Tracking Forums, Newsgroups, Mailing Lists
C99Shell Stop Shell Hacking Totally?


Is there a way to stop them totally? i.e. even though they are successfully uploaded but I do not want the source to be available to them etc.?

I mean, is there a way to hide or not allow them to execute any shell?


Related Forum Messages:
C99Shell How To Stop
How to stop scripts like c99 shell from installing into the server?

C99Shell :: Detect And Disable C99 Shell?
How can I detect and disable C99 shell and other shell scripts, e.g. r57 ....

C99Shell :: Protect My Server For Shell Attacks Via C99 And H57?
I have a few scripts, but hackers again upload c99 in some way, and hack some SMF forums on the server. The server itself they cannot hack, but user accounts they can. So please tell me, what do you advise?

Stop Hacking
A site I manage for a client is being hacked every couple of days. It's not the actual site but the host's server that's getting attacked: all sites on that server, well, actually all their servers.

They have made no attempt to sort this problem. I report it, they look at the site and say "site loads fine for us", which it does.

All index files are having a base64 encode line written after the <body> tag; this adds hundreds of spam links which are hidden with display:none;. They also add .html to the application types in htaccess for PHP to run in these files too.

The problem is, I am moving the site to another host but cannot change the nameservers to the new host's until the client returns from a holiday, so I must keep the site up on the insecure host for now.

I am removing the spam code almost daily. Is there any way I can stop this attack happening for the time being? The host does nothing.

How To Prevent Shell Hacking Like C.100 / R57 Exploit?
One of my client accounts has just been hacked with the c.100 exploit. This method injects 1 PHP file that acts like a fully featured file manager. This hacker uses my client account to place multiple scam & phishing sites.

Now I'm wondering if there is a way to counter this kind of exploit hacking, as my friend said that there aren't any proven methods until now :-/

This is the php file i've recovered:
<<url removed>>

FYI, my server configuration:
- apache 2.2.11
- centos 5.2
- cpanel + whm 11.24.4
- suphp, clamav & modsec enabled

C99Shell :: How To Detect Or Disable The Functionality Of C99Shell
Recently my site was defaced, (i own a dedicated server), my server was not touched, but one of the applications I used on the site was exploited to gain access to it.

I have noticed 4 or 5 c99 shells in different locations on my FTP. The site is back online, but it's definitely possible that they have one of these hidden somewhere and that they'll just do it again. I am using CentOS 5.

How can I easily search for these on my box? Can I disable their functionality? Is there a setting I can use in htaccess or something to make my website safer? I visited one of the scripts, and it said SAFEMODE OFF; how can I at least enable safemode?

I don't know much of anything about Linux, but I am running cPanel and WHM. I have a guy who manages my box but he is hard to get a hold of sometimes, and I'd like to take care of this ASAP!

Totally Hacked
How can I block somebody from sending email using ....@server.myserver.com?

I terminated his account, but he is using ...@server.myserver.com

I need to have a company who can take care of these issues.

Burton Hosting Totally Unresponsive
Has anyone had any more luck getting a response to either tickets or emails from Burton Hosting since the last thread here, which is months old? Our uptime remains decent, but with absolutely no responses to tickets (we have many outstanding by now) or emails (both to the standard network and support addresses and to individuals personally), and their phones disconnected, we of course are very concerned, and will probably be forced to look for a new host (I just hate the hassle!!) when our contract expires next month.

I did find in another forum posts about a Virante Marketing fiasco in which Burton was falsifying reviews, etc.---this does NOT sound like the Burton I knew before.

While we have exploratory emails out to DreamHost and a few others, I was hoping someone here would know a way to contact Burton---I just hate not knowing!

Totally Static HTML Content Hosting
I'm configuring a VPS that's going to serve all static stuff and absolutely no dynamic scripts at all.

What could be the bottlenecks with all these static content websites? Can a 256MB VPS handle a static website receiving millions of page views a month?

