Hacked By Aftehner How To Solve It
Apr 23, 2007
My server have been hacked by a user that have the nick of aftehner
excatly what he does is enter and execute a command by a php script that execute a command in shell that delete all the files that have in their name index or main, so he destruy alot of information.
My question is how can i reinstall everything in a remote server, I already try to reinstall cpanel, apache (but it doesnt work with the cpanel version so i try it to install a standalone but it only shows 1 page for all domains hosted)
I dont know what can i do, It delete alot of information and replace with a file of hacked by aftehner or something like that.
Yum is doesnt work correctly, i already try to reinstall python, perl, php, but i still having problems. I have been working all the day until 4 am for 3 days trying to fix it, I already know how he make the attack and i have all the log i can share this information with you for not have this problem.
What do you reccommend to do for solve this problem?
Server
Linux Fedora
Athlon XP 3800+
1 gb RAM
Data center: Layered tech
CPANEL / WHM
A domain hosted in it: Mindev.com
They hacked the website by the domain: Lodice.com
View 4 Replies
ADVERTISEMENT
Jan 12, 2007
I have a dedicated server and it works very well to all my sites and my scripts until 2 weeks ago, I start getting errors from my sites the following error message php_network_getaddresses: getaddrinfo failed: Temporary failure in name resolution
I thought this is a temporary error only when I first encounter it, but its been 2 weeks now and still the problem is continuesly showing.
The problem cause my 2 sites being penalized from google search engine because of this problem.
View 6 Replies
View Related
Aug 30, 2007
how it's possible to solve this problem: My domain name has an e-mail address that is being forged and used by a spammer, and I get an incredible amount of bounced emails to the point to bring down a Dual-Xeon with 4GB of RAM. This e-mail account has been discontinued and e-mail sent to non-existent accounts is set to be thrown away. The average server load goes through the roof in a few seconds as soon as I point the MX entries to the server. I don't have the money to set up a load-balanced system. What could I do to host this domain name and use e-mail, only allowing emails to existing email accounts?
View 14 Replies
View Related
Nov 16, 2008
i see my websites are infected with some trojan.
there are some iframe tag simlilar to this in all index files
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
any idea how might this iframe inserted in my codes.
i have tried to format my systems and remove all saved ftp passwords , but still this virus is comming back and the strange thing is i have website on different servers infected with same virus
any idea how this is happened and how to avoide this?
View 9 Replies
View Related
Mar 5, 2008
My ISP gave me the box with /usr allocated only 8G, now is 6G used. I suppose that Cpanel will take space when I create email accounts, forwarders, maybe other stuff too.
What can I do to prevent running out of space?
View 5 Replies
View Related
Mar 12, 2007
I am trying to install some packages on my system and sometimes they depend on different, sometimes earlier, sometimes later versions of library packages on my system.
In that situation is it better to get the source for the package and recompile it with what you have on your system?
I am assuming that the dependent libraries the packages where compiled with were what was available on the package developer's system and do not necessarily contain new features lacking in the older versions.
Will recompling such packages from the source rpms fix the problems in most cases?
One particular group I persistently come across is the libcX.so libraries.
View 0 Replies
View Related
Jun 28, 2009
I installed Joomla today, and it went smoothly except that under Help -> System Info in the Joomla admin panel, all "Directory Permissions" are "Unwritable."
I've read up on various solutions, such as installing suphp to take care of user permissions. But if I have my own Linux VPS and I am the only user (i.e. noone else has accounts on my VPS), what is the easiest way to fix this issue? Can I just CHMOD those directories to 777 without worrying about causing a security issue? Or is there a similarly easy solution for someone like me with very basic Linux knowledge?
View 14 Replies
View Related
May 4, 2007
We've had a VPS for just over a month now. I am not going to mention the host by name (yet) but they advertise here and other people here reported liking them.
Sadly it's not my experience and I regret my purchase.
