I am starting a online sotre. Someone told me to keep third party seals for good response.
Please recommend me which seals to be used
Hacker Safe, TRUSTe, BBB, and Trust Guard
I think Trust Guard seal give a multi package for all security,privacy and business verification. Shall people know it? Is it worth money?
As with many sites. my site was hacked recently. my host was so negative about this. they didn't notice the hack attempt although it took the hacker 9 hours to break through.
after that I made some search on my host to find that it is not a real host at all. they are just resellers to another company. I was very disappointed, Then I decided to go to a better host who can protect me from hackers.
I read some threads about 'hacker safe host' but they all in general don't give a real name of trusted 'anti-hackers' companies.
can you guide me to some of the famous hosts?
if you can't my friends got a VPS hosted with WestHost. he offered me to move my site to his VPS. is west host trusted about hackers?
I see a lot of DDos related articles here at WHT. We've got hit multiple times by DDos and had to handle those attacks everytime with a different approach.
The largest one and the most well know one (we were in Times Mag, AP news, CNN, slashdot, you name it - just do a search about us on WHT) was Russian botnet cyberattack - we had to anaylyze netflow and then block everything on our edge routers, then on the firewall and then locally on the servers.
Since then we had number of other attacks, some of them we were not able to defend on the server level, while, as you can understand we can't do netwflow and manual intervention evey time somebody gets an attach.
We have very good scripts which allow to mitigate huge number of DDos attack, whet our scripts are finding attacking IPs and blocking them automatically - still some attacks could be blocked only on the router level.
I've read that Cisco Guard (I am interesed in 65xx version of it) suppose to mitigate DDos attacks in automatic mode.
Our sites has been attacked by some viruses. Those files are in the extension of "20090307ycbak" followed by original file. For example if our site contains a html file in the name of index.html; that virus will create a another file like "index.html 20090307ycbak". So how to rectify this problem. Can any one suggest me how to secure our websites...
View 2 Replies View RelatedI seemed to have acquired a taste for getting volunteered for things here lately and I'm stuck on a firebox x550e firewall,
This application needs to be used to protect 2 servers that are going to be used to server 1 website and hold all of its financial records,
My main problem in the initial configuration of it.
69.65.22.144/28
69.65.22.144 Network IP
69.65.22.145 Gateway
69.65.22.159 Broadcast
Is the /28 Vlan
Picture 1
Picture 2
Picture 3
Picture 4
Just wanted to stop people to become they target of scamming and reported this right now while my server is with them and they dident answer me when it get down about 2 days ago until now...
People, DONT EVER TRUST THEM!
They prices are cheap but they are totally Untrustworthy!
You could pay more than that to have a real server not 15 days a month server!
In case of knowing my issue:
I have bought one of they september offer server, its a core2due 2.13Ghz and 2GB RAM and 2 x 160GB HDD about 14 days ago and my server is now down like 48 hours or more and I have placed 4 - 5 tickets now with every language I know either respectful or swearing, and no answer at all!
they simply ignored my tickets, they live chat is mostly offline (maybe online only 2 - 3 hours a day)
and I have no choice of having control on my server, even the reboot port is a ticket placer as emergency priority and actually no one answer you or even read you ticket!
Guys, you better dont fall in they scamming program by seeing they cheap prices and being tempted.
RBLs are a key part of blocking spam, what RBLs do you trust now? Spamhaus? Spamcop? Obviously, with hosting companies themselves being the victim of renegade RBLs who list people inappropriately you know which you trust or not..which are they?
My numbers show nearly 80% of mail (read: mail, not spam) is blocked by a simple RBL entry of Spamhaus.
I tend to trust Spamhaus, with enough precautions in place, which others?
If you upload your website(s) to any given host provider, what security do you have? None, they are in control of your website, if you're:
1. Late on payments.
2. Publish content they don't like.
3. Exceed your limits in any other way.
They can cut you out, close you down.
The only excellent (!) way, to be in total control, is to host your own website, on a dedicated server, in your own home, with a dedicated line, right or not?
Here's what I asked a sales rep:
Quote:
It would be a slam-dunk to go with HE if the limit was 2.5 AMPS- so I have to ask one more time: is is 2.5 or 2 AMPS that I am limited to? Reason I ask is that in a 4/6 email you said:
> >>
> >>> Hello,
> >>>
> >>> Thanks checking it out. I think Dell can only spec it out configured
> >>> fully loaded. 600Watts So it looks like your server will not be fully
> >>> loaded. Like you said, you can get, check it your self or just go with
> >>> our $200 7u special, rack and read the kill-a-watt meter we provide. If
> >>> its around 2.5A, it should be no problem, if its higher, we can
> >>> immediately upgrade you to the full 15A cabinet and 1Mbps for $600.
