How To Prevent Hacker Enter My Host

Jul 13, 2009

I want to ask about some tips to prevent my blog from hacker attack. My friends experience this and i dont want this happen to me. Is web hosting technical support can fix my host server if hacker break it out?

View 10 Replies


Hacker Safe Host

Mar 25, 2008

As with many sites. my site was hacked recently. my host was so negative about this. they didn't notice the hack attempt although it took the hacker 9 hours to break through.

after that I made some search on my host to find that it is not a real host at all. they are just resellers to another company. I was very disappointed, Then I decided to go to a better host who can protect me from hackers.

I read some threads about 'hacker safe host' but they all in general don't give a real name of trusted 'anti-hackers' companies.

can you guide me to some of the famous hosts?

if you can't my friends got a VPS hosted with WestHost. he offered me to move my site to his VPS. is west host trusted about hackers?

View 14 Replies View Related

Anyway To Prevent Host Company To Take Your Content

Dec 10, 2008

Is it possible to prevent the hosting company to take your source code and content?

View 11 Replies View Related

Many Visitors Cannt Enter My Site

Jul 2, 2009

many visitor cannt enter my site

and many user say that browsing my vbllieten forum very slow

and there is user can crowse my site very fast

i check blocked ip in cvs and there is nothing

View 9 Replies View Related

Website Hacked, But Not Sure About The Enter Server

Feb 19, 2007

my server was hacked by Cold he/she inserted a couple of scripts that enabled remote access into a 777 permission folder.

i found the following script names:
gcc-cold <- shell script

i have deleted all the above files, and changed the folder chmod to 755

but the weird thing is, through shell, when i try to locate the file gcc-cold i get this:


root@ [/tmp]# locate gcc-cold
root@ [/tmp]# rm /home/ns5f6/public_html/uploads/gcc-cold
rm: cannot lstat `/home/ns5f6/public_html/uploads/gcc-cold': No such file or directory

isn't locate NOT supposed to find that file after its been deleted? and if it was not deleted some how, isn't it supposed to delete it? am i missing something here??????

from a bit of researching the files, i found that it was a telnet script, BUT i have telnet disabled, and there's no process running along side GREP TELNET

how can i find malicious software or shell scripts that allow such hacking activities on the server?

View 6 Replies View Related

Monitor 11 Servers In One Enter Face !!

Apr 22, 2007

I have more than 10 servers I need to monitor that servers in one enter face like program our script our any thing

I need to monitor the load & traffic & enter to SSH its can be?

View 6 Replies View Related

Plesk 12.x / Linux :: How To Enter Range Of IPs To Block

May 25, 2015

I am trying to block this whole range of IPs, all that begin with 66.249. How is is that done?

View 1 Replies View Related

Plesk 12.x / Linux :: Leave Default Value Or Should Enter Domain

Feb 9, 2015

I've just purchased a VPS with Ubuntu 14.04 and Plesk 12 Web Admin Edition. I will use the vps to host just one domain/website. The first time I access Plesk, it asks for some info and first of all it asks form my domain. The default value is localhost.localdomain. Should I leave the default value or should I enter my domain (let's say

View 4 Replies View Related

Softlayer - Hacker Fix

Nov 13, 2008

For those who are still under the softlayer hacker abuse please note you will need to re-load your server. We got hit a 2nd time after thinking everything was clean. Anyhow, for those who got hit again, my team and another from WHT - forgot who made the original clean.php script...

anyhow, here is a tool to clean all the data for all of your users:Copy and clean4.php to a directory. IE: /home/yourusername

Change username "changeme" in to the username where clean4.php is located
execute IE: perl If you want to test this on one user uncomment the die statement. When you are ready to do the entire server comment the die statement. (perl script) Author: Robert Saylor

#!/usr/bin/perl$config{'basepath'} .....

View 0 Replies View Related

Hacker Dilema

Apr 12, 2008

i've got a couple of vps accounts and one got hacked today, i received a domain creation email for a domain i didn't create, password was "hackedonlyhost" and contact was not my email but someone elses. Root password was changed etc etc, but i managed to get control of the vps again.

Why am i posting this in the ded forum? because the email in the account setup was for a hosting company. I traced the ip to LT. I've found this guy on a couple of hacker forums (arabic, he's in egypt) also using his email at his hosting company.

So, whilst he may not be breaking LT rules at all do i bother contacting them to say they are providing services to hacker?

