Layeredtech Network Hacked Again
Oct 26, 2008
I've been reading that layeredtech's helpdesk or whatever they call their backend has been hacked again just a few days ago and the hackers got the customers' root passwords.
This happened about a year ago also with them. How does this keep happening?
I thought about not giving my datacenter my password but then if it goes down they can't do anything.
May 14, 2009
Just wanted to share my experiences with you once again. There are a select number of companies on this planet that really seem to go out of the way to be obnoxiously bad at their jobs. Comcast, AIG, United Airlines - the familiar litany. Well, my experience with online hosting would put Network Solutions right up there with those in competition for the title 'Worst Company in America.'
Here's the current problem. Yesterday, May 14, 2009, at about 6:00AM, one of my users reported that my site had come up with a malware/virus alert on his computer. This was odd, as I am not a malware host. Further, my work computer had been infected the day before, though I had only visited reputable news sites; and my own site.
Lo and behold, upon investigation I found that my site had been hacked to carry the FakeAlert-CL trojan, which had the effect of causing my computer to pretend it had been badly hacked to get me to buy some spurious anti-virus software. Essentially, buying "protection" in the Mafia sense.
Luckily for me, this is not my first rodeo with Network Solutions' laughable excuse for security. This exact same thing had happened 18 months or so ago. I realized then that a worm had infected NS's shared hosting servers, and had changed every file with "index" anywhere in the title to include an <iframe> tag linking to a malware site (from which the computer would be infected).
So here's my workaround. I downloaded and repaired the three index files which control my site. I then deleted the infected files, and re-uploaded clean ones. Being prudent, and having experience with this, I also uploaded *backup* copies with different file names. This proved wise. NS has now been hacked 3 times in the last 18 hours in the exact same way. Each time I get hacked again, I simply delete the infected 'index' file and rename my backup to replace it, then upload a new backup for later use.
Some notes: this has affected my entire Movable Type system by corrupting the templates. However, it attacks only the base index.php file; if you simply fix that one file, then rebuild your Movable Type database, the offending code snippet will be removed. Secondarily, some sections of my site (my bulletin board, for instance) do not have 'index' in the title of their operative files. If I could remove every index file from my site and rename them, I would, but unfortunately too many of the components are hard-wired for that name. Finally, I tried CHMODing the index files to 444, which should have prevented even an Administrator from overwriting or changing them, but it had no effect.
So, back to NS. I contacted a person from NS' marketing department (who contacted me after I posted a previous complaint on this board) and let him know that I had been hacked. He told me he was referring me to "third level support" (meaning what? they speak better English?). I have since been hacked twice more, and have emailed this same PR guy both times. The last time I asked for a phone call; no shock, I have not yet heard back. Maybe this post will prompt a response.
At any rate, to those of you experiencing this with Network Solutions, hopefully my solution will help you. To those of you considering a hosting provider, DO NOT CHOOSE NETWORK SOLUTIONS.
Jun 20, 2009
I've got two servers with LayeredTech in Texas. One is seemingly totally down. Their support page is unreachable and their billing page is loading as slow as AOL on dialup. Anyone else having issues this morning?
Oct 5, 2009
We are the clients of LayeredTech for 4.5 years. Basically, we're fed up with poor service and below are the details. Love the stories about stupid circumstances leading to major catastrophes? You'll love the story below.
Another incident took place in June. We have ordered another hard drive for our server. During the maintenance, their technician obviously dropped an existing hard drive (never admitted by them), causing the bad sectors to appear immediately after upgrade. They were trying to replace it, but replaced a wrong hard drive (!). Their second attempt to fix things up resulted in a broken SCSI controller (!). Their verdict: the server is dead and can't be restored. It resulted in a huge downtime of three days. During these three days, we experienced the lack of professionalism from their staff (besides group leaders), poor coordination between the shifts (another shift comes and they have no idea of what the previous shift has started) and poor response times.
Now, they are moving their data center forcing clients to order a new server (you guys probably heard about it) and we have the same experience: poor coordination of departments. Friday: technicians offered a configuration and suggested to submit a ticket to sales (I've no idea why clients have to transfer information between their departments). Sales came on Monday refusing to fulfill this order suggesting to order a new server from the web site. We gave another attempt and placed an order, asking to upgrade memory and disk - the features we already purchased. Their response? It's not upgradable. Nothing was suggested.