Mysql High CPU Load - Totally Stumped
Quad Core server, 4GB ram. MySQL runs at all times between 200 - 300% CPU. Server does only 5K unique per day, and runs zen cart.

I am at a loss. I have experience with tracking down reasons for this, but this one has stumped me. So I was hoping to get new eyes on this and see if anyone had any ideas.

my.cnf

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
#old_passwords=1
skip-locking
skip-name-resolve
skip-bdb
key_buffer = 64M
max_allowed_packet = 16M
table_cache = 2048
sort_buffer_size = 1M
read_buffer_size = 1M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 16
thread_concurrency = 8
query_cache_size = 25M
query_cache_type = 1
tmp_table_size=64M
back_log = 100
max_connect_errors = 10000
join_buffer_size=1M
open-files = 20000

interactive_timeout = 300
wait_timeout = 300

max_connections=200

# The following directives should be commented out
# but included as they are things that get added
# very frequently on tickets. These are more in a
# need-this-feature basis.

# The below 2 cannot be set on the fly. If the customer already has
# InnoDB tables and wants to change the size of the InnoDB tablespace
# and InnoDB logs, then:
# 1. Run a full backup with mysqldump
# 2. Stop MySQL
# 3. Move current ibdata and ib_logfiles out of /var/lib/mysql
# 4. Uncomment the below innodb_data_file_path and innodb_log_file_size
# 5. Start MySQL (it will recreate new InnoDB files)
# 6. Restore data from backup
#innodb_data_file_path = ibdata1:2000M;ibdata2:10M:autoextend
#innodb_log_file_size = 100M

innodb_buffer_pool_size = 64M
innodb_additional_mem_pool_size = 8M

#log-slow-queries=/var/lib/mysqllogs/slow-log
#long_query_time=2
#log-queries-not-using-indexes

#log-bin=/var/lib/mysqllogs/bin-log
#log-slave-updates
#expire_logs_days = 14
server-id = 1

[mysql.server]
user=mysql
#basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
open_files_limit=65536
mysqladmin status

Uptime: 1458 Threads: 1 Questions: 366975 Slow queries: 0 Opens: 401 Flush tables: 1 Open tables: 395 Queries per second avg: 251.698
SHOW STATUS;

mysql> SHOW STATUS;


Change Jail Shell To Normal Shell
Does anyone know how to change jail shell to normal shell?

C99Shell Folders?
I found these folders in the root

/usr/bin/c99

/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp

/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp

What are these? Are these normal folders, or has somebody hacked our server?

What shall I do?

Trojan C99Shell
I just installed Zen Cart on my web hosting and a few days later I saw a file written like core1405.php, and when I opened the file to view it, it was actually the trojan c99shell.

I have deleted all of the core files. Now how can I prevent it from happening again? Because it is too much work to clean up the hosting server.

C99Shell Hackers Killing Me!
Guys, I'm tired of fighting those hackers every day! I have about 20 websites, and every day I have one of them hacked! I restore a backup, then another one is hacked!

That's unbelievable!!!

Those bastards upload their shell scripts to websites via bugs or whatever from PHP files!!

Is there any way to stop these commands?

Can .htaccess help? How?

I talked to my web hosting companies for my websites! ....

Mod_security & C99shell Anyone Help Please ?
I installed modsecurity from the Addon module in cPanel.

When I try to apply phpshell, it works well without any mistakes and I can do anything, despite the presence of the modsecurity protection and disable_functions in php.ini.

Is there a particular setting to add to httpd.conf to prevent applying phpshell or prevent uploading it to the site?

C99shell Disable PHP Scripts?
The biggest security issue I have with my clients is the PHP c99 shell and similar PHP files; somehow these files get uploaded to the website and from there they start attacking the websites.
I have also seen that once you upload the c99 PHP file you are able to see the account information (such as a user name) on the same server.

So is there any way to disable this kind of PHP file, or at least disable some functions within the file?

