i find a site hacked all the sites are vbulletin and has no protection .. i think it hacked by Fourm home
i mad a search for SSH and i didnt find any thing
can you advice me how to stop this way of hacking plz?
I'm an owner and manager of a server running about a year ago, and everything was fine till three months ago.
Many VBulletin forums hacked from one hacer.
i hired a technical to re-setup security of the server
upgrading for ( OS , php , apache ) done. and other setting...
after that he said every thing is ok now.
3 weeks later , hack back again from another hacker on 3 VBulletin forums
put in your concideration all hacked forums are secured enough and using 3.6.8 patch level 2.
what possible reasons assist the hacker to reach config file?
is this a gab from the server or VB version?
OS : Fedore 5 .. upgraded from Fedora 4
php Version : 5.2.4
Apache Version : 1.3.39
PERL version 5.8.8
I'm on a dedicated server and the httpd service of the server keeps going down which results in downtime for the number of hours until i dont realise that the site is down.
So when I realise the site is down, I ask the hosting support to look into the issue, they tell me the server loads are high and ask me to upgrade even when I just upgraded the server last month.
Generally the forum has around (250 - 300 members) + guests visitors online and is in the alexa top 20k sites.
The first thing I would want to do is hire a person who specializes in server optimization but then I have heard a lot of bad things like the server admin stealing databases and selling it in open market.
The second thing I wanted to do is contact vbulletin for server optimization but they need me to give them server specs and I dont know how to obtain them.
What is the best way to setup a server for a vbulletin forum with 500-600 concurrent users.
I am torn between going with 1 large box, or a webserver,database server split.
I am trying to transfer my Vb database to another server but I am getting error.
Here's what I did.
1. I exported my old database to my old server to my PC.
2. I imported my database to my new server (different domain)
Now I cannot continue because different errors occur. Please tell me the correct process to do this.
I run a large adult vBulletin community with 70,000 members, 1/2 million posts, 186,000 attachments (a lot video), and closing in on 100 million downloads since our start some odd years ago. I've been battling keeping the site up for quite some time, and I am starting to wonder whether we shot too low on the server setup. I figure I would ask the pros here at WHT for some advice.
This is our current setup:
Site server:
Quote:
CPU: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
4 Gig ram
250 Gig sata harddrive
Unix FreeBSD 6.2
Apache
MySQL server:
Quote:
CPU: Pentium III/Pentium III Xeon/Celeron (2666.62-MHz 686-class CPU)
Cores per package: 4
4 Gig ram
750 Gig SATA harddrive
Unix FreeBSD 6.4
Apache
Do you think the site would perform better under one server and maybe a more powerful processor? What should I be looking at exactly as far as hardware goes for this type of site. I should note we push about 2.5TB of bandwidth monthly.
i get this error after installation my vb in my site
View 14 Replies View RelatedI just added a database server in private network and moved the database for Vbulletin Forum to this server.
But some how, the Forum is loading extremely slow compare to before ( when it was on the localhost). Also, Compare to another website on server (using local database) it is much slower.
One thing good is the load is lower
2 servers are connected via 10mbs private link, both servers are at Softlayer.
webserver: Opteron 170, 2GB RAM, 73GB SCSI 15K
database: Quad Xeon 3220, 2GB RAM, 73GB SCSI 15K.
I've problem with my system (Dell vostro200) I've Mcafee security center and it will block some scripts running in the system during the browsing. I can't use any of vBulletin forums ( registration and posting ) I can't do even Mcafee online registratation also. I'm not an expert in os configurations.
View 0 Replies View RelatedSOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How I can remove them?
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
What is mean ? Sorry for ask a fast answer. I have change my domain's IP to protect someone can run dangerous script...
My dedicated server was rather slow. Upon checking, I had a new cron job, (deleted now) made by apache, pinting to the following IRC bot.
[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have few questions:
1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235
Do these messages mean that hacker trying to enter the server under root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? Virus on my server or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Does someone read my emails?
My server just got hacked i just bought it!!
and they was going to charge me anouther $35 to reset the password how stupid...
in the end we got it done free
My server was hacked night before last and here is the log
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
I found a process /usr/sbin/httpd was running by nobody, then I did a trace in WHM and found this. Is my server hacked ?
send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!
I have a VPS and have root access.
When I restart my apache web server, my websites are working for about 3 seconds! Then it doesn't work any longer!
I've talked to my host but they may find the error if their technicians look at my server but this will cost!
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.
Somebody has been able to penetrate to my Admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of the printer driver load. The printer name was one I don't have and my Remote connection has Printers off. The attacker although smart did connect with his printer and that was visable in log. When he terminated the session I found his IP.
I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.
I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).
I am desperate. Plese, if anybody has some ideas what can I do, how do I "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IP's to port 3389 (Remote desktop) except my IP. But I am a little scared to do that not to lock myself out. And even in that case, if he knows admin password he can get in some other way than using remote desktop,
I'm using windows 2003 Server to host my website.