I'm not to tell about the other issues, about red eyes of our technicians that can't get to bed waiting for their support to reply and restoring the server from backups. I'm not telling about our IPs whitelisted in major mailing services; years of work discarded by moving our server without asking us if we like to. Finally, I'm not telling about minor issues; they happened for these years.
Guys, we're fed up with LayeredTech and moving our server out (we have one more and refer to it as "hostage"). Yes, we lose money for the purchased memory, for a purchased hard drive and for a setup fee from another provider. But we can't deal with them anymore. Anyone thinking about LT - keep away. Dear fellows who already own a server there - let's keep our fingers crossed; LT is great when nothing happens, but horrible dealing with incidents. Good luck, guys.
For LT management: if you want to prove the facts, my client ID is 4553.
Mar 31, 2009
My server is down [At layeredtech.com]
I told them I selected 2009/3/28 to migrate my server on 13 march, 2009.
Then, I have not received any information from them, such as the new IP.
Now, my server is down and I don't know how to login my server.
Apr 30, 2008
Thought I may as well post up a review of Layeredtech having left them recently after 15 months of service.
Network: 10/10 - Don't recall a single downtime with them, certainly nothing that showed up on my cacti graphs & downtime would certainly show up.
Support: ?/10 - Unfortunately I can't comment on their support as it's something I never used. Ultimately though, given they are an unmanaged provider, support really should be limited to tracking down hardware issues etc.
Hardware: 10/10 - Never had a single problem with the box I was on.
Sales: 9/10 - I'll give em a 9 for the hassle of scanning ID etc, although in fairness these days, you expect that with pretty much all providers so not a major issue.
Other:-
I'd read bad things about their cancellation process, e.g. people continuing to get billed for cancelled servers etc, this hasn't happened to me, I gave my two days' notice (as required in their terms) and they did everything properly.
The only downside really was they increased the price by $9 or something, although in fairness, that was a pretty small increase and they made up for it by providing remote reboot ports, although I never did make use of them since my box never crashed.
Overall, a pretty positive experience, only left because I needed much more powerful hardware and LT's deals aren't as good as they once were.
Jun 25, 2008
While I only had a server with LT for testing and running our helpdesk off network... I'm happy to say that I'm finally fully moved from LT. (My new off network home is at GNAX, btw.)
I went from a reseller of 3+ years, with a peak of ~20 servers ... to nothing.
Way to go Layeredtech!
I started this thread out writing all about my history with LT, and my thoughts on what they've done... but I decided that it wasn't worth it. Layeredtech will probably continue doing what they are doing - swindling customers - and there's nothing I can do to stop it. I'm just happy to no longer be a victim.
Apr 21, 2008
Because they offer AppLogic we chose a company called LayeredTech.com a.k.a layeredtechnologies.com;
I have not had many issues with the access related issues and support was fairly quick;
But, I have decided not to use them as a DataCenter because
- One day they stopped our server by not giving any advance notification by telling us that there was a spammer and they do not allow any account with Spammer
- Earlier their warnings were only for 8 hours. So if you happen to sleep when they send notifications you wake up to a disabled server; They refused to improve this and they refused to accept the fact that Web Hosting accounts can have many reasons that can be abused for spam.
- We have woken up to $1800 charge one day and we wanted to dispute it. They have given us RTG charts which does not explain anything about the detailed usage.
We have asked them to listen to our reports from WHM that shows only 200 GB usage rather than 15000 GB they charged us for. They were pretty quick to comment that WHM calculations are not reliable.
- On another note we paid for a year for Cpanel licenses. We had to cancel 2 Cpanel licenses and asked for a refund. They said, they could not refund the payment for Cpanel license; well they charged for a year. At least a credit? No. They offered to enable it if we need;
- Applogic? Another utopia. It does not work for cpanel purposes.
Whenever you have problems, High Availability feature never works. The other server never picks up the functionality.
When you ask why, they say you put so many accounts on one server.
Well, you want us to put 250 account on a server prices for $700 USD per month? That does not make any sense;
I have used in the past so many Data Centers
- Bustnet
- Iweb
- NAC
- Netelligent
- Dedicatednow
Layered is the least flexible one. They do not give any value to your thoughts and rights;
I have started using netelligent.ca and they are great guys. I will be canceling all my accounts with Layered as soon as my account term paid will expire.
