Archive for the ‘Security’ Category

How can I check or set the password of the IUSR and IWAM local accounts

Friday, November 14th, 2008

First we need to change the settings so we can see the password.

Go to: C:\Inetpub\AdminScripts\
And open adsutil.vbs in notepad or any text editor.

Search and replace: IsSecureProperty = True
With: IsSecureProperty = False

Alright we have now set the Secure Property to False so we can see the password in plain text.

To get the IUSR password:
Start up command prompt (Start -> run -> cmd)
C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass

Results should be something like:

anonymoususerpass : (STRING) ":NX^+N49:67j5$"

To get the IWAM password:
Start up command prompt (Start -> run -> cmd)
C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/wamuserpass

Changing the IUSR or IWAM password:
Instead of running a 'get' command in your cscript we're going to run a 'set' command to set our password. So below is an example of how to set the password for the IUSR account.
C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/anonymoususerpass "P@ssword"

Sync passwords between IIS and MTS:
Last but not least we need to sync the passwords.  Simply run the following line and you’re all set:
C:\Inetpub\AdminScripts>cscript.exe synciwam.vbs -v


A Beginner’s Guide to Securing Your Server (Security Inside WHM/CPanel)

Sunday, October 26th, 2008

These are items inside of WHM/cPanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items...

Under Domains: Prevent users from parking/adding on common internet domains (i.e. hotmail.com, aol.com).

Under Mail: Attempt to prevent pop3 connection floods. Default catch-all/default address behavior for new accounts: blackhole.

Under System: Use jailshell as the default shell for all new accounts and modified accounts.

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disable Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password

Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

To restrict and secure SSH access, bind sshd to a single IP that is different from the main IP of the server, and on a different port than port 22.

SSH into server and login as root. Note: PuTTY is a clean running application that does not require installation on Windows boxes.

At command prompt type: pico /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:

Code:

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change

#Port 22

to look like Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)

Uncomment and change

#Protocol 2, 1

to look like

Protocol 2

Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find #PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.

Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.

Now restart SSH. At command prompt type: /etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.
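The four sshd_config changes above as a script that checks a file and applies them, added here as an example (not from the original post); the function names, the 1024-49151 port range check and the idea of running it on a copy of the file first are my own choices. sshd honours the first uncommented occurrence of a directive, so the check reads the first match and the apply step places the hardened lines at the top of the file.

```shell
#!/bin/sh
# Added example: check and apply the guide's sshd_config hardening.
# Run as root on a copy of /etc/ssh/sshd_config, then validate with: sshd -t

# Print the effective value of a directive: sshd uses the first
# uncommented occurrence, so we take the first match too.
effective() {  # $1=directive $2=file
  grep -iE "^[[:space:]]*$1[[:space:]]+" "$2" | head -n 1 | awk '{print $2}'
}

# Return 0 when Port, Protocol, ListenAddress and PermitRootLogin are all
# set the way the guide asks; otherwise print what is wrong and return 1.
check_sshd_hardening() {  # $1=file $2=port $3=ip
  rc=0
  [ "$(effective Port "$1")" = "$2" ] || { echo "Port is not $2"; rc=1; }
  [ "$(effective Protocol "$1")" = "2" ] || { echo "Protocol is not 2"; rc=1; }
  [ "$(effective ListenAddress "$1")" = "$3" ] || { echo "ListenAddress is not $3"; rc=1; }
  [ "$(effective PermitRootLogin "$1")" = "no" ] || { echo "PermitRootLogin is not no"; rc=1; }
  return $rc
}

# Rewrite the file in place: drop every copy (commented or not) of the four
# directives, then put the hardened values first so they win.
apply_sshd_hardening() {  # $1=file $2=port $3=ip
  case $2 in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
  esac
  [ "$2" -ge 1024 ] && [ "$2" -le 49151 ] || { echo "port out of range" >&2; return 2; }
  awk 'tolower($0) !~ /^[ \t]*#?[ \t]*(port|protocol|listenaddress|permitrootlogin)[ \t]/' \
    "$1" > "$1.tmp"
  { printf 'Port %s\nProtocol 2\nListenAddress %s\nPermitRootLogin no\n' "$2" "$3"
    cat "$1.tmp"; } > "$1"
  rm -f "$1.tmp"
}
```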

Disable Telnet

To disable telnet, SSH into server and login as root. At command prompt type: pico -w /etc/xinetd.d/telnet
Change disable = no to disable = yes, then save and exit.

At command prompt type: /etc/init.d/xinetd restart

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root. At command prompt type: pico .bash_profile
Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

Set an SSH Legal Message

To set an SSH legal message, SSH into server and login as root. At command prompt type: pico /etc/motd
Enter your message, save and exit. Note: I use the following message...

Code:

ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.

Now every time someone logs in as root, they will see this message... go ahead and try it.

Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

To disable the version output for Apache, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache. At command prompt type: /etc/rc.d/init.d/httpd restart

These are applications that will help to secure your server.

Install chkrootkit

To install chkrootkit, SSH into server and login as root.
At command prompt type: cd /root/
At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
At command prompt type: tar xvzf chkrootkit.tar.gz
At command prompt type: cd chkrootkit-0.44
At command prompt type: make sense

To run chkrootkit, at command prompt type: /root/chkrootkit-0.44/chkrootkit
Make sure you run it on a regular basis, perhaps including it in a cron job.

Install APF Firewall

To install APF, SSH into server and login as root.
At command prompt type: cd /root/
At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
At command prompt type: tar -xvzf apf-current.tar.gz
At command prompt type: rm -f apf-current.tar.gz
At command prompt type: cd apf-0.9.4-6
At command prompt type: sh ./install.sh

After APF has been installed, you need to edit the configuration file.
At command prompt type: cd /etc/apf
At command prompt type: pico -w conf.apf

Scroll down and find

USE_DS="0"

change it to

USE_DS="1"

Now scroll down and configure the Ports. The following ports are required for CPanel:

Code:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"

Note: If you changed the port for SSH, be sure to include that port and remove port 22.

21 FTP (TCP)
22 SSH (TCP)
25 SMTP (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
953 ??BIND??
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500

5100 for ASP, 8080 and 8443 for JSP if you use them.

Code:

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,6277"

53 DNS - Domain Name Server
6277 SpamAssassin / DCC (email scanning)

Code:

# Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"

0 Echo Reply
3 Destination Unreachable
5 Destination Unreachable
8 Echo
11 Time Exceeded
30 Traceroute

Code:

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"

21 FTP
25 SMTP
37 Required for CPANEL Licensing
53 DNS - Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time)
443 HTTPS
43 WHOIS
873 rsync (CPanel updates)
953 BIND ??
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access

Code:

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,873,953,6277"

20 ftp-data
21 FTP
53 DNS - Domain Name Server
873 rsync
953 BIND ??
6277 SpamAssassin / DCC (email scanning)

Code:

# Common ICMP (outbound) types
EG_ICMP_TYPES="all"

Save the changes then exit. To start APF, at command prompt type: /usr/local/sbin/apf -s

APF commands are:

-s start
-r restart
-f flush/stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST

Log out of SSH and then login again.

After you are sure everything is working fine, change the DEV option.
At command prompt type: cd /etc/apf
At command prompt type: pico -w conf.apf

Scroll down and find

DEVM="1"

change it to

DEVM="0"

Save changes, exit and then restart firewall, At command prompt type: /usr/local/sbin/apf -r
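A check for the APF port lists above, added here as an example (not the post's or APF's own code): it reads the IG_TCP_CPORTS line from conf.apf, treats lo_hi entries as APF's port-range syntax, and flags the two mistakes the note warns about (new SSH port missing, port 22 still open) plus any service port from the list that the string does not contain, which on the page's own value catches 443. Function names are my own.

```shell
#!/bin/sh
# Added example: audit the ingress TCP ports an APF conf.apf actually opens.

# Print the quoted value of a conf.apf variable, e.g. IG_TCP_CPORTS.
apf_port_list() {  # $1=conf file $2=variable name
  sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when the port is covered by the list, either as a single
# entry or inside an APF range written as lo_hi (e.g. 3000_3500).
apf_port_allowed() {  # $1=conf file $2=variable name $3=port
  list=$(apf_port_list "$1" "$2")
  oldifs=$IFS; IFS=,
  for entry in $list; do
    case $entry in
      *_*) lo=${entry%_*}; hi=${entry#*_}
           [ "$3" -ge "$lo" ] && [ "$3" -le "$hi" ] && { IFS=$oldifs; return 0; } ;;
      *)   [ "$entry" = "$3" ] && { IFS=$oldifs; return 0; } ;;
    esac
  done
  IFS=$oldifs
  return 1
}

# Report findings for a cPanel box whose SSH listens on $2; return 0 if clean.
apf_check_ingress() {  # $1=conf file $2=ssh port
  rc=0
  apf_port_allowed "$1" IG_TCP_CPORTS "$2" || { echo "SSH port $2 is not open"; rc=1; }
  [ "$2" != 22 ] && apf_port_allowed "$1" IG_TCP_CPORTS 22 && \
    { echo "port 22 still open after moving SSH"; rc=1; }
  # Service ports the guide documents for cPanel; each should be in the list.
  for p in 21 25 53 80 110 143 443 993 995 2082 2083 2086 2087 2095 2096; do
    apf_port_allowed "$1" IG_TCP_CPORTS "$p" || { echo "documented service port $p not open"; rc=1; }
  done
  return $rc
}
```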

Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.
At command prompt type: cd /root/
At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
At command prompt type: tar -xvzf bfd-current.tar.gz
At command prompt type: cd bfd-0.4
At command prompt type: ./install.sh

After BFD has been installed, you need to edit the configuration file.
At command prompt type: pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts: Find

ALERT_USR="0"

and change it to

ALERT_USR="1"

Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"

Save the changes then exit.

To start BFD At command prompt type: /usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.
At command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.

Now scroll down to

Detail = Low

Change that to Medium or High (Detail = 5 or Detail = 10). Note: High will give you more detailed logs with all actions.

Save and exit.


Windows Password Cracking with Backtrack

Sunday, October 26th, 2008

Backtrack’s Home: http://www.remote-exploit.org/backtrack.html

Note:
This should only be used for security purposes. This is intended for password retrieval for lost passwords and should be done only by system administrators. This guide will only cover how to crack these passwords on local systems and will use a brute force method instead of a wordlist. All the commands are case sensitive; if you receive a command error please check case.
Before we begin make sure that your system BIOS is set to boot from CD if there is one, in case it has been disabled or the order has been altered on your system. Now let's begin:

------------------

1. Insert Backtrack CD, and reboot system.

2. When the load screen comes up hit enter to boot Backtrack via CD.

3. The default username and password for Backtrack is:
root
toor

4. This will bring you to a command prompt. For this example we are going to be doing this without a network.
Note: While we could work from this command prompt and skip the GUI interface, we will load the GUI interface and a system resource monitor for ease of use. If you prefer to skip the GUI, skip to step #10.

5. To load the GUI interface type:
xconf - This will configure Xwindows
startx - This will start Xwindows

6. Once the interface has loaded up, we will want to launch the command line terminal. This is
done by clicking the second box on the lower left menu. It should look like a small black box
with a frame around it.

7. Upon entering the Command Terminal we will launch a resource monitor so we can watch the
resources of this process. We will refer back to this later on. To do this type
leetmode

8. You will now be able to click the top of this monitor and drag it into a location that is best for
you.

9. That will conclude the portion of this guide for the GUI interface. Time to get some dirty work
done. Go back to the Command terminal and the rest of our work will be done here.

10. Determining which drive is the windows drive:
Type:
df - df is a Unix command meaning Disk Free. This will display the amount of disk space used and available on the system.
The windows drive should be hda1 but depending on the system setup this may be different. Look for the drive with the largest size; this usually indicates the windows drive. If unsure, type: cd /mnt/DriveInQuestion/ and see what the directory contains.

11. Let's move into the live drive (the memory drive, we will be working from here later on). Type:
cd /mnt/live/

12. Let's first get the key for the passwords using bkhive. Type:
bkhive /mnt/hda1/WINDOWS/system32/config/system /mnt/live/key.txt
This will create a key.txt file for us to use within the live drive.

13. We will continue with a samdump2 file. This will give us the hashes of the passwords we want to crack. Type:
samdump2 /mnt/hda1/WINDOWS/system32/config/SAM /mnt/live/key.txt > hashlist.txt
This will take a samdump from the SAM file in windows, where the passwords are stored, and with the key.txt file it will save it as hashlist.txt

14. Time to crack the passwords!!! We will be using John the Ripper to do a brute force crack of these passwords. I know brute force is a slow method. Using a wordlist file will be much faster, but for this example we will be using a brute force method because we know that we will get the password with time being the only constraint. Let's do this by typing:
john hashlist.txt --format=NT
john is the program John the Ripper. The hashlist.txt is the hash file we saved. We have already moved into the live directory where we saved it. The --format=NT option sets the password format to NT, or windows passwords.

15. Now all you have to do is sit back and watch. As it cracks the passwords they will be displayed with the password listed first, then the user name enclosed in parentheses.
Enjoy and let me know if you have any questions.
