ssh - Checking if a server is compromised

2014-07
  • Max13

    I have been doing free/low-cost web/shell hosting as a non-profit organization (with the same friend and co-founder) since 2007.

    We're on CentOS 6 + CPanel, and unfortunately we're still funding the organization from our own money. Since last year, we've noticed some strange subdomains, additional domains and parked domains created for phishing websites. We usually suspend or terminate them, until we noticed it was random and sometimes on trustworthy customers' accounts or even ours (personal admin accounts).

    2 months ago, we rented a new and stronger server, reconfigured it from scratch and migrated the CPanel accounts, changed passwords, prevented root login without a password and changed our WHM access key, but the "strange" domains/subdomains are still appearing, and BuyCpanel (our CPanel licence reseller) told us it seems to be a compromised server and we should investigate it.

    We would like to investigate it ourselves, but we don't know where to start or how to trace the origin of the "compromise". We've checked root connections, FTP connections and WHM connections, and we can't find a trace of a script creating the subdomains. Can you give us some advice?

    Thanks

  • Answers
  • Julian Knight

    All of the recommendations start by telling you to disconnect the server from the Internet, something that might not be possible here. The problem is, a determined attacker can get round any changes you make "live" faster than you can change things.

    One of your biggest problems is your reliance on 3rd party software such as CPanel. This shows regular vulnerabilities that would allow attackers to gain remote access and elevated privileges. Unless you can move your DNS and domain management functions out of CPanel and disable them there, I'm not sure you are going to be able to totally fix the problem.

    I'd perhaps recommend moving that part of the service to a secondary server that doesn't use CPanel and has an absolutely minimal server install. Make sure all accounts have long passwords and don't connect the two systems until you have fully hardened the new server. You need to ensure that you have IPTABLES configured correctly and have moved any remote access to non-standard ports (don't leave SSH on port 22, for example, or you will never be able to spot real problems in your logs among the constant hacking attempts).

    You also need to make all of your users aware of the ongoing problem. Keep them informed.

    Also, did you change all your account passwords and certificates after you updated after Heartbleed?

  • Err0rr

    If you want to start, then start by scanning the public_html folder of each account. If you have many domains, it will take a long time. Basically, you want to look for the word 'base64_encode' in all files. You can do it by compressing public_html and downloading it from cpanel. Once downloaded, you have to download another piece of software called textcrawler (http://textcrawler.soft112.com/), which will make it easy for you to find a certain word in a folder.

    On the server side you can install a firewall like CSF (http://configserver.com/cp/csf.html), mod_security, and ClamAV to scan.

    Further, you can check whether the website contains malware by going to sitecheck3.sucuri.net.
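As an added illustration of the scan described in this answer (example code, not the poster's), the following Python script walks a public_html tree on the server itself and reports PHP-like files that contain the indicator the answer names, plus two related obfuscation patterns (an assumed list). Matches are leads for manual review, not proof of compromise, since legitimate code also uses base64.

```python
import os
import re
import tempfile
from typing import Dict, List

# Indicator patterns. The answer names 'base64_encode'; base64_decode and
# eval() wrapped around a decoder are added here as an assumed extension,
# because obfuscated PHP droppers commonly chain them. A hit is a lead for
# manual review, not proof of compromise: legitimate code uses base64 too.
PATTERNS = {
    "base64_encode": re.compile(r"base64_encode\s*\("),
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "eval_on_decoded": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
}
EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root (e.g. a public_html directory) and return
    {relative_path: [indicator names matched]} for PHP-like files."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # errors="replace": obfuscated files are often not valid UTF-8
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip, keep scanning the rest
            matched = [label for label, rx in PATTERNS.items() if rx.search(text)]
            if matched:
                hits[os.path.relpath(path, root)] = matched
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed public_html: one clean file, one with a harmless
    eval(base64_decode(...)) of the string "echo 'hi';" as the indicator."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")  # clean file, should not match
    with open(os.path.join(root, "wp-content", "uploads", "x.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, labels in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(labels)}")
```

Run it against each account's public_html and review every hit by hand, comparing the file's modification time and ownership with what the account owner expects.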