I have been thinking of installing and running an antivirus on the server, but I see that sometimes they upload an encrypted version of the file, so the antivirus can't catch the file as a trojan!

C99Shell :: Attack Rules For Mod_security
I want to prevent c99shell scripts from running.

I found this rule to detect URIs for the c99 shell.

#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"
My problem is that the hackers are being more stealthy and calling the script some random name like .../myphpstuff.php. So the URI no longer helps detect it.

How could I detect "c99shell" in the actual file that Apache serves? This assumes that the hacker was successful in installing it.

my box

Apache 1.3.37
WHM 11.2.0 cPanel 11.11.0-R16983
FEDORA 5 i686 - WHM X v3.1.0

A Lot Of Hacking
Today I have a lot of hacking on my server.

I searched for shell scripts on the server, and I found a lot of them:

[root@host svt]# ls -l
total 48
-rw-r--r-- 1 koky koky 6700 May 7 08:14 s.php
lrwxrwxrwx 1 koky koky 48 May 7 08:07 s1 -> /home/user1/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:12 s2 -> /home/user2/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 48 May 7 08:19 s3 -> /home/user3/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:37 s5 -> /home/user4/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 49 May 7 08:49 s6 -> /home/user5/public_html/vb/includes/config.php
-rw-r--r-- 1 koky koky 13199 May 7 07:59 ss.php
-rwxr-xr-x 1 koky koky 23005 May 7 07:58 svt.svt

As you can see, he uploaded the files to this account "koky" and redirected these files to the user1, user2, user3, user4 and user5 accounts.

And he could read the config.php and then hack the site easily!!

I read before that the reason for this is Perl on the server, and the way to solve it is to edit httpd.conf by adding this to it:

<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

and then restart httpd:
service httpd restart

I did all of that, and when I restarted httpd it said:
[root@host www]# service httpd restart
Syntax error on line 51 of /usr/local/apache/conf/httpd.conf:
Invalid command 'Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch', perhaps misspelled or defined by a module not included in the server configuration

and all the sites went down!

I deleted:
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

from httpd.conf and then the sites worked correctly.

So you all know my problem now! And I think a lot of you have the same problem, so I wish we would all try to find a solution for this and learn the best way to protect Perl on the server.

Hypervm Hacking
As we all know, there has been a HyperVM exploit which may have taken down fsckvps, and other hosts have been having attacks. If possible, install any program that will warn you of a connection to your server and/or provide input on what it may or may not be.

I myself just had a blank PHP format file uploaded to a client's VPS, and it tried accessing other VPS servers. As far as I know the IP was rapidly changing and untraceable (this may or may not be from the exploit). If anyone else is having HyperVM attacks or server attacks, please post here so that instead of working within our own companies we are working as a group of over 10 thousand+ WHT members to solve this issue ourselves.

(mods may move this wherever)

Server Hacking...
I have a server, and these days my server is being hacked. The problem is chmod 777: there are many dirs with chmod 777, and the hacker is uploading files and creating folders under the folders which were created with chmod 777. Now I just want to know how I can block the hacker, and whether there is any way to allow the scripts which are on my server and not allow any other scripts to upload files to my server.

I have a Linux server.

Is This A Hacking Attempt
In the referral logs that I keep on a website, I came across the following this morning. Is this someone who is trying to gain access to the server etc.?

[url]
[url]
[url]
[url]
[url]

I have the IP addresses that they have come from and they resolve to a Russian (I think) website.

I'm just looking through all the folders on the server now and no data has been compromised as far as I can see, and I'm going to use the query strings in order to block access and also deny access via IP address.

MYSQL Hacking
A lot of databases on my server were hacked.

The hacker can edit tables.

Are there any ports in MySQL 4?

Forums Hacking
A lot of VB forums are being hacked every day.
In fact, none of the hackers could hack the databases or files.

They only edit one template in the style, like header or forumhome,
so uploading the style again resolves the problem.
But how can I disallow them from editing templates?

Any functions to disable, or a rule for mod_sec?

