Rootkit, Someboy Get Full Access. Want To Test To Find Out What Software It Is.

Jun 30, 2007

Possible root kit, what can I do?

Sorry for the long post, but I need some feedback.

One of the main reasons that I went from a windows dedicated server to a VPS was because I had several attacks on my server that cost lots of time and money. The only reason to these attacks was that it has to be a root kit in one of the programs I used on my server.

I have used SolarVPS for over 6 months now, and have used most of the same software I used on my dedicated server. I have not had any attacks or somebody gaining access to my VPS.

Last week I got a new Windows VPS from JaguarPC. I installed the same software as always (I will list the software later) and day two of my new VPS somebody had full access, had created a new admin user, installed Utorrent, downloaded and uploaded over 10 GB of movies and music before I discovered the security issue.

Beside my normal software I had downloaded a free downloadmanager, so I could download my plesk backup files faster than on a single download connection. That was the only other software beside my normal software.

But I never used that download manager on my dedicated server, but the same thing happened there also. A user got full access, created a new admin user for remote desktop, etc. I also use different password for the different VPS/DS/hosting plans, but some parts of the main level password is the same.
Last time the user was names support, this time the user was named Dave

I change password often, this year I have changed my password 4-5 times. I have different password for different levels on my VPS/servers. On password for Admin, one for Plesk, one for FTP access to my sites, one for e-mail, one for MySQL etc etc.

I have changed OS at home from XP to Vista, and have only installed 100% secure programs at my home computer. I have not installed one free program or any cracks, warez etc. I also use different antivirus and anti spyware software at home. So the problem can most likely not be at my home computers.

My current software I use on my VPSís are: (I have some more, but that was the software I used on new VPS)

WinRar 3.61 from [url]
Bandwidth monitor Pro from [url]
Weblog Expert 4.1 from [url]
And the only software I donít use on my VPS at SolarVPS:
Free Download Manager from [url]

The strange thing is that last time, over 6-7 months ago when I had all the problems with my dedicated server, I traced the IP the hackers had used to login to my DS to Germany.

This time on my new VPS the person has to be from Germany or on country they speak German. The mp3s and the movies where almost all in German.

My plan for the future:

I think I will buy a new VPS plan to test my software. Install one and one software, and see when somebody get access to my VPS. I have to use a provider that offer free OS reloads, so I can reload the OS after I have tested one and one of my programs.
Do anybody know about any companies that allow me to get free OS reloads and provide a Windows 2003 server?

Or will the backup function in VZPP work as OS reload if I take a backup of my new clean VPS and then install software. If it is a rootkit, and I restore, will the rootkit go away? If yes, I can use all providers with VZPP.

And do I have to tell the company what I have planned to do? A rootkit on my VPS will not affect other VPS, so they can get the same rootkit, or the main server?

View 3 Replies


/var Is Full, Cant Find

May 10, 2008

Weve got a server where the /var is setup at 7gb, which is now %100 full.

Weve deleted the common logs we always notice, but thats only gotten us down to %94.

Anyone have any ideas what we should be cleaning or a good script that might help?

seems 5.5gb of data is in /lib

What is safe to delete from /lib and why is it taking up so much space?

View 4 Replies View Related

Find Full Path Of My Account

Mar 24, 2007

How can i find the full path of my shared account.

Example: /home2/user/public_html/

View 2 Replies View Related

Sharing Full Group Access To 3 Sites/users

Apr 19, 2009

i have 3 sites/users that all need to be able to access each other with complete read/write/exec access

Site1 Site2 and Site3

what's the best way to do this without screwing up all the premissions and access to my currently active sites. I need advice from someone who is a pro at this and not just guessing at what premissions to set. I'm assume i need to create a MasterGrp and invite all 3 sites then set/change permissions on all three sites. Also all new files created would need to have the masterGrp set as the group automatically

View 4 Replies View Related

Rootkit :: No Rootcheck_files

May 19, 2009

2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_files file: './db/rootkit_files.txt'
2009/05/19 03:15:01 ossec-rootcheck: No rootcheck_trojans file: './db/rootkit_trojans.txt'

How can i 'fix' this?

View 3 Replies View Related

Other Rootkit Finders & IDS

Aug 2, 2009

other options over chkrootkit and rkhunter since they are pretty outdated, and so far have found:



View 2 Replies View Related

Rootkit Hunter

Nov 14, 2008

how i can install rootkit hunter on centOs?

and is it different with CHKROOTKIT?

View 5 Replies View Related

How-to - Rootkit Scan (trojan Etc)

Jan 21, 2004

What is a rootkit? The following link is a very good read to answer that question.

In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.


1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense

Now scan your system:

1. cd /usr/local/chkrootkit
2. ./chkrootkit

chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.

Part 2 - automated chkrootkit, and emailed results.

I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.


1. vi /etc/cron.daily/chkrootkit
2. add the following code.

(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan"
3. chmod 0755 /etc/cron.daily/chkrootkit

This will email every morning with your chkrootkit results. the -q option will only show you exploits.


