is a directory. Inside it you'll find user level crontab files.

Next /etc/cron.d
Cron.d is a directory right

Right.

next inside the directory i had this one directadmin_cron, this one's a file too right?

Right

Jeff

 

[nobaloney]

Re: chkrootkit results

Checking `lkm'... You have 14 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

If you repeat chkrootkit over and over again and this number remains high then that's an indication you've been hacked.

and these are those

PID 2879: not in ps output
PID 2880: not in ps output
PID 2881: not in ps output
PID 2882: not in ps output
PID 20766: not in ps output
PID 20767: not in ps output
PID 20772: not in ps output
PID 20773: not in ps output
PID 26973: not in ps output
PID 26974: not in ps output
PID 26975: not in ps output
PID 26976: not in ps output
PID 26977: not in ps output
PID 26978: not in ps output
You have 14 process hidden for ps command

that's a fairly good indication you've been hacked.

If you've been hacked the only safe thing to do is a site backup and then a complete bare-metal reinstall.

Jeff

 

[chatwizrd]

Running redhat 9 I wouldnt doubt that it is true that he was hacked.

 

[tgo316]

okay let's say if am hacked,
what your suggesting is beyond my scope

I can take a backup ofcourse, but then that will take days, plus i don't think i know how to install an OS from shell commands and all

Seriously though, isn't there any other way around this? There has gotta be some defence right?

 

[jmstacey]

However, guess what i found JTBOX i guess its a plugin created by one of the direct-admin users out here, it had more than 50000 cron pings in a day? whats going on

I must apologize for bringing this thread back from the dead. I did not notice it until just now when I sumbled upon it looking for more information on a different but similar problem. I will be searching the forums for other missed threads.

JTbox has a cronjob that is by default scheduled to run every minute. This leads to quite a few log entries during the course of a day. You can of course change the default cronjob in /etc/crontab to any frequency you prefer, just keep in mind that any jobs you queue will not be run until the cronjob is executed.

If you have any further questions, please contact us at [email protected]
These forums are not one of our official support options ;-)