DirectAdmin hacked by Reseller

bahramsing (Verified User, joined Jan 20, 2014, 20 messages)
Hello
Today we created a reseller account.
After some hours we found that all old accounts (also admin) were removed,
and after logging in and checking the logs, we saw that the new reseller is privileged as administrator!

What can we do to prevent this issue in the future?

Note that we secured the server with CSF tips.
 
What can we do to prevent this issue in the future?
First, be sure to report the incident to DirectAdmin Support; they take security very seriously and will want to close any possible attack vectors in DirectAdmin.

I've always said that anything is possible, so I suppose it is possible that DirectAdmin has been compromised, but it's not a PHP script; it's written in either C or C++ (I forget which), so it's not an easy hack.

So I'd first run a rootkit checker on your server. Both chkrootkit and Rootkit Hunter come to mind. The latter is considered a better choice, but it's only reliable if it was run before the server was hacked, as a baseline configuration.

You write that "new reseller is privileged as administrator". Where did you see that? What do DirectAdmin logs show? What about login logs for that user?

I and others would be willing to check your server for you, but I'd do it only after DirectAdmin staff had an opportunity to see if they could find anything.

Jeff
 
Hello,

As Jeff mentioned, there are ways to get into a box, if it's not properly secured.
The most common is a brute force attack:
http://help.directadmin.com/item.php?id=404

Any local account can perform such attacks quicker, which is why such systems are important to be enabled.

In any case, it doesn't mean that's what happened, and investigating how would be needed.


1) If they were logged into DA, check the DA logs to see from which IP:
/var/log/directadmin/2013-Jan-*.log

2) also check for brute force attacks on port 2222:
/var/log/directadmin/security.log

3) Double check that an Admin wasn't accidentally created, rather than a Reseller:
/var/log/directadmin/system.log
eg:
Code:
Reseller resellername is being created by admin.
vs
Admin resellername is being created by admin.
John
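The third check above (was an Admin created rather than a Reseller, and by whom?) can be scripted so the whole system.log is audited rather than eyeballed. The script below is an added example and is not DirectAdmin's own code or anything from this thread; it assumes only the line format John shows ("Reseller <name> is being created by <creator>." / "Admin <name> is being created by <creator>.") and scans each line field by field, so a leading timestamp does not break the match. The sample log it reads is constructed for illustration; on a real box point it at /var/log/directadmin/system.log.

```sh
#!/bin/sh
# Added example: audit DirectAdmin account-creation events in system.log.
# Assumed line format (from John's post):
#   "Reseller <name> is being created by <creator>."
#   "Admin <name> is being created by <creator>."

# Print every Admin/Reseller creation as: TYPE NAME CREATOR
# $1 = path to the system.log file
list_creations() {
    awk '
        / is being created by / {
            # walk the fields so a timestamp prefix does not matter
            for (i = 1; i <= NF; i++) {
                if ($i == "Admin" || $i == "Reseller") {
                    creator = $NF
                    sub(/\.$/, "", creator)   # drop the trailing period
                    print $i, $(i + 1), creator
                    break
                }
            }
        }' "$1"
}

# Number of Admin-level accounts created; expect 0 on a day you only added a reseller
# $1 = path to the system.log file
count_admin_creations() {
    list_creations "$1" | awk '$1 == "Admin"' | wc -l | tr -d ' '
}

# Constructed sample log (not real data); real logs are in /var/log/directadmin/system.log
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Reseller resellername is being created by admin.
Admin resellername is being created by admin.
EOF

echo "Account creations (TYPE NAME CREATOR):"
list_creations "$SAMPLE_LOG"
echo "Admin accounts created: $(count_admin_creations "$SAMPLE_LOG")"
```

Any non-zero admin count, or a creator you do not recognise in the third column, is the line to follow up with the matching IP in the dated DirectAdmin logs and security.log from steps 1 and 2.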
 