View 6 Replies View Related

Php Version Vs Hacker

Aug 11, 2008

There Is Some Way That Hacker use a .htaccess file to change the php Version On The Server To use the Exploit
Look I Run A php Shell From My Server
You Can See From The picture that my php version is 5.2.6
then I Have upload the .htaccess To My server
the Version has been changed
look to other picture
You Can see The .htaccess file
And This Way Only Work If I have More Than one php Version on my server
How Can I Secure My server From This Way

View 2 Replies View Related

Hacker Got Root Password

May 18, 2009

I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged with root. I thought it was a guy that helps with tech things but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't came back yet.

Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files but I assumed with shell functions disabled (except exec) and with open basedir this wouldn't be possible. Is there a hole in cpanel / PHP / kernel recently I may have missed?

View 14 Replies View Related

Hacker Trying To Login SQL Server

Jun 19, 2007

My server is generating a lot of this logs and taking too much RAM of my server in the SQL process

How can I block an IP adress ?

Log Description:
Login failed for user 'sa'. [CLIENT:]

For more information, see Help and Support Center at [url]

View 9 Replies View Related

Dealing With A Persistent Hacker

Aug 25, 2007

I was checking my business server's IIS errors logs when I ran across the following error:

2007-05-19 08:21:10 2243 80 HTTP/1.1 GET

/ 400 - Hostname -

Additional information about the those responsible for the hack attempts are as follows

(retrieved from

CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27

Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo; and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP, however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hours drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.

Has anyone here had any similar experiences?

What do you think AT&T Yahoo's response will be?

Is there anything else I can do or should not do?

I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.

View 8 Replies View Related

Hacked Vps, To Many Files, How To Detect Hacker

May 6, 2009

Sometime ago the DC told me there was too many files on server and I started to investigate what is was and i got info that some one hacked the server and was sending spam from it.

When I looked at the accounts in Direct Admin some of them had the contact email to some hacker so i deleted the emails and changed password on the DA account and the email of those accounts.

Still I got too many files all the time so the server goes down so i have to delete the spoolfile all the time like 10 times a day

Please help how do I detect from what account do the hacker operate?

Can I detect that somehow?

Is it possible to do some small script to detect this?

Is there any advanced module to DA that gives me the info?

View 5 Replies View Related

Hacker Detection On Apache Log Files

Jul 2, 2009

I have a client that is certain someone is trying to hack her web-portal. I need to set up something that will alert me on suspicious activity on the server. For example someone fiddling with requests trying to make SQL / shell .. injection and similar threats.

Does any tool (for example bash script with grep) exist that would parse the raw apache logs and report if something is suspicious. Apache logs don't show the POST data so I am talking to admin to setup dump_io apache mod that enables this.

Or am I going into wrong direction here and there is whole another way to do this? I searched the web and forums for anything like this and didn't find anything.

View 4 Replies View Related

How Would A Hacker Change A Cpanel Password

Jan 5, 2008

I'm having a problem with a hacker...using insecure scripts on my user's accounts he changes Cpanel passwords. I do not understand how a script running as user nobody would change a Cpanel password. Any ideas on that ?

I am using mod security (rules from, register_globals are disabled. I also disabled the password reset feature as I thought the hacker may be resetting the passwords and then reading the new password from the email account on the server using the insecure script.

Unfortunately this guy simply doesn't stop...he seems to have a reverse DNS list or something. He is only attacking accounts on one specific server of mine but I am pretty sure he doesn't have root access.

View 7 Replies View Related

Hacker :: Pages Showing Errors

May 7, 2008

It seems like someone has hacked into my server, and all of the pages for one of my domains are showing errors.

Each page on my site is showing a PHP inclusion error, each file on my site is trying to include an unknown file /tmp/blah.php for example which doesn't exist on my site, therefore creating errors and not showing my site.

I checked my site in ftp, it isn't in the code. So it is definitely in a server file somewhere.

What could be doing this? Its for a single domain only, I've created the file it is trying to include as a temporary fix, I have checked php.ini and there seems no reference to the included file there.

View 3 Replies View Related

Hacker Attack On <my Reseller Accounts>

Mar 15, 2008

I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts. I have contacted Innohosting and hopefully will get an explanation soon.

But as this is very serious, I want to put it out on this forum also.

