68.50.70.187 is the attackers' IP.

Leif Nixon wrote:
> Adam Hubscher <offbeatadam@xxxxxxxxx> writes:
>
>> These servers run cPanel and have been updated to the following specs:
>>
>> 2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386 GNU/Linux
>
> This seems vulnerable to CVE-2009-3547 and CVE-2009-2695. If SELinux is
> enabled, you can trivially get root on these machines if you can run
> commands as a logged-in user.
>
> I would start by looking very hard at all successful ssh logins in the
> hours before the known intrusion. It is very possible that some of them
> were performed using stolen ssh keys.
>
>> I have logs from these servers; if you need other information to
>> possibly help track this down, that is possible. I'm having a hard time
>> finding the vector for this attack, though...
>
> If you could share the IP number of the attacking host, that could be
> useful.
>
> Does /root/.bash_history contain anything interesting?
>
> Is there anything suspicious in /dev/shm? (There won't be, if the
> machine has been rebooted after the intrusion.)