Security Breach On A Server
Dec 17, 2007
I found a random proxy site running out of /var/www/temp. It seems to have been created yesterday, and I found about it via a DMCA notice from the planet. Is this apache's temporary directory? There was even an entry for it in the apache configuration and was running as a perl script out of its own cgi bin. I killed it and chmod'd it to 0. In the future, would setting permissions on this directory to non executable prove to be effective? Any idea if this type of breach is serious enough to warrant an OS reinstall?
View 9 Replies
ADVERTISEMENT
Oct 1, 2006
somewhere on my cpanel server a script has been able to be used by a spammer and im now getting tonnes of returned mails from aol etc. 1000's are coming in every hour.
I think i have found the culprit, but i can't be sure. how can i find out for sure which script this was? the email headers dont even show the user from what i can see!
View 6 Replies
View Related
Jun 17, 2008
I got an email saying that there was a security breach at steadfast. At the same time I got an email saying that my account was suspended because I am sending spam from one of my domains. I NEVER SEND SPAM. I opened a support ticket and they apologized saying it's not my fault and they restored my account. Apparently spam was sent by a php script but they don't want to give me details. The next day they suspended my account again on the same reason.
View 13 Replies
View Related
Oct 16, 2008
I got this email earlier today, surprised to see there isn't already a 10-page thread about it. Did anyone else get this from The Planet?
In the course of the last two days, our Computer Security Incident Response Center team has identified suspicious activity in our customer management portal. Through their vigorous investigation, we have identified what appears to be a security breach that may have affected your customer portal account and server passwords. We have identified the methods by which the systems were compromised and have closed those holes. In addition to those actions, we will be implementing additional security measures to further strengthen the infrastructure and systems.
We are taking this action to alert you to this potential malicious activity. At this juncture, we are aware of only two incidents whereby log-in and server passwords were accessed. Based upon our security review of access logs, we do not believe any credit card information was compromised. We have contacted the authorities and are working with them to identify the perpetrator and to pursue appropriate legal action.
We are taking a proactive approach by contacting you directly, which we believe is the best course of action. We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:
1) Change your Orbit log-in passwords immediately and do so again every 60 days.
2) Change your server passwords and do so again every 60 days.
3) Be alert to any suspicious activity on your account.
4) If you suspect any unusual activity, please retain your access logs along with
View 11 Replies
View Related
Nov 5, 2009
We have found (thanks to CSF warning us) in /tmp 4 suspicious files. One is a perl script (probably a backdoor) and the other 3 files are binaries. They were probably uploaded by some vulnerability a customer's website (now suspended) because they are under his ownership.
The server seems ok, nothing out of the ordinary (the root logins are disabled, we su - from another account).
We have run rkhuner and chkrootkit (fresh installs) and found nothing.
One of the binaries contained this (retrieved with strings): chown root:root /tmp/suid; chmod +s /tmp/suid (suid being one of the other binaries). This /tmp/suid has no suid set and is not under root ownership:
-rw-r--r-- 1 user user 759 Jan 25 2008 dc.pl
-rwxr-xr-x 1 user user 2404 Nov 4 22:10 libno_ex.so.1.0*
-rwxr-xr-x 1 user user 4945 Nov 4 22:10 suid*
-rwxr-xr-x 1 user user 6209 Nov 4 22:10 udev*
dc.pl seems to be from January but it's apparently fake:
# stat dc.pl
File: `dc.pl'
Size: 759 Blocks: 8 IO Block: 4096 regular file
Device: 901h/2305d Inode: 62820496 Links: 1
Access: (0644/-rw-r--r--) Uid: (userid/username) Gid: (userid/username)
Access: 2009-11-05 13:52:37.000000000 +0100
Modify: 2008-01-25 19:49:43.000000000 +0100
Change: 2009-11-05 13:55:41.000000000 +0100
I hope all this means that the command was either not successful or it didn't run in the first place.
The kernel is: 2.6.18-128.1.6.el5PAE
Control Panel: cPanel
View 7 Replies
View Related
Mar 4, 2008
we have a server that was breeched and is being used to send ddos attacks to another website and we need to stop it permanently and secure our server to avoid it from happening again.
My tech has already been able to track down the bot/script that was sending it and seemed to stop it for about a week, but they have gained access to the server again.
He is not an expert at security issues so I'm looking to hire someone for a one time job to correct this issue.
Can someone offer me some referrals of someone to take care of this. Please do not recommend Rack911 as I waited nearly a week for their assistance and had no luck.
