If you don't have any signs of a root level intrusion, then it is possible to perform a salvage operation. I would recommend the following course of action:
1 - Scour the logs for signs of root-level action, which you apparently have done
2 - Look for modified system binaries, using either RPM verify or debsums depending on your distribution
3 - Use the commands in the CERT checklist to find any other hidden files, root-owned files with setuid, etc., and verify that all of these are clean.
4 - Look through the bash history and verify that cron tables have not been messed with.
5 - Look at the output of lsof -Pwn and netstat -tanpe and make sure you don't have any processes you can't account for with open connections.
The above items should take you about an hour or two, but will be well worth the peace of mind that your compromise was limited. If all looks good, double check your web files for any modifications and/or strange scripts (look at the mtime and ctime and use the find command to see if anything has been modified post suspect compromise time). Then make your cPanel backup.

On the new host machine: one, if you haven't already, make sure all of your server applications are up to date, as this will be one of the key defenses against becoming re-compromised; two, install some sort of active HIDS that will give you alerts as to whether or not there are system modifications. Then bring your web site online on these other machines. I would also highly recommend that you use .htaccess or vhost configuration to make any of your admin web control programs accessible only from a trusted host, or even from localhost, and then use a certificate to require access to the site. Also consider using an application like mod_security or fail2ban to discourage brute force attempts against your system, and if you notice a repeat IP address attempting to scan or gain entry to your system, consider blocking the IP or even the entire ISP, at least temporarily.
Ultimately, you still need to try to determine what enabled file inclusion and execution of scripts on your system, as the weakness could still be in your web stack that you are porting over.
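As an added example (not part of the answer above), a small POSIX shell helper covering steps 3 and 5 and the web-file mtime/ctime check: it lists files changed after an assumed compromise timestamp, setuid/setgid files owned by a given uid, and listening sockets from `netstat -tanpe` output whose port is not in an assumed allowlist. The sample netstat lines at the end are constructed.

```shell
#!/bin/sh
# Salvage checks after a suspected (non-root) web compromise.
# Assumes GNU or BSD find with -newerXY; netstat -tanpe output is read from stdin.

# Files under $1 whose mtime OR ctime is newer than timestamp $2 (e.g. "2012-03-01 04:00").
# ctime is checked too because mtime can be reset with touch, while ctime changes on
# any chmod/chown/rename and cannot be set directly from userland.
find_modified_since() {
    find "$1" -type f \( -newermt "$2" -o -newerct "$2" \) 2>/dev/null | sort
}

# Setuid or setgid regular files under $1 owned by uid $2 (default 0 = root),
# staying on one filesystem so /proc and network mounts are not walked.
find_setuid_owned() {
    find "$1" -xdev -type f -uid "${2:-0}" \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Read `netstat -tanpe` output on stdin; print LISTEN sockets whose local port is
# not in the space-separated allowlist $1, as "local-address uid pid/program".
unexpected_listeners() {
    allow=" $1 "
    while read -r proto recvq sendq local remote state user inode prog; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}
        case "$allow" in *" $port "*) continue ;; esac
        printf '%s %s %s\n' "$local" "$user" "$prog"
    done
}

# Constructed sample of netstat -tanpe output (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12345 812/sshd
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN 33 67890 2201/perl
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED 33 67891 1101/apache2'

# Usage on a live box (allowlist and timestamp are yours to set):
#   find_modified_since /var/www "2012-03-01 04:00"
#   find_setuid_owned /
#   netstat -tanpe | unexpected_listeners "22 80 443"
```

On the sample above, `unexpected_listeners "22 80 443"` reports only the port 4444 listener owned by uid 33 (the web server user), which is exactly the kind of process step 5 tells you to account for.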