I was on vacation for 2 weeks so I wasn't able to log onto the server. Nor was there any need to log onto the server as the website was up and running and was fine!
However, when I logged into today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in event viewer, starting from January 30th, there is a whole list of failed log on events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if windows 2003 automatically logs the IPs of users trying to login remotely and where they are stored?
Today while i run some commands like ls this error appeared segmentation falt
any way the reason is my server's hacked now i reinstall it but my question
How could my server hack while i have disabled Compilers for unprivileged users
i admited that i have found cgi-telnet scripts but how could he used it to install rootkit
We have a dedicated server with a well known company here in the UK, its running Windows 2003 server std. This runs an application that was developed by our company and accessed by around a max number of users per day of around 50 - max.
Over the last few months the server has got slower and slower, although we do have periods when its really fast, there seems to be nothing we can point our finger at as to why it speeds up and slows down, we checked number of users accessing etc and it does not seem to effect speed (users access by a secure logon)
This week server was nearly at a stand still, I rang hosting company who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, mentioned the following -
Dxplay.exe
Dameware.exe
Tree.exe
They said these exe files were listening to a TCP port (excuse my ignorance, not that techically minded)
They also said two users were accessing our server from Canada and California.
They also said because we had loaded our own software on the server it was not their responsibility if our server was hacked, that we were also running PCAnywhere and this was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, it was behind their firewall, would that not stop unauthorised access, the response was no.
I have a few questions I wonder somebody might help me with the answers to,
1, Does it appear our server was hacked? - do the exe files look suspicious?
2, What is our hosting companys responsibility?
3, Is PCA secure
4, How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web, could this be internal, i.e our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else, is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software and although we have anti virus we are scanning again, this new scan picked up 7 virus, I'm not sure yet what these were.
I have worked with rack911 but he does not answer my emails. is there anyone who can start it immediately?
How can I secure php?
my server is hacked but not so deep.
how does one know if their server is being or has been attacked / compromised / DOSed / DDOSed / hacked / you name it?
View 2 Replies View Relatedmy server was just hacked.
basically every index.htm/html/php in all my accounts (/home/*) have been replaced by some hack page.
i have backups, so not too concerned. problems though are:
1) opening any subfolder in an account causes an endless loop
2) putting any other page and trying to load it from the home directory yields a 500 error message
most likely going ot have to rebuild the entire server... but any ideas what i could look for first?
for e.g. the loop thing is nearly like there's some "global .htaccess file" that's controling every single domain to keep reloading a subfolder called index, which does not exist...
I am being hacked & I don't know how they are getting files on my server. They are doing it on two of my domains, I suspended one and then they got it on the other. My FTP access log does not show anything suspicious..
How can I find their doorway?
I am running not so big hosting and do not have much customers. One of our customers have complied to me, that registration mails from his website goes to spam. I searched my IP and found it blacklisted in two databases.
I started to analyze logs, and noticed that from 25th of April something started to happen. Tons of mails are sent, but I do not have such many customers. My mail server is in .lv zone and I have customers witth .lv domains, but mostly some .es mail addresses are there in maillog.
Maillog is full of this records: .....
One of my personal servers has been compromised. It is the tornkit v8 rootkit. I tried to follow the instructions here http://www.webhostgear.com/101.html but I dont have write permissions on /etc/rc.d/rc.sysinit to save changes or even delete the file.
I am logged in as root and the file has rwx permissions for owner which root. But I still cant do anything to that file. I get the following message: cannot remove `rc.sysinit': Operation not permitted.
I need to get this server online asap. I am running centos4.2 and logged in as root in recovery mode.
the data center tell me we use a lot of bandwidth,
and i check from the mrtg they offer to check,it reach about 80M,
my server really used a lot of bandwidth,
but i login whm to check the bandwidth of accounts,
and it looks likely my customers did not use a lot of bandwidth,
i worry if my server is hacked to attack others or other things,
how can i check this?
My hosting provider will shut down my server because it was used by a hacker for DoS attacks.
((outging 2090kbits/sec, incoming 29kbits/sec )
Server got Freebsd 6.2 , apache 2.2, php4.4.7 ,ipfw installed
To be more specific, somehow the hacker can upload a script "udp.pl" into the /tmp directory and then execute it through "perl udp.pl".
The script "udp.pl" does mass flooding on the IP they specify.
The header of udp.pl code is attached at the bottom.
After I deleted "udp.pl"
secured /tmp (noexec,nosuid,rw)
chkrootkit/ rootkit hunter, Checked /etc/passwd for new users and users with UIDs of 0 other than root. Checked for the presence of SUID/SGID root files. nothing found.
installed mod_security2
installed Suhosin
Currently Still have lots of outgoing traffic via port 80 (outging 390kbits/sec, incoming 19kbits/sec )
find nothing suspicius process by using "lsof, top" .....
my server hacked and when I trying to login to cpanel and after enter username and password show the hacked page.
help me to change the cpanel page.
and what section I should check?