Hacked Server Remediation Plan
May 19, 2009
We are looking for a suggestion on a best practice to help a customer recover from being hacked. One thought is that the client should be put on a new server and allowed to rebuild from there. The concern is that there are so many web app breaches that the server often gets rehacked because the bad code is still in the web app.
Jun 2, 2014
I'd like to create some service plans using the CLI tools (/usr/local/psa/bin/service_plan). I am able to create a service plan, but I'm unable to create a service plan inside a reseller plan. For example, I cannot "tell" the service_plan script to add the created service plan to a reseller plan. Is it possible to create a service plan inside a reseller plan using the CLI?
Apr 23, 2009
So, here is my example. I have two servers in different locations. The first one is the main server with all the data and the second one has just a simple notice like "We will be back soon".
Now, if I set the primary DNS server on the main server and the secondary DNS on the second one (but with different A records), will users actually get server two if the main server is down?
Will this work or not? I want 100% access to the site, at least to the server with only the notice (I don't need data from the main server). I can set up round robin, but I don't need load balancing (actually I want access only to the main server); I just want it to go to the second one if the main server is down.
May 13, 2008
There is so much information on disaster recovery and backing up one's server, that I'm getting glassy-eyed trying to take it in. Maybe if I became an actual case study, and get some "group think" help, this thread could benefit many others in a similar situation.
Current Situation:
1. I'm a small hosting company, 5 years in existence, with about 350 clients. www.mlhi.net
2. Dedicated Linux server, PLESK CP w/unlimited domains license, fully managed at HostNexus (great guys). It does not have a RAID array (used to have that at Rackspace) but it does have a backup drive that everything is backed up to with a cron job every night.
3. In addition I have a Linux Sys Admin on retainer, www.linuxbox.co.uk (he is better than excellent). Two years of excellent server maintenance and security on top of the managed service I get at HostNexus.
4. I just bought a VPS plan at JaguarPC.com after much research (a lot of it here at WHT) and as they say "so far so good" with the ease of dealing with them. I have not set up anything there yet; I just got the VPS provisioned a few days ago.
Fears and Concerns:
1. Data center destroyed, my server burns up (including backup drive), etc.
2. DDOS attack (which did hit this data center a few months ago and I was down for hours)
3. If I had to FTP everything back to another server from my local, at 18 GB, it's not too cool.
Want to do this:
1. I want my Sys Admin to run a backup copy (and incrementals every night) to an identically configured VPS server at JaguarPC. Both servers are now running identical PLESK 8.4.
2. I want the fastest recovery possible without spending a ton of money. I know this means I don't get an "instant" recovery, but recovery within 24 hours is more than OK. None of my customers are ecommerce... just brochureware sites.
My "I'm not an expert" plan:
1. If the primary server goes bye-bye forever, I can log in to my BulkRegister/Enom account and change the child nameserver IPs to the IPs of the VPS. In 24 hours or less, every request for the nameservers would then be routed to the new server.
2. I can create an A record on every domain like www2.johndoeinsurance.com that would point to the IP at the VPS, so I can ease my mind anytime I want to make sure everything is safe and sound on the second server, and ready to go in an emergency.
How do I configure the DNS?
I control DNS at Enom for about two-thirds of my customers. I have ALL domains pointed to ns.mlhi.net and ns2.mlhi.net. Here are my options:
1. I create two more child nameservers, ns3 and ns4, and have them pointed to the IPs at the new server, then update all the domains I control. The rest of the customers I can email and ask them to add the additional nameservers. I know... good luck on them doing it.
2. I change the ns2 IP to go to the new server. And I make sure when I make edits on a website during the day that I FTP to both servers.
3. I don't have any nameservers assigned to the new server. I just change the IP on the existing nameservers in the event of an emergency.
May 11, 2013
I have it installed with SmarterMail.
However I have a need to recreate a Service Plan that does not add the domain to SmarterMail.
Just as the Hosting Parameters tab has an Enable hosting tick box, I need the same type of tick box on the Mail tab.
Mar 1, 2013
I am doing a migration of Plesk 11 from one server to another; on both servers the version is the same, but after the migration I can't find any of the service plans which are there on the old server. How can I copy / migrate service plans from one server to another?
