Article ID: 120264, created on Feb 21, 2014, last review on May 9, 2014

  • Applies to:
  • H-Sphere 3.6.1

Symptoms

H-Sphere is being attacked by hackers.

Resolution

To minimize the possible threats to the CP server, we suggest setting up daily monitoring of the following activities:

  • new user signups (HTTP requests to signup form + PostgreSQL table 'signup_record')
  • account creation (see the PostgreSQL table 'accounts')
  • account plan changes (see the table 'accounts')
  • plan creation
  • changes in plan settings (for example, enabling/disabling a plan, changes in billing settings)
  • sign-ins of privileged users (resellers, admins)
  • changes in profiles of privileged users (account emails, moderation settings, password reset/change)

SQL

Here is a list of SQL queries that may help in searching for illegally signed-up users.
List of IPs with a high number (>111) of sign-up attempts, by month:

hsphere=# select to_char(created, 'YYYY-MM') as ts, ip, count(*) as ct from signup_record group by ts,ip having (count(*) > 111) order by ts desc limit 22;
   ts    |       ip        |  ct
---------+-----------------+------
 2014-02 | 124.237.181.17  |  691
 2014-02 | 124.237.245.92  |  163
 2014-02 | 211.162.34.1    | 3716
 2014-02 | 27.186.93.115   |  134
 2013-09 | 66.249.75.136   |  202
 2013-09 | 66.249.75.14    |  152
 2013-06 | 66.249.75.136   |  182
 2013-05 | 66.249.76.136   |  114
 2013-03 | 66.249.76.136   |  183
 2013-01 | 112.169.241.23  |  120
 2013-01 | 199.21.99.84    |  119
 2012-12 | 199.21.99.84    |  223
 2012-10 | 66.249.71.228   |  124
 2012-09 | 112.169.241.15  |  124
 2012-07 | 112.169.241.15  |  118
 2012-06 | 199.21.99.84    |  161
 2012-05 | 199.21.99.84    |  190
 2011-10 | 67.195.112.23   |  297
 2011-09 | 67.195.112.23   |  321
 2011-08 | 211.103.160.179 |  929
 2011-08 | 67.195.112.23   |  397
 2011-07 | 211.103.160.179 |  950
(22 rows)
--> 
211.162.34.1 China Guangdong Liaobu Beijing Guoxin Bilin Telecom Technology Co. Ltd 

With the IP, search for other sign-ups from the same IP:

hsphere=# select created, ip, account_id from signup_record where ip = '66.229.86.48';
          created           |      ip      | account_id
----------------------------+--------------+------------
 2013-09-17 13:30:03.11-04  | 66.229.86.48 |    1223259
 2013-08-23 22:39:09.55-04  | 66.229.86.48 |          0
 2013-08-23 22:39:42.815-04 | 66.229.86.48 |          0
 2013-08-23 22:34:04.372-04 | 66.229.86.48 |          0
 2013-08-23 22:39:07.051-04 | 66.229.86.48 |          0
[...]
(73 rows)

A sign-up record of a suspicious user with account ID 1173016:

hsphere=# select * from signup_record where account_id = 1173016;
-[ RECORD 1 ]----+---------------------------
signup_id        | 114864
created          | 2012-12-19 13:39:46.267-05
ip               | 66.229.86.48
updated          | 2012-12-19 13:42:31.464-05
state            | 1
reseller_id      | 1
user_id          | 6322
msg              |
request_complete | 1
account_id       | 1173016
-->
66.229.86.48 United States Florida Pompano Beach Comcast Cable Communications Holdings Inc

List of users which have some kind of admin rights:

hsphere=# SELECT u.username, s.created as signed_up, a.id as acc_id, a.created as account_created, p.description as plan from accounts a JOIN plans p ON a.plan_id = p.id LEFT JOIN signup_record s ON a.id = s.account_id LEFT JOIN users u ON s.user_id=u.id JOIN plan_resource pr ON p.id=pr.plan_id AND pr.type_id IN (110) ORDER BY a.created DESC;

 username |         signed_up          | acc_id  |        account_created        | plan
----------+----------------------------+---------+-------------------------------+-------
          | 2014-02-09 06:53:33.464-05 | 1249508 | 2014-02-09 06:57:40.859-05    | Admin
          |                            |       1 | 2004-07-07 09:32:46.495657-04 | Admin
(2 rows)
--> 
suspicious account 1249508, with Chinese IP:
123.183.115.223 China Hebei Shijiazhuang Chinanet Hebei Province Network

List of de-facto admin plans:

hsphere=# SELECT p.* FROM plans p JOIN plan_resource pr ON p.id = pr.plan_id AND pr.type_id IN (110);

HTTPD logs

Control panel access logs are helpful when searching for a list of actions performed from a particular IP address. For example, to make a list of login attempts from a particular IP, run:

# zgrep '66.229.86.48.*login.sbm' /hsphere/local/home/cpanel/apache/logs/access_log*

How to monitor the security-related events

There are two sources of data that are useful when analyzing an H-Sphere installation for break-in attempts and other suspicious activities. The first one is the control panel database, the other is the Apache access logs.

Event monitoring can be set up by means of database triggers and cron jobs. Some of the useful SQL queries are described in the 'SQL' section above. Below is an additional list of what to search for.

| Event | What to watch |
|---|---|
| User signed up | A new record is added to the database table 'signup_record' |
| User is moderated | A new record in the database table 'accounts' |
| User logged in | An HTTP request to 'login.sbm' is registered in /hsphere/local/home/cpanel/apache/logs/ |
| Plan is enabled/disabled | An HTTP request to 'submit/admin/plan_disable.sbm' in /hsphere/local/home/cpanel/apache/logs/ |
| User password is changed | Field 'password' in the table 'users' is updated |
| Account is unsuspended | 'suspended' field in the table 'accounts' is set to NULL |
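The log-side checks above (login.sbm and plan_disable.sbm requests, plus the per-IP, per-month threshold that the first SQL query applies to signup_record) can be run from a cron job over the CP access_log. The script below is an added example, not part of the original article or of H-Sphere; it assumes the standard Apache combined log format and uses constructed sample lines.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: the CP access_log uses Apache's combined LogFormat; adjust if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Request files from the article's event table, mapped to the event they indicate.
WATCHED = {
    "login.sbm": "User logged in",
    "submit/admin/plan_disable.sbm": "Plan is enabled/disabled",
}

def parse_line(line):
    """Return (ip, 'YYYY-MM', path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.strftime("%Y-%m"), m.group("path"), int(m.group("status"))

def watched_event(path):
    """Map a request path to a watched event name, ignoring any query string."""
    path = path.split("?", 1)[0]
    for suffix, event in WATCHED.items():
        if path.endswith(suffix):
            return event
    return None

def scan(lines, login_threshold):
    """Count login.sbm hits per (month, ip); return over-threshold IPs and every plan toggle."""
    logins = Counter()
    plan_toggles = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than aborting the whole scan
        ip, month, path, status = rec
        event = watched_event(path)
        if event == "User logged in":
            logins[(month, ip)] += 1
        elif event == "Plan is enabled/disabled":
            plan_toggles.append((month, ip, status))
    suspicious = sorted((key, n) for key, n in logins.items() if n > login_threshold)
    return suspicious, plan_toggles

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE = ['203.0.113.7 - - [09/Feb/2014:06:53:33 -0500] "POST /login.sbm HTTP/1.1" 302 0'] * 3 + [
    '198.51.100.2 - - [09/Feb/2014:07:00:01 -0500] "POST /login.sbm HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Feb/2014:07:10:44 -0500] "POST /submit/admin/plan_disable.sbm HTTP/1.1" 302 0',
    'junk line that does not parse',
]

if __name__ == "__main__":
    print(scan(SAMPLE, login_threshold=2))
```

In production, feed it the decompressed output of the access_log* files and raise the threshold to match the article's SQL query (>111 per month).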