At first I thought they must have cracked my FTP access, but they have got into several sites on both reseller accounts so they must have gained access to the server itself, I suspect.

how to stop these lowlifes striking

View 14 Replies View Related

Mod_security- Hacker Still Upload File..

Jan 18, 2007

I just have someone uploading file via php on a website, i need a way to block that kind of attack via mod security?

can add in mod security to avoid this? - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/" - - [17/Jan/2007:12:24:23 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/ HTTP/1.1" 200 154634 [url]
x=************.***??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/" - - [17/Jan/2007:12:24:32 -0600] "GET /XXXX/index.php?x=************.***?&chdir=/var/www/vhosts/ HTTP/1.1" 200 7444 [url
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/" - - [17/Jan/2007:12:24:41 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/************.*** HTTP/1.1" 200 8422 [url]
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/"

View 4 Replies View Related

Plesk 12.x / Linux :: How To Get Content From Hacker 9.5 To 12.0

Nov 1, 2014

my VPS hosted by Strato was hacked and seems to be part of a botnet now. Until now I thought that the automatic backups of the provider would be enough and I did no separate backups using pleskbackup. Unfortunately the hacker attack was earlier than my oldest backup.

Now I want to move the complete server content including the configuration of approx. 10 domains to a new one. Therefore I want to make a backup of the plesk 9.5 server using pleskbackup to import it on the new server running plesk 12.I can access the old server in recovery mode only, which means, that a recovery system runs with the content of the old server mounted under /repair. Is there a possibility to tell pleskbackup, that the content to backup is mounted under /repair? Otherwise it seems, that I have to move the content manually...(I tried starting the old server in normal mode, but it immediately starts doing evil things, so this doesn't seem a good option...)

View 4 Replies View Related

Hacker Adds Malicious Code To All Html And Php Files

Apr 30, 2009

we have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?

The problem:

On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.

Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.

On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.

We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.

What we have done to attempt to secure the server:
1) We have installed SuPhp.

2) We have ensured that all scripts on the affected websites are updated and running the latest versions.

3) We have changed all the passwords.

Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.

The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.

One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.

Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?


View 14 Replies View Related

Hacker Safe, TRUSTe, BBB And Trust Guard Seals

Jun 4, 2008

I am starting a online sotre. Someone told me to keep third party seals for good response.

Please recommend me which seals to be used
Hacker Safe, TRUSTe, BBB, and Trust Guard

I think Trust Guard seal give a multi package for all security,privacy and business verification. Shall people know it? Is it worth money?

View 0 Replies View Related

Virtuozzo Firewall :: Is It Possible To Enter Two Different Ip Address In Source Address?

Aug 4, 2008

I am using virtuozzo firewall to secure access.

I enter for Source Address and Netmask for port 22.

But still I can connect using or

Second is it possible to enter two different ip address in source address?

View 4 Replies View Related

Linux System Compromised, Hacker In As "root"

Mar 16, 2007

I've been trying to fight off a hacker's attack for the past 24 hours. Chronologically, this is how the events evolved:

- Yesterday, I tried SSH-ing into my server as usual and I got an error saying that the host's key was not recognized, which made a bit suspicious

- I tried logging into my VPS' PowerPanel, but my root password did not work, which I found disturbing. I reached out to support and they reset the password

- I ignored Putty's warning and SSH-ed into the server and was greeted by this, which I've never seen before:

Last login: Wed Mar 14 2007 14:13:35 -0500
No mail.
This made even more conscious and I started actively searching for indicators of a breach.

- The following processes were running, and I did not recognize them:

named 15756 0.0 0.4 36088 2256 ? S Mar14 0:00 /usr/sbin/named -u named -t /var/named/chroot

dmorg 26360 0.0 0.1 2264 872 pts/2 T 20:40 0:00 sh -c (cd /usr/share/man && (echo ".ll 14.2i"; echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share
dmorg 26361 0.0 0.1 2264 512 pts/2 T 20:40 0:00 sh -c (cd /usr/share/man && (echo ".ll 14.2i"; echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share
- Then I found a user called 'pma' in the /home directory, which I had never created. I could not find any suspicious files in the user's directory

- I finally spotted the point of breach in /var/log/messages:

Mar 15 15:05:25 xxxxxxxxx passwd(pam_unix)[28121]: password changed for root
Mar 15 15:06:34 xxxxxxxxx su(pam_unix)[30182]: session opened for user news by (uid=0)
Mar 15 15:07:16 xxxxxxxxx su(pam_unix)[30182]: session closed for user news
Mar 15 15:22:04 xxxxxxxxx sshd[20118]: Listener created on port 22.
Mar 15 15:22:04 xxxxxxxxx sshd[20119]: Daemon is running.
Mar 15 15:28:01 xxxxxxxxx su(pam_unix)[32568]: session opened for user pma by (uid=0)
Mar 15 15:28:45 xxxxxxxxx su(pam_unix)[32568]: session closed for user pma
Somehow they had gotten in as root and then opened sessions for news and pma.