If you don't like getting the emails or just want to remove this from your server:

1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit

All files will now be deleted from your server.

View 14 Replies View Related

In Rootkit Hunter Scan

Jun 26, 2009

how to correct it?

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.

One or more warnings have been found while checking the system.

Please check the log file (/var/log/rkhunter/rkhunter.log)

View 2 Replies View Related

What Is Best Rootkit-detector And Firewall

Jun 19, 2008

I was following this guide: url]

It's very nice but, 4 years old. So now I am wondering what is best rookit detector, and what is best firewall for centOS 5.

View 9 Replies View Related

Rootkit Detection On A Windows VPS

May 4, 2007

My Windows VPS has come under heavy attack by hackers trying to get through MSFTPSVC for the past month and they finally managed to somehow get in 2 days ago. Somehow, the "Allow anonymous login" setting was selected in my FTP settings and they got in.

They even managed to turn off my firewall. I guessing they used a buffer overflow or some other Windows Server 2003 weakness that was fixed in SP2 (too bad SP2 is'nt supported by SWSoft yet).

The attacks began less than 1 week after I had signed up with Virpus. I did'nt even have my domain name pointing to the server or a site up when the first set of dictionary attacks began. How common is that 0_0 ?

Anyway, since I now know they've gotten in I've run a virus check and everything looks clean but I really want to run some kind of root kit detection software. I've tried everything suggested on the antirootkit website but none of them seem to work on a VPS.

View 10 Replies View Related

Rootkit Hunter Installation

Dec 22, 2007

I was thinking of getting one of our server admins to install the Rootkit Hunter.

Would this have any effect on our server resources and stability.

Im trying to be more security minded after afew weeks ago when our server was hijacked, and I dont want to go through this again.

View 1 Replies View Related

AV, Anti-RootKit, And Firewall For Dedi

Nov 15, 2008

trying to secure my new server that will be opening for shared hosting.

So far I've found:

CHKRootKit, RKHunter, and ClamAV

As for Firewall, I've setup CSF but my question is, what is a good setting for blocking SYN Floods without blocking clients who might be browsing their site and, using DA, and FTP.

In the past I've used:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 3/s --limit-burst 5 -j DROP
and took down some pretty big attacks, but it was very touchy.

View 0 Replies View Related

How Can I Get Rootkit Hunter To Email Me The Results

Apr 4, 2008

How can I get rootkit hunter to email me the results?

I tried
0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob
MAILTO=me@mydomain 0 0 * * * /root/rkhunter-1.3.2/files/rkhunter --cronjob

But it is not sending the email, nothing even show up in my exim_mainlog.

View 2 Replies View Related

Security: Rootkit/rkhunter/rootcheck

Aug 24, 2007

For securities purposes whats best to install?

Feel free to suggest any others.

Server is running cpanel

View 4 Replies View Related

How Can I Stop The Rootkit Hunter False Positives

Apr 22, 2008

How can I stop the rootkit hunter false positives?

It is alerting on these, on a fresh OS install:

Checking for prerequisites [ Warning ]
/usr/bin/groups [ Warning ]
/usr/bin/ldd [ Warning ]
/usr/bin/whatis [ Warning ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]

View 2 Replies View Related

Using Find Command With Regex To Find All Number-only Filenames

Oct 15, 2007

how can i do a search for all files (probs using regex) of files consisting purely of numbers?

for e.g. find:


(always have 5 numbers).

seems one of my accounts has had some script run which generated a bunch of these in various subfolders, and the php file basically does a callback to and, which seem to be some sort of spyware servers.

View 10 Replies View Related

Plesk 11.x / Windows :: How To Limit Access To Few IP Address To Access Port 8443 On Firewall

Aug 28, 2012

How can I allow only one ip or a list of ip addresses to access port 8443.I need to limit access this port to few ip addresses and not everyone

View 6 Replies View Related

Test VPS

Jul 17, 2008

Is there a simple windows based tool that we can test two websites on two different VPSs?

Basically just load and what not, but some of the tools we have found are a bit intimidating.. We are just looking for something easy to setup and use.

View 4 Replies View Related

Test An SSL

May 21, 2007

Is there a way to test an SSL to make sure the page really is encrypted?

View 3 Replies View Related

VPS Test

Nov 25, 2007

I have 2 VPS in 2 differents networks. One of these 2 VPS have a WHM/Cpanel load time very high to me. I already contact with my hostiing company support and I told the problem. Support saied that the problem is with my ISP connection. I agree that is possible my ISP issue, but I already test with 3 ISP connections diferents.

So I would like a help to test it. I am creating 2 dummys reseller accounts in my 2 VPSs and I inform the WHM login details here. So I would like that you access both WHMs and try to create a new account and tell me the time to finish the creation process.

From my end one account takes around 90 sec and other take onlu 13 sec.

how much time do you give in creation account on the followinf 2 dummys accounts?

View 14 Replies View Related

How To Test Squid

Apr 5, 2009

I just installed Squid V3. I set up putty to ssh socks proxy to my vps that I installed squid on.

