We have a server that was breached and is being used to send DDoS attacks to another website, and we need to stop it permanently and secure our server to prevent it from happening again.
My tech has already been able to track down the bot/script that was sending it and seemed to stop it for about a week, but they have gained access to the server again.
He is not an expert at security issues so I'm looking to hire someone for a one time job to correct this issue.
Can someone offer me referrals to someone who can take care of this? Please do not recommend Rack911, as I waited nearly a week for their assistance and had no luck.
We have found (thanks to CSF warning us) 4 suspicious files in /tmp. One is a Perl script (probably a backdoor) and the other 3 files are binaries. They were probably uploaded through some vulnerability in a customer's website (now suspended), because they are under his ownership.
The server seems ok, nothing out of the ordinary (the root logins are disabled, we su - from another account).
We have run rkhunter and chkrootkit (fresh installs) and found nothing.
One of the binaries contained this (retrieved with strings): chown root:root /tmp/suid; chmod +s /tmp/suid (suid being one of the other binaries). This /tmp/suid has no suid set and is not under root ownership:
-rw-r--r-- 1 user user 759 Jan 25 2008 dc.pl
-rwxr-xr-x 1 user user 2404 Nov 4 22:10 libno_ex.so.1.0*
-rwxr-xr-x 1 user user 4945 Nov 4 22:10 suid*
-rwxr-xr-x 1 user user 6209 Nov 4 22:10 udev*
dc.pl seems to be from January but it's apparently fake:
I found a random proxy site running out of /var/www/temp. It seems to have been created yesterday, and I found out about it via a DMCA notice from The Planet. Is this Apache's temporary directory? There was even an entry for it in the Apache configuration, and it was running as a Perl script out of its own cgi-bin. I killed it and chmod'd it to 0. In the future, would setting permissions on this directory to non-executable prove to be effective? Any idea if this type of breach is serious enough to warrant an OS reinstall?
I can't get access to a certain site. I always get the page with:
network time out - server at *** takes too long to respond. More people have noticed this, and apparently it only happens to people with certain specific providers, and not all the time. Sometimes they DO get access even though they belong to the same ISP. So I guess an ISP isn't blocking access to it, otherwise it would be permanent. The site administrator insists that certain ISPs are blocking his site. He's hosting it on his own server. The domain is registered at namecheap.com.
If an ISP is blocking this site (if that's possible?), that would lead to that 'network timeout' page, wouldn't it?
What is the most likely reason for getting a timeout page anyway?
The server goes down from time to time; every 12 days or so the site hosted there is no longer accessible. Everything starts with the site slowing down and down, and then it is no longer reachable. What we do is request a power cycle, and with this we start all over again until the next power cycle, and so on. Of course, here are my server details and more info on this:
- MySQL - 5.1.41-3ubuntu12.10
- Apache - 2.2.14-5ubuntu8.4
- PHP - 5.3.2-1ubuntu4.9
- operating system: Ubuntu Server 10.04 LTS
After some time spent emailing the support guys to get them to even barely check what's going on, we received an email with a few things:
1.- found a few errors that likely would cause issues with Apache. The first error is: [Mon Feb 04 05:03:10 2013] [error] mod_fcgid: fcgid process manager died, restarting the server and the next error is: [Mon Feb 04 14:32:34 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting ...
Both these errors seem to indicate that you have a process that is running out of control on your server. We were unable to determine what script running on your site caused your connections to be maxed out; however, it does appear that before these errors were generated there was a WordPress plugin referenced in your access logs...
2.- Additionally, during our review we did find that your error log for mercadodedinerousa.com is 45 GB, which is excessively large and can cause problems when Apache is trying to write such a large file.
3.- The majority of the errors being logged are: [Wed Feb 06 12:12:31 2013] [error] [client 200.76.90.5] Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden: /var/www/vhosts/mercadodedinerousa.com/httpdocs/index.pl, referer: [URL]
Somewhere on my cPanel server a script has been used by a spammer, and I'm now getting tonnes of returned mails from AOL etc. Thousands are coming in every hour.
I think I have found the culprit, but I can't be sure. How can I find out for sure which script this was? The email headers don't even show the user, from what I can see!
I got an email saying that there was a security breach at Steadfast. At the same time I got an email saying that my account was suspended because I am sending spam from one of my domains. I NEVER SEND SPAM. I opened a support ticket and they apologized, saying it's not my fault, and they restored my account. Apparently spam was sent by a PHP script, but they don't want to give me details. The next day they suspended my account again for the same reason.
I don't know how, but the passwords keep getting changed on the emails on my cPanel. There is no one else who has access and no files are being deleted, so the problem is only with the email.
I just received a fairly scary WHMCS notice, you can view the details here:
<<please don't paste the file names, there are accounts that may have these on them>>
What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end.
I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored.
Are their own billing systems and servers hosted in the same environment? Were our billing details also released? etc. I want to know the scale of the attack.
I got this email earlier today, surprised to see there isn't already a 10-page thread about it. Did anyone else get this from The Planet?
In the course of the last two days, our Computer Security Incident Response Center team has identified suspicious activity in our customer management portal. Through their vigorous investigation, we have identified what appears to be a security breach that may have affected your customer portal account and server passwords. We have identified the methods by which the systems were compromised and have closed those holes. In addition to those actions, we will be implementing additional security measures to further strengthen the infrastructure and systems.
We are taking this action to alert you to this potential malicious activity. At this juncture, we are aware of only two incidents whereby log-in and server passwords were accessed. Based upon our security review of access logs, we do not believe any credit card information was compromised. We have contacted the authorities and are working with them to identify the perpetrator and to pursue appropriate legal action.
We are taking a proactive approach by contacting you directly, which we believe is the best course of action. We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:
1) Change your Orbit log-in passwords immediately and do so again every 60 days.
2) Change your server passwords and do so again every 60 days.
3) Be alert to any suspicious activity on your account.
4) If you suspect any unusual activity, please retain your access logs along with
I am using putty to get SSH access to my server. What I need to do is create a backup of a directory on my server and then get that file on my computer somehow.
I do not have FTP access and don't know how to set this up.
I do have HTTP on the server, but I get a 403 Forbidden error when I try to access the file via my browser. I need help ASAP. If you can help I may be able to reward you.
Name your price if you can't do it for free or want some incentive
The faster the better. If you can get on AIM or MSN right now please get a hold of me. My aim is bikerjeg and MSN is bikerjeg -at- sbcglobal.net
I've just been thinking: currently I host all my services with other hosting companies, like my web hosting accounts etc., but I was thinking of buying a DA licence and installing it onto one of my Linux servers.
On DA's website it says one licence per IP or something along those lines. Does this mean if I were to install a licence on, say, 99.99.99.999 and it was working OK, but then I changed my IP range to 99.99.99.998, the DA licence would no longer be valid?
Which free server admin tool do you prefer? As far as I can tell Webmin and DirectAdmin are the major players (correct me if I am wrong). I am the only one with access, so there is no need for other accounts or hosting sites for others.
Has anyone used Attacker.net for server admin work, especially on FreeBSD? My other Admin team bailed on me, so I am looking for a new team to Secure and Harden my box. I have searched the boards, and have not found a review on them yet.
I have been experiencing strange behaviour from the Plesk admin panel. There have been a lot of similar issues with 500 Internal Server errors, but mine is a bit different.
This is the log that came from '/var/log/sw-cp-server/error_log':
As you can see, there is a line that starts with /bin/sh: /usr/share/sw-cp-server/applications-conf.sh: Permission denied, and I tried changing the permissions on this one to 0755 or alternatives to get it to run, but nothing changed. Btw, I have plenty of disk space, so that wasn't the case either.
I cannot even log in with my domain name without 'https' and with port 8880. It's giving me the same issue again.
BTW, I want to give a little extra information: the Plesk admin panel had been working for a long time, but as of today it's stuck on a 500 Internal Server error. What I tried today was to follow 'How to generate custom self-signed SSL certificates and apply it to Postfix: [URL] ....', but after the 6th step I decided to stop because I couldn't find the root.pem file for a minute, and then I wanted to try Plesk and saw the bad news. I don't know if it was related, but I wanted to share.
Health Monitor Module is installed and running on server, but not visible under Server Administration Panel > Home > Server Health on Plesk Panel 11.0.9 update #7. Is there a trick to configuring home to show it and/or a direct way to launch view of server health?
I have a big problem. In my HyperVM I've changed the time to EUROPA/Sarajevo, but in WHM it is still running 24 hours ahead. Please help me to resolve this. This is very important...
I have 1 decent server hosted by NetRiver, managed by PSM. For the past 3 weeks, my server goes down every night at the same time. During the day the load is really low (below 1), and suddenly, just before 3 o'clock in the morning, it goes up to 2000 and the system crashes and needs a reboot; then it goes back to normal again. PSM doesn't know what is causing it and just advised me to install PRM (which I tried before and it really gave me a headache). What do you guys think is causing it?
After being with KnownHost for a while, I decided to make the jump to a real Dedicated Server. KnownHost does offer a Hybrid Server -- but it isn't a real Dedicated Server. So I gave up my Hybrid at KH to experience the real thing.
After much research, I selected ManageMyBox (MMB)-- their current special is awesome with a managed Dual Core AMD with lots of disk space and generous bandwidth. My only concern about MMB was some of the discussion threads about their support, but if you read long enough, you will find the same support issues at all hosting companies.
I just wanted to let you guys know that so far, in day two with MMB, I'm ecstatic to report that my server was set up correctly from the very beginning in less than the 24-48 hours they advertise (mine was less than 24), and I have already opened a support ticket to get another piece of software installed -- and within 30 minutes, the software was installed and the ticket closed. This all happened tonight -- a Saturday night.
I'm not getting paid to post this -- but I do believe in giving credit where credit is due. I will report follow-ups if things do take a turn for the worse, but so far, it's not just good -- it's GREAT!
A week ago I decided to rent another dedicated box, install CentOS 5 64bit and use LiteSpeed as the web server. What seemed trivial at the start became a nightmare later.
I was unable to compile PHP 5 with --with-litespeed and --with-curl directives. If I removed one of them it was ok but together it didn't work.
I tried searching the forums but nothing helped, so I decided to go back to CentOS 5 32bit and try there. It compiled OK. So I'm in trouble now. I wanted to have a server with a 64bit OS + LiteSpeed because of its speed, low system resource consumption and good DOS protection. I asked several questions about the advantages of a 64bit over a 32bit OS, and the most important thing was how many issues I could expect on a 64bit OS (library availability). Almost every reply said that going with a 64bit OS is without issues. My experience says it's not as easy as I expected.
I haven't found any good protection against DOS for Apache so far; mod_evasive doesn't work as I expected. What do you recommend? Should I stay with Apache on CentOS 64bit with everything installed via yum (should work OK), or go with CentOS 5 32bit + LiteSpeed there? The LiteSpeed I'm talking about is the Enterprise edition.
I have had a reseller package with a small company for almost a year, but now it is full, so I decided to get 2 servers from The Planet. Now I already have 2 servers: one is for selling hosting and the other is for installing a YouTube-like script for a video site.
OK, now I'm new to servers and I need to set up my domain with the server. Can you guys tell me step by step how I can get it to work, because I already tried to do it and it doesn't work. I'm very frustrated.
First, I got the domain from GoDaddy. Now let's work with this example domain [ mydomain.com ]. How can I add this domain to set up my servers? I have 2 servers:
server1: this is for starting to sell hosting
server2: this is for my video script
Now, how can I set up these 2 servers with my domain and the DNS, step by step and all of this, so I can start selling hosting?
I have to reboot this server each day. It seems to crash (or freeze if you call it) around 11:55 pm server time (central US). How do I trace the cause of this? I installed CSF / LFD in replacement of APF/BFD.
This is a centos 3.9 / cpanel 11 box.
crontab -e shows nothing out of the ordinary beyond the defaults
/var/log/messages shows this:
Nov 23 19:14:00 server sshd(pam_unix)[29523]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:02 server sshd(pam_unix)[29533]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=gopher
Nov 23 19:14:02 server sshd(pam_unix)[29541]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=gopher
Nov 23 19:14:02 server sshd(pam_unix)[29553]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=gopher
Nov 23 19:14:02 server sshd(pam_unix)[29570]: check pass; user unknown
Nov 23 19:14:02 server sshd(pam_unix)[29570]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:05 server sshd(pam_unix)[29580]: check pass; user unknown
Nov 23 19:14:05 server sshd(pam_unix)[29580]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:08 server sshd(pam_unix)[29584]: check pass; user unknown
Nov 23 19:14:08 server sshd(pam_unix)[29584]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:11 server sshd(pam_unix)[29588]: check pass; user unknown
Nov 23 19:14:11 server sshd(pam_unix)[29588]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:13 server sshd(pam_unix)[29592]: check pass; user unknown
Nov 23 19:14:13 server sshd(pam_unix)[29592]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:16 server sshd(pam_unix)[29596]: check pass; user unknown
Nov 23 19:14:16 server sshd(pam_unix)[29596]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:19 server sshd(pam_unix)[29600]: check pass; user unknown
Nov 23 19:14:19 server sshd(pam_unix)[29600]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:22 server sshd(pam_unix)[29605]: check pass; user unknown
Nov 23 19:14:22 server sshd(pam_unix)[29605]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:25 server sshd(pam_unix)[29614]: check pass; user unknown
Nov 23 19:14:25 server sshd(pam_unix)[29614]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:27 server sshd(pam_unix)[29618]: check pass; user unknown
Nov 23 19:14:27 server sshd(pam_unix)[29618]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com
Nov 23 19:14:30 server sshd(pam_unix)[29622]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=mailnull
Nov 23 19:14:33 server sshd(pam_unix)[29631]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=nfsnobody
Nov 23 19:14:36 server sshd(pam_unix)[29635]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=rpcuser
Nov 23 19:14:38 server sshd(pam_unix)[29639]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=rpc
Nov 23 19:14:41 server sshd(pam_unix)[29643]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a2.f5.5646.static.theplanet.com user=gopher
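Triage of a log like the one above, as an added example that is not part of the thread (the log lines inside it are constructed in the same pam_unix format, with documentation-range addresses standing in for the real rhost): it groups failures by remote host, counts attempts against usernames that do not exist on the box by pairing each 'check pass; user unknown' line with the failure that shares its pid, and flags any host that exceeds a threshold inside a short window, which is the kind of rule LFD enforces.

```python
import re
from collections import defaultdict
from datetime import datetime

# Old-style syslog line from sshd's pam_unix module (no year in the timestamp).
# "check pass; user unknown" has no rhost; its pid matches the failure line logged next.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"(?P<msg>authentication failure|check pass; user unknown)"
    r"(?:;.*?rhost=(?P<rhost>\S*))?(?: user=(?P<user>\S+))?$"
)

# Constructed sample in the post's format, with documentation-range addresses for rhost.
SAMPLE_LOG = """\
Nov 23 19:14:00 server sshd(pam_unix)[29523]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
Nov 23 19:14:02 server sshd(pam_unix)[29533]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=gopher
Nov 23 19:14:02 server sshd(pam_unix)[29570]: check pass; user unknown
Nov 23 19:14:02 server sshd(pam_unix)[29570]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
Nov 23 19:14:05 server sshd(pam_unix)[29580]: check pass; user unknown
Nov 23 19:14:05 server sshd(pam_unix)[29580]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7
Nov 23 19:14:30 server sshd(pam_unix)[29622]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=mailnull
Nov 23 19:40:00 server sshd(pam_unix)[30101]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.9 user=admin
"""


def burst(times, threshold, window_s):
    """True if at least `threshold` events fall inside any window of window_s seconds."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def summarize(lines, threshold=5, window_s=60):
    """Per rhost: failures, attempts on non-existent users, names tried, and a burst flag."""
    unknown_pids = set()
    hosts = defaultdict(lambda: {"failures": 0, "unknown_users": 0, "users": set(), "times": []})
    for m in filter(None, map(LINE_RE.match, lines)):  # skip lines that are not pam_unix sshd
        if m["msg"].startswith("check pass"):
            unknown_pids.add(m["pid"])  # this attempt used a username that does not exist here
            continue
        h = hosts[m["rhost"] or "?"]
        h["failures"] += 1
        h["times"].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
        if m["user"]:
            h["users"].add(m["user"])  # in this log, user= appears only for accounts that exist
        elif m["pid"] in unknown_pids:
            h["unknown_users"] += 1
    return {r: {"failures": h["failures"], "unknown_users": h["unknown_users"],
                "users": sorted(h["users"]), "flagged": burst(h["times"], threshold, window_s)}
            for r, h in hosts.items()}
```

Run it over your own /var/log/messages with `summarize(open("/var/log/messages"))`; the flagged hosts and the names tried (system accounts like gopher, mailnull, rpc) tell you whether this is a blind dictionary sweep or targeted at accounts you actually use.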