View 6 Replies
View Related
Apr 18, 2008
I dont know how but the passwords keeps getting changed on the emails on my cpanel. Its no one who has acess and no files are being delted to the problem is only with the email.
View 6 Replies
View Related
Jan 8, 2008
I just received a fairly scary WHMCS notice, you can view the details here:
<<please don't paste the file names, there are accounts that may have these on them>>
What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end.
I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored.
Are their own billing systems & servers hosted in the same environment, were our billing details also released? etc. I want to know the scale of the attack.
View 14 Replies
View Related
May 21, 2009
I'm running CentOS 5.x and DirectAdmin and wondering how to do the following:
- Disable compilers and other known binaries. Should I chown WGET 550?
- Prevent Shell Fork Bombs
- Best way to create partitions for tmpfs, tmp since my host forgot them?
- Any other tips on securing a DA based server? (I already have taken care of the whole SSH side of things)
View 3 Replies
View Related
Feb 27, 2007
One one of our (linux) servers spammers are king. they apparently can control anything and place spam links throughout the files.
For example spammer inserts Iframes either above or below HTML tags. (some step57 related type of virus/trojan as it seems)
Our programmer did not find where the problem is in our applications, yet he is not a security expert.
Our server admin company made us install phpuexec, we apparently have been checked on the server end and have mod_security, but we still don't know what's going on...spam continues.
View 6 Replies
View Related
Oct 9, 2007
Trying to determine what I want to put on my server for security. I have secured my /tmp, /var/tmp, and /dev/shm. I am now contemplating mod_evasive, mod_security, and/or APF Firewall.
1.) Should I install all three, or will APF Firewall, provide the same or similar security as mod_security, or vice versa?
2.) Will they all work together without conflicts?
3.) Does installing these services have any affect on overall server performance?
4.) Any other services you might recommend installing and why?
View 7 Replies
View Related
Aug 26, 2007
I have recently installed and configured my webserver. Since I think security is very important I am curious for recommendations, tips, etc.
My server:
-CentOS 4.4 (installed by provider)
-Apache 2.0.52
-Php 4.3.9
-MySql 4.1.20
-No FTP
-Mod_security is running
The firewall that comes with CentOS is switched on and allows the following ports: http, ssh, smtp.
I have installed sendmail, but it is turned off by default. I need it approx. 3 times a week for 15 minutes or so and will turn it on then.
I have barely any budget so hardware firewalls etc. aren't an option.
Furthermore it's a basic server, just like my knowledge, so advanced things like IDS aren't an option.
View 14 Replies
View Related
May 8, 2007
i want to know how can they make the directory ( u--------- )
take a look on this php shell
[url]
what i mean is they make the directory secure against any phpshell with that trick and they hide the hard disk space
how can i make this
my apache is 1.3.37 and i using fc5 and i have mod_security and cfs
View 6 Replies
View Related
Aug 31, 2008
I am considering renting a server, but got one question first.
If I sign up for one unmanaged root server with a control panel, from a provider. And just put my website on the server, and let it run there.
Is that a security risk? Is it easy for people to hack into my server, or anything like that?
View 5 Replies
View Related
Nov 6, 2009
My server has been hacked, I need you please to help learn about Unix server security to protect my server.
View 6 Replies
View Related
Jun 7, 2008
I have a dedicated server which I access via remote desktop.
The firewall is not enabled. What kind of security should I have on my server?
Ive read that if I enable Windows Firewall my remote desktop connection will be blocked & this will mean me having to contact the server company via phone etc.
View 9 Replies
View Related
Nov 20, 2008
Does any body recommend we3cares server management services?
I need a very simple server management and hardening job and dont want to pay much. (not for a hosting company)
View 8 Replies
View Related
Jan 4, 2008
Currently working on securing my server and i think I'm doing quite well until I asked myself the question, have I done it right? Is there anyway to actually test how secure my server actually is? I'd rather not just wait and see if someone can hack me to bring to light what I did wrong...I was also thinking of hiring someone to secure my server but then how do I know that they've done anything different to me?
Are there any scripts or programs I can run to test server security?
View 10 Replies
View Related
Jun 3, 2008
Is there any script or method where I can test my server security?
View 2 Replies
View Related
Aug 10, 2008
after following the perfect server setup - centos5.2 guide I have setup a home server on my dsl connection and installed openfire with relative ease. I have a paid hosting server which runs my website but I want to have it access the userservice plugin of openfire to add/remove users (which is installed on my new home webserver).
After trying fopen and CURL to post GET data to my home server without any luck I did some reading and came accross the snoopy php class. The snoopy class now allows me to get the default apache test page on my home server but when i try to point snoopy to my openfire admin on port 9090 it throws up a timeout error (but i think this may be an error in the snoopy class?).
CURL and fopen allowed me to get data from google and some other sites but not from my home server.
View 2 Replies
View Related
Jun 15, 2007
what the way to protect dedicated server?
At present, My dedicated server have firewall and setting permision for each user/ data.
I have installed a anti-virus software.
I wonder that whenever my server can be hacked/ attached.
View 8 Replies
View Related
Feb 13, 2007
I'm in an environment where we have hundreds of users uploading content to a web site.
With the current system, someone could potentially run a command that would wipe out hundreds of files (and it has recently happened). We are currently looking at ways to improve security and prevent "accidents" by separating the public server into to parts.
A public server and a quality assurance server. Everyone would have access to the QA server, and the QA server would upload all changes to production.
I personally see the benefit, but don't see the problem being completely solved. Does anyone have any advice on this or link to articles or books that might help to set up a secure web server structure?
View 5 Replies
View Related
Sep 1, 2007
i have a dedicated server , some one else made the security for me, how could to be sure of its security? how could to be sure of all php functions contain risk are closed or disabled? how could to be sure of there are not any security gap?
way to understand and implement the steps.
View 5 Replies
View Related
Jul 19, 2007
Which methods is need to protect a hosting server?
View 10 Replies
View Related
Nov 12, 2007
If I understand correctly, on the main physical server, we cannot install any firewall, so customers in VPS can open any port on their VPS. So, I am wondering about the security of the main server? What if someone can *hack* into the main server, and delete all VPS there? Is there any case like that before?
View 6 Replies
View Related
Dec 4, 2007
i've set up an FTP server in my basement for me and a couple people i know to store files on. everything was good for the first couple days. Every day now i do a "netstat -a" to check whos connected and i always get a couple weird IP's that i dont know like 64.x.x.x or 215.x.x.x so i block them in various places (ftp settings,firewall,router) just to have another address pop up the next day. im running windows 2003 and i have the sygate personal firewall running along with the windows firewall. i also am behind 2 routers (i have one acting as a switch). ive gone to the point of denying every address on any port on any protocol on the second router. after that i obviously allowed our private addresses to access everything. even with that i still get random public ip's that i dont know. how do i block everyone i dont want? what are common things they would be doing to the computer when connected?
View 6 Replies
View Related
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
View 10 Replies
View Related
Mar 30, 2009
I am trying to setup the trial of Exchange 2007, everything is installed. However, I am unable to connect to the SMTP server
Quote:
452 4.3.1 Insufficient system resources
Connection to host lost.
After googling around, I found the solution, I changed the settings xml file and now I have to restart the service but I can't seem to find the "Restart Service" option in the EXCHANGE MANAGEMENT CONSOLE?
Also, how secure is exchange by default - any guides/tips so I can secure this test environment?
Any 3rd party Anti-virus/worm/spam solutions for Exchange that are affordable instead of MS Forefront?
View 1 Replies
View Related
Apr 28, 2009
develop and deploy a security strategy to make my single dedi and two VPSes (all with similar hardware configuration and running Linux Centos 5.2+ w/DirectAdmin CP and Xen virtualization), as secure ass possible, both internally and externally.
I hope you'll freely share your best practices, recognizing that is the kind of thread multiple members will read for a long time to find out WHO the WHT experts are and what they recommended this newb do. While I hope you'll read the whole post because I may raise issues either you've never thought about or legitimate security issues you've tried to make others aware of but to no avail, I don't expect everyone to respond to every word of this long post. Please feel free to provide solutions-oriented comments and/or constructive direction, based on your area of expertise, only to the specific issues you want to address.
A little background is helpful:
I'm not a reseller nor will I be running anything that needs DDOS-like protection. I'll be running some virtual OS instances, trying out VoIP software and installing and running a virtual Linux desktop from my dedi and creating a mirror for the VPS for my websites, blogs, and email. One VPS will be the slave server to the dedi. I will be running my own DNS, mail and virtual servers on both VPS and the dedi as well. I'll also be backing up data on one of the VPS. All of these activities, I know, present security issues I need to confront.
I'm looking for primarily open source solutions to protect my small server network since first, it fits my budget and, second, I find most proprietary software restrictive and easier to exploit with backdoors, etc. I'd prefer an open source alternative that's of the same high quality and security as a proprietary service. But, if you think a proprietary product or service far outstrips anything open source and you've deployed it for clients or used it for your own servers, let me know. (I prefer to hear actual, first person, end-user accounts/suggestions.)
I'm a quick study--in fact, warp speed--so can learn what I need to do if I have good direction, (which is why I came here to ask). But, since I'm not yet an expert, please expect clarification questions.
So, here's what I want to know:
1) I will be logging in via secure, encrypted SSH to run commands and manage software but what's the best secure file and data transfer method/software to use? Can I make SSH more secure? Should I run a VPN from one of the boxes? Is using a secure web interface safe for managing or monitoring my server?
2) What's the best firewall for a dedi and will that firewall work for a VPS?
3) Same question for anti-malware (antispyware/antivirus/antispam) software. I see Kasperky and Dr. Web a lot as well as Spamassassin (which is open source) but what are some other options? Aren't server hackers expecting most servers to have the same protection software and doesn't that make them easier to hack?
4) What are some of the ways my servers can be exploited? For example, can others use my email servers to send spam or other servers to commit illegal acts? (I want to avoid getting my server taken down or my IPs blacklisted for someone else's activities). How do I prevent such exploitation?
5) What's the best and safest way to backup and/or sync my servers? What kinds of encryption should I use for the data on my servers? My internal servers like mail, file and virtual servers and appliances?
6) Other than software, what are some of the best methods for protecting my servers from DNS attacks, spam, viruses, hacking, etc.? Should I write specific commands into certain files or run them on a bash shell?
7) Are their GOOD websites or blogs that cover this subject? I can't afford to buy a library of books and wouldn't have time to read them. Also, by the time I do, the information would be outdated. I need to keep up. Finally, I learn best by doing and need to hit the ground running; information needs to be somewhat noob friendly and definitely actionable.
Also, what about implementing general server privacy practices? For example, I invest in truly private domain name registration (read: privacyprotect.org) and, in addition, private DNS for my website and blog domain names. I will be employing other (legal) techniques that prevent to much info from being revealed in my email headers without getting my email sent to spam. In some case, I use encrypted email.
If I'm taking those steps, so, doesn't make sense to implement a strategy that prevents as many people as possible from physically locating my servers in the first place--to force them to spend significant time (and money if they're serious) trying to figure out where my IP addresses goes by using some kind of stealth DNS?
The analogy that comes to mind is using a correctly configured, encrypted and anonymous VPN, SSH tunnel or proxy server to mask the IP address that leads to your home ISP and, ultimately, to your house. Not to protect yourself from law enforcement because if you're doing illegal stuff online, you SHOULD be caught. But to protect myself from nefarious individuals, nosy neighbors, stalkers or ISPs logging your every internet move. Is there a way to do this with my dedi and VPSes, prevent unnecessary location thus targeting, logging, sniffing, etc?
What other things should I be thinking about? Tell me what I'm missing but please don't just share potential nightmare scenarios without telling me HOW to avoid them.
Again, the advice that's most helpful to me focuses on constructive, actionable solutions; what I CAN do, use, implement, deploy, etc. to develop and execute a strong security strategy for my servers. Again, if you share a negative scenario, please share a positive, effective solution. Tell me how I CAN effectively implement best security practices, even as a noob (since we ALL start as noobs, right?),
I already know this won't be easy but I'm up for the challenge and like the control I'll have managing my own servers. So, I'm also not looking to pay anyone else to manage my digital assets (including my DNS) or for average end-user (retail) solutions designed for truly non-technical folks but ineffective for power users. Been there, done that, lost a lot of data, especially lately.
Finally, though I won't totally cheap out, I don't have thousands of dollars to invest in enterprise level services I don't need for just one dedi and two small VPSes. To me, in terms of scale, this is not unlike securing my home network of a couple of laptops and a desktop workstation from drive by hacking and other threats. In addition to open source software, if I can do something myself, I'd rather, than paying someone else.
If I can rebuild my Windows desktop from bare metal (more than once, in fact) and install a home network and secure both as well as any service can, I can do this.
View 6 Replies
View Related
Jun 1, 2009
any free tools or affordable tool online to check if a server is secure enough?
View 5 Replies
View Related
Apr 28, 2008
i have managed server. just i want sure if it is secured.
i want company to test my server, Security Scanner.
and give me report about my bugs.
View 7 Replies
View Related