- This morning I finally found where the hacker's files are hiding. He had created a new user overnight and a directory in there called "...". The folder contains various files:

[root@xxxxxxxxx root]# ls -al
total 445
drwxr-x--- 8 root root 1024 Mar 16 15:48 .
drwxr-xr-x 20 root root 1024 Mar 16 15:48 ..
drwxr-xr-x 2 1004 1004 1024 Dec 17 08:57 ...
-rw-r--r-- 1 root root 1126 Aug 23 1995 .Xresources
-rw------- 1 root root 14641 Mar 16 15:47 .bash_history
-rw-r--r-- 1 root root 24 Jun 10 2000 .bash_logout
-rw-r--r-- 1 root root 234 Jul 5 2001 .bash_profile
-rw-r--r-- 1 root root 176 Aug 23 1995 .bashrc
-rw-r--r-- 1 root root 210 Jun 10 2000 .cshrc
-rw------- 1 root root 38 Jul 26 2005 .mysql_history
drwx------ 2 root root 1024 Mar 15 18:01 .ssh
drwxr-xr-x 2 root root 1024 Mar 15 15:21 .ssh2
-rw-r--r-- 1 root root 196 Jul 11 2000 .tcshrc

[root@xxxxxxxxx root]# cd "..."
[root@xxxxxxxxx ...]# ls -al
total 420
drwxr-xr-x 2 1004 1004 1024 Dec 17 08:57 .
drwxr-x--- 8 root root 1024 Mar 16 15:48 ..
-rwxr-xr-x 1 1004 1004 141817 Sep 3 2001 init
-rw-r--r-- 1 1004 1004 113482 Mar 15 15:09 log
-rw------- 1 1004 1004 640 Feb 18 05:34 messages
-rw-r--r-- 1 1004 1004 664 Feb 27 01:12 muhrc
-rwxr-xr-x 1 1004 1004 165596 Nov 2 2004 pico
-rw------- 1 1004 1004 5 Mar 15 15:09 pid
[root@xxxxxxxxx ...]#
- Here's what's in the log file:

[root@xxxxxxxxx ...]# less log

[Thu 08 May 08:03:27] + ---------- NEW SESSION ----------
[Thu 08 May 08:03:27] + muh version 2.05d - starting log...
[Thu 08 May 08:03:27] + listening on port 6667.
[Thu 08 May 08:03:27] + muh's nick is 'StefanG'.
[Thu 08 May 08:03:27] + trying server '' on port 6667...
[Thu 08 May 08:03:28] + tcp-connection to '' established!
[Thu 08 May 08:03:29] + connected to ''.
[Thu 08 May 08:03:30] + caught client from ''.
[Thu 08 May 08:03:45] + authorization successful!
[Thu 08 May 08:03:45] + reintroducing channels...

[Thu 08 May 08:07:54] + ---------- NEW SESSION ----------
[Thu 08 May 08:07:54] + muh version 2.05d - starting log...
[Thu 08 May 08:07:54] + listening on port 6667.
[Thu 08 May 08:07:54] + muh's nick is 'StefanG'.
[Thu 08 May 08:07:54] + trying server '' on port 6667...
[Thu 08 May 08:07:55] + tcp-connection to '' established!
[Thu 08 May 08:08:05] + connected to ''.
[Thu 08 May 08:08:05] + caught client from ''.
[Thu 08 May 08:08:05] + authorization successful!
[Thu 08 May 08:08:05] + reintroducing channels...
There is a whole lot of these in that log file, and the timestamps look odd. I am not sure what all this is.

- This is where I am at right now. Can you guys help figure this thing out?
How did they get in? What sort of vulnerability are they using? How can I patch things up?

