I have been getting a lot of abusive email lately, just deleted them and thought nothing off it. Just about to go to bed and I see my website has been hacked.
www.pic-spot.com
They also said they were after www.anotherlaugh.com and www.shinyproxy.com
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./
When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)
Just this week, I believe one of my site has been hacked...or potentially my whole server! When accessing the website (a vBulletin forum), instead of going to the main page, we get a screen that looks like Window's "My Computer" and there is a scan running. Firefox has blocked the site for suspicion.
I am stumped. Where to begin? I have full SSH access to my server (after rebooting it). Thank you in advance.
few sites are continously been hacked, these sites i m working on, whenever i connect the sites through FTP client(i m using Flash FXP) and upload the files the very next day the index file have the Iframe code written after the body tag by someone else of some malware site.
i have tried everything, changing the password on daily basis,even reinstall my system completey(thinking if there any backdoor trojan) firewall and antivirus,
We have a simple flash site. Not CMS or anything of that sort.
Recently out site was hacked. Nothing malicious as the only code that seems to have changed was out index file in which they injected a malware script ....
This is the second time this week that my website was hacked. On the first hack attempt they somehow got into my cpanel and corrupted my license file which I had my host fix. Other than that the only damage done was an html file that replaced my main page. Then today, I find that my website has been further compromised, but by a completely different group. The first hacker was g3n3t1x and this second hack was done by www.turkishdefacerteam.com
Now, the problem is my sites dedicated IP is 72.36.192.150, and my domain name is gamingguilds.net, but if you resolve the domain name, it resolves to 74.53.52.66. I have checked my nameservers and everything is set properly. But the thing I don't get is that when you type in my domain name in a web browser, you see my website. How can it be resolving to the wrong IP and STILL show my website. Also note that when you type in my dedicated IP it would still show my website (before this second attack).
Now after the second attack, my dedicated IP no longer works, I cant get into cpanel using the IP, I cant get into my FTP account, and I get view my website. Yet if you use the domain name to log into cpanel or view the website it works. The strange part here is that I can't get into the FTP using the domain name.
SO, if you go to [url]you see a blank cpanel site, if you go to [url] you get a 404 error, and if you go to www.gamingguilds.net you get my website.
I have a small but somewhat popular space-history website. Very simple HTML that I typed into wordpad, but it has long pages full of photos. Since 2003, I've been using media3.net with their business-class Windows service.
A few weeks ago, mypages were hacked, and a one line script inserted that called an Adobe Flash file. Apparently this was a server-wise attack, not just my web pages. Media3.net cleaned this up, but now it has happened again.
This is bad, because Google blacklists my site, and folks on Wikipedia get upset because there are a lot of links to my site.
How are they breaking in to media3.net? I think I must change hosts, but I don't want to put my image-intensive site on overbooked hardware with limited bandwidth.
my server was hacked by Cold he/she inserted a couple of scripts that enabled remote access into a 777 permission folder.
i found the following script names: back.pl cpanel.php cgitelnet.pl cpanel.pl gcc-cold <- shell script
i have deleted all the above files, and changed the folder chmod to 755
but the weird thing is, through shell, when i try to locate the file gcc-cold i get this:
Quote:
root@ [/tmp]# locate gcc-cold /home/ns5f6/public_html/uploads/gcc-cold root@ [/tmp]# rm /home/ns5f6/public_html/uploads/gcc-cold rm: cannot lstat `/home/ns5f6/public_html/uploads/gcc-cold': No such file or directory
isn't locate NOT supposed to find that file after its been deleted? and if it was not deleted some how, isn't it supposed to delete it? am i missing something here??????
from a bit of researching the files, i found that it was a telnet script, BUT i have telnet disabled, and there's no process running along side GREP TELNET
how can i find malicious software or shell scripts that allow such hacking activities on the server?
If I type google.com in my address bar, it forwards me to www.google.com. This is not happening for my website right now. I think its a good idea to do this, since then search engines will have only 1 main URL for the website to index.
My question is:
How do I implement this? I think this may involve mucking with CNAME settings...
I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.
The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?
2 days ago i noticed my cpanel hardisk usage was a lot more then it should be, after looking around i found out my inbox was 400mb (82143)emails!! i don't use any of the cpanel email because i have them set to forwarding. all the emails are spam and i discovered a few emails using my domain (that i did not create) that are valid and when i email them it reaches this cpanel inbox
So how bad is it? have i been completely comprised or is someone managed to get some type of spaming access only?
I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.
About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).
I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.
Well, this is rather weird. I cant tell if this is a server error, or a hack.
Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.
My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...
I got an email from one of my scripts:
SUBJECT: [hackcheck] kill has a uid 0 account
IMPORTANT: Do not ignore this email. This message is to inform you that the account kill has user id 0 (root privs). This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."
Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?
I uploaded the latest chkrootkit and ran it. The results say it's clean.
Any thing I can do to stop this (for example by hiring server management company)???
Here's the info that RKHunter provided:
/sbin/modinfo [ NA ] /sbin/insmod [ NA ] /sbin/depmod [ NA
Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]
-------------------------------------------------------------------------------- Found parts of this rootkit/trojan by checking the default files and directories Please inspect the available files, by running this check with the parameter --createlogfile and check the log file (current file: /dev/null). --------------------------------------------------------------------------------
Checking users with UID '0' (root)... [ Warning! (some users in root group) ] info: adm:0
And here's the info I've found after investigation:
-bash-2.05b# pwd /usr/local/games -bash-2.05b# ls -lah total 332K drwxr-xr-x 3 root root 4.0K Feb 5 15:59 . drwxr-xr-x 15 root root 4.0K Feb 12 19:32 .. drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl -rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap -rwxr-xr-x 1 root root 17K Feb 2 12:51 parse -rw-r--r-- 1 root root 119 Feb 2 12:51 pid -rw-r--r-- 1 root root 27K Feb 3 17:44 x -bash-2.05b#
i daily check my error log files to see if something was wrong , checkout what i found
the first one is probably trying to hack my site to get to my ads and changing it to them i think [error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9 [error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat [error] [client 195.23.16.24] File does not exist: /var/www/html/adserver [error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew [error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew [error] [client 195.23.16.24] File does not exist: /var/www/html/phpads [error] [client 195.23.16.24] File does not exist: /var/www/html/Ads [error] [client 195.23.16.24] File does not exist: /var/www/html/ads
this 1 I dont know
[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin [error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice [error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin [error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice [error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
This 1 is kinda keep me scared i dont know what it is either
[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en) [Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859 [Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547 [Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547 [Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171 [Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368 [Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0 [Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the cfs score.
This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?
Here is the output: ================= Time: Thu May 10 01:31:52 2007IP: 207.210.233.128 (Unknown)Account: rootMethod: password authentication ========================
I know for sure that I did not login my SSH yesterday.
However, when I logged in SSH this morning, it says in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in SSH since last time I logged in myself.
Was my server intruded or was lfd just playing up?
how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?
Everyday someone keeps coming in and deleting all my accounts. I do have them saved, but I cannot figure out how they are doing it.
I have followed the tips on the forum for locking down VPS. We have restriced SSH logins to our IP, we have checked all directories for ones that are 777 and changed them, we have moved the server to a different IP address.
Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.
Our WHMCS got hacked earlier today and the hacker sent out a to be honest, unacceptable email to all clients, I won't go into detail but lets just say it directly insulted them.
Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image).http://img378.imageshack.us/img378/2560/hackedmh9.png
Just a warning to everyone out there. His IP address was 86.132.228.82.
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?
Out of the three websites that were hacked the hacker left a get.php file in the root and i decided to see what it was and i ran it. To my shock and horror it gave me all the different types of people hosted on the server and it also gave me their database passwords etc...
Now each time i ran it, it gave me different results of different users on the server each time with a long never ending list. I just couldnt believe my eyes a simple short written php script showed me a lot.
Now im not a PHP guru but this is quite serious and ive notified my web host showing them my findings. I was quite astonished it showed me passwords in peoples configs.
Now my question is... is this something new or old and that my web hosts forgot to look into that area...? I mean its a php script thats all.
One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.
Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.
I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not? and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.