We highly recommend to all our customers to enable SpamAssassin on any cPanel account (server-wide).
SpamAssassin is a mail filter installed on a server to identify spam.
It checks for spam using many pre-set rules that check the header, body, and sender of all email messages sent to your domain mailbox.
SpamAssassin generates a score for each email. Score above the spam threshold and the mail is marked as spam.

There are a number of different actions related to reducing spam with SpamAssassin.

To enable SpamAssassin on your cPanel account do the following:

  1. Log into your cPanel account
  2. Click the Mail icon
  3. Click the Spam Assassin link (towards the bottom)
  4. Click Enable Spam Assassin button
  5. Spam Assassin should be now enabled on this account!

 Documentation

Some times you’ll receive an email with a subject line like this:

cpsrvd failed @ Apr 08 13:01:21 2008. A restart was attempted automagicly.

cpsrvd is “cPanel Service Daemon,” which manages the cPanel services.
This service crashes really often. So often that cPanel handles the crashing by restarting and sending you the above email.
There is nothing big to worry about.

If it does happen frequenly you’ll have to go through the server logs, especially the messages log and look for problems. Also, watch top on the server and see if the server starts swapping heavily which could be the problem - i.e. not enough physical RAM for what you’re trying to get the server to do.

If you continue experiencing this problems please contact us.


Quick Intrusion Detection

Note: This is not a Full Security Audit nor a way to track and clean spammers or intruders on your server. If you really need to clean your server from exploits and hackers please contact ServerBuddies team.

Investigating Processes

type:

  1. # ps –aux

Get familiar with “normal” processes for the machine. Look for unusual processes. Focus on processes with root (UID 0) and nobody user privileges.
If you find a process that is uncommon, try doing a further research by typing the following:

  1. # lsof –p [pid]

Where [pid] is the Process Identifier of the process you would like to track.
lsof will show all files and ports used by the running process.

Investigating Hidden Files

  1. # find / -name "…" –print
  2. # find / -name ".. " –print
  3. # find / -name ". " –print
  4. # find / -name " " –print

Note the spaces between the 2th,3th and 4th command.
This will search for hidden files in all the filesystem.
Write them down and research if they are common. Ex: “.bash_profile “.bash_history” “.bashrc” are legit files.

Investigating New Accounts

Look in /etc/passwd for new accounts, especially

with UID 0 or GID 0

  1. # less /etc/passwd

grep :0: /etc/passwd

Normal accounts will be there, but look for new, unexpected accounts.
Look at the botton of the passwd file, newer accounts will always be created at the end of this file.

  1. # tail -n5 /etc/passwd

Investigating system-wide cron jobs

  1. # cat /etc/crontab
  2. # ls /etc/cron.*

See if there is any suspicious cronjob running on your system.

Investigating System Logs

  1. # cd /var/log
  2. # less /var/log/secure & less /var/log/messages

Look for successfully authentications (SSH and FTP) investigate the IP address and see if they are legit.
Look for new uploaded files. Check the files on your browser and see if they are legit.

Installing and performing a Rkhunter scan

  1. # cd /usr/local/src/
  2. # wget http://www.serverbuddies.com/files/rkhunter-1.3.2.tar.gz
  3. # tar -zxf rkhunter-1.3.2.tar.gz
  4. # cd rkhunter-1.3.2
  5. # ./installer.sh –layout default –install
  6. # /usr/local/bin/rkhunter –update
  7. # /usr/local/bin/rkhunter -c –createlogfile

Rkhunter log will be placed on /var/log/rkhunter.log - check the log and see if you have any compromised system file or binary and re install it with a clean and legit version.
Rkhunter will show you if there is any common backdoor installed as well.

We recommend all our customers to use a software based firewall and to restrict your open tcp/udp ports, so if someone tries to install a backdoor or a connect back port application, they will be restricted by the firewall.

If you need a more detailed Server Audit, please contact us.

* ServerBuddies Team

A vulnerability has been detected in the way some Domain Name System (DNS) services handle recursive DNS queries. The DNS is responsible for translating host names to IP addresses and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. Older versions of the BIND (Berkeley Internet Name Domain) DNS service and the Microsoft DNS service have been found to be susceptible to the poisoning of cached recursive resolvers with spoofed data If you are running any 3rd party DNS service you should check your server for vulnerabilities or updates immediately. You should upgrade your server as soon as possible to prevent any issues from occurring.

If you wish to have your DNS server upgraded please purchase a ServerBuddies Hour of Support plan and we will do it straight away.

* ServerBuddies Team

« Prev - Next »