Here is a snippet of my cache.logs, but there is no cache log of websites I have visited. The access.log is empty.

How to I tell if squid is working?


2009/04/04 22:52:37| Starting Squid Cache version 3.0.STABLE13-20090405 for i686-pc-linux-gnu...
2009/04/04 22:52:37| Process ID 9886
2009/04/04 22:52:37| With 1024 file descriptors available
2009/04/04 22:52:37| Performing DNS Tests...
2009/04/04 22:52:37| Successful DNS name lookup tests...
2009/04/04 22:52:37| DNS Socket created at, port 36048, FD 7
2009/04/04 22:52:37| Adding nameserver from /etc/resolv.conf
2009/04/04 22:52:37| Adding nameserver from /etc/resolv.conf
2009/04/04 22:52:37| Unlinkd pipe opened on FD 12
2009/04/04 22:52:37| Swap maxSize 102400 KB, estimated 7876 objects
2009/04/04 22:52:37| Target number of buckets: 393
2009/04/04 22:52:37| Using 8192 Store buckets
2009/04/04 22:52:37| Max Mem size: 8192 KB
2009/04/04 22:52:37| Max Swap size: 102400 KB
2009/04/04 22:52:37| Version 1 of swap file with LFS support detected...
2009/04/04 22:52:37| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2009/04/04 22:52:37| Using Least Load store dir selection
2009/04/04 22:52:37| Set Current Directory to /usr/local/squid/var/cache
2009/04/04 22:52:37| Loaded Icons.
2009/04/04 22:52:37| Accepting HTTP connections at, port 8080, FD 14.
2009/04/04 22:52:37| Accepting ICP messages at, port 3130, FD 15.
2009/04/04 22:52:37| HTCP Disabled.
2009/04/04 22:52:37| Ready to serve requests.
2009/04/04 22:52:37| Done reading /usr/local/squid/var/cache swaplog (0 entries)
2009/04/04 22:52:37| Finished rebuilding storage from disk.
2009/04/04 22:52:37| 0 Entries scanned
2009/04/04 22:52:37| 0 Invalid entries.
2009/04/04 22:52:37| 0 With invalid flags.
2009/04/04 22:52:37| 0 Objects loaded.
2009/04/04 22:52:37| 0 Objects expired.
2009/04/04 22:52:37| 0 Objects cancelled.
2009/04/04 22:52:37| 0 Duplicate URLs purged.
2009/04/04 22:52:37| 0 Swapfile clashes avoided.
2009/04/04 22:52:37| Took 0.02 seconds ( 0.00 objects/sec).
2009/04/04 22:52:37| Beginning Validation Procedure
2009/04/04 22:52:37| Completed Validation Procedure
2009/04/04 22:52:37| Validated 25 Entries
2009/04/04 22:52:37| store_swap_size = 0
2009/04/04 22:52:38| storeLateRelease: released 0 objects
2009/04/04 22:59:06| Squid is already running! Process ID 9886

View 10 Replies View Related

Speed Test

Apr 23, 2009

I recently setup WAMP on my dedicated, and I'm unsure if the slow download speed is from WAMP or something else I need to remove from the dedicated. Might just be the distance I am from the dedicated because it's hitting 88.74Mb/s down and 71.19Mb/s up from a local city.

It's located in Kansas city, MO.

View 14 Replies View Related

How To Test A Port

Sep 28, 2009

How can i test to see if a port on my box is open or not, can i ping it with the ip and the port?

View 4 Replies View Related

How Can I Test Vps Speed

Jun 26, 2009

I ordered my first vps and uploaded a 1 page web site with a few graphics. I browsed to the web site and it took longer than normal to load the entire site with all graphics.

Is there a way that I can test my vps account speed?

View 11 Replies View Related

Can I Have A Speed Test

Sep 17, 2008

Can i have a speed test from different locations. [url]

View 14 Replies View Related

UK2 Speed Test

Mar 8, 2008

Can a few people try to download the test file in [url] and tell me what speeds you get and from which location?

I'm comparing UK2 and RapidSwitch. I'm interested to know the d/l speeds from East/West coast USA, Asia, Australia. I'm assuming Europe would be fast.

View 14 Replies View Related

Where Do You Have Your Test Server

Mar 3, 2008

We are a small development team mostly coding in php/mysql as an unpaid hobby. Anyways yesterday our test server had hardware problems and to get a decent new one would be $300. Well this seems a lot to ask for someone that does get any compensation for it. So we are looking for some cheap way of providing a test server. We need at least a way that provides svn, apache w/ php and mysql. We tried to use the webserver, but the head dev didnt like the idea. Any suggestions?

The three devs are in charge of .

View 17 Replies View Related

Test Robot.txt

Jul 23, 2008

I want to stop cataloging of all PDF files on my site, can this be done using wild cards through Robot.txt?

What is a good way to test to make sure that the instructions in the Robot.txt are working?

View 2 Replies View Related

Copyrights 2005-15, All rights reserved