- Here is my server info:

[root@xxxxxxxxx ...]# uname -a
Linux 2.6.9-023stab033.9-enterprise #1 SMP Tue Dec 5 14:40:57 MSK 2006 i686 athlon i386 GNU/Linux

[root@xxxxxxxxx httpd]# vmstat 5 5
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
r b swpd free buff cache si so bi bo in cs us sy id wa
1 0 0 390688 0 0 0 0 0 0 0 8365 1 0 99 0
0 0 0 390524 0 0 0 0 0 0 0 0 0 0 100 0
0 0 0 390524 0 0 0 0 0 0 0 0 0 0 100 0
0 0 0 390528 0 0 0 0 0 0 0 0 0 0 100 0
0 0 0 390528 0 0 0 0 0 0 0 0 0 0 100 0

- I have Apache & MySQL & PHP running. I host 3 websites. They run Simple Machines Forum 1.1.2, phpMyAdmin, phpcollab, awstats and that's about it.

View 11 Replies View Related

Any Info On Blocking The "Turkish Hacker"

Jun 26, 2009

One of my clients has a shared hosting account with a major hosting company. Their site was recently hacked by the "Turkish Hacker."

A quick web search indicates that this is a well known attacker, going back several years. (Of course, it could just be a copycat.)

The hosting company provided no help in identifying how the site was hacked, or how to prevent it in the future, other than saying "change your passwords."

Is there any information available on how this particular hacker penetrates a site? Are there precautions the hosting company should have taken and did not? Are their things the client can do, other than using secure passwords and changing them regularly?

View 7 Replies View Related

"JaMaYcKa" Hacker Strikes On My Server

Feb 18, 2007

All index.php and index.html files on my server have been replaced with the "JaMaYcKa" hackers page. I was reading on WHT, and just about 10 days ago this happened to another member here.

I am using seeksadmin for system administration, and coincidently the guy who was hacked 10 days ago was also using seeksadmin. I believe there was another member here a month ago who was also hacked by "JaMaYcKa", and he was also a seeksadmin customer. I am not blaming seeksadmin in any way, they have helped a lot and I hope they can get this resolved.

Does anyone have any information on how to reverse/fix this issue? I am no system admin, just to put that out there, hence the reason I hired seeksadmin.

Here is the .bash_history from what the "JaMaYcKa" hacker did,


cd /
/usr/sbin/useradd -o -u 0 -g 0 r00t -p ******************
passwd r00t
rm -rf tmp/
cd tmp
ls -a
perl /tmp/index.html

According the the history, he ran some script which would cause all index.php/html files to be changed (I am assuming). I have already removed the user "r00t" as seen above is what he created.

Any info on how to get this reversed (and if anyone else was using seeksadmin, let me know if they resolved your issue). I am currently waiting for an update from seeksadmin, so I'll update you guys once they reply to the ticket. Also to note I am using whmcs which contained the root password to this server; another user mentioned in another thread that if you were using whmcs/mb/ce/etc a hacker could get your root password, which of course if the password was not encrypted or the script had a glitch, the hacker could easily get your root password.

View 14 Replies View Related

How To Prevent Rm -rf /

Jul 4, 2009

Does anyone know anyway that "rm -rf /" can be disabled? OR any selinux rule or something to prevent this?

Or if I wanted to prevent a certain directory from being deleted like backups but something unlike chattr that someone can figure out quickly.

Im sure LOTS of people would like to know about this. Ive searched around and only somewhat useful thing I have found is an rm wrapper that sends everything to a trash file in the root of the mount point.

View 14 Replies View Related

How To Prevent DNS Flood

May 28, 2008

Can anyone share tips how to prevent DNS flood on a cPanel and Directadmin server platform on Centos?

View 7 Replies View Related

Prevent Phishing

Jun 1, 2008

I'm not that techy I'd like to ask why this person downloaded the file below before uploading some phishing webpages on my account ? I've changed my password numerious times from different computers and even from mobile phone just to check if the person can still get in. But again it is no use the person were able to upload phishing pages.


May 25 21:50:42 server100 pure-ftpd: (weblogin100@ [NOTICE] /home/weblogin100//.htpasswds/update/Login.php downloaded (21251 bytes, 755.78KB/sec)

Right now I deleted all other scripts on the account and remain some htmls. Folder were also set to 644 no 777, while waiting if the person can still upload his phishing pages please help me why he downloaded the file above. I've check the file on my account and I cannot see Login.php. By the way I have a root login and only two accounts were a constant phishing victims.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved