Rootkit Detection On A Windows VPS
May 4, 2007
My Windows VPS has come under heavy attack by hackers trying to get through MSFTPSVC for the past month and they finally managed to somehow get in 2 days ago. Somehow, the "Allow anonymous login" setting was selected in my FTP settings and they got in.
They even managed to turn off my firewall. I'm guessing they used a buffer overflow or some other Windows Server 2003 weakness that was fixed in SP2 (too bad SP2 isn't supported by SWSoft yet).
The attacks began less than 1 week after I had signed up with Virpus. I didn't even have my domain name pointing to the server or a site up when the first set of dictionary attacks began. How common is that 0_0 ?
Anyway, since I now know they've gotten in I've run a virus check and everything looks clean but I really want to run some kind of root kit detection software. I've tried everything suggested on the antirootkit website but none of them seem to work on a VPS.
View 10 Replies
Sep 25, 2007
I have recently been using snort but I need something ideally graphically based so that it is easy to use and find your way around.
Can anyone recommend an IDS product that has a GUI?
View 1 Replies
Apr 6, 2007
I've just installed bfd on a new server:
[url]
And I'm getting the following in an email every 10 minutes:
Code:
/usr/local/bfd/conf.bfd: line 26: : command not found
/usr/local/bfd/conf.bfd: line 38: : command not found
/usr/local/bfd/conf.bfd: line 47: : command not found
/usr/local/bfd/conf.bfd: line 59: : command not found
/usr/local/bfd/conf.bfd: line 60: : command not found
/usr/local/bfd/conf.bfd: line 76: : command not found
/usr/local/bfd/conf.bfd: line 88: : command not found
The email is being sent from:
Cron Daemon <root@hostname.com> (replaced hostname myself)
Now I know this isn't r-fx networks support, but none of their support options seem to work, so I figured I'd post here considering the amount of users that are likely to be using bfd (or you should be).
View 3 Replies
Jul 30, 2007
I downloaded the tripwire version 2.4.1.1 but after the installation the /etc/tripwire/twinstall.sh file is not generated after the installation. I checked the contents of the RPM I downloaded and the script is not there.
How can I prepare the cfg file without this script?
[root@user]# rpm -qpl tripwire-2.4.1.1-1.i386.rpm
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/tripwire-setup-keyfiles
/usr/sbin/twadmin
/usr/sbin/twprint
/usr/share/doc/tripwire-2.4.1.1
/usr/share/doc/tripwire-2.4.1.1/COMMERCIAL
/usr/share/doc/tripwire-2.4.1.1/COPYING
/usr/share/doc/tripwire-2.4.1.1/ChangeLog
/usr/share/doc/tripwire-2.4.1.1/License-Issues
/usr/share/doc/tripwire-2.4.1.1/README.Fedora
/usr/share/doc/tripwire-2.4.1.1/TRADEMARK
/usr/share/doc/tripwire-2.4.1.1/policyguide.txt
/usr/share/doc/tripwire-2.4.1.1/tripwire.gif
/usr/share/man/man4/twconfig.4.gz
/usr/share/man/man4/twpolicy.4.gz
/usr/share/man/man5/twfiles.5.gz
/usr/share/man/man8/siggen.8.gz
/usr/share/man/man8/tripwire.8.gz
/usr/share/man/man8/twadmin.8.gz
/usr/share/man/man8/twintro.8.gz
/usr/share/man/man8/twprint.8.gz
/var/lib/tripwire
/var/lib/tripwire/report
View 3 Replies
Jul 2, 2009
I have a client that is certain someone is trying to hack her web-portal. I need to set up something that will alert me on suspicious activity on the server. For example someone fiddling with requests trying to make SQL / shell .. injection and similar threats.
Does any tool (for example bash script with grep) exist that would parse the raw apache logs and report if something is suspicious. Apache logs don't show the POST data so I am talking to admin to setup dump_io apache mod that enables this.
Or am I going in the wrong direction here and there is a whole other way to do this? I searched the web and forums for anything like this and didn't find anything.
View 4 Replies
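A starting point for the log sweep this post asks about, added here as an example and not part of the original thread: a POSIX shell filter that flags access-log request lines carrying common SQL or shell injection markers, in raw or percent-encoded form. The patterns, tags and sample log lines are my own constructions. As the post notes, POST bodies never reach the access log, so the final sample line passes clean regardless of what it carried; mod_dumpio (the module the post refers to) or a WAF-style request log is needed for that.

```shell
#!/bin/sh
# Added example, not from the original thread: triage filter for Apache
# access logs. Flags request lines that carry common SQL or shell injection
# markers, in raw or percent-encoded form. Patterns and tags are my own.

# Whitespace inside a URL shows up as "%20", "+" or a literal space.
WS='(%20|\+| )'

# SQL injection markers: UNION SELECT, a quote followed by OR/AND, and a few
# functions and tables that rarely appear in legitimate query strings.
SQLI_RE="union${WS}+(all${WS}+)?select|(%27|')${WS}*(or|and)${WS}|sleep\(|benchmark\(|information_schema"

# Shell injection / traversal markers: a command separator followed by a
# common binary, a path into /etc/passwd, or repeated "../" segments.
SHELLI_RE="(;|%3b|\|\||%7c)${WS}*(cat|wget|curl|sh|bash|nc)${WS}|/etc/passwd|(\.\./|%2e%2e%2f|\.\.%2f){2,}"

# Read combined-format log lines on stdin; print suspicious ones as
# "<TAG><TAB><original line>". Only the quoted request field is inspected,
# so a hostile User-Agent alone will not trigger it. Expect some false
# positives on legitimate URLs: this is a triage filter, not a parser.
suspicious_requests() {
    while IFS= read -r line; do
        # Fields split on double quotes: field 2 is "GET /path HTTP/1.1".
        request=$(printf '%s\n' "$line" | cut -d'"' -f2)
        if printf '%s\n' "$request" | grep -Eiq "$SQLI_RE"; then
            printf 'SQLI\t%s\n' "$line"
        elif printf '%s\n' "$request" | grep -Eiq "$SHELLI_RE"; then
            printf 'SHELLI\t%s\n' "$line"
        fi
    done
}

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
# The final POST line is deliberately unflaggable: the body is not logged.
SAMPLE_LOG='203.0.113.5 - - [02/Jul/2009:10:15:01 +0200] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jul/2009:10:15:07 +0200] "GET /item.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2009:10:16:22 +0200] "GET /search.php?q=test+UNION+SELECT+user,password+FROM+users HTTP/1.1" 500 221 "-" "Mozilla/5.0"
198.51.100.8 - - [02/Jul/2009:10:17:40 +0200] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 404 310 "-" "curl/7.19"
203.0.113.5 - - [02/Jul/2009:10:18:00 +0200] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Usage: sh apache_triage.sh /var/log/httpd/access_log
# With no argument the filter runs over the constructed sample instead.
if [ -n "${1:-}" ]; then
    suspicious_requests < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
fi
```

Run it from cron with the output piped to `mail`, or feed it `tail -F` of the live log for near-real-time alerts. Because only the request field is decoded by eye here, a payload that is double-encoded or split across parameters will slip past; treat a hit as a reason to look at the full log entry, not as proof of an attack.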
Jul 25, 2007
Is there a tool for intrusion detection where a central machine is responsible for requesting clients for file and directory information and reporting changes?
Do you know of any open source packages, preferably ones available for RHEL4 and 5?
View 1 Replies
May 19, 2009
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_files file: './db/rootkit_files.txt'
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_trojans file: './db/rootkit_trojans.txt'
How can I 'fix' this?
View 3 Replies
Aug 2, 2009
other options over chkrootkit and rkhunter since they are pretty outdated, and so far have found:
Curuncula:
[url]
Unhide:
[url]
View 2 Replies
Nov 14, 2008
How can I install Rootkit Hunter on CentOS?
And is it different from CHKROOTKIT?
View 5 Replies
Jan 21, 2004
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit", scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
# Run the quiet scan from its install directory and mail whatever it prints.
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
View 14 Replies
Jun 26, 2009
How to correct it?
Code:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
View 2 Replies
Jun 19, 2008
I was following this guide: [url]
It's very nice but 4 years old. So now I am wondering what the best rootkit detector is, and what the best firewall for CentOS 5 is.
View 9 Replies
Dec 22, 2007
I was thinking of getting one of our server admins to install the Rootkit Hunter.
Would this have any effect on our server resources and stability.
I'm trying to be more security minded after a few weeks ago when our server was hijacked, and I don't want to go through this again.
View 1 Replies
Nov 15, 2008
trying to secure my new server that will be opening for shared hosting.
So far I've found:
CHKRootKit, RKHunter, and ClamAV
As for Firewall, I've setup CSF but my question is, what is a good setting for blocking SYN Floods without blocking clients who might be browsing their site and, using DA, and FTP.
In the past I've used:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 3/s --limit-burst 5 -j DROP
and took down some pretty big attacks, but it was very touchy.
View 0 Replies
Apr 4, 2008
How can I get rootkit hunter to email me the results?
I tried
MAILTO=me@mydomain
0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
and
MAILTO=me@mydomain 0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
But it is not sending the email, nothing even shows up in my exim_mainlog.
View 2 Replies
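The chkrootkit cron job in the guide above and this rkhunter question both want the same thing: a scheduled scan whose result reliably reaches a mailbox. Added here as an example, not code from either thread or from the chkrootkit or rkhunter projects, is a POSIX sh wrapper that archives the full report on disk, mails only the lines that flag something, and stays silent on a clean run (the one-liner in the guide mails an empty body every day when nothing is found). The scanner path, flags, mailbox and report directory are assumptions set at the top; the sample report at the bottom is constructed so the filter functions can be tried without a scanner installed.

```shell
#!/bin/sh
# Added example, not from the original posts: a cron wrapper around a rootkit
# scanner that keeps the full report on disk and mails only the finding lines,
# only when there are any. Scanner path, arguments, mailbox and report
# directory are assumptions; override them through the environment.

SCANNER="${SCANNER:-/usr/local/chkrootkit/chkrootkit}"   # rkhunter: /usr/bin/rkhunter
SCANNER_ARGS="${SCANNER_ARGS:--q}"                         # rkhunter: --cronjob
MAIL_TO="${MAIL_TO:-you@yourdomain.com}"
REPORT_DIR="${REPORT_DIR:-/var/log/rootscan}"

# chkrootkit marks hits with upper-case INFECTED ("not infected" is clean);
# rkhunter marks them with "Warning". Everything else is noise for a mailbox.
FINDING_RE='INFECTED|Warning'

# Exit 0 when the report text contains at least one finding line.
has_findings() {
    printf '%s\n' "$1" | grep -Eq "$FINDING_RE"
}

# Print only the finding lines; these become the mail body.
findings_summary() {
    printf '%s\n' "$1" | grep -E "$FINDING_RE"
}

# Run the scanner, archive the report, mail a summary if anything was flagged.
# Returns 0 = clean, 1 = findings mailed, 2 = scanner missing.
run_scan() {
    if [ ! -x "$SCANNER" ]; then
        printf 'rootscan: %s is missing or not executable\n' "$SCANNER" >&2
        return 2
    fi
    mkdir -p "$REPORT_DIR"
    report_file="$REPORT_DIR/scan-$(date +%Y%m%d).log"
    # stderr is captured too, so a scanner that fails to start is recorded.
    # $SCANNER_ARGS is left unquoted on purpose so several flags can be passed.
    report=$("$SCANNER" $SCANNER_ARGS 2>&1)
    printf '%s\n' "$report" > "$report_file"
    if has_findings "$report"; then
        findings_summary "$report" | mail -s "Rootkit scan findings on $(hostname)" "$MAIL_TO"
        return 1
    fi
    return 0
}

# Constructed sample report for exercising the filters without a scanner.
SAMPLE_REPORT='Checking `ls`... not infected
Checking `ps`... INFECTED
Checking `lsof`... not infected
Checking for prerequisites [ Warning ]'

# Usage from cron (the script sends the mail itself, so no MAILTO is needed):
#   0 3 * * * root /usr/local/sbin/rootscan.sh run
if [ "${1:-}" = run ]; then
    run_scan
fi
```

Keeping the full report under `$REPORT_DIR` matters more than the mail: when a finding does arrive, the previous days' reports show whether the flagged file changed recently or has always looked that way, which is the first question for a false-positive review.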
Aug 24, 2007
For security purposes, what's best to install?
Feel free to suggest any others.
Server is running cpanel
View 4 Replies
Apr 22, 2008
How can I stop the rootkit hunter false positives?
It is alerting on these, on a fresh OS install:
Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
View 2 Replies
Jun 30, 2007
Possible root kit, what can I do?
Sorry for the long post, but I need some feedback.
One of the main reasons that I went from a Windows dedicated server to a VPS was because I had several attacks on my server that cost lots of time and money. The only reason for these attacks was that there had to be a rootkit in one of the programs I used on my server.
I have used SolarVPS for over 6 months now, and have used most of the same software I used on my dedicated server. I have not had any attacks or somebody gaining access to my VPS.
Last week I got a new Windows VPS from JaguarPC. I installed the same software as always (I will list the software later) and day two of my new VPS somebody had full access, had created a new admin user, installed Utorrent, downloaded and uploaded over 10 GB of movies and music before I discovered the security issue.
Beside my normal software I had downloaded a free downloadmanager, so I could download my plesk backup files faster than on a single download connection. That was the only other software beside my normal software.
But I never used that download manager on my dedicated server, and the same thing happened there also. A user got full access, created a new admin user for remote desktop, etc. I also use different passwords for the different VPS/DS/hosting plans, but some parts of the main level password are the same.
Last time the user was named support, this time the user was named Dave.
I change passwords often; this year I have changed my password 4-5 times. I have different passwords for different levels on my VPS/servers. One password for Admin, one for Plesk, one for FTP access to my sites, one for e-mail, one for MySQL etc etc.
I have changed OS at home from XP to Vista, and have only installed 100% secure programs at my home computer. I have not installed one free program or any cracks, warez etc. I also use different antivirus and anti spyware software at home. So the problem can most likely not be at my home computers.
My current software I use on my VPS’s are: (I have some more, but that was the software I used on new VPS)
WinRar 3.61 from [url]
Bandwidth monitor Pro from [url]
Weblog Expert 4.1 from [url]
And the only software I don’t use on my VPS at SolarVPS:
Free Download Manager from [url]
The strange thing is that last time, over 6-7 months ago when I had all the problems with my dedicated server, I traced the IP the hackers had used to login to my DS to Germany.
This time on my new VPS the person has to be from Germany or a country where they speak German. The mp3s and the movies were almost all in German.
My plan for the future:
I think I will buy a new VPS plan to test my software. Install one program at a time, and see when somebody gets access to my VPS. I have to use a provider that offers free OS reloads, so I can reload the OS after I have tested each of my programs.
Does anybody know about any companies that allow me to get free OS reloads and provide a Windows 2003 server?
Or will the backup function in VZPP work as OS reload if I take a backup of my new clean VPS and then install software. If it is a rootkit, and I restore, will the rootkit go away? If yes, I can use all providers with VZPP.
And do I have to tell the company what I have planned to do? A rootkit on my VPS will not affect other VPSs, so they can get the same rootkit, or the main server?
View 3 Replies
Oct 2, 2008
I was actually curious about this since Windows 2008 version came out.
What is the difference between Windows media services on Windows 2003 and Windows 2008?
View 5 Replies
Nov 17, 2008
Does any company rent Windows Server 2003 Web Edition?
SPLA and External licenses?
With Microsoft you need to pay $2,000.
I await your answers.
View 3 Replies
May 26, 2009
With Windows 2003 server, there are comprehensive lists of what you need to do to secure the server before use. For Windows 2008, I wonder is there such a list? Or is it true as what I heard from Microsoft that it is already secured out of the box?
Does anyone have any resources on the hardening or preparation of 2008 for server hosting uses?
View 1 Replies
Nov 11, 2014
FTPS is not working after upgrade from plesk 11. On plesk 11 windows and linux worked fine, after upgrade my windows server, it stopped working.
Code:
PS C:\Windows\system32> & "C:\Program Files (x86)\Parallels\Plesk\admin\bin\pmm-ras.exe" --check-repository --dump-storage=ftps://****:****@***.***.***.***:21 --debug --verbose
[2014-11-11 21:16:12.981| 4688] INFO: pmm-ras started : "C:\Program Files (x86)\Parallels\Plesk\admin\bin\pmm-ras.exe" --check-repository "--dump-storage=ftps://****:****@***.***.***.***:21" --debug --verbose
[2014-11-11 21:16:12.997| 4688] INFO: Repository 'ftps://***.***.***.***:21': Initializing...
[code]....
View 19 Replies
May 8, 2008
I'm making a reasonably uninformed comparison here. Since Windows Vista is noted to be more resource intensive and slower than Win XP, are we right in assuming that Windows 2008 is slower than Windows 2003?
For instance, with two boxes with an identical hardware setup but the two different server OSes, will the same application like, say MySQL run slower on the Win 2008 machine?
View 14 Replies
Dec 10, 2008
There seem to be strong forum rules in place about the kinds of posts that hosters can make.
But from my perspective it is somehow leaving a large gap in useful information I would like to know that I can't quite put my finger on right now.
So I would like to get responses from Windows hosters in this thread without violating any forum spam guidelines and I sure hope I'm not wasting my time here with this concept but here goes...
So, the topic:
Ultimately, the thing Windows Web Hosters are providing is the delivery of information that has been constructed by developers using program code they have assembled using a large array of mostly .NET technology.
The reason the Hoster is providing Windows hosting is that a sufficiently large enough population of Web Developers have been attracted to some aspect of the Windows technology stack.
And there is certainly lots of innovative and interesting technology that attracts developers to focus on .NET in just the same way that there is also interesting technology in the Linux world.
So here's the problem. It appears as if the Windows hosting companies with the odd exception have almost no interest in Windows and .NET technology.
But if they actually did have such an interest, it is not clear how they would communicate it for discussion here at WHT because of the spam rules and of course trying to communicate anything at all about hosting on the general internet is just swamped by spam. The noise level is just insane!
So I am hoping that such a discussion can take place in this thread by asking some very specific questions:
1. What interesting Microsoft technology have you researched, tested or played with lately?
2. What programs or scripts have you personally developed lately to investigate .NET 3.5 features?
3. What do you think of XBAP delivery from the net and why do you think it hasn't caught on in a larger way since it sure delivers a richer client experience than Flash or even Silverlight.
4. What do you think of Azure and will Microsoft let hosters be part of the cloud anytime soon? Can you think of useful or interesting Azure mashups from a hosting perspective?
5. Have you tried any totally silly and insane things with the .NET runtime inside of SQL Server 2005/2008 that would give your DB guys a heart attack?
6. Have you tried out the Google systems where you give your employees 20% of company time to play around with personal projects like this?
View 7 Replies
Aug 11, 2014
Latest Update 12.0.18 Update 12 appears to have removed PHP 5.4 and PHP 5.5 from my dropdown under hosting settings.
The only PHP that is left is PHP 5.3
Yet, the updates and upgrades page still lists PHP 5.4 and PHP 5.5 as installed.
Also PHP is still working on the virtual websites that were previously enabled with either 5.4 or 5.5, but not able to change using the Plesk Panel.
Given that Parallels has broken the Panel in that latest automatic update I'd hope it can be resolved ASAP.
I can't even find any references in the KB about Plesk 12 on Windows regarding PHP versions
I can even give feedback about the broken patch as every feedback channel requires paid support.
View 1 Replies
Jan 22, 2014
I have faced the following FTP backup error in Windows Plesk 11.5.30:
Transport error: unable to send directory to repository: Transport error: unable to put local file C:\Program Files (x86)\Parallels\Plesk\PrivateTemp\repo_transport_tmp_01cf171bcedd7710\backup_1401220130.zip to backup_1401220130.zip: Curl error: Failure when receiving data from the peer
View 7 Replies
Sep 19, 2012
Prior to using Plesk, I had a few sites that had SSL certificates installed the old fashioned way (manually through IIS). I have now set up those domains in Plesk, and I need to somehow make Plesk aware of these SSL certificates. Right now, I set up the domain in Plesk, give it a dedicated IP, and allow SSL connections. It chooses the default certificate and my SSL certificate already installed in IIS isn't listed.
Is there any way I can get it listed? I went to the add an SSL area, and it seems that this area is only good for generating new SSL certificates, but mine is good for another 1+ years. The bummer is that for some reason, any time I make any type of change to the site in Plesk, it seems to overwrite the SSL bindings and changes my manual changes to the correct certificate (through IIS) back to the default certificate.
View 1 Replies
Oct 30, 2008
Is there hosting that uses Windows XP rather than Windows Server 2003? What is the advantage of using Windows Server 2003 anyway?
Most of the time I just need to run some programs that need huge bandwidth. If I want to host sites, I'll just use xamp.
I think the Windows XP license is cheaper.
View 12 Replies
Aug 19, 2008
Does someone know what that means? I can sometime choose this option if I want to buy a server.
View 14 Replies
Mar 6, 2007
Is there a registry key that can distinguish between Windows 2000 and Windows 2000 server?
In
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
That key is Windows 2000 for both Win 2k and Win 2k server so if there's anything else that would be GREAT.
View 2 Replies