Symptoms
H-Sphere is being attacked by hackers.
Resolution
To reduce the exposure of the control panel (CP) server, we suggest setting up daily monitoring of the following activities:
- new user signups (HTTP requests to signup form + PostgreSQL table 'signup_record')
- account creation (see the PostgreSQL table 'accounts')
- account plan changes (see the table 'accounts')
- plan creation
- changes in plan settings (for example, enabling/disabling a plan, changes in billing settings)
- sign-ins of privileged users (resellers, admins)
- changes in profiles of privileged users (account emails, moderation settings, password reset/change)
SQL
Here is a list of SQL queries that may help in searching for illegitimately signed-up users. All of them are run in psql against the control panel database (hsphere).
List of IPs with a high number (more than 111, an arbitrary threshold) of sign-up attempts per month:
hsphere=# select to_char(created, 'YYYY-MM') as ts, ip, count(*) as ct from signup_record group by ts,ip having (count(*) > 111) order by ts desc limit 22;
ts | ip | ct
---------+-----------------+------
2014-02 | 124.237.181.17 | 691
2014-02 | 124.237.245.92 | 163
2014-02 | 211.162.34.1 | 3716
2014-02 | 27.186.93.115 | 134
2013-09 | 66.249.75.136 | 202
2013-09 | 66.249.75.14 | 152
2013-06 | 66.249.75.136 | 182
2013-05 | 66.249.76.136 | 114
2013-03 | 66.249.76.136 | 183
2013-01 | 112.169.241.23 | 120
2013-01 | 199.21.99.84 | 119
2012-12 | 199.21.99.84 | 223
2012-10 | 66.249.71.228 | 124
2012-09 | 112.169.241.15 | 124
2012-07 | 112.169.241.15 | 118
2012-06 | 199.21.99.84 | 161
2012-05 | 199.21.99.84 | 190
2011-10 | 67.195.112.23 | 297
2011-09 | 67.195.112.23 | 321
2011-08 | 211.103.160.179 | 929
2011-08 | 67.195.112.23 | 397
2011-07 | 211.103.160.179 | 950
(22 rows)
-->
211.162.34.1 China Guangdong Liaobu Beijing Guoxin Bilin Telecom Technology Co. Ltd
Once a suspicious IP is identified, list all sign-ups from it (here 66.229.86.48, the IP of the suspicious account examined below):
hsphere=# select created, ip, account_id from signup_record where ip = '66.229.86.48';
created | ip | account_id
----------------------------+--------------+------------
2013-09-17 13:30:03.11-04 | 66.229.86.48 | 1223259
2013-08-23 22:39:09.55-04 | 66.229.86.48 | 0
2013-08-23 22:39:42.815-04 | 66.229.86.48 | 0
2013-08-23 22:34:04.372-04 | 66.229.86.48 | 0
2013-08-23 22:39:07.051-04 | 66.229.86.48 | 0
[...]
(73 rows)
In the listing above, account_id 0 marks an attempt that did not produce an account; repeated attempts seconds apart are typical of automated sign-ups. A sign-up record of a suspicious user with account ID 1173016:
hsphere=# select * from signup_record where account_id = 1173016;
-[ RECORD 1 ]----+---------------------------
signup_id | 114864
created | 2012-12-19 13:39:46.267-05
ip | 66.229.86.48
updated | 2012-12-19 13:42:31.464-05
state | 1
reseller_id | 1
user_id | 6322
msg |
request_complete | 1
account_id | 1173016
-->
66.229.86.48 United States Florida Pompano Beach Comcast Cable Communications Holdings Inc
List of accounts whose plan carries the admin resource (plan_resource.type_id 110), i.e. users with some kind of admin rights:
hsphere=# SELECT u.username, s.created as signed_up, a.id as acc_id, a.created as account_created, p.description as plan from accounts a JOIN plans p ON a.plan_id = p.id LEFT JOIN signup_record s ON a.id = s.account_id LEFT JOIN users u ON s.user_id=u.id JOIN plan_resource pr ON p.id=pr.plan_id AND pr.type_id IN (110) ORDER BY a.created DESC;
username | signed_up | acc_id | account_created | plan
----------+----------------------------+---------+-------------------------------+-------
| 2014-02-09 06:53:33.464-05 | 1249508 | 2014-02-09 06:57:40.859-05 | Admin
| | 1 | 2004-07-07 09:32:46.495657-04 | Admin
(2 rows)
-->
Account 1249508 is suspicious: it was created four minutes after its sign-up, and the sign-up came from a Chinese IP:
123.183.115.223 China Hebei Shijiazhuang Chinanet Hebei Province Network
List of de-facto admin plans (PostgreSQL does not accept an alias on p.*, so none is used):
hsphere=# SELECT p.* FROM plans p JOIN plan_resource pr ON p.id = pr.plan_id AND pr.type_id IN (110);
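As an added example (not from the original article), the checks above rewritten as a daily report to be run from cron, for instance with psql -d hsphere -f daily_signup_report.sql and the output mailed to the administrator. It uses only the tables and columns shown in the queries above; the 24-hour window and the threshold of 20 attempts per IP are assumed values to tune for your installation.

```sql
-- Added example, not part of the original article or of H-Sphere.
-- Tables/columns come from the queries above; the window (1 day) and the
-- threshold (20 attempts per IP) are assumptions to tune per installation.

-- 1. IPs with many sign-up attempts in the last 24 hours, split into
--    attempts that produced no account (account_id = 0) and attempts
--    that did. sum(CASE ...) is used instead of count(*) FILTER so the
--    query also runs on the old PostgreSQL versions H-Sphere shipped with.
WITH recent AS (
    SELECT ip, account_id, created
    FROM   signup_record
    WHERE  created >= now() - interval '1 day'
)
SELECT ip,
       count(*)                                            AS attempts,
       sum(CASE WHEN account_id = 0  THEN 1 ELSE 0 END)    AS failed,
       sum(CASE WHEN account_id <> 0 THEN 1 ELSE 0 END)    AS accounts_created,
       min(created)                                        AS first_seen,
       max(created)                                        AS last_seen
FROM   recent
GROUP  BY ip
HAVING count(*) > 20
ORDER  BY attempts DESC;

-- 2. Accounts created in the last 24 hours on a plan that carries the admin
--    resource (plan_resource.type_id = 110, as in the admin-rights query
--    above), with the IP and user that signed them up. Normally this returns
--    no rows; any row deserves a manual look.
SELECT a.id          AS acc_id,
       a.created     AS account_created,
       p.description AS plan,
       s.ip          AS signup_ip,
       u.username
FROM   accounts a
JOIN   plans p            ON p.id = a.plan_id
JOIN   plan_resource pr   ON pr.plan_id = p.id AND pr.type_id = 110
LEFT JOIN signup_record s ON s.account_id = a.id
LEFT JOIN users u         ON u.id = s.user_id
WHERE  a.created >= now() - interval '1 day'
ORDER  BY a.created DESC;
```

Both statements only see sign-ups that reached the database; attempts that were rejected before a signup_record row was written (or plain brute-forcing of the login form) show up only in the Apache access logs described in the next section, so the two sources should be reviewed together.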
HTTPD logs
Control panel access logs are helpful when searching for the list of actions performed from a particular IP address. For example, to list login attempts from a particular IP across the current and rotated (gzipped) logs, run the following; the dots are escaped so that they match literally rather than any character:
# zgrep '66\.229\.86\.48.*login\.sbm' /hsphere/local/home/cpanel/apache/logs/access_log*
How to monitor the security-related events
There are two sources of data that are useful when analyzing an H-Sphere installation for break-in attempts and other suspicious activity: the control panel database and the Apache access logs.
Event monitoring can be set up by means of database triggers and cron jobs. Some of the useful SQL queries are described in the 'SQL' section above. Below is an additional list of what to watch for.
| Event | What to watch |
|---|---|
| User signed up | A new record is added to the database table 'signup_record' |
| User is moderated (account created) | A new record in the database table 'accounts' |
| User logged in | An HTTP request to 'login.sbm' is registered in /hsphere/local/home/cpanel/apache/logs/ |
| Plan is enabled/disabled | An HTTP request to 'submit/admin/plan_disable.sbm' in /hsphere/local/home/cpanel/apache/logs/ |
| User password is changed | Field 'password' in the table 'users' is updated |
| Account is unsuspended | 'suspended' field in the table 'accounts' is set to NULL |
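As an added example (not part of the original article or of H-Sphere itself), the database-side rows of the table above implemented as PostgreSQL triggers that write to a separate audit table, which a daily cron job or a log shipper can then read. The audit table (cp_audit) and the function and trigger names are assumptions; the watched tables and columns (signup_record, accounts.plan_id, accounts.suspended, users.password) are the ones named above. Install on a test copy of the database first, since the H-Sphere schema was not designed with extra objects in mind.

```sql
-- Added example, not part of the original article or of H-Sphere.
-- cp_audit and the cp_audit_log/trg_* names are assumptions; the watched
-- tables and columns are those listed in the table above.

CREATE TABLE cp_audit (
    id          serial PRIMARY KEY,
    logged_at   timestamptz NOT NULL DEFAULT now(),
    db_user     text        NOT NULL DEFAULT current_user,
    event       text        NOT NULL,
    table_name  text        NOT NULL,
    row_id      bigint,
    details     text
);

-- Generic recorder called by every trigger below.
CREATE OR REPLACE FUNCTION cp_audit_log(ev text, tbl text, rid bigint, det text)
RETURNS void AS $$
    INSERT INTO cp_audit (event, table_name, row_id, details)
    VALUES (ev, tbl, rid, det);
$$ LANGUAGE sql;

-- User signed up: a new row in signup_record.
CREATE OR REPLACE FUNCTION trg_signup_record_ins() RETURNS trigger AS $$
BEGIN
    PERFORM cp_audit_log('signup', 'signup_record', NEW.signup_id,
                         'ip=' || coalesce(NEW.ip::text, '?')
                         || ' reseller_id=' || coalesce(NEW.reseller_id::text, '?'));
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_signup_record_ins
    AFTER INSERT ON signup_record
    FOR EACH ROW EXECUTE PROCEDURE trg_signup_record_ins();

-- User moderated (account row created), plan changed, account unsuspended.
CREATE OR REPLACE FUNCTION trg_accounts_audit() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        PERFORM cp_audit_log('account_created', 'accounts', NEW.id,
                             'plan_id=' || coalesce(NEW.plan_id::text, '?'));
    ELSIF TG_OP = 'UPDATE' THEN
        IF OLD.suspended IS NOT NULL AND NEW.suspended IS NULL THEN
            PERFORM cp_audit_log('account_unsuspended', 'accounts', NEW.id, NULL);
        END IF;
        IF OLD.plan_id IS DISTINCT FROM NEW.plan_id THEN
            PERFORM cp_audit_log('plan_changed', 'accounts', NEW.id,
                                 'old=' || coalesce(OLD.plan_id::text, '?')
                                 || ' new=' || coalesce(NEW.plan_id::text, '?'));
        END IF;
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_accounts
    AFTER INSERT OR UPDATE ON accounts
    FOR EACH ROW EXECUTE PROCEDURE trg_accounts_audit();

-- User password changed: only the fact is recorded, never the hash itself.
CREATE OR REPLACE FUNCTION trg_users_password() RETURNS trigger AS $$
BEGIN
    IF OLD.password IS DISTINCT FROM NEW.password THEN
        PERFORM cp_audit_log('password_changed', 'users', NEW.id,
                             'username=' || coalesce(NEW.username, '?'));
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_users_password
    AFTER UPDATE ON users
    FOR EACH ROW EXECUTE PROCEDURE trg_users_password();

-- What the daily cron job reads:
-- SELECT logged_at, db_user, event, table_name, row_id, details
-- FROM   cp_audit
-- WHERE  logged_at >= now() - interval '1 day'
-- ORDER  BY logged_at;
```

The triggers are AFTER triggers, so they never block an H-Sphere operation; they only add one INSERT per watched change. Two caveats: they fire for legitimate administrative and bulk operations as well, so the daily report needs a human to reconcile it against known work, and the audit table lives in the same database an intruder with database access could alter, so the rows should be copied off the server (for example by the same cron job) rather than trusted in place.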