Hacking Attempt
see the log entries below:

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i""

1.2.3.4 - -[12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url]HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"

1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"

What can you say from the above log entries?

So How Does Hacking Work
I keep reading all these devastating posts about people's machines being compromised. Are most of these hacks due to weak passwords of administrators or clients which end up getting bruted, or are there known exploits for cpanel/plesk/apache etc? I am setting up an apache-only server with a really secure password, but I am wondering if it could still be breached using an exploit.

Is Someone Hacking My Server
Purely by accident I logged in a few minutes ago onto my server and ran a 'ps -ax'

At the very end I had the following lines:

29803 ? S 0:00 /bin/sh /usr/local/sbin/bfd -s
29804 ? D 0:00 /bin/sh /usr/local/bfd/tlog /var/log/secure sshd.4
29805 ? S 0:00 grep sshd
29807 ? S 0:00 grep -viw error: Bind
29808 ? S 0:00 sed s/::ffff://
29814 ? S 0:00 grep -iw Illegal user
29816 ? S 0:00 grep -iwv Failed password for illegal user
29817 ? S 0:00 grep -iwf /usr/local/bfd/pattern.auth
29818 ? S 0:00 awk {print$10":"$8}
29819 ? S 0:00 grep -E [0-9]+

Is this someone hacking my password file or is this something different?

Hacking Attempt On Site
I am having an issue with my server. Someone is trying to execute some code and possibly trying the MySQL injection method.

I have pasted the code below.

Please suggest what can be done in this case.

Regards
Gagandeep

+++++++++++

The person tried to use different IPs and different websites to execute the code.

URL >> IP

[url]

[url]

[url]

ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156

There are many such queries under my logs.

The person is using different IPs, so I can't even block that many IPs.

++++++++++++

The CODE

<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }

echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>

My Thoughts About Hacking... [Part 1]
Is security really that critical? If so, why are some of the largest software companies providing such a bad example for the rest of the industry? Why would someone want to target my website? Why is security often overlooked?

These are all common questions that arise on a daily basis within the online industry.

The rest of this article will provide some detailed answers, along with practical examples and true scenarios.

I've spoken with numerous hackers over the past short while. I can't count the number of times I've heard the line "Ignorant site owners deserve to be hacked". In my opinion, that's like claiming that cars without alarms deserve to be stolen, or homes without alarm systems deserve to be burglarized. It's not just wrong - it's illegal.

Security risks and vulnerabilities affect the entire online industry. When a single website is hacked, there are usually multiple other victims. This is most commonly seen with widely distributed software. A potential attacker has the ability to install the software on a test environment, locate the vulnerabilities, then attack random victims even before anyone else is aware of the potential exploits. Once a vulnerability is located, the attacker simply needs to search for other environments using the same software, and within minutes there are hundreds, often thousands of potential victims.

Typically, in the race to market, software providers are encouraged to release their products as soon as the applications are usable. Critical development procedures are often overlooked or intentionally bypassed. One such miss is an application vulnerability assessment. Although the product may be usable, the effects of a vulnerable application could be severe.

Sadly, nobody is "off limits" when it comes to hacking. Most hackers feel safe committing online crime, since the online industry has evolved much faster than the security industry. Many applications are not created with the intent to recognize hacking attempts. Some hackers view their actions as a competition - Who can attack the most valuable website? Who can exploit the most user databases? In many cases, these attacks are bragged about within the hacker's immediate network. The competitive nature of these hacking groups has become so severe, there have been reports of attacks between competing organizations.

You might ask, "If I use industry standards, won't my environment be secure?". The short answer: no, but it helps. Hackers are not restricted by industry standards. Most security companies only implement new standards once at least one victim is reported. This often gives hackers plenty of time to locate other vulnerable environments, and before long, the number of victims can increase rapidly. Hackers are some of the most innovative individuals within the online industry. The most logical way to combat them is to use similar methodology for security purposes.

My Vbulletin Forum Hacking
My vBulletin forum redirects to another site.