Mar 17, 2007
Someone has claimed that he has penetrated my server and has gathered some kind of information via shell access. I have disabled the possible ways of shell access for the users via Tweak Settings and php.ini.
- How can I check whether he has made a backdoor for himself or not?
And I have run a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How can I remove them?
May 18, 2009
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
What does it mean? Sorry for asking for a fast answer. I have changed my domain's IP to protect against someone running a dangerous script...
Dec 21, 2006
My dedicated server was rather slow. Upon checking, I had a new cron job (deleted now) made by apache, pointing to the following IRC bot.
[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate
Apr 7, 2007
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have a few questions:
1. There are a lot of messages like:
Apr 2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235
Do these messages mean that a hacker is trying to enter the server as root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? Virus on my server or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Does someone read my emails?
Nov 17, 2006
My server just got hacked; I just bought it!!
And they were going to charge me another $35 to reset the password, how stupid...
In the end we got it done free.
Oct 29, 2009
My server was hacked the night before last and here is the log:
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
Jan 10, 2008
I found a process /usr/sbin/httpd being run by nobody, then I did a trace in WHM and found this. Is my server hacked?
send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
May 14, 2008
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!
I have a VPS and have root access.
When I restart my apache web server, my websites are working for about 3 seconds! Then it doesn't work any longer!
I've talked to my host; they may find the error if their technicians look at my server, but this will cost!
Dec 8, 2008
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............
Sep 1, 2007
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.
Somebody has been able to penetrate my Admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of a printer driver load. The printer name was one I don't have and my Remote connection has Printers off. The attacker, although smart, did connect with his printer and that was visible in the log. When he terminated the session I found his IP.
I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.
I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).
I am desperate. Please, if anybody has some ideas what I can do, how do I "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IPs to port 3389 (Remote desktop) except my IP. But I am a little scared to do that, so as not to lock myself out. And even in that case, if he knows the admin password he can get in some other way than using remote desktop,
Feb 16, 2007
I'm using windows 2003 Server to host my website.
I was on vacation for 2 weeks so I wasn't able to log onto the server. Nor was there any need to log onto the server as the website was up and running and was fine!
However, when I logged in today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in Event Viewer, starting from January 30th, there is a whole list of failed logon events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if Windows 2003 automatically logs the IPs of users trying to log in remotely, and where they are stored?
Jan 2, 2007
Today while I ran some commands like ls, this error appeared: segmentation fault.
Anyway, the reason is my server's hacked; now I have reinstalled it, but my question:
How could my server be hacked while I have disabled compilers for unprivileged users?
I admit that I have found cgi-telnet scripts, but how could he use them to install a rootkit?
Jan 11, 2007
We have a dedicated server with a well known company here in the UK; it's running Windows 2003 Server Std. This runs an application that was developed by our company and accessed by a max number of users per day of around 50.
Over the last few months the server has got slower and slower, although we do have periods when it's really fast. There seems to be nothing we can point our finger at as to why it speeds up and slows down; we checked the number of users accessing etc. and it does not seem to affect speed (users access by a secure logon).
This week the server was nearly at a standstill. I rang the hosting company, who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, and mentioned the following:
Dxplay.exe
Dameware.exe
Tree.exe
They said these exe files were listening on a TCP port (excuse my ignorance, not that technically minded).
They also said two users were accessing our server from Canada and California.
They also said that because we had loaded our own software on the server it was not their responsibility if our server was hacked, and that we were also running PCAnywhere, which was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, it was behind their firewall, would that not stop unauthorised access? The response was no.
I have a few questions I wonder if somebody might help me with the answers to:
1. Does it appear our server was hacked? Do the exe files look suspicious?
2. What is our hosting company's responsibility?
3. Is PCA secure?
4. How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web; could this be internal, i.e. our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else; is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software and although we have anti-virus we are scanning again; this new scan picked up 7 viruses, I'm not sure yet what these were.
May 19, 2007
I have worked with rack911 but he does not answer my emails. Is there anyone who can start it immediately?
How can I secure PHP?
My server is hacked but not so deep.
Oct 19, 2007
How does one know if their server is being or has been attacked / compromised / DOSed / DDOSed / hacked / you name it?