Just wanted to share my experience
Bulent Turkoglu
Jun 29, 2008
I remember a long time ago when I used to host on Layered Tech: fast network, good stuff, affordable price. My first server cost me 90 dollars on Layered Tech with about 20 dollar setup one time fee.
I visited today after about 2 years and I'm pretty much surprised to see their prices. They are by no means affordable as they were previously and the setup fee is now 50 dollars on every server.
With such a large number of servers in their data centers shouldn't they be able to make them affordable? Yet I have seen the same server on WHT ads section for a fraction of the price LT expects and not to mention the excessive setup fee.
I'm not complaining, it's their business, but is it really helping them? I can't be the only person feeling this anti-love for Layered Tech being a former LT customer. I had no problems with them or their services, I just left after I sold my site and moved into VPS. But seeing the new prices it's a bit shocking.
May 28, 2008
I have a Win2003 dedicated server w/theplanet since 2004 and a Win2003 Web and FreeBSD server with LT shortly after purchasing theplanet server. I'm leaving the dedicated world and into the colo world. The reason is I like the total control of my server and when something happened to my server. I know I'll work nonstop to fix it and not reinstall OS as the only option. (My win2k3 server got system corruption at LT and the tech told me, OS reload to fix the problem. I know a lot of you thinking having dedicated server gave you peace of mind or whatever but if OS reload is the only option then I might as well take the risk and run my own server and buy some spare parts in case of server melt down. However, I think it got to do more with LT using whitebox parts because my theplanet's server takes a lot of abuse as well from me and it chugs along just fine since it's Dell's entry level tower server despite having Celeron as CPU while my LT's windows server has P4 w/HT option. Both have 1GB of RAM. I think 1GB is rather limited nowadays. I also like the option of using whatever hardware that I want with my colo server and not paying extra $20 per month for RAM or whatever.) /end rant.
Anyway, here are some pros and cons that I hope you guys will find helpful.
theplanet:
Pro -
1. very stable hardware because they use name brand like Dell
2. good network/tech support
3. Orbit - one place for everything. love it.
4. professional service
5. No price hike since 2004!
6. they have a system in place to alert (email) you if your server went down. LT have no such thing that I know of.
Con - not many. Didn't come across anything that piss me off.
LT (LayeredTech)
Pro -
1. good network/tech support
Con -
1. Not so stable hardware. They had to replace my FreeBSD server with AMD64. Originally the server had AMD XP. I think they use whitebox parts. I'm not saying there is anything wrong with whitebox parts but they could be using cheaper parts.
2. Too many different logins. Encompass, knowledge base for tech support...etc. It would be nice if they had something like Orbit. Plus, you have to call them to change your CC and their reason is it is more secure that way but how so? Their employee can write down my CC. Why do you need human interaction for CC change?
3. Price hike
This is all I can think of right now. I'm leaving the dedicated world and leaving the comfort of dedicated provider and going into managing my own server plus the hardware. Hopefully, my server hardware can hold up like theplanet's Dell server.
May 31, 2008
I had two servers from LT for a few years. I was happy with the servers until 6 months ago. I got an email from LT and was told the price will be increased. I had no choice but to pay what they asked. I got another email a few days later, again LT increased the price. I think it's fine if they increase the price. The problem I have is: LT increases the price but at the same time LT still offers the same package I had a few years back to their new customers. I called LT, they told me they can do nothing. Today I looked at the offer carefully. Here's the detail.
-------------------------------------
Dual-Processor Opteron 248 $59/Month
RAM:2GB
Hard Drive(s):2 x 160GB SATA
Free upgrade to 2 x 250GB
Bandwidth:3300GB
IP Addresses:8 (5 Usable)
Notes:No Reseller Discount
Setup Fee:$999 setup
---------------------------------------
Ha, $59, not a bad deal at all. But watch out, $999 setup fee. Think about this: LT will increase your price two years later. Then monthly cost will be $59+$999/24=$100 OR if LT increases your price one year later, your cost will be $59+$999/12=$142. Just think twice before you order from LT.