I upgraded to the latest version but I still have the same error.

I have root access and want to know how I can restrict the redirect to another server.

Daily Hacking Attempts
Our VPS is being hit several times a day with hacking attempts. We have been actively monitoring error logs and can see the failed attempts. I was just wondering if there is a better way to track such attempts, or another system log that would provide additional info on these attacks? Or maybe some 3rd party logging scripts?

Index Page Hacking
The index page of one of my customer's domain names has been hacked, with pharmacy-type URLs all over the homepage. Does anyone have any idea about this? You can see the URL at
[url]

Prevent Hacking/spamming
Will I depend on my hosting account(SSL) in preventing a hacking/spamming case scenario? What do I need to know to prevent hacking/spamming?

Hacking Attempts From Server.softjin.com
I have been getting a lot of hacking attempts from this server:

server.softjin.com

They have offices in the U.S. as well as India, Japan, Singapore. I have reported them to [url]
and if you are in the U.S. and have proof of hacking attempts from this company, please post them here -

I am currently looking to compile a list of complaints so I can send another complaint report to ic3.gov

IP Address Which Begins With 10 Means Hacking
I have some websites with different support, contact, ... forms. I have set the forms to record the subscriber IP, need to know when the IP begins with 10, it means a person submitted the form from inside the server? If so, what is the appropriate defense? If no, what it means? I know many experts are present here, please in addition to selling and introducing your service,

Track Perl Hacking Script
I have FreeBSD with cPanel. Someone is running an attacking Perl script from my server. Below is information about that script, but it shows the / path in the command lsof -p 30251 | grep cwd.

PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
29018 root 96 0 35968K 30528K select 0:03 2.71% 2.69% perl

newinst# lsof -p 30251 | grep cwd
lsof: WARNING: compiled for FreeBSD release 5.5-STABLE; this is 5.3-RELEASE.
perl 29018 root cwd VDIR 4,12 1024 2 /

newinst# ls -la / | more
total 22413
drwxr-xr-x 25 root wheel 1024 May 16 03:23 .
drwxr-xr-x 25 root wheel 1024 May 16 03:23 ..
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black.bak
-rw-r--r-- 2 root wheel 801 Nov 5 2004 .cshrc
-rw-r--r-- 1 root wheel 355 Feb 21 2007 .new
-rw-r--r-- 2 root wheel 251 Nov 5 2004 .profile
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db.bak
drwxrwxr-x 2 root operator 512 Jul 19 2005 .snap
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db.bak
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white.bak
-r--r--r-- 1 root wheel 6184 Nov 5 2004 COPYRIGHT
drwx--x--x 3 root wheel 512 Aug 20 2005 backup
drwxr-xr-x 2 root wheel 1024 Dec 28 2006 bin
drwxr-xr-x 5 root wheel 512 Jul 19 2005 boot
drwxr-xr-x 2 root wheel 512 Jul 19 2005 cdrom
lrwxr-xr-x 1 root wheel 10 Jul 19 2005 compat -> usr/compat
-rw-r--r-- 1 root wheel 177 Dec 5 12:15 cpgd.c
dr-xr-xr-x 4 root wheel 512 May 16 16:23 dev
drwxr-xr-x 2 root wheel 512 Jul 19 2005 dist
-rw------- 1 root wheel 4096 May 13 15:58 entropy
drwxr-xr-x 28 root wheel 4608 May 19 11:57 etc
drwx--x--x 501 root wheel 9216 May 19 01:33 home
drwxr-xr-x 3 root wheel 1024 Jul 19 2005 lib
drwxr-xr-x 2 root wheel 512 Jul 19 2005 libexec
drwxr-xr-x 2 root wheel 512 Nov 5 2004 mnt
drwxr-xr-x 3 root wheel 512 Jul 21 2005 nonexistent
drwxr-xr-x 8 root wheel 512 Oct 30 2007 opt
-rw------- 1 root wheel 22786048 May 16 04:51 perl.core
dr-xr-xr-x 1 root wheel 0 May 19 11:57 proc
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 rescue
drwxr-xr-x 13 root wheel 1024 May 19 01:33 root
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 sbin
drwxr-xr-x 5 root wheel 13824 May 19 01:22 scripts
drwxr-xr-x 4 root wheel 1024 Jul 19 2005 stand
lrwxrwxrwx 1 root wheel 11 Jul 19 2005 sys -> usr/src/sys
drwxrwxrwt 9 root wheel 31744 May 19 11:57 tmp
drwxr-xr-x 21 root wheel 512 Dec 5 12:12 usr
drwxrwxrwx 24 root wheel 512 May 16 16:24 var