Every morning for the past few weeks, we get load spikes every 30 minutes that make our site unusable for a minute (on our VPS, any load over 1.0 is sluggish, over 2.0 is virtually unusable, over 3 is unresponsive)
Here's a series of days as an example:
[url]
The worst part about this is the host insists 1. either it's not happening or 2. they can't find it
I know it's happening because when I try to load a page on the half-hour, it takes over 13 seconds (less than 1 second normally). And it's fairly obvious it's someone doing a cron job with some nasty downloading, uploading, or maybe a massive mysql update.
Someone tell me what to tell them because this is driving me out of my mind. The load is NOT being caused by ourselves, I've made sure all our cron jobs don't happen on the exact half hour and we get lots of traffic later in the day without loads.
View 14 Replies
View Related
Mar 27, 2015
Last night the plesk auto updater ran an update. And i was wondering if others have had the same issue?
CentOS6, RHEL5 x64 Plesk 12 Unlimited
Detecting installed product components.
Gathering information about installed license key...
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
[Code] .....
ERROR: The Yum utility failed to install the required packages.
Attention! Your software might be inoperable.
Please, contact product technical support.Click to expand...
View 9 Replies
View Related
Apr 3, 2008
I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.
The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?
View 2 Replies
View Related
Aug 5, 2009
2 days ago i noticed my cpanel hardisk usage was a lot more then it should be, after looking around i found out my inbox was 400mb (82143)emails!! i don't use any of the cpanel email because i have them set to forwarding. all the emails are spam and i discovered a few emails using my domain (that i did not create) that are valid and when i email them it reaches this cpanel inbox
So how bad is it? have i been completely comprised or is someone managed to get some type of spaming access only?
View 5 Replies
View Related
Feb 5, 2008
I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.
About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).
I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.
View 7 Replies
View Related
Feb 4, 2007
Well, this is rather weird. I cant tell if this is a server error, or a hack.
Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.
View 14 Replies
View Related
Jul 23, 2007
My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...
I got an email from one of my scripts:
SUBJECT: [hackcheck] kill has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."
Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?
I uploaded the latest chkrootkit and ran it. The results say it's clean.
View 14 Replies
View Related
Feb 13, 2007
Am I hacked by somebody?
Any thing I can do to stop this (for example by hiring server management company)???
Here's the info that RKHunter provided:
/sbin/modinfo [ NA ]
/sbin/insmod [ NA ]
/sbin/depmod [ NA
Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: adm:0
And here's the info I've found after investigation:
-bash-2.05b# pwd
/usr/local/games
-bash-2.05b# ls -lah
total 332K
drwxr-xr-x 3 root root 4.0K Feb 5 15:59 .
drwxr-xr-x 15 root root 4.0K Feb 12 19:32 ..
drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl
-rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap
-rwxr-xr-x 1 root root 17K Feb 2 12:51 parse
-rw-r--r-- 1 root root 119 Feb 2 12:51 pid
-rw-r--r-- 1 root root 27K Feb 3 17:44 x
-bash-2.05b#
View 5 Replies
View Related
May 22, 2007
i daily check my error log files to see if something was wrong , checkout what i found
the first one is probably trying to hack my site to get to my ads and changing it to them i think
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpads
[error] [client 195.23.16.24] File does not exist: /var/www/html/Ads
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads
this 1 I dont know
[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
This 1 is kinda keep me scared i dont know what it is either
[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en)
[Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859
[Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171
[Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368
[Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
View 3 Replies
View Related
Sep 10, 2007
my server hacked
24 cat /proc/cpuinfo
25 ls
26 cd /var/tmp
27 ps x
28 ls
29 mkdir .www
30 cat /proc/cpuinfo
31 cat /etc/issue
32 mkdir .ww
33 cd .ww
36 download alexscan.tar.gz
37 tar xvfz alexscan.tar.gz
38 tar xvf alexscan.tar.gz
39 cd Vek
40 ls
41 ./Vek 210
42 ls
43 cd ..
44 ./ss
45 ls
46 cd ..
47 cd .ww
48 download joker.tgz
49 tar xvfz joker.tgz
50 download flood-udp.tar
52 tar xvfz flood-udp.tar
53 tar xvf flood-udp.tar
54 perl udp.pl 72.8.131.39 0 0
55 perl udp.pl 89.42.72.6 0 0
56 perl udp.pl 83.42.64.149 0 0
57 passwd
58 ls
59 cd joker
60 ls
61 chmod +x *
62 ./x 23.12
View 14 Replies
View Related
May 9, 2007
I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the cfs score.