Jul 10, 2008
I've worked with LT and a few others for some years but, never worked with SoftLayer. I'm looking for people's comments and advice that have had at least a years experience with both companies. We have some serious sites. One site reads from MySQL, uses about 30% of its traffic pulling in external data from around the world to create png maps from the data, and serves 10,000 pages in just under a minute and 6 seconds during busy times. We've been moved around inside SAVVIS once for traffic reasons, and the network is fine.
It's time to upgrade. Softlayer seems to have a lot of compelling features not the least of which is KVM. Because of our traffic, a wrong DC choice would be very expensive for us. That's why I'm doing my due diligence here. That’s why I need to hear from people with experience with both.
If you actually use the KVM to load servers, and the power switch to do hard-reboots, I'd like to hear about how well that all works. Maybe iSCSI experience as well if there is any of that out there.
Mar 9, 2009
I received an e-mail that goes like:
"Data Center Migration Efforts Underway, from SAVVIS to Databank"
"The LayeredTech data center have informed us that in an effort to optimize the network architecture, they are planning to move all servers from SAVVIS location to a more centralized facility, the DataBank data center which is also located in Dallas."
Sep 29, 2008
I've been a layeredtech customer since early 2005, and until this last insane price-hike fiasco, I've never had a major complaint.
But now it keeps getting worse.
I wound up keeping this particular server around after the price hike (for several reasons, one of which was misinformation from a LT sales person regarding the prepay option) and several days ago received an email stating that my server would have to be moved, and that due to the chassis type of my old server, they could not move my server, I would need to migrate to a new server.
The email was less than forthcoming with details, so I tried to phone the person who sent me the email. The call went straight to his voicemail, where I left a couple messages asking him to return my calls, which he never did.
Finally I called their Sales department to figure out what was going on, and finally spoke with a nice & friendly guy (in a different department), who stated that he felt like he was in the middle, and he just wanted to help us (the affected customers) out.
Okay, I figure I can handle moving all my custom software to a new server figuring that they would find some comparable piece of hardware to move me to at the same cost.
No.
I was told I would have to pay around 10% more per month for a server with only a slightly faster CPU, only 1GB of ram and only 1 hard-drive (current server has 1.5GB of ram & 2 hard-drives mirrored)
Oh, and I have to have everything moved by the 18th of October.
And I'll have to pay for 2 servers while I move.
Or, I might be able to have the server moved to a different space at Savvis, but that would likely only be a short-term solution, and this situation would come up again.
I find this really appalling--they really must hate their customers who helped them through the early years!
Oct 14, 2009
any experiences to report about purchasing used / refurb gear from either Network Liquidators (nweq.com) or Network Hardware (networkhardware.com)?
Apr 3, 2008
I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.
The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?
Aug 5, 2009
2 days ago I noticed my cpanel hard disk usage was a lot more than it should be. After looking around I found out my inbox was 400mb (82143) emails!! I don't use any of the cpanel email because I have them set to forwarding. All the emails are spam and I discovered a few emails using my domain (that I did not create) that are valid and when I email them it reaches this cpanel inbox.
So how bad is it? Have I been completely compromised or has someone managed to get some type of spamming access only?
Feb 5, 2008
I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.
About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).
I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.
Feb 4, 2007
Well, this is rather weird. I cant tell if this is a server error, or a hack.
Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.
Jul 23, 2007
My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...
I got an email from one of my scripts:
SUBJECT: [hackcheck] kill has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."
Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?
I uploaded the latest chkrootkit and ran it. The results say it's clean.
Feb 13, 2007
Am I hacked by somebody?
Any thing I can do to stop this (for example by hiring server management company)???
Here's the info that RKHunter provided:
/sbin/modinfo [ NA ]
/sbin/insmod [ NA ]
/sbin/depmod [ NA
Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: adm:0
And here's the info I've found after investigation:
-bash-2.05b# pwd
/usr/local/games
-bash-2.05b# ls -lah
total 332K
drwxr-xr-x 3 root root 4.0K Feb 5 15:59 .
drwxr-xr-x 15 root root 4.0K Feb 12 19:32 ..
drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl
-rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap
-rwxr-xr-x 1 root root 17K Feb 2 12:51 parse
-rw-r--r-- 1 root root 119 Feb 2 12:51 pid
-rw-r--r-- 1 root root 27K Feb 3 17:44 x
-bash-2.05b#
May 22, 2007
I check my error log files daily to see if something is wrong. Check out what I found.