> >>
But everything else you have said and I have read says 2 AMPS."
And here's the response:
Quote:
> > Keep in mind its not the start up power usage its the operating power
> > which is much less than start up. If you are at 2.5 Amps you will not be
> > asked to upgrade. 3 Amps yes but not 2.5..
> >
> > Let me know if you would like go forward with the services. My quote is
> > good for 30 days even if the marketing dept decided to eliminate the
> > special pricing.
To which I replied:
Quote:
Thanks,
Then I’m ready to sign-up, if we can amend the contract to state the
following (changes in bold):
“7U customers are provided with one metered outlet with a limit of 2 amps.
If customer exceeds 2.5 amps, customer will be allocated a full cabinet,
asked to move their equipment to the cabinet, and the full cabinet rate of
$600/month will be added to the monthly bill for the remainder of the term."
Let me know if that’s acceptable and I’ll amend the copy I have, sign it and fax it back to you.
To which I receive the response:
Quote:
> Hello,
>
> Unfortunately I cannot amend the terms. I can only assure you by email
> that 2.5 Amps should not be an issue. As an example, we had one customer
> with 2.8 Amps and didn't ask him to upgrade until he hit 3.4 Amps.
>
> I would say to consider getting started with the one server now and when
> you add your second one, we can look at the power usage then. We will
> work with you and are reasonably flexible.
>
> I look forward to your reply.
Would YOU sign this contract? I've only heard good things about Hurricane Electric on this board, but I hate having to trust someone who probably works on commission.
Should I trust my host with providing correct BW stats? Is there any way I can confirm those stats? (I don't have any tracking software or log analyzer installed because it uses too much resources.) The log file is tiny. Probably no more than 12-24 hours logged.
View 7 Replies View RelatedI am in the process of upgrading from apache 2.2.21 to apache 2.4.3. I'm using apache lounge's compiled 2.4.3 by the way. I'm working on a windows 7 SP1 64 bit workstation.
My old 2.2.21 was configured to use ssl with client pki authentication. When I configure 2.4.3 with the ssl options and move the CAs, private key and server certificate from my old 2.2.21 instance I get the following error.
For those who are still under the softlayer hacker abuse please note you will need to re-load your server. We got hit a 2nd time after thinking everything was clean. Anyhow, for those who got hit again, my team and another from WHT - forgot who made the original clean.php script...
anyhow, here is a tool to clean all the data for all of your users:Copy fixit.pl and clean4.php to a directory. IE: /home/yourusername
Change username "changeme" in fixit.pl to the username where clean4.php is located
execute fixit.pl: IE: perl fixit.pl. If you want to test this on one user uncomment the die statement. When you are ready to do the entire server comment the die statement.
fixit.pl (perl script) Author: Robert Saylor
#!/usr/bin/perl$config{'basepath'} .....
i've got a couple of vps accounts and one got hacked today, i received a domain creation email for a domain i didn't create, password was "hackedonlyhost" and contact was not my email but someone elses. Root password was changed etc etc, but i managed to get control of the vps again.
Why am i posting this in the ded forum? because the email in the account setup was for a hosting company. I traced the ip to LT. I've found this guy on a couple of hacker forums (arabic, he's in egypt) also using his email at his hosting company.
So, whilst he may not be breaking LT rules at all do i bother contacting them to say they are providing services to hacker?
There Is Some Way That Hacker use a .htaccess file to change the php Version On The Server To use the Exploit
Look I Run A php Shell From My Server
[url]
You Can See From The picture that my php version is 5.2.6
then I Have upload the .htaccess To My server
the Version has been changed
look to other picture
[url]
You Can see The .htaccess file
And This Way Only Work If I have More Than one php Version on my server
How Can I Secure My server From This Way
I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged with root. I thought it was a guy that helps with tech things but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't came back yet.
Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files but I assumed with shell functions disabled (except exec) and with open basedir this wouldn't be possible. Is there a hole in cpanel / PHP / kernel recently I may have missed?
My server is generating a lot of this logs and taking too much RAM of my server in the SQL process
How can I block an IP adress ?
Log Description:
Login failed for user 'sa'. [CLIENT: 199.227.13.134]
For more information, see Help and Support Center at [url]
I was checking my business server's IIS errors logs when I ran across the following error:
2007-05-19 08:21:10 00.000.000.00 2243 00.000.000.000 80 HTTP/1.1 GET
/w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
Additional information about the those responsible for the hack attempts are as follows
(retrieved from domaintools.com):
CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27
Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo; and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP, however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hours drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.
Has anyone here had any similar experiences?
What do you think AT&T Yahoo's response will be?