where it is located at/path.

View Replies!   View Related
Hacking Buildapache To Add Mod_deflate (for 1.3.37)
apparently a mod_deflate patch has been available for apache 1.3.37 for some time but since I rely on cpanel as a huge time/knowledge saver, I'd like to hack it into buildapache/easyapache so it's an option just as easy as mod_gzip is (with a simple checkbox)

after poking around I learned that all the magic happens in /home/cpapachebuild/buildapache
I've studied how mod_gzip is activated/installed but some steps are beyond me

mod_deflate for 1.3.37 is here [url]. The critical files inside are of course mod_deflate.patch and mod_deflate.c

so I assume stick those files into a directory under buildapache, but where do I hack in the patch and build steps?

View Replies!   View Related
Php Injection & Session Hacking
I had done a program in early 2006 for a site in php-mysql. At the time of doing the code, the code written was not so standard and it contained uninitialized variables used for include file paths (even though values are assigned to it before using) and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.

And now I was informed that the insecure code in my program caused the server crash and I have to pay the penalty for the same. Can anyone let me know whether the below code / keeping the session variables within a folder inside the /www/ will make the sites hosted on the server where this program runs stop/crash forever?

------------------------------------------------------------------
function update_region($id,$regname,$regcom)
{
$query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."',
region_comments = '". $regcom."' WHERE region_id =" .$id;
mysql_query($query);

......
-------------------------------------------------------------------

View Replies!   View Related
Reporting A Website For Illegal Hacking And Other Activities?
How would I go about reporting a website for illegal hacking and other activities?

Their host is fully supporting them. They have even given them the IP address of the proxy I used, in which case the client of theirs has added the proxy to their htaccess deny list.

View Replies!   View Related
Mod Security Rules And Hacking Attacks
I have a problem with a hacker from China. He keeps uploading 4 files to my server:

mail.php
mysql.info.php
footer.txt
header.txt

He did this with 4 different accounts so far.

I have mod security installed with the ruleset from gotroot.com but it doesn't help. Now my questions:

1. Where can I download the mod security core ruleset (is it helpful anyway?) I already found this page [url] but I do not see a "download here" link anywhere... I found the link that points to [url] but then I do not see the mod sec ruleset anywhere...

2. The rules on gotroot.com have not been updated for a long time. Are they still useful? What do you think?

3. Any other sources for good mod sec rules that may resolve my issues with PHP exploits.

View Replies!   View Related
Is It A Hacking Attempt.. Request Of Weird Files Along With Unwanted SSL Handshake
I see following errors in my server ie. httpd error logs:

Code:
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 79.132.204.192) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 60.63.241.18) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
[Mon Mar 30 07:23:56 2009] [error] [client 114.224.169.0] File does not exist: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bFT/SX00/VtJVht/D1XvJBgHP/5lll.gif
[Mon Mar 30 08:46:42 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
Lastly, you can see that MySQL reached the maximum allowed clients... and it crashed

Also, at regular intervals I see such requests:
/var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bF/SX00/VtJVht/D1XvJBgHP/5lll.gif

Also I see SSL handshake failure notices while I do not have any SSL cert or SSL running site on this server.

View Replies!   View Related
Shell
My server is under attack of shell.

How can I find shell code in my server? (c99 ...)

