Server Hacked 550 Operation Not Permitted
Apr 30, 2009
I own a dedicated server from HFW; a few hours ago some hacker injected the following PHP code into some of the domains hosted on the server: ...
This is what I got from the tech support:
Quote:
I was able to mount your old var, tmp, usr, and even the old root partitions, but the home partition was unsuccessful.
I've tried mounting your old home partition but I was unsuccessful, which might be a bad sector on the drive.
Code:
# mount /dev/ad3s1g /mnt/oldhome/
mount: /dev/ad3s1g: Operation not permitted
I've noticed that my site has delays every few seconds when using the database. At least 2-4 seconds. Now the load is 0.05 basically.
So I did a ping from my webserver to the db server and got:
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.138 ms
ping: sendmsg: Operation not permitted
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.086 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.104 ms
ping: sendmsg: Operation not permitted
I then turned off iptables and it works fine now. How do I find out what's causing this?
I have WHM 11.23.2 cPanel 11.23.6-R27698
CENTOS Enterprise 4.7 i686 on standard - WHM X v3.1.0
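The alternating replies and "sendmsg: Operation not permitted" errors in that ping output are what a rate-limited OUTPUT rule produces: a REJECT or DROP verdict in the OUTPUT chain is handed back to the sending process as EPERM, and a preceding ACCEPT with -m limit lets only part of the traffic through. The script below is an added example, not from the post: it reads `iptables-save` output and points at the rules that can return EPERM. The ruleset embedded in it is constructed to reproduce the symptom, and the script file name in the usage comment is my assumption.

```python
import re
import sys

BLOCKING = {"DROP", "REJECT"}
RATE_MODULES = {"limit", "hashlimit"}

# Constructed `iptables-save` output (not from the original post) that
# reproduces the symptom: outbound echo requests are accepted at 1/sec with
# a burst of 2, and everything above that falls through to a REJECT.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 2 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_table(text, table="filter"):
    """Return (chain policies, rules) for one table of iptables-save output."""
    policies, rules, in_table = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_table = line[1:] == table
        elif not in_table or not line:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = line.split()
            rules.append({
                "chain": tok[1],
                "target": tok[tok.index("-j") + 1] if "-j" in tok else None,
                "modules": {tok[i + 1] for i, t in enumerate(tok) if t == "-m"},
                "raw": line,
            })
    return policies, rules


def find_eperm_causes(policies, rules, chain="OUTPUT"):
    """List the rules in `chain` that make local sends fail with EPERM.

    A DROP/REJECT verdict (or a DROP policy) in OUTPUT is reported to the
    sending process as "Operation not permitted".  If an earlier ACCEPT in
    the same chain uses -m limit / -m hashlimit, only the packets inside the
    limit match it and the rest fall through, which gives the alternating
    replies and errors seen with ping.
    """
    findings = []
    chain_rules = [r for r in rules if r["chain"] == chain]
    if policies.get(chain) == "DROP":
        findings.append({"kind": "policy", "rule": f":{chain} DROP", "limited_by": []})
    for idx, rule in enumerate(chain_rules):
        if rule["target"] not in BLOCKING:
            continue
        limited = [r["raw"] for r in chain_rules[:idx]
                   if r["target"] == "ACCEPT" and r["modules"] & RATE_MODULES]
        findings.append({
            "kind": "rate_limit" if limited else "block",
            "rule": rule["raw"],
            "limited_by": limited,
        })
    return findings


def report(text, chain="OUTPUT"):
    """Human-readable summary for one chain."""
    policies, rules = parse_table(text)
    lines = []
    for f in find_eperm_causes(policies, rules, chain):
        lines.append(f"[{f['kind']}] {f['rule']}")
        for r in f["limited_by"]:
            lines.append(f"    only traffic within this limit gets past: {r}")
    return "\n".join(lines) or f"no {chain} rule can return EPERM"


if __name__ == "__main__":
    # `iptables-save | python3 eperm_rules.py`; with no piped input the sample runs.
    src = SAMPLE_IPTABLES_SAVE if sys.stdin.isatty() else sys.stdin.read()
    print(report(src))
```

Turning iptables off confirms the firewall is involved but removes it entirely; running this against the live ruleset shows which rule to loosen (raise the limit, or exempt the database host with an earlier ACCEPT) while keeping the rest.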
I host people who use a certain php script. This script is updatable from their admin panel.
But now 2 of the sites are getting this error when they try to update:
[Install update]
Uncompress update: error
Tar_error.log:
Code:
/bin/tar: admin/ioncube: Cannot utime: Operation not permitted
/bin/tar: admin/cronjobs: Cannot utime: Operation not permitted
/bin/tar: admin: Cannot utime: Operation not permitted
/bin/tar: fonts: Cannot utime: Operation not permitted
/bin/tar: images: Cannot utime: Operation not permitted
/bin/tar: includes: Cannot utime: Operation not permitted
/bin/tar: mysql_restore: Cannot utime: Operation not permitted
/bin/tar: plugins: Cannot utime: Operation not permitted
/bin/tar: templates: Cannot utime: Operation not permitted
/bin/tar: utilities: Cannot utime: Operation not permitted
/bin/tar: Error exit delayed from previous errors
I've never seen that particular error before.
I'm currently running Samba on one of my Linux servers and want to connect to it from another Linux server.
1. Do I need to install Samba on the connecting server (client side)?
2. I can see/mount the Samba folder just fine; I can delete, make, etc. The only thing I can't do on the client side is change ownership of a file or folder... even if I'm logged in as root.
I have a problem:
Code:
[root@serwer /]# /scripts/upcp --force
Updating /scripts...
Sync Source: http://httpupdate.cpanel.net/RELEASE/scripts
Fetching http://httpupdate.cpanel.net/cpanels...cpanelsync.lock (0)....@69.72.164.152......connected......receiving......Done
Fetching http://httpupdate.cpanel.net/cpanels...cpanelsync.bz2 (0)....@69.72.164.152......connected......receiving...26%...53%...80%...100%...
...Done
...Done
Checking and Repairing System Package Setup......Done
Setting up ip startup......Done
Configuring editors......Done
Creating symlinks for common binaries......Done
Setting Clock...rdate: rdate: could not set system time: Operation not permitted
...Done
Running Env Auto Repair...quota test: repquota exited with signal 0 (ok)
...Done
...
This is a VPS on my dedicated server:
1. The dedicated server is on Debian 4.0
2. On Debian is OpenVZ
3. On OpenVZ is CentOS 5
4. On CentOS is cPanel
How will I unblock rdate on my VPS?
My friend and I set up a server, and I need to know everything I can do with running a server. Does anyone have any helpful links?
I need something basic and to the point. I knew a website called (DSLWEBSERVER) but I guess it's down now..
We have a dedicated server with Windows 2003 and Hosting Controller on it, with MS SQL 2005 Express Edition.
For the last few days we have had this problem: the MDaemon mail server would go down on some page fault and the server would hang, and when we investigated the Event Viewer we found hundreds of errors with the following message.
Quote:
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry
We replaced the HDD and reinstalled Windows 2003, and built the server back with every piece of software we had earlier; the old HDD is still there as the D drive but not in use. Still, the server went down today. We believe it's no longer an HDD issue, but now the problem is how to get to the root of this and how to monitor it?
I had a minor hint from searching on Google that some trojan creating too many handles would cause the system to go down this way, but we rebuilt the entire server with fresh installations downloaded from the vendors' websites.
If MDaemon is creating too many handles, how do we monitor it, and how do we restart it in such an event?
I'm trying to upload a big file, between 300 and 500 MB, by FTP to my dedicated server, but the connection is broken, and when I try to resume it's not allowed. How can I enable uploading big files and resuming files in ProFTPD 1.3.0a, or am I missing something in the conf file?
Here is the log: ..........
I've installed Apache, PHP5 and the PHP handler but couldn't start the server; my error log is below.
Installing the Apache2 service
The Apache2 service is successfully installed.
Starting the Apache2 service
The Apache2 service is running.
[notice] Apache/2.0.64 (Win32) configured -- resuming normal operations
[Mon Apr 22 21:16:59 2013] [notice] Server built: Oct 18 2010 01:36:23
[Mon Apr 22 21:16:59 2013] [notice] Parent: Created child process 1060
[Mon Apr 22 21:16:59 2013] [notice] Child 1060: Child process is running
[Mon Apr 22 21:16:59 2013] [notice] Child 1060: Acquired the start mutex.
[Mon Apr 22 21:16:59 2013] [notice] Child 1060: Starting 250 worker threads.
I've been working on this for some time now, but I'm not sure how the settings were transferred over to this server. I wish I had been there when it was done.
Anyway, we got a new server and we transferred all the accounts to the new one. The old one is gone. When people send emails to their email accounts on the server, this is returned:
This is an automatically generated Delivery Status Notification
Delivery to the following recipient failed permanently:
admin@crewxp.com
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 9): 550 relay not permitted ....
Whenever I try to create a user account I get the following error
Sorry, resellers are not permitted to create subdomains of the server's main domain
My server domain is www.domain.com and the reseller is trying to create a user account like new.domain.com. It was working fine a few weeks back, but I think since I upgraded cPanel and WHM it doesn't allow creation of accounts any more.
Could someone help me to fix this error please?
I own the VPS and the reseller and all other accounts.
we are getting a number of:
does not like recipient.
Remote host said: 550 relay not permitted
I checked the IP status and it is not flagged or listed as banned; there would be no reason, however I double-checked and there were no issues there.
Can someone suggest if this is a server issue?
Using a custom mx entry as well
So basically it's due to the MX change; it looks like it sees any incoming email (addressed to the local domain) as relaying.
< gateway4.lastspam.com #5.1.1 SMTP; 550-gateway4.lastspam.com [209.172.54.237]:36995 is currently not permitted to relay>
EXIM errors:
2007-05-19 09:39:32 H=gateway4.lastspam.com [209.172.54.237]:37074 I=[xxx.xxx.67.88]:25 F=<eslight@domain.com> rejected RCPT <test@xtdv.com>: gateway4.lastspam.com [209.172.54.237]:37074 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
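The rejection quoted above, as an added example (not part of the post, and not cPanel's or exim's own code): a parser for exim's "rejected RCPT ... not permitted to relay" lines that separates inbound mail for a domain this server is supposed to host from genuine relay attempts. A relay rejection for a hosted domain means exim does not consider that domain local; the usual cPanel cause once the MX points at an external gateway is the domain ending up in /etc/remotedomains instead of /etc/localdomains. The log lines are constructed around the quoted one, 192.0.2.10 stands in for the server's own address, and the hosted-domain set and gateway IP passed in are the caller's assumptions.

```python
import re
from collections import Counter

# Constructed exim mainlog lines (not from the original post), modelled on
# the "not permitted to relay" rejection quoted above.
SAMPLE_EXIM_LOG = """\
2007-05-19 09:39:32 H=gateway4.lastspam.com [209.172.54.237]:37074 I=[192.0.2.10]:25 F=<eslight@domain.com> rejected RCPT <test@xtdv.com>: gateway4.lastspam.com [209.172.54.237]:37074 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2007-05-19 09:40:11 H=gateway4.lastspam.com [209.172.54.237]:37102 I=[192.0.2.10]:25 F=<someone@example.org> rejected RCPT <sales@xtdv.com>: gateway4.lastspam.com [209.172.54.237]:37102 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2007-05-19 09:41:02 H=(mail.attacker.invalid) [198.51.100.7]:4412 I=[192.0.2.10]:25 F=<spam@example.net> rejected RCPT <victim@outside.example>: (mail.attacker.invalid) [198.51.100.7]:4412 is currently not permitted to relay through this server. Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.
2007-05-19 09:42:30 1HpCcs-0001Xe-2k <= user@xtdv.com H=(client) [203.0.113.9] P=esmtpa A=dovecot_login:user@xtdv.com S=1234 for friend@example.com
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]:\d+ "
    r".*?F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$"
)


def parse_relay_rejects(text):
    """Yield one dict per 'rejected RCPT ... not permitted to relay' line."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m and "not permitted to relay" in m.group("reason"):
            d = m.groupdict()
            d["rcpt_domain"] = d["rcpt"].rsplit("@", 1)[-1].lower()
            yield d


def classify(rejects, hosted_domains, mx_relay_ips=()):
    """Split relay rejections into the two cases an admin must tell apart.

    hosted_domains: domains this server is meant to accept mail for.
    mx_relay_ips:   addresses of the external MX / spam gateway (optional),
                    tagged in the output so they stand out.

    local_domain_rejected: recipient domain is one we host, so this was
        inbound mail, not relaying; exim does not see the domain as local.
    relay_attempt: recipient domain is foreign and the sender was not
        authenticated; the rejection is correct.
    """
    hosted = {d.lower() for d in hosted_domains}
    result = {"local_domain_rejected": Counter(), "relay_attempt": Counter()}
    for r in rejects:
        key = "local_domain_rejected" if r["rcpt_domain"] in hosted else "relay_attempt"
        src = r["ip"] + (" (gateway)" if r["ip"] in mx_relay_ips else "")
        result[key][(src, r["rcpt_domain"])] += 1
    return result


def report(text, hosted_domains, mx_relay_ips=()):
    res = classify(parse_relay_rejects(text), hosted_domains, mx_relay_ips)
    out = []
    for kind, counter in res.items():
        for (src, domain), n in counter.most_common():
            out.append(f"{kind:22} {n:4}  from {src} for {domain}")
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: report(open("/var/log/exim_mainlog").read(), {"xtdv.com"}, {"209.172.54.237"})
    print(report(SAMPLE_EXIM_LOG, {"xtdv.com"}, {"209.172.54.237"}))
```

Any count under local_domain_rejected is a configuration problem on this server, not an abuse attempt, and fixing the local-domain list clears it; counts under relay_attempt are the ACL doing its job.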
Someone has claimed that he has penetrated my server and has gathered some kind of information via shell access. I have disabled the possible ways of shell access for the users via tweak settings and php.ini.
- How can I check whether he has made a backdoor for himself or not?
I have also made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How can I remove them?
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
What does it mean? Sorry for asking for a fast answer. I have changed my domain's IP to protect against someone running a dangerous script...
My dedicated server was rather slow. Upon checking, I had a new cron job (deleted now) made by apache, pointing to the following IRC bot.
[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate
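An added example, not from the post, of the check to run after finding a directory like /tmp/.LiveZone: walk the world-writable temp directories without following symlinks and flag hidden directories, executables, known bot artefacts (a psybnc.pid, a stray httpd binary) and anything owned by the web server account. The sample tree it builds is constructed to mirror the listing above; the bot marker names, the temp directory list and the service account list are my choices, not something the post states.

```python
import os
import stat
import tempfile

try:
    import pwd
except ImportError:  # not a Unix system; owners are reported as numeric uids
    pwd = None

# Assumed lists (my choice, not from the post): accounts that serve web
# content, the world-writable directories web exploits drop files into, and
# file names IRC bouncers/bots leave behind (psyBNC, eggdrop, a fake httpd).
SERVICE_ACCOUNTS = {"apache", "nobody", "www-data", "httpd"}
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
BOT_MARKERS = {"psybnc", "eggdrop", "bnc", "httpd", "makesalt"}


def owner_name(uid):
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def hunt(root):
    """Walk `root` without following symlinks; return suspicious entries.

    kinds: hidden_dir (dot directory), executable (regular file with an x
    bit), bot_marker (name matches a known bot artefact or *.pid), and
    service_owned (owned by a web service account).  An entry may carry
    several kinds; each is returned as its own finding.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            kinds = []
            if stat.S_ISDIR(st.st_mode) and name.startswith("."):
                kinds.append("hidden_dir")
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                kinds.append("executable")
            lower = name.lower()
            if lower in BOT_MARKERS or lower.endswith(".pid"):
                kinds.append("bot_marker")
            owner = owner_name(st.st_uid)
            if owner in SERVICE_ACCOUNTS:
                kinds.append("service_owned")
            for kind in kinds:
                findings.append({"kind": kind, "path": path, "owner": owner})
    return findings


def build_sample_tree():
    """Constructed stand-in for the /tmp/.LiveZone listing; returns the parent dir."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    bot = os.path.join(root, ".LiveZone")
    os.mkdir(bot)
    for name, mode in (("httpd", 0o755), ("run", 0o755),
                       ("psybnc.pid", 0o600), ("README", 0o644)):
        path = os.path.join(bot, name)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for base in TEMP_DIRS:
        for f in hunt(base):
            print(f"{f['kind']:14} {f['owner']:10} {f['path']}")
```

Files owned by the web server account in a temp directory were written by a web application, which is the entry point to look for; the cron job the post mentions is the persistence, and the web server's own crontab and the access log around the file timestamps point back at the script that was exploited.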
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have few questions:
1. There are a lot of messages like:
Apr 2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235
Do these messages mean that a hacker is trying to enter the server as root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? A virus on my server, or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Does someone read my emails?
My server just got hacked; I just bought it!!
And they were going to charge me another $35 to reset the password, how stupid...
In the end we got it done free.
My server was hacked night before last and here is the log
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
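Reading the two log excerpts above (the pam_unix authentication failures in /var/log/messages and the "local password accepted" lines from the second log), as an added example that is not from either post. In a pam_unix line, uid=0 euid=0 describe the sshd process performing the check, not the account being attacked; the target account is in the user= field when it is present, and rhost= is the source address. The script counts failures per source, counts which accounts are being guessed, and lists every successful password login as root, which is the line that matters after a burst of failures. The log lines in it are constructed with documentation addresses; the second format is handled by pairing the "connection from" line with the acceptance line through the process id in brackets.

```python
import re
from collections import Counter

# Constructed log lines (not from the original posts) in the two formats
# quoted above: syslog lines from OpenSSH/pam_unix, and the
# 'connection from' / 'local password accepted' pair from the second log.
SAMPLE_AUTH_LOG = """\
Apr  2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Apr  2 02:53:12 host sshd(pam_unix)[29401]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=admin
Apr  2 02:53:15 host sshd[29405]: Failed password for invalid user oracle from 203.0.113.5 port 51512 ssh2
Apr  2 02:53:20 host sshd(pam_unix)[29408]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.44
Apr  2 03:10:01 host sshd[29500]: Accepted password for root from 198.51.100.9 port 4000 ssh2
Apr  2 03:12:44 host sshd[29510]: Accepted publickey for deploy from 192.0.2.20 port 52000 ssh2
Oct 28 10:30:47 server1 [19705]: connection from "203.0.113.77"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
"""

PATTERNS = {
    "pam_fail": re.compile(
        r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?rhost=(?P<ip>\S*)(?: user=(?P<user>\S+))?"),
    "failed": re.compile(
        r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    "accepted": re.compile(
        r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"),
    "conn_from": re.compile(r"\[(?P<pid>\d+)\]: connection from \"(?P<ip>[^\"]+)\""),
    "local_pw": re.compile(r"\[(?P<pid>\d+)\]: User (?P<user>\S+)'s local password accepted"),
}


def summarize(text):
    """Tally SSH authentication activity from syslog-style lines."""
    failures = Counter()   # source ip -> failed attempts
    targeted = Counter()   # account name -> failed attempts (when logged)
    logins = []            # (user, method, ip) for every successful login
    pending = {}           # pid -> ip, for the two-line 'connection from' format
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            g = m.groupdict()
            if kind in ("pam_fail", "failed"):
                failures[g["ip"]] += 1
                if g.get("user"):
                    targeted[g["user"]] += 1
            elif kind == "accepted":
                logins.append((g["user"], g["method"], g["ip"]))
            elif kind == "conn_from":
                pending[g["pid"]] = g["ip"]
            elif kind == "local_pw":
                logins.append((g["user"], "password", pending.get(g["pid"], "?")))
            break
    root_pw = [entry for entry in logins if entry[0] == "root" and entry[1] == "password"]
    return {"failures": failures, "targeted": targeted,
            "logins": logins, "root_password_logins": root_pw}


def report(text, top=10):
    s = summarize(text)
    out = ["failed logins by source:"]
    out += [f"  {ip:20} {n}" for ip, n in s["failures"].most_common(top)]
    out.append("accounts being guessed:")
    out += [f"  {user:20} {n}" for user, n in s["targeted"].most_common(top)]
    out.append("successful root password logins (check each address):")
    out += [f"  {ip} " for _, _, ip in s["root_password_logins"]]
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: report(open("/var/log/messages").read()) or /var/log/secure
    print(report(SAMPLE_AUTH_LOG))
```

The failure lines by themselves are the background noise every Internet-facing sshd sees; the combination of a burst from one address and a later "Accepted password for root" is what a compromise looks like, and it is the argument for key-only root login or no root login at all.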
I found a process /usr/sbin/httpd running as nobody, then I did a trace in WHM and found this. Is my server hacked?
send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
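The strace excerpt above, as an added example that is not from the post: a parser that decodes the DNS query name out of the send() buffer (strace prints it with octal escapes for the label-length bytes) and pulls out every connect() destination, flagging the usual IRC ports. A lookup of an irc.* host followed by a connect() to port 6665 from a process running as the web server user is the classic signature of an IRC bot dropped through a web application. The strace lines in the block are constructed with documentation addresses; the IRC port list is my assumption.

```python
import re

# Assumed port list (my choice): the ports IRC servers conventionally use.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed strace output (not from the original post) of a process that
# resolves an IRC server name and then tries to connect to it.  The DNS
# payload is shown the way strace prints it, with octal escapes.
SAMPLE_STRACE = r"""
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.2")}, 28) = 0
send(4, "\35\37\1\0\0\1\0\0\0\0\0\0\3irc\10quakenet\3org\0\0\1\0\1", 34, MSG_NOSIGNAL) = 34
recvfrom(4, "\35\37\201\200\0\1\0\6\0\0\0\0\3irc\10quakenet\3org\0\0\1\0\1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("198.51.100.23")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
"""

CONNECT_RE = re.compile(
    r'^connect\((?P<fd>\d+), \{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)\}, \d+\)\s*=\s*(?P<ret>-?\d+)\s*(?P<err>\w*)'
)
SEND_RE = re.compile(r'^send(?:to)?\(\d+, "(?P<buf>(?:[^"\\]|\\.)*)"')
ESC_RE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9a-fA-F]{2})|(.))')


def unescape(s):
    """Turn strace's C-style escaped string back into the bytes it printed."""
    out = bytearray()
    pos = 0
    simple = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "a": 7, "b": 8}
    for m in ESC_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        octal, hexa, other = m.groups()
        if octal is not None:
            out.append(int(octal, 8) & 0xFF)
        elif hexa is not None:
            out.append(int(hexa, 16))
        else:
            out.append(simple.get(other, ord(other)))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def dns_qname(payload):
    """Read the question name after the 12-byte DNS header; '' if not a query."""
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return ""
        n = payload[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        if n & 0xC0 or pos + n > len(payload):  # compression pointer or truncated
            return ""
        label = payload[pos:pos + n]
        pos += n
        if not re.fullmatch(rb"[A-Za-z0-9_-]+", label):
            return ""
        labels.append(label.decode("ascii"))


def analyze(text):
    """Return dns_query and connect findings from strace output."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = SEND_RE.match(line)
        if m:
            name = dns_qname(unescape(m.group("buf")))
            if name:
                findings.append({"kind": "dns_query", "name": name})
            continue
        m = CONNECT_RE.match(line)
        if m:
            port = int(m.group("port"))
            result = "ok" if m.group("ret") == "0" else (m.group("err") or "error")
            findings.append({"kind": "connect", "ip": m.group("ip"), "port": port,
                             "irc": port in IRC_PORTS, "result": result})
    return findings


if __name__ == "__main__":
    # Real use: strace -f -p <pid> -e trace=network -s 256 2>&1 | python3 strace_irc.py
    for f in analyze(SAMPLE_STRACE):
        if f["kind"] == "dns_query":
            print(f"resolves  {f['name']}")
        else:
            flag = "  <-- IRC port" if f["irc"] else ""
            print(f"connects  {f['ip']}:{f['port']} ({f['result']}){flag}")
```

The trace shows the bot's intent even when the connect() fails, as it does here; the next step is `ls -l /proc/<pid>/exe` and `/proc/<pid>/cwd` for that process to find the binary and the directory it was started from, before killing it.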
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!
I have a VPS and have root access.
When I restart my apache web server, my websites are working for about 3 seconds! Then it doesn't work any longer!
I've talked to my host; they may find the error if their technicians look at my server, but this will cost!
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............
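Whether that spam is generated by a script on the server or submitted with a stolen mailbox password can be read from exim_mainlog, shown here as an added example that is not from the post. When exim logs command-line arguments (the cPanel exim configuration does), each local sendmail invocation is preceded by a "cwd=" line naming the directory the calling script ran from; mail submitted with a mailbox password instead shows P=esmtpa and an A= authenticator field naming the account. The script tallies both, so the two cases the post cannot tell apart come out as separate counts. The log excerpt is constructed, the paths and accounts in it are placeholders, and the cwd-to-message pairing relies on exim writing the two lines back to back, which is a heuristic under heavy concurrent load.

```python
import re
from collections import Counter

# Constructed exim_mainlog excerpt (not from the original post).
SAMPLE_MAINLOG = """\
2009-04-30 12:00:01 cwd=/home/user1/public_html/gallery/uploads 3 args: /usr/sbin/sendmail -t -i
2009-04-30 12:00:01 1LzXbR-0003bx-7d <= sales@user1.example U=user1 P=local S=1402 T="Cheap meds" for victim1@example.net
2009-04-30 12:00:02 cwd=/home/user1/public_html/gallery/uploads 3 args: /usr/sbin/sendmail -t -i
2009-04-30 12:00:02 1LzXbS-0003c0-1a <= sales@user1.example U=user1 P=local S=1402 T="Cheap meds" for victim2@example.net
2009-04-30 12:03:10 cwd=/home/user2/public_html 4 args: /usr/sbin/sendmail -t -i -f
2009-04-30 12:03:10 1LzXeQ-0003c9-Zz <= shop@user2.example U=user2 P=local S=980 T="Your order" for customer@example.com
2009-04-30 12:05:00 1LzXgA-0003c1-Qq <= sales@user1.example H=(win-pc) [198.51.100.5] P=esmtpa A=dovecot_login:sales@user1.example S=2210 T="Cheap meds" for buyer@example.com
2009-04-30 12:05:01 1LzXgB-0003c2-Rr <= sales@user1.example H=(win-pc) [198.51.100.5] P=esmtpa A=dovecot_login:sales@user1.example S=2210 T="Cheap meds" for buyer2@example.com
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<argv>.*)$")
MSG_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")


def parse_message(line):
    """Parse an exim '<=' (message received) line into its main fields."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")

    def field(key):
        mm = re.search(r"(?:^| )" + key + r"=(\S+)", rest)
        return mm.group(1) if mm else None

    ip = re.search(r"\[([^\]]+)\]", rest)
    subject = re.search(r' T="([^"]*)"', rest)
    return {
        "id": m.group("id"), "sender": m.group("sender"),
        "user": field("U"), "proto": field("P"), "auth": field("A"),
        "ip": ip.group(1) if ip else None,
        "subject": subject.group(1) if subject else None,
    }


def attribute_mail(text):
    """Group accepted messages by how they entered exim.

    scripts:  cwd of the local sendmail call -> messages (P=local, attributed
              to the most recent cwd= line)
    accounts: authenticated SMTP submission (A=...) -> messages, i.e. a
              mailbox password is in use rather than a script on the server
    auth_ips: client addresses behind those authenticated submissions
    subjects: subject lines, which makes a spam run easy to spot
    """
    scripts, accounts, auth_ips, subjects = Counter(), Counter(), Counter(), Counter()
    last_cwd = None
    for line in text.splitlines():
        cm = CWD_RE.match(line)
        if cm:
            last_cwd = cm.group("cwd")
            continue
        msg = parse_message(line)
        if not msg:
            continue
        if msg["subject"]:
            subjects[msg["subject"]] += 1
        if msg["auth"]:
            accounts[msg["auth"]] += 1
            if msg["ip"]:
                auth_ips[msg["ip"]] += 1
        elif msg["proto"] == "local":
            scripts[last_cwd or "(no cwd logged)"] += 1
    return {"scripts": scripts, "accounts": accounts,
            "auth_ips": auth_ips, "subjects": subjects}


def report(text):
    r = attribute_mail(text)
    out = []
    for title, counter in (("sent by scripts in", r["scripts"]),
                           ("sent with mailbox password of", r["accounts"]),
                           ("from client addresses", r["auth_ips"]),
                           ("subjects", r["subjects"])):
        out.append(title + ":")
        out += [f"  {n:5}  {key}" for key, n in counter.most_common(5)]
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: report(open("/var/log/exim_mainlog").read())
    print(report(SAMPLE_MAINLOG))
```

If the counts land under the script section, the cwd path is the compromised web application and wiping the domain was the right move; if they land under one mailbox account with a foreign client address, the spam never touched a script, the mailbox password is known to the spammer, and only changing that password (and rate-limiting or disabling the account) stops it.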
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.
Somebody has been able to penetrate my Admin remote desktop :-( I found strange windows open when I connected, and in the log there was an indication of a printer driver load. The printer name was one I don't have, and my Remote connection has printers off. The attacker, although smart, did connect with his printer and that was visible in the log. When he terminated the session I found his IP.
I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.
I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).
I am desperate. Please, if anybody has some ideas what I can do, how do I "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IPs to port 3389 (Remote Desktop) except my IP. But I am a little scared to do that, so as not to lock myself out. And even in that case, if he knows the admin password he can get in some other way than using Remote Desktop.
I'm using windows 2003 Server to host my website.
I was on vacation for 2 weeks, so I wasn't able to log onto the server. Nor was there any need to log onto the server, as the website was up and running and was fine!
However, when I logged in today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in event viewer, starting from January 30th, there is a whole list of failed log on events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if Windows 2003 automatically logs the IPs of users trying to log in remotely, and where they are stored?
Today while I ran some commands like ls, this error appeared: segmentation fault.
Anyway, the reason is that my server's hacked. Now I've reinstalled it, but my question is:
How could my server be hacked while I have disabled compilers for unprivileged users?
I admit that I have found cgi-telnet scripts, but how could he use them to install a rootkit?
We have a dedicated server with a well known company here in the UK; it's running Windows 2003 Server Std. This runs an application that was developed by our company and is accessed by a maximum of around 50 users per day.
Over the last few months the server has got slower and slower, although we do have periods when it's really fast. There seems to be nothing we can point our finger at as to why it speeds up and slows down; we checked the number of users accessing etc. and it does not seem to affect speed (users access by a secure logon).
This week the server was nearly at a standstill. I rang the hosting company, who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, and mentioned the following:
Dxplay.exe
Dameware.exe
Tree.exe
They said these exe files were listening on a TCP port (excuse my ignorance, I'm not that technically minded).
They also said two users were accessing our server from Canada and California.
They also said that because we had loaded our own software on the server it was not their responsibility if our server was hacked; that we were also running PCAnywhere, and this was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, it was behind their firewall, would that not stop unauthorised access, the response was no.
I have a few questions I wonder somebody might help me with the answers to,
1, Does it appear our server was hacked? - do the exe files look suspicious?
2, What is our hosting company's responsibility?
3, Is PCA secure
4, How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web; could this be internal, i.e. our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else, is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software, and although we have anti-virus we are scanning again; this new scan picked up 7 viruses, I'm not sure yet what these were.
I have worked with rack911 but he does not answer my emails. is there anyone who can start it immediately?
How can I secure php?
my server is hacked but not so deep.