This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?
Here is the output:
=================
Time: Thu May 10 01:31:52 2007IP: 207.210.233.128 (Unknown)Account: rootMethod: password authentication
========================
I know for sure that I did not login my SSH yesterday.
However, when I logged in SSH this morning, it says in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in SSH since last time I logged in myself.
Was my server intruded or was lfd just playing up?
View 2 Replies
View Related
May 11, 2007
Go to this page:
[url]
how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?
View 2 Replies
View Related
Apr 12, 2007
I have a VPS running cpanel/whm on CentOS.
Everyday someone keeps coming in and deleting all my accounts. I do have them saved, but I cannot figure out how they are doing it.
I have followed the tips on the forum for locking down VPS. We have restriced SSH logins to our IP, we have checked all directories for ones that are 777 and changed them, we have moved the server to a different IP address.
View 14 Replies
View Related
Jul 27, 2007
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./
When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)
View 0 Replies
View Related
Nov 23, 2008
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.
Our WHMCS got hacked earlier today and the hacker sent out a to be honest, unacceptable email to all clients, I won't go into detail but lets just say it directly insulted them.
Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image).http://img378.imageshack.us/img378/2560/hackedmh9.png
Just a warning to everyone out there. His IP address was 86.132.228.82.
View 11 Replies
View Related
Jul 27, 2008
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?
View 6 Replies
View Related
Jan 27, 2009
we have a vps server and someone did what I would call a calling card attack, thankfully.
It is a stock kubuntu os with stock apache. Root passwords for everything have been changed to our own
Somehow they logged into kubuntu as root and changed the htpasswd in usr/passwords (changed to protect the password).
Then since they changed the htpasswd they were able to log into phpmyadmin and changed the admin password in the database.
I'm pretty sure I know who did it and he is teaching us a lesson which I respect but he will not comunicate with us.
We have hourly snapshots of our vps and we need to know how they are getting in. See my sig and click on the hotspot login.
Looking at the sudoers there is the Defaults line that we suspect as a means to get in.
We have a great php etc... app but it is either Apache or kubuntu that they can get in.
I would like to learn about what needs to be done about security but where do I start?
Can someone help me look for something that would allow the attack?
I'm a php guy and it is not a mysql injection attack nor is it an xss attack.
I am not a kubuntu / server security guy and now need your advice.
View 7 Replies
View Related
May 22, 2008
Out of the three websites that were hacked the hacker left a get.php file in the root and i decided to see what it was and i ran it. To my shock and horror it gave me all the different types of people hosted on the server and it also gave me their database passwords etc...
Now each time i ran it, it gave me different results of different users on the server each time with a long never ending list. I just couldnt believe my eyes a simple short written php script showed me a lot.
Now im not a PHP guru but this is quite serious and ive notified my web host showing them my findings. I was quite astonished it showed me passwords in peoples configs.
Now my question is... is this something new or old and that my web hosts forgot to look into that area...? I mean its a php script thats all.
View 8 Replies
View Related
Oct 1, 2007
One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.
Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.
I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.
View 10 Replies
View Related
Mar 17, 2007
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How I can remove them?
View 14 Replies
View Related
May 18, 2009
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
What is mean ? Sorry for ask a fast answer. I have change my domain's IP to protect someone can run dangerous script...
View 6 Replies
View Related
Dec 21, 2006
My dedicated server was rather slow. Upon checking, I had a new cron job, (deleted now) made by apache, pinting to the following IRC bot.
[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate
View 10 Replies
View Related
Apr 7, 2007
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have few questions:
1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235
Do these messages mean that hacker trying to enter the server under root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? Virus on my server or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Does someone read my emails?
View 6 Replies
View Related
Nov 17, 2006
My server just got hacked i just bought it!!
and they was going to charge me anouther $35 to reset the password how stupid...
in the end we got it done free
View 8 Replies
View Related
