In the referral logs that I keep on a website, I have come across the following this morning. Is this someone who is trying to gain access to the server, etc.?
[url] [url] [url] [url] [url]
I have the IP addresses that they have come from, and they resolve to a Russian (I think) website.
I'm just looking through all the folders on the server now and no data has been compromised as far as I can see. I'm going to use the query strings in order to block access and also deny access via IP address.
I see the following errors in my server, i.e. httpd error logs:
Code:
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 79.132.204.192) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Mon Mar 30 07:23:55 2009] [error] mod_ssl: SSL handshake failed (server localhost:443, client 60.63.241.18) (OpenSSL library error follows)
[Mon Mar 30 07:23:55 2009] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]
[Mon Mar 30 07:23:56 2009] [error] [client 114.224.169.0] File does not exist: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bFT/SX00/VtJVht/D1XvJBgHP/5lll.gif
[Mon Mar 30 08:46:42 2009] [error] server reached MaxClients setting, consider raising the MaxClients setting
In the last line you can see that MySQL reached the maximum allowed clients... and it crashed.
Also, at regular intervals I see such requests: /var/www/html/XRkVCfvCJ/GzTk/ChDbhf/-YSDDv/1Sch/2hfMMf/-M0DO/ACDEzXMEM/CYSkGFj/SGXtEUX0W/0KMV/RKJ2fTUDC/bF/SX00/VtJVht/D1XvJBgHP/5lll.gif
Also I see SSL handshake failure notices, while I do not have any SSL cert or SSL-enabled site on this server.
I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.
Does this belong to anyone??? Nslookup/dig reveals nothing.
This is my /var/log/messages:
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
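The sshd excerpt above is the classic shape of a password-guessing run: several "Failed password for root" lines from one address within a few seconds (the "reverse mapping ... POSSIBLE BREAK-IN ATTEMPT" lines only mean the source's reverse DNS did not match, so they are not separate attack events). The script below is an added example, not code from the post: it parses lines in that syslog format, flags any source that produces a burst of failures, and renders block rules. The thresholds (5 failures within 60 seconds), the two extra sample lines (198.51.100.7, 192.0.2.10) and the allow-list are constructed assumptions.

```python
"""Count failed sshd password attempts per source IP and flag bursts.

Added example for the /var/log/messages excerpt above; it is not code from
the post. Thresholds (5 failures in 60 s) and the extra sample lines
(198.51.100.7, 192.0.2.10) are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same syslog format as the post (syslog timestamps
# carry no year, so the caller supplies one).
SAMPLE_LOG = """\
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:30:02 ginger sshd[11600]: Failed password for invalid user admin from 198.51.100.7 port 50012 ssh2
Mar 19 19:31:10 ginger sshd[11602]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
"""

# Only "Failed password" lines count; the reverse-mapping notices are a
# reverse-DNS mismatch, not an attack event, so they are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2009):
    """Yield (timestamp, user, ip) for every failed password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(text, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, [users tried])} for every IP that produced
    at least `threshold` failures inside some `window_seconds` window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the window fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged


def block_commands(flagged, allow=("192.0.2.10",)):
    """Render iptables DROP rules for flagged IPs, skipping an allow-list so
    the admin's own address can never be locked out (allow-list is assumed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(flagged) if ip not in allow]


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    for ip, (n, users) in hits.items():
        print(f"{ip}: {n} failures, users tried: {', '.join(users)}")
    print("\n".join(block_commands(hits)))
```

Run it against a real /var/log/messages (or /var/log/secure on CentOS-style systems) by reading the file into `brute_force_sources`; review the rendered rules before applying them, and keep your own management addresses on the allow-list.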
I have started seeing the following error in the Event Viewer every day:
"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."
The IP address is different every time. It is not an internal IP address or any I recognize; it is from the outside. I have read about this on the Microsoft site, but it only mentioned how it might be an internal service/application attempting the access. This is not my case, since I am seeing remote IP addresses. Can anyone help me dig deeper into this? How can I find out more about what's going on?
Usually I just block offending machines that try to get into our systems and move on, but for the last 2 days I have started notifying the contacts in the ARIN info for offending IPs. I guess I am trying to do my part to make the internet a better place?
A new client has just opened an account and the first thing he's installed is a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them they're rootkits of some sort. Am I correct in thinking this?
The account has been suspended for the time being.
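Files like the ones named in the post are the kind of thing a simple indicator scan over a web root can surface before a client's "few scripts" become everyone's problem. The scanner below is an added example, not code from the post: it walks a directory, scores PHP files against a short list of traits common to that family of shells (a known name string, `eval()` of a decoded blob, `system()` fed straight from the request, a request value called as a function), and reports anything over a threshold. The indicator list, weights and the constructed sample files are assumptions; a hit is a lead to inspect by hand, not proof, and an obfuscated loader can evade a plain string scan.

```python
"""Scan a web root for PHP files carrying web-shell indicators.

Added example, not code from the post. The indicator list is an assumption
built from traits commonly seen in r57/c99-style shells; a hit is a lead to
inspect, not proof of compromise.
"""
import os
import re
import tempfile

# (pattern, label, weight); weights are arbitrary, tune them for your hosts.
INDICATORS = [
    (re.compile(r"r57shell|c99shell|c99sh_|r57_", re.I), "known shell name", 5),
    (re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of decoded payload", 4),
    (re.compile(r"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
     "command execution on request input", 4),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
     "request value called as a function", 4),
    (re.compile(r"\b(?:proc_open|popen|shell_exec|passthru)\s*\(", re.I), "shell spawn", 2),
    (re.compile(r"\bmove_uploaded_file\s*\(", re.I), "file upload handler", 1),
]


def score_source(src):
    """Return (score, [labels]) for one file's contents."""
    score, hits = 0, []
    for rx, label, weight in INDICATORS:
        if rx.search(src):
            score += weight
            hits.append(label)
    return score, hits


def scan_tree(root, threshold=4, exts=(".php", ".phtml", ".php5", ".inc")):
    """Walk `root`; return {relative_path: (score, labels)} for files scoring
    at or above `threshold`. Unreadable files are skipped, not fatal."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            score, hits = score_source(src)
            if score >= threshold:
                findings[os.path.relpath(path, root)] = (score, hits)
    return findings


def build_demo_tree():
    """Constructed web root: one benign page and two shell-like files."""
    root = tempfile.mkdtemp(prefix="shellscan_")
    os.makedirs(os.path.join(root, "uploads"))
    samples = {
        "index.php": "<?php echo 'hello, world'; ?>\n",
        "uploads/r57.php": "<?php /* r57shell v1.0 */ eval(base64_decode('ZWNobyAxOw==')); ?>\n",
        "uploads/img.php": "<?php system($_GET['cmd']); ?>\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, (score, labels) in sorted(scan_tree(build_demo_tree()).items()):
        print(f"{score:2d}  {path}: {', '.join(labels)}")
```

Point `scan_tree` at /home or the server's document roots and review the high scorers first; legitimate upload handlers and admin tools will score low, which is why the threshold sits above the single-indicator weights.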
I did all of that, and when I restarted httpd it said:
[root@host www]# service httpd restart
Syntax error on line 51 of /usr/local/apache/conf/httpd.conf:
Invalid command 'Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch', perhaps misspelled or defined by a module not included in the server configuration
So you all know my problem now! And I think a lot of you have the same problem, so I wish we would all try to find a solution for this and know the best way to protect pel on the server.
I have not been able to log in to my cPanel from my desktop, which runs WinXP Service Pack 3. Both Firefox and Internet Explorer return the following error message:
Login Attempt Failed!
Also, I am unable to connect using Filezilla Client.
However, I am able to connect to the same cPanel from my colleague's desktop, which runs WinXP Service Pack 3, using Firefox or IE. We both share the same internet modem.
- I have cleared all the cookies and private data on my desktop. Still the problem persists.
- I changed to a different user on my desktop, but still could not log in.
- I changed my desktop IP address, but still I could not log in.
I use DSLinux from within Innotek VirtualBox, and I was able to log in to the same cPanel with the same details that were rejected under WinXP.
Could anyone with a solution please advise me on what to do. Thanks in advance.
It is not convenient going to my colleague's desk to access my cPanel.
Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser ] - Suspicious directory
The 'someuser' is a legitimate user on the server, an auto body website set up last October.
The content of the directory:
Quote:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser  361 May 16 17:54 MyConfig.pm
I had an untapped image upload site on my server which I forgot about. Some guys or children uploaded something noxious and neutralized all the index.php files. This was a hack attempt with SSH.
We noticed that, closed this account and deleted the uploaded files. But there is a quirky problem: none of the index.php files work after this attempt. The index file works after changing its name, for example "mindex.php".
We updated all the services and rebuilt Apache, but it doesn't work. We can't use any index.php on the server.
Additionally, 34 possible trojans appear on the server. I tried to delete them with BitDefender but couldn't. (I checked that with WHM / Scan for Trojan Horses.)
One of my clients seems to be attracting unwanted attention; it seems as if bots or something along those lines are attempting to exploit my box, though they are unsuccessful, it would seem. I was wondering if there was a rule I could put in mod_security that would ban them for attempting to
GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"
A site I manage for a client is being hacked every couple of days. It's not the actual site but the host's server that's getting attacked, all sites on that server, well actually all their servers.
They have made no attempt to sort this problem; I report it, they look at the site and say "site loads fine for us", which it does.
All index files are having a base64-encoded line written after the <body> tag; this adds hundreds of spam links which are hidden with display:none. They also add .html to the application types in .htaccess so PHP runs in these files too.
Problem is, I am moving the site to another host but cannot change the nameservers to the new host's until the client returns from holiday, so I must keep the site up on the insecure host for now.
I am removing the spam code almost daily. Is there any way I can stop this attack happening for the time being, as the host does nothing?
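Because the cleanup in the post is being repeated by hand, it is worth scripting the two checks it describes: the `eval(base64_decode(...))` stub dropped right after `<body>`, and the `.htaccess` handler line that makes Apache run `.html` files through PHP (which is what lets the stub execute inside a static page). The code below is an added example, not from the post or the host. The sample page, payload and `.htaccess` are constructed to match the description; the regexes assume the stub is a single `eval(base64_decode('...'))` statement and that hidden `<div>`s are not nested, so treat the output as a report to check, and keep a copy of each file before overwriting it.

```python
"""Detect and strip the injection the post describes: a base64/eval PHP stub
written straight after <body> that emits hidden spam links, plus the
.htaccess change that makes Apache run .html files through PHP.

Added example, not code from the post. The sample page, payload and
.htaccess are constructed; the regexes assume a single eval(base64_decode())
stub and non-nested hidden <div>s.
"""
import base64
import re

INJECT_RE = re.compile(
    r"(<body[^>]*>)\s*"
    r"(<\?php\s+eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?\s*\?>)",
    re.IGNORECASE,
)
# One hidden <div> at a time; nested divs would need a real HTML parser.
HIDDEN_RE = re.compile(r"<div[^>]*display\s*:\s*none[^>]*>.*?</div>", re.IGNORECASE | re.DOTALL)
# AddType/AddHandler lines that hand extensions to the PHP handler.
HANDLER_RE = re.compile(
    r"^\s*(?:AddType|AddHandler)\s+(?:application/x-httpd-php\S*|php\S*-script)\s+(.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def clean_index(html):
    """Return (cleaned_html, findings). findings holds what was removed:
    ('injected_php', decoded payload) and ('hidden_div', link_count)."""
    findings = []

    def strip_stub(m):
        payload = base64.b64decode(m.group(3)).decode("utf-8", "replace")
        findings.append(("injected_php", payload))
        return m.group(1)  # keep the original <body ...> tag intact

    def strip_hidden(m):
        findings.append(("hidden_div", len(re.findall(r"href=", m.group(0), re.I))))
        return ""

    cleaned = INJECT_RE.sub(strip_stub, html)
    cleaned = HIDDEN_RE.sub(strip_hidden, cleaned)
    return cleaned, findings


def html_mapped_to_php(htaccess):
    """Return the .html/.htm extensions that .htaccess hands to the PHP handler."""
    exts = []
    for m in HANDLER_RE.finditer(htaccess):
        exts.extend(m.group(1).split())
    return [e for e in exts if e.lower() in (".html", ".htm")]


# Constructed sample: the stub would echo a hidden div of spam links at run time,
# and a second hidden div was written statically.
_PAYLOAD = (b"echo '<div style=\"display:none\"><a href=\"http://example.invalid/a\">x</a>"
            b"<a href=\"http://example.invalid/b\">y</a></div>';")
SAMPLE_INDEX = (
    "<html><head><title>site</title></head>\n"
    "<body class=\"home\">\n"
    "<?php eval(base64_decode('" + base64.b64encode(_PAYLOAD).decode() + "')); ?>\n"
    "<div style=\"display:none\"><a href=\"http://example.invalid/c\">z</a></div>\n"
    "<h1>Welcome</h1>\n</body></html>\n"
)
SAMPLE_HTACCESS = "AddType application/x-httpd-php .php .html\nDirectoryIndex index.php\n"

if __name__ == "__main__":
    cleaned, found = clean_index(SAMPLE_INDEX)
    for kind, detail in found:
        print(kind, "->", detail)
    print("html handed to PHP via:", html_mapped_to_php(SAMPLE_HTACCESS))
    print(cleaned)
```

Decoding the payload matters: it tells you what the stub actually did (link spam in the post's case, but the same loader is used to drop shells), and the `.htaccess` check explains why the stub runs at all inside `.html` files.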
As we all know, there has been a HyperVM exploit which may have taken down FSCKVPS, and other hosts have been having attacks. If possible, install any program that will warn you of a connection to your server and/or provide input on what it may or may not be.
I myself just had a blank PHP-format file uploaded to a client's VPS, and it tried accessing other VPS servers. As far as I know the IP was rapidly changing and untraceable (this may or may not be from the exploit). If anyone else is having HyperVM attacks or server attacks, please post here, so that instead of working within our own companies we are working as a group of over 10 thousand+ WHT members to solve this issue ourselves.
I have a server and these days my server is being hacked by a hacker. The problem is chmod 777: there are many dirs with chmod 777, and the hacker is uploading files and creating folders under the folders which were created with chmod 777. Now I just want to know how I can block the hacker, and is there any way to allow the scripts which are on my server and not allow any other scripts to upload files to my server?
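The first step for the situation in the post is an inventory: which directories under the web root are world-writable, which of those already contain script files (the uploaded-shell pattern), and what the permission change would be. The script below is an added example, not from the post. The sample tree is constructed; the target mode of 0755 and the choice to leave sticky-bit directories (such as a proper /tmp) alone are assumptions you should adapt to what the application's upload code actually needs, which is usually a directory owned by the web server user rather than one writable by everybody.

```python
"""Find world-writable directories under a web root and plan the permission
fix the post is asking about.

Added example, not code from the post. The sample tree is constructed; the
target mode (0o755) and skipping sticky-bit dirs are assumptions.
"""
import os
import stat
import tempfile


def world_writable_dirs(root):
    """Relative paths of dirs writable by 'other' and lacking the sticky bit."""
    found = []
    for dirpath, _, _ in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def scripts_in(root, rel_dirs, exts=(".php", ".pl", ".cgi", ".sh")):
    """Script files sitting directly in the flagged dirs: a 777 upload dir that
    also holds executable scripts is the pattern the post describes."""
    hits = []
    for rel in rel_dirs:
        for name in os.listdir(os.path.join(root, rel)):
            if name.lower().endswith(exts):
                hits.append(os.path.join(rel, name))
    return sorted(hits)


def plan_fix(root, rel_dirs, new_mode=0o755, apply=False):
    """Return (rel_path, old_mode, new_mode) per dir; apply=True performs chmod."""
    changes = []
    for rel in rel_dirs:
        path = os.path.join(root, rel)
        old = stat.S_IMODE(os.lstat(path).st_mode)
        changes.append((rel, old, new_mode))
        if apply:
            os.chmod(path, new_mode)
    return changes


def build_demo_tree():
    """Constructed tree: uploads/ is 0777 and holds a dropped script;
    images/ is 0755; tmp/ is 1777 (sticky) and therefore left alone."""
    root = tempfile.mkdtemp(prefix="perm_")
    for rel, mode in (("uploads", 0o777), ("images", 0o755), ("tmp", 0o1777)):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod after mkdir so the umask cannot interfere
    with open(os.path.join(root, "uploads", "x.php"), "w") as fh:
        fh.write("<?php ?>")
    with open(os.path.join(root, "uploads", "pic.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    bad = world_writable_dirs(root)
    print("world-writable:", bad)
    print("scripts inside:", scripts_in(root, bad))
    for rel, old, new in plan_fix(root, bad):
        print(f"chmod {new:o} {rel}  (was {old:o})")
```

Run `plan_fix` without `apply` first and confirm each directory with the site owner; if an upload directory genuinely must accept files, give ownership to the web server user and remove the world-writable bit rather than keeping 777, and make sure the web server is not configured to execute scripts from it.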
A lot of vB forums are hacked every day. In fact, the hackers couldn't hack databases or files;
they only edit one template in a style, like header or forumhome, so uploading the style again resolves the problem. But how can I disallow them from editing templates?
I keep reading all these devastating posts about people's machines being compromised. Are most of these hacks due to weak passwords of administrators or clients which end up getting bruted, or are there known exploits for cpanel/plesk/apache etc? I am setting up an apache-only server with a really secure password, but I am wondering if it could still be breached using an exploit.
I keep seeing sa login failures in the Event Viewer application log for MS SQL 2005. I'm tired of blocking off the failed attempts' IPs. A huge portion of them seem to come from China and Eastern Europe. Should I just block off those regions? Is there a better way of securing SQL 2005?
Currently having a problem with ProFTPD on my CentOS Plesk 8.1 server.
During large uploads, let's say around 10 MB, the FTP connection fails within 5 minutes or so, saying:
"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."
I have asked for help from my server provider but they have tried and are now unable to help.
I currently have the APF firewall on my server.
Has anyone experienced this?
Below is the APF config file that I currently have & the ProFTPD config files that I have; if anyone can help it would be really, really appreciated.
APF CONFIG:
Code:
#!/bin/sh
#
# APF 0.9.6 [apf@r-fx.org]
#
# NOTE: This file should be edited with word/line wrapping off,
#       if your using pico please start it with the -w switch
#       (e.g: pico -w filename)
#

##
# [Devel Mode]
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this mode off (0) when firewall determined to be operating as desired.
##

# The installation path of APF; this can be changed but it has not
# been tested what would happen.
INSTALL_PATH="/etc/apf"

# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
# NOTE: The interfacing structure is being worked towards support of MASQ/NAT
IFACE_IN="eth0"
IFACE_OUT="eth0"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma seperated list.
IFACE_TRUSTED=""

# Enable virtual network subsystem; creats independent policy ruleset for each
# ip on a system (pulls data from 'ip addr list') to /etc/apf/vnet/ip.rules
# Template is located in the vnet/ folder for rule files. This feature can
# reduce apf start/stop performance and is not recommend for systems with more
# than 255 (/24) ip's. [0 = Disabled / 1 = Enabled]
SET_VNET="0"

# Support Monolithic kernel builds [no LKM's]. This mode of operation is
# not really supported and you use at your own risk.
SET_MONOKERN="0"

# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this source MAC address will be
# rejected as untrusted traffic. It is quite trivial to forge a MAC address and as
# such this feature executes NO default accept policy against this MAC address.
VF_LGATE=""

# Verifies that the IF and IFACE_TRUSTED interfaces are actually routed (/sbin/route)
# to something. If not then chances are APF will not start properly if at all.
VF_ROUTE="1"

# Verifies that crond service is running when DEVEL_MODE=1; if not then APF will not
# try to load as if lock-up occures no cron service to flush firewall
VF_CROND="1"

# Verifies that the current system uptime is greater than this value before APF
# can activate. This is to prevent on-boot lockup issues or delays due to excessive
# amount of firewall rules. Value is in seconds; should you wish to disable this
# feature, simply set VF_UTIME to 0 value. !! NOTE: APF WILL NOT START ON IT's OWN;
# IT WILL EXIT WITH FATAL ERROR BELOW SET UPTIME !!
VF_UTIME="0"

##
# [Packet Filtering/Handling]
##

# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"

# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"

# How to handle all other packet filtering? (icmp,arp,igmp)
#
# DROP (drop the packet)
# REJECT (reject the packet)
DSTOP="DROP"

# The sanity options control the way packets are scrutinized as
# they flow through the firewall. The main PKT_SANITY option is a
# top level toggle for all SANITY options and provides general
# packet flag sanity as a pre-scrub for the other sanity options
PKT_SANITY="1"

# Block any packets that do not conform as VALID; this feature
# is safe for most but some may experience protocol issues with
# broken remote clients
PKT_SANITY_INV="0"
Just an FYI - we have been monitoring some attempts from Europe. Here is a file that they were trying to include using a hole in PHPCoin's URL handler:
[URL removed] stringa.txt
The attempt was coming from linux.htd-information.dk
I had written a program in early 2006 for a site in PHP/MySQL. At the time of writing the code, the code was not so standard, and it contained uninitialized variables used for include file paths (even though values are assigned to them before use), and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.
And now I have been informed that the insecure code in my program caused the server to crash and I have to pay the penalty for it. Can anyone let me know whether the code below / keeping the session variables within a folder inside /www/ will make the sites hosted on the server where this program runs stop/crash for ever?
------------------------------------------------------------------
function update_region($id,$regname,$regcom) {
    // $regname and $regcom are concatenated unescaped, and $id is neither
    // quoted nor cast: this is the unescaped-parameter query the post asks about.
    $query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."', region_comments = '". $regcom."' WHERE region_id =" .$id;
    mysql_query($query);
}
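To see concretely what the unescaped parameters in `update_region()` allow, the block below rebuilds the same query construction and runs it against a small table, beside a parameterised version. It is an added example, not the post's code: the PHP/MySQL original is mirrored in Python with the standard `sqlite3` module (an assumption, so it runs stand-alone with no MySQL server), and the table and rows are constructed. Two things are shown: a single legitimate apostrophe in a value (an O'Brien-style name) makes the concatenated query fail with a syntax error, and a crafted comment value rewrites the `WHERE` clause so every row is updated. Whether a failing query "crashes the server" is a separate question from whether the code is exploitable; the second point is the one that matters.

```python
"""The post's update_region() rebuilt over sqlite3 to show what unescaped
parameters allow, beside a parameterised version.

Added example, not the post's code: the PHP/MySQL original is mirrored with
Python's sqlite3 module (an assumption so it runs stand-alone); the table and
rows are constructed.
"""
import sqlite3


def setup():
    """In-memory table shaped like the post's taxregion_mast."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxregion_mast ("
                 "region_id INTEGER PRIMARY KEY, taxregion_name TEXT, region_comments TEXT)")
    conn.executemany("INSERT INTO taxregion_mast VALUES (?, ?, ?)",
                     [(1, "North", "ok"), (2, "South", "ok")])
    return conn


def update_region_unsafe(conn, region_id, regname, regcom):
    """Same construction as the PHP: values glued into the SQL text."""
    query = ("UPDATE taxregion_mast SET taxregion_name = '" + regname
             + "', region_comments = '" + regcom
             + "' WHERE region_id =" + str(region_id))
    conn.execute(query)  # raises sqlite3.OperationalError on a stray quote
    return query


def update_region_safe(conn, region_id, regname, regcom):
    """Placeholders: the driver passes values separately from the SQL text,
    so quotes and comment markers in the input are data, never SQL."""
    conn.execute("UPDATE taxregion_mast SET taxregion_name = ?, region_comments = ? "
                 "WHERE region_id = ?", (regname, regcom, int(region_id)))


def names(conn):
    """{region_id: taxregion_name} for every row."""
    return dict(conn.execute(
        "SELECT region_id, taxregion_name FROM taxregion_mast ORDER BY region_id"))


def apostrophe_breaks_unsafe():
    """A legitimate O'Brien-style value is enough to make the unsafe query fail."""
    conn = setup()
    try:
        update_region_unsafe(conn, 1, "O'Brien", "ok")
    except sqlite3.OperationalError:
        return True
    return False


# Closes the string, substitutes WHERE 1=1, and comments out the real WHERE.
INJECTED_COMMENT = "x' WHERE 1=1 --"

if __name__ == "__main__":
    conn = setup()
    print(update_region_unsafe(conn, 1, "Pwned", INJECTED_COMMENT))
    print("unsafe:", names(conn))   # every row renamed
    conn = setup()
    update_region_safe(conn, 1, "Pwned", INJECTED_COMMENT)
    print("safe:  ", names(conn))   # only region 1 renamed
    print("apostrophe breaks unsafe query:", apostrophe_breaks_unsafe())
```

The PHP equivalent of `update_region_safe` is a prepared statement (mysqli or PDO with bound parameters) rather than string concatenation; escaping functions are a weaker second choice because they are easy to forget on one parameter, as `$id` shows.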
Is security really that critical? If so, why are some of the largest software companies providing such a bad example for the rest of the industry? Why would someone want to target my website? Why is security often overlooked?
These are all common questions that arise on a daily basis within the online industry.
The rest of this article will provide some detailed answers, along with practical examples and true scenarios.
I've spoken with numerous hackers over the past short while. I can't count the number of times I've heard the line "Ignorant site owners deserve to be hacked". In my opinion, that's like claiming that cars without alarms deserve to be stolen, or homes without alarm systems deserve to be burglarized. It's not just wrong - it's illegal.
Security risks and vulnerabilities affect the entire online industry. When a single website is hacked, there are usually multiple other victims. This is most commonly seen with widely distributed software. A potential attacker has the ability to install the software on a test environment, locate the vulnerabilities, then attack random victims even before anyone else is aware of the potential exploits. Once a vulnerability is located, the attacker simply needs to search for other environments using the same software, and within minutes there are hundreds, often thousands of potential victims.
Typically, in the race to market, software providers are encouraged to release their products as soon as the applications are usable. Critical development procedures are often overlooked or intentionally bypassed. One such miss is an application vulnerability assessment. Although the product may be usable, the effects of a vulnerable application could be severe.
Sadly, nobody is "off limits" when it comes to hacking. Most hackers feel safe committing online crime, since the online industry has evolved much faster than the security industry. Many applications are not created with the intent to recognize hacking attempts. Some hackers view their actions as a competition - Who can attack the most valuable website? Who can exploit the most user databases? In many cases, these attacks are bragged about within the hacker's immediate network. The competitive nature of these hacking groups has become so severe, there have been reports of attacks between competing organizations.
You might ask, "If I use industry standards, won't my environment be secure?". The short answer: no, but it helps. Hackers are not restricted by industry standards. Most security companies only implement new standards once at least one victim is reported. This often gives hackers plenty of time to locate other vulnerable environments, and before long, the number of victims can increase rapidly. Hackers are some of the most innovative individuals within the online industry. The most logical way to combat them is to use similar methodology for security purposes.
Our VPS is being hit several times a day with hacking attempts. We have been actively monitoring error logs and can see the failed attempts. I was just wondering if there is a better way to track such attempts, or another system log that would provide additional info on these attacks, or maybe some 3rd-party logging scripts?
Apparently a mod_deflate patch has been available for Apache 1.3.37 for some time, but since I rely on cPanel as a huge time/knowledge saver, I'd like to hack it into buildapache/easyapache so it's an option just as easy as mod_gzip is (with a simple checkbox).
After poking around I learned that all the magic happens in /home/cpapachebuild/buildapache. I've studied how mod_gzip is activated/installed, but some steps are beyond me.
mod_deflate for 1.3.37 is here: [url]. The critical files inside are of course mod_deflate.patch and mod_deflate.c.
So I assume I stick those files into a directory under buildapache, but where do I hack in the patch and build steps?
One of my customers' domains has its index page hacked with pharmacy-kind URLs all over the homepage. Does anyone have an idea about this? You can see the URL at [url]