LinuxQuestions.org
Old 06-06-2004, 03:26 AM   #1
Zi5
Member
 
Registered: Apr 2004
Posts: 35

My Fedora HACKED :( [Urgent]


Hello all,
I have a server with cPanel in a data center. Some hacker spoke to me and said "I will hack your server in 2 days".
Today I received this message from the kernel, but I did not receive it before. The message is:
--------------------- ftpd-xferlog Begin ------------------------

TOTAL KB OUT: 38KB (0MB)
TOTAL KB IN: 302KB (0MB)

---------------------- ftpd-xferlog End -------------------------


--------------------- Kernel Begin ------------------------


WARNING: Kernel Errors Present
microcode: Error in the microcode...: 1Time(s)
microcode: error! Bad data in mic...: 1Time(s)

---------------------- Kernel End -------------------------


--------------------- ModProbe Begin ------------------------


Can't locate these modules:
char-major-188: 1 Time(s)

---------------------- ModProbe End -------------------------


I'm too afraid of the kernel message, so I think I need to reinstall the kernel before the hacker hacks my server.
Please help.
 
Old 06-06-2004, 03:31 AM   #2
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

If you think you have been cracked, your first step is to get the server off the network and off the internet.

Then, read here. This will give you reading material on hardening your security.

And please don't mark threads as "urgent", it doesn't mean that your problem will be seen any quicker and what is urgent to you is less so to the rest of us.
 
Old 06-06-2004, 04:03 AM   #3
Zi5
Member
 
Registered: Apr 2004
Posts: 35

Original Poster
Thank you very much, XavierP.
The server is not at my home... this is the problem.
OK.
I just want to know:
1. how to disable Perl from being used on my webserver (only for websites, not for local use)
2. how to reinstall the kernel

Last edited by Zi5; 06-06-2004 at 04:15 AM.
 
Old 06-06-2004, 06:00 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

> I have a server with cPanel in a data center. Some hacker spoke to me and said "I will hack your server in 2 days".

...which meant you had 2 days to go and do some prevention and install some detection.


> Today I received this message from the kernel, but I did not receive it before. The message is:
> ftpd-xferlog
> TOTAL KB OUT: 38KB (0MB)
> TOTAL KB IN: 302KB (0MB)

That's the FTP log and no errors can be seen from it. Who has access to service FTP? Are those users chrooted in their home? Are they allowed to execute/compile stuff there? Is /tmp on a separate partition? Is it mounted nosuid,noexec? (If noexec breaks server stuff, then make users have their $TMP within their $HOME and mount that nosuid,noexec). Any other services you run that unprivileged users have access to?

> Kernel
> WARNING: Kernel Errors Present
> microcode: Error in the microcode...: 1Time(s)
> microcode: error! Bad data in mic...: 1Time(s)

Logwatch just noting the microcode "service" has errors. Disable that service unless you need it.


> ModProbe
> Can't locate these modules:
> char-major-188: 1 Time(s)

Just Logwatch noting some module loading errors. 188 has to do with USB.
That's "alias char-major-188 off" in /etc/modules.conf to suppress this.


> I'm too afraid of the kernel message, so I think I need to reinstall the kernel before the hacker hacks my server.
> Please help.

None of that as far as can be seen from Logwatch. What you'll want is to install a file integrity checker like Aide, Samhain or tripwire and cronjob it so you get regular reports on what changes on the system by mail. Normally this is done when the OS is installed and the system is in a pristine state. Before you install any, run your package manager in verify mode, then install and run chkrootkit(.org), Rootkit Hunter (rootkit.nl), Tiger (http://savannah.nongnu.org/projects/tiger/) and Bastille-Linux.
Correct the errors they mention and start your system hardening from there.

@Xav
> If you think you have been cracked, your first step is to get the server off the network and off the internet.

I agree, (and nothing is easier to do than a "telinit 1" and let the colo ppl handle the rest) but for remote servers there's some considerations. If he did so only on the basis of these messages it would have seemed to be quite unnecessary.

> Then, read here. This will give you reading material on hardening your security.

Wrong URI. Here's the LQ FAQ: Security references.

> And please don't mark threads as "urgent", it doesn't mean that your problem will be seen any quicker and what is urgent to you is less so to the rest of us.

In the Linux - Security forum people are allowed to submit suspected breaches of compromise and classify it as "urgent" or whatever gets attention (provided it's a serious report and you don't violate the LQ Rules).
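
Added example, not part of unSpawn's post: one way to answer the "is /tmp on a separate partition, mounted nosuid,noexec?" question from post #4 by reading /proc/mounts. The function name `missing_mount_opts` and the sample mount table are constructed for illustration.

```shell
# Constructed sample in /proc/mounts format (not taken from the thread's server).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev 0 0'

# missing_mount_opts MOUNTPOINT "opt1 opt2 ..." [MOUNTS_FILE]
# Prints the required options the mount point lacks, space-separated
# (empty output means all are set). Prints "not-a-mount" when the path is
# not a separate filesystem, because then nosuid/noexec cannot be applied
# to it independently of its parent. Pass "-" to read the table from stdin.
missing_mount_opts() {
    mp=$1; required=$2; src=${3:-/proc/mounts}
    # Last matching line wins: a later mount on the same path hides earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$src")
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 0
    fi
    missing=""
    for want in $required; do
        # Wrap in commas so "exec" cannot match inside "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# Run against the constructed sample; on a live host drop the pipe and the "-".
for dir in /tmp /home /var/tmp; do
    result=$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts "$dir" "nosuid noexec" -)
    echo "$dir: ${result:-ok}"
done
```
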
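
Added example, not part of unSpawn's post: a triage filter for the "run your package manager in verify mode" step, fed by `rpm -Va`. The function name `suspicious_files` and the sample output are constructed; in the flag column, `5` means the file's digest differs from the package database and `missing` means the file is gone.

```shell
# Constructed sample of `rpm -Va` output (not taken from the thread's server).
SAMPLE_VERIFY='S.5....T  c /etc/httpd/conf/httpd.conf
.......T  c /etc/modules.conf
S.5....T    /bin/ps
..5....T    /usr/bin/top
.M......    /var/spool/mail
missing     /usr/bin/lsattr'

# suspicious_files: reads `rpm -Va` output on stdin and prints "REASON PATH"
# for packaged files whose content changed or that have vanished.
# Files the package marks as config (c), doc (d) or ghost (g) are skipped,
# since those are expected to change on a configured server.
suspicious_files() {
    awk '
        # Column layout: FLAGS [MARKER] PATH, where MARKER is a single letter.
        { marker = (NF >= 3 && length($2) == 1) ? $2 : ""; path = $NF }
        NF < 2 || marker ~ /^[cdg]$/ { next }
        $1 == "missing"              { print "missing", path; next }
        index($1, "5")               { print "content-changed", path }
    '
}

# Run against the constructed sample; on a live host use: rpm -Va | suspicious_files
printf '%s\n' "$SAMPLE_VERIFY" | suspicious_files
```

A clean result only means the files match the local RPM database, so it is worth reading together with the chkrootkit and Rootkit Hunter runs suggested in post #4.
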
 
  