Is there anything else I can do or should not do?
I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.
I want to ask about some tips to prevent my blog from hacker attack. My friends experience this and i dont want this happen to me. Is web hosting technical support can fix my host server if hacker break it out?
View 10 Replies View RelatedSometime ago the DC told me there was too many files on server and I started to investigate what is was and i got info that some one hacked the server and was sending spam from it.
When I looked at the accounts in Direct Admin some of them had the contact email to some hacker so i deleted the emails and changed password on the DA account and the email of those accounts.
Still I got too many files all the time so the server goes down so i have to delete the spoolfile all the time like 10 times a day
Please help how do I detect from what account do the hacker operate?
Can I detect that somehow?
Is it possible to do some small script to detect this?
Is there any advanced module to DA that gives me the info?
I have a client that is certain someone is trying to hack her web-portal. I need to set up something that will alert me on suspicious activity on the server. For example someone fiddling with requests trying to make SQL / shell .. injection and similar threats.
Does any tool (for example bash script with grep) exist that would parse the raw apache logs and report if something is suspicious. Apache logs don't show the POST data so I am talking to admin to setup dump_io apache mod that enables this.
Or am I going into wrong direction here and there is whole another way to do this? I searched the web and forums for anything like this and didn't find anything.
I'm having a problem with a hacker...using insecure scripts on my user's accounts he changes Cpanel passwords. I do not understand how a script running as user nobody would change a Cpanel password. Any ideas on that ?
I am using mod security (rules from gotroot.com), register_globals are disabled. I also disabled the password reset feature as I thought the hacker may be resetting the passwords and then reading the new password from the email account on the server using the insecure script.
Unfortunately this guy simply doesn't stop...he seems to have a reverse DNS list or something. He is only attacking accounts on one specific server of mine but I am pretty sure he doesn't have root access.
It seems like someone has hacked into my server, and all of the pages for one of my domains are showing errors.
Each page on my site is showing a PHP inclusion error, each file on my site is trying to include an unknown file /tmp/blah.php for example which doesn't exist on my site, therefore creating errors and not showing my site.
I checked my site in ftp, it isn't in the code. So it is definitely in a server file somewhere.
What could be doing this? Its for a single domain only, I've created the file it is trying to include as a temporary fix, I have checked php.ini and there seems no reference to the included file there.
I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts. I have contacted Innohosting and hopefully will get an explanation soon.
But as this is very serious, I want to put it out on this forum also.
At first I thought they must have cracked my FTP access, but they have got into several sites on both reseller accounts so they must have gained access to the server itself, I suspect.
how to stop these lowlifes striking
I just have someone uploading file via php on a website, i need a way to block that kind of attack via mod security?
can add in mod security to avoid this?
89.146.147.144 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:23 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/&newdir=bh HTTP/1.1" 200 154634 [url]
x=************.***??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:32 -0600] "GET /XXXX/index.php?x=************.***?&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/ HTTP/1.1" 200 7444 [url
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:41 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/&newdir=************.*** HTTP/1.1" 200 8422 [url]
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
my VPS hosted by Strato was hacked and seems to be part of a botnet now. Until now I thought that the automatic backups of the provider would be enough and I did no separate backups using pleskbackup. Unfortunately the hacker attack was earlier than my oldest backup.
Now I want to move the complete server content including the configuration of approx. 10 domains to a new one. Therefore I want to make a backup of the plesk 9.5 server using pleskbackup to import it on the new server running plesk 12.I can access the old server in recovery mode only, which means, that a recovery system runs with the content of the old server mounted under /repair. Is there a possibility to tell pleskbackup, that the content to backup is mounted under /repair? Otherwise it seems, that I have to move the content manually...(I tried starting the old server in normal mode, but it immediately starts doing evil things, so this doesn't seem a good option...)
we have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?
[url]
What is the best option in the php setting does keeping the php function safe mode on or off?
View 12 Replies View Relatedi need to enable php safe mode on for my joomla and i came across this
Quote:
When the php safe mode is turned off globally by default at our server end, you can still override the setting to turn it ON for only your domain by just insert the following line inside the ".htaccess" file (at Linux server):
Code:
php_value safe_mode "1"
my joomla .htaccess file:
Quote:
##
# @version $Id: htaccess.txt 10492 2008-07-02 06:38:28Z ircmaxell $
# @package Joomla
# @copyright Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################
## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
#
# mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
My /tmp on my cPanel hosting server is nearly full, and I was wondering if it is safe to remove all the contents in /tmp, if not, what can I delete to clear up the space?
View 6 Replies View RelatedMost of my files are 755 as permission. Is this safe?
How about putting all files under 644 permission? What is the best permission so that all files are safe from intrusion?