The first one is probably trying to hack my site to get to my ads and changing them to theirs, I think
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpads
[error] [client 195.23.16.24] File does not exist: /var/www/html/Ads
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads
This one I don't know
[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
This one kind of keeps me scared, I don't know what it is either
[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en)
[Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859
[Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171
[Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368
[Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
Sep 10, 2007
my server hacked
24 cat /proc/cpuinfo
25 ls
26 cd /var/tmp
27 ps x
28 ls
29 mkdir .www
30 cat /proc/cpuinfo
31 cat /etc/issue
32 mkdir .ww
33 cd .ww
36 download alexscan.tar.gz
37 tar xvfz alexscan.tar.gz
38 tar xvf alexscan.tar.gz
39 cd Vek
40 ls
41 ./Vek 210
42 ls
43 cd ..
44 ./ss
45 ls
46 cd ..
47 cd .ww
48 download joker.tgz
49 tar xvfz joker.tgz
50 download flood-udp.tar
52 tar xvfz flood-udp.tar
53 tar xvf flood-udp.tar
54 perl udp.pl 72.8.131.39 0 0
55 perl udp.pl 89.42.72.6 0 0
56 perl udp.pl 83.42.64.149 0 0
57 passwd
58 ls
59 cd joker
60 ls
61 chmod +x *
62 ./x 23.12
May 9, 2007
I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the csf score.
This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?
Here is the output:
=================
Time: Thu May 10 01:31:52 2007
IP: 207.210.233.128 (Unknown)
Account: root
Method: password authentication
========================
I know for sure that I did not login my SSH yesterday.
However, when I logged in SSH this morning, it says in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in SSH since last time I logged in myself.
Was my server intruded or was lfd just playing up?
May 11, 2007
Go to this page:
[url]
how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?
Apr 12, 2007
I have a VPS running cpanel/whm on CentOS.
Everyday someone keeps coming in and deleting all my accounts. I do have them saved, but I cannot figure out how they are doing it.
I have followed the tips on the forum for locking down VPS. We have restricted SSH logins to our IP, we have checked all directories for ones that are 777 and changed them, we have moved the server to a different IP address.
Jul 27, 2007
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./
When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)
Nov 23, 2008
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.
Our WHMCS got hacked earlier today and the hacker sent out a to be honest, unacceptable email to all clients, I won't go into detail but lets just say it directly insulted them.
Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image). http://img378.imageshack.us/img378/2560/hackedmh9.png
Just a warning to everyone out there. His IP address was 86.132.228.82.
Jul 27, 2008
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?
Jan 27, 2009
we have a vps server and someone did what I would call a calling card attack, thankfully.
It is a stock kubuntu os with stock apache. Root passwords for everything have been changed to our own
Somehow they logged into kubuntu as root and changed the htpasswd in usr/passwords (changed to protect the password).
Then since they changed the htpasswd they were able to log into phpmyadmin and changed the admin password in the database.
I'm pretty sure I know who did it and he is teaching us a lesson which I respect but he will not communicate with us.
We have hourly snapshots of our vps and we need to know how they are getting in. See my sig and click on the hotspot login.
Looking at the sudoers there is the Defaults line that we suspect as a means to get in.
We have a great php etc... app but it is either Apache or kubuntu that they can get in.
I would like to learn about what needs to be done about security but where do I start?
Can someone help me look for something that would allow the attack?
I'm a php guy and it is not a mysql injection attack nor is it an xss attack.
I am not a kubuntu / server security guy and now need your advice.
May 22, 2008
Out of the three websites that were hacked the hacker left a get.php file in the root and I decided to see what it was and I ran it. To my shock and horror it gave me all the different types of people hosted on the server and it also gave me their database passwords etc...
Now each time I ran it, it gave me different results of different users on the server each time with a long never ending list. I just couldn't believe my eyes, a simple short written php script showed me a lot.
Now I'm not a PHP guru but this is quite serious and I've notified my web host showing them my findings. I was quite astonished it showed me passwords in people's configs.
Now my question is... is this something new or old and that my web hosts forgot to look into that area...? I mean it's a php script, that's all.
View Related