Is there any antivirus or open source tool to find it?

How can I disable the shell function?

View Replies!   View Related
Shell Allow.
I have spare dedicated machine.

I want to allow user to run few processes on machine (debian etch).

I configured limits at /etc/security/limits.conf for group "shell".

When I attached the user to group shell, the limits work well, but he can still look
everywhere on the system. (He can do cat /home/somefile.txt, even if owned by root.)

Is there any method or software to limit users to access only their home directories?

View Replies!   View Related
How To Stop Spammers?
I was wondering if anyone has any methods to stop spammers? Currently I am keeping watch on the mail queue and making sure there is nothing unusual. I have the WHM configuration set up to not allow more than 200 mail messages per account per hour, but for some reason it will hit thousands. WHMCS does seem to suspend them automatically, or maybe it's because of WHM, BUT only when it's too late.

Any thoughts or suggestions?

View Replies!   View Related
How To Stop Spammers ...?
Have a persistent spammer who kept emailing my clients, even non-existent domain accounts, and getting the bounced emails to be sent to a particular Yahoo address. I tried to block in all ways but can't seem to stop him. His spams are from all over the world. Any suggestions?

View Replies!   View Related
How To Stop Gunzip -c
how to stop gunzip -c?

By mistake, instead of using gunzip filename on my friend's VPS, I had used gunzip -c filename

and it's taking a hell of a lot of time to unzip it. I have no clue how to stop this and I am scared that if I close the ssh client, it might still be adding load to the server ..

I am unzipping a 4.5mb file, which on un-compression must be around 14.5mb ..

For the past 10 mins it's still unzipping and I'm not sure how long it will go on.. unless I stop it..

View Replies!   View Related
How Stop Spam
I have a server that is sending spam, but I cannot know who sent it because the server does not have suphp installed.

There is another option to see who sends spam?

View Replies!   View Related
Stop Hotlinking
Is there a way to stop hotlinking? I have a client who has a blog. They have posted pics of tattoos. Now there are at least 50 tattoo forums, blogs and other sites hotlinking to the pics. Now his bandwidth usage has skyrocketed. So I enabled hotlink protection in his cPanel. Just did a redirect to my main hosting site with a nice "please stop hotlinking" image. Now I see all this in my logs. So I then made a 150 x 9000 clear BG gif with the text at the top "please stop hotlinking".

My question is: is there any way to stop it? If not, should I just make a 1x1 clear gif to redirect to? Also, is there a way to not have this traffic show in my log files?

View Replies!   View Related
I Want To Stop Emailing Myself
I want to stop emailing myself

I have received quite a few emails from senders claiming to be the recipients [in this case one of my email accounts]. I did not send these emails. This is happening with almost every email account I have setup on one of my domains.

I know this is probably an easy fix-- I am simply unsure of what it is.

I noted that someone else recently posted a similar question-- with only one response. I wanted to see if another post may garner another response.

View Replies!   View Related
Stop Bots
I would like to ask about the best system or software code used to stop bots and offline downloaders from entering a website.

View Replies!   View Related
How To Stop Iptables
How to stop iptables? Because when any user makes a refresh, he gets banned from the server.

I need to stop iptables, or how do I make rules for it?

View Replies!   View Related
Awstat Stop
I already enabled awstat in whm features manager.

And it was working till 3 jan 2008!

But statistic doesn't update now!

View Replies!   View Related
Too Much Traffic, How To Stop It?
I have a VPS with iptables, but I have too much traffic (RX); there are too many packets received from random ports on both UDP and TCP. Today in just 14 hours I've had 2.8 GiB of traffic, without any connections for web, email, etc. (I've stopped all the services). How can I stop this? It's going to burn all my monthly traffic.

View Replies!   View Related
What's The Best Way To Stop Spam
For my site email address I get like 500 emails a day.

Is spam assassin really the only method?

View Replies!   View Related
Copyright © 2005-08 www.BigResource.com, All rights reserved