Oct 5, 2007
My server was just hacked.
Basically every index.htm/html/php in all my accounts (/home/*) has been replaced by some hack page.
I have backups, so I'm not too concerned. Problems though are:
1) opening any subfolder in an account causes an endless loop
2) putting any other page there and trying to load it from the home directory yields a 500 error message
Most likely going to have to rebuild the entire server... but any ideas what I could look for first?
For e.g. the loop thing is nearly like there's some "global .htaccess file" that's controlling every single domain to keep reloading a subfolder called index, which does not exist...
Apr 14, 2007
I am being hacked and I don't know how they are getting files on my server. They are doing it on two of my domains; I suspended one and then they got it on the other. My FTP access log does not show anything suspicious.
How can I find their doorway?
May 11, 2009
I am running a not so big hosting and do not have many customers. One of our customers has complained to me that registration mails from his website go to spam. I searched my IP and found it blacklisted in two databases.
I started to analyze logs, and noticed that from the 25th of April something started to happen. Tons of mails are sent, but I do not have that many customers. My mail server is in the .lv zone and I have customers with .lv domains, but mostly some .es mail addresses are there in the maillog.
The maillog is full of these records: .....
Nov 11, 2007
One of my personal servers has been compromised. It is the tornkit v8 rootkit. I tried to follow the instructions here http://www.webhostgear.com/101.html but I don't have write permissions on /etc/rc.d/rc.sysinit to save changes or even delete the file.
I am logged in as root and the file has rwx permissions for the owner, which is root. But I still can't do anything to that file. I get the following message: cannot remove `rc.sysinit': Operation not permitted.
I need to get this server online ASAP. I am running CentOS 4.2 and logged in as root in recovery mode.
Jan 20, 2008
The data center tells me we use a lot of bandwidth, and I checked from the MRTG they offer; it reaches about 80M. My server really used a lot of bandwidth, but I logged in to WHM to check the bandwidth of the accounts, and it looks like my customers did not use a lot of bandwidth. I worry that my server is hacked to attack others or other things; how can I check this?
Jun 23, 2007
My hosting provider will shut down my server because it was used by a hacker for DoS attacks.
(outgoing 2090 kbits/sec, incoming 29 kbits/sec)
The server has FreeBSD 6.2, Apache 2.2, PHP 4.4.7 and ipfw installed.
To be more specific, somehow the hacker can upload a script "udp.pl" into the /tmp directory and then execute it through "perl udp.pl".
The script "udp.pl" does mass flooding on the IP they specify.
The header of the udp.pl code is attached at the bottom.
After that I deleted "udp.pl",
secured /tmp (noexec,nosuid,rw),
ran chkrootkit / rootkit hunter, checked /etc/passwd for new users and users with UIDs of 0 other than root, checked for the presence of SUID/SGID root files: nothing found,
installed mod_security2,
installed Suhosin.
Currently I still have lots of outgoing traffic via port 80 (outgoing 390 kbits/sec, incoming 19 kbits/sec).
I found no suspicious process by using "lsof, top" .....
Mar 26, 2008
My server was hacked and when I try to log in to cPanel, after entering the username and password it shows the hacked page.
Help me to change the cPanel page.
And what section should I check?
Jul 12, 2008
I found a site hacked; all the sites are vBulletin and have no protection .. I think it was hacked via the forum home.
I made a search for SSH and I didn't find anything.
Can you advise me how to stop this way of hacking please?
Oct 2, 2007
My server was recently hacked and I'm looking ways to secure it in the future. I use the server to host my own websites.
It was hacked to be a spam server. I traced the new files the hackers added to my "upload" directory, which is where my site members upload pics. I had set the directory to chmod 777. Could someone hack that directory solely from its rights being 777?
The site was custom developed in PHP, and looking through it myself, I couldn't find any security issues. But then again, I may not know what exactly to look up.
I would appreciate any general tips to protecting a server, as well as general tactics hackers use to hack a server and PHP site.
Aug 3, 2008
My server with SoftLayer was hacked after being 5 days under attack.
Do you guys have any suggestions about secure data centers?
Any hosting we can depend on when we face a problem?