I'm the owner and manager of a server that has been running for about a year, and everything was fine until three months ago.
Many vBulletin forums were hacked by one hacker.
I hired a technician to re-set up the server's security; upgrades of the OS, PHP and Apache were done, along with other settings. After that he said everything was OK now. Three weeks later, the server was hacked again, by another hacker, on three vBulletin forums. Bear in mind that all the hacked forums were secured well enough and were using 3.6.8 Patch Level 2.
What possible reasons could have helped the hacker reach the config file? Is this a gap in the server or in the vB version?
OS: Fedora 5 (upgraded from Fedora 4). PHP version: 5.2.4. Apache version: 1.3.39. Perl version: 5.8.8.
I'm on a dedicated server, and the httpd service keeps going down, which results in downtime for a number of hours until I realise that the site is down.
So when I realise the site is down, I ask the hosting support to look into the issue; they tell me the server loads are high and ask me to upgrade, even though I just upgraded the server last month.
Generally the forum has around 250-300 members plus guest visitors online, and it is in the Alexa top 20k sites.
The first thing I would want to do is hire a person who specializes in server optimization, but then I have heard a lot of bad things, like server admins stealing databases and selling them on the open market.
The second thing I wanted to do is contact vBulletin for server optimization, but they need me to give them the server specs, and I don't know how to obtain them.
I run a large adult vBulletin community with 70,000 members, 1/2 million posts, 186,000 attachments (a lot video), and closing in on 100 million downloads since our start some odd years ago. I've been battling keeping the site up for quite some time, and I am starting to wonder whether we shot too low on the server setup. I figure I would ask the pros here at WHT for some advice.
This is our current setup:
Site server: CPU: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz; 4 GB RAM; 250 GB SATA hard drive; Unix FreeBSD 6.2; Apache
MySQL server: CPU: Pentium III/Pentium III Xeon/Celeron (2666.62-MHz 686-class CPU), cores per package: 4; 4 GB RAM; 750 GB SATA hard drive; Unix FreeBSD 6.4; Apache
Do you think the site would perform better under one server and maybe a more powerful processor? What should I be looking at exactly as far as hardware goes for this type of site. I should note we push about 2.5TB of bandwidth monthly.
I just added a database server on a private network and moved the database for the vBulletin forum to this server.
But somehow the forum is loading extremely slowly compared to before (when it was on localhost). Also, compared to another website on the server (using a local database), it is much slower.
One good thing is that the load is lower.
The two servers are connected via a 10 Mbps private link; both servers are at Softlayer.
I have a problem with my system (Dell Vostro 200). I have McAfee Security Center, and it blocks some scripts running in the system during browsing. I can't use any vBulletin forums (registration and posting); I can't even do the McAfee online registration. I'm not an expert in OS configuration.
Someone has claimed that he has penetrated my server and has gathered some kind of information via shell access. I have disabled the possible ways of shell access for users via Tweak Settings and php.ini.
- How can I check whether he has made a backdoor for himself or not? I have run a trojan check via "Scan for Trojan Horses" in WHM, and it found about 200 possible trojans.
My server was hacked some time ago. I've changed passwords and scanned the system for viruses, but found nothing.
Now I'm looking into the log file /var/log/messages, and I have a few questions:
1. There are a lot of messages like:
Apr 2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.196.151.235
Do these messages mean that a hacker is trying to log into the server as root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? A virus on my server, or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
My server was hacked the night before last, and here is the log:
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
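The two posts above ask what the sshd and clamd lines in /var/log/messages mean and where the successful root login came from. The script below is an added example, not from either post: it parses sample log lines constructed to match the quoted shapes, groups pam_unix authentication failures by source host and attacked account, lists clamd detections, and pairs each "Password authentication ... accepted" line with the "connection from" line that shares its bracketed pid. Two points a practitioner would check here: `uid=0 euid=0` in the pam_unix line describes the sshd process that called PAM, not the account under attack (the target is the optional trailing `user=` field, which pam_unix leaves out when the name does not exist on the system), and `stream N: ... FOUND` is clamd reporting on data fed to it over its socket, normally mail being filtered, not a file found on disk. All IPs, hostnames and pids in the sample are invented.

```python
"""Added triage for sshd/clamd lines in /var/log/messages and for
'password accepted' login lines. Sample input is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample lines whose shapes follow the ones quoted in the posts.
SAMPLE_LOG = """\
Apr 2 02:53:09 host sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Apr 2 02:53:12 host sshd(pam_unix)[29401]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Apr 2 02:53:15 host sshd(pam_unix)[29404]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=admin
Apr 2 03:10:01 host sshd(pam_unix)[29510]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
Oct 28 10:30:47 server1 [19705]: connection from "198.51.100.7"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 198.51.100.7, authenticated.
"""

SSH_FAIL = re.compile(
    r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;.*?"
    r"rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?"
)
CLAMD_HIT = re.compile(r"clamd\[\d+\]: stream (?P<stream>\d+): (?P<sig>\S+) FOUND")
CONN_FROM = re.compile(r'\[(?P<pid>\d+)\]: connection from "(?P<ip>[^"]+)"')
PW_ACCEPT = re.compile(
    r"\[(?P<pid>\d+)\]: Password authentication for user (?P<user>\S+) accepted"
)


def ssh_failures(text):
    """rhost -> Counter of attacked account names.
    uid=0 euid=0 in these lines belong to the sshd process that called PAM;
    the attacked account is the trailing user= field, which pam_unix omits
    when the name does not exist on the system."""
    out = defaultdict(Counter)
    for line in text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            out[m["rhost"]][m["user"] or "<unknown user>"] += 1
    return dict(out)


def clamd_hits(text):
    """(stream id, signature) for every clamd 'FOUND' line."""
    hits = []
    for line in text.splitlines():
        m = CLAMD_HIT.search(line)
        if m:
            hits.append((m["stream"], m["sig"]))
    return hits


def accepted_logins(text):
    """(user, source ip) for each successful password login, pairing the
    'accepted' line with the 'connection from' line that shares its pid."""
    source_by_pid = {}
    logins = []
    for line in text.splitlines():
        c = CONN_FROM.search(line)
        if c:
            source_by_pid[c["pid"]] = c["ip"]
            continue
        a = PW_ACCEPT.search(line)
        if a:
            logins.append((a["user"], source_by_pid.get(a["pid"], "?")))
    return logins


def triage(text, threshold=3):
    """Sources with >= threshold failures, root attempts per source, clamd
    detections, and successful root password logins with their source IP."""
    fails = ssh_failures(text)
    totals = {h: sum(c.values()) for h, c in fails.items()}
    return {
        "brute_force_sources": {h: n for h, n in totals.items() if n >= threshold},
        "root_attempts": {h: c["root"] for h, c in fails.items() if c["root"]},
        "clamd": clamd_hits(text),
        "root_password_logins": [x for x in accepted_logins(text) if x[0] == "root"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over the real file with `triage(open("/var/log/messages").read())`. A root password login from an address you do not recognise, as in the second post, means the password is known to someone else and the box has to be treated as fully compromised regardless of what the virus scan found.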
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that, even though these say they are from the fresh domain space, they could be from a script on one of the others?
I have Windows 2003 with all security patches; I run Plesk 8.2 and not much else. I use MySQL as a database with port 3306 open so I can connect from outside (password protected as well). I do use strong passwords on Plesk, administrator, etc. I use the standard Microsoft FTP and the Windows 2003 firewall, and connect through Plesk or Remote Desktop.
Somebody has been able to penetrate my Admin remote desktop :-( I found strange windows open when I connected, and in the log there was an indication of a printer driver load. The printer name was one I don't have, and my remote connection has printers off. The attacker, although smart, did connect with his printer, and that was visible in the log. When he terminated the session I found his IP.
I have since changed my administrator password, but it doesn't help; he was in again today. He hasn't done any harm up to now, I think; I checked for viruses and spyware.
I don't know what to do any more. He can do whatever he wants, and if I don't know how he is getting access to my admin account I cannot stop him. Today I blocked the whole IP range of his provider with IPSec, but as he is smart he can hack another computer and connect to me from there (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts, but I don't think one can gain access to the whole admin through them; maybe only get access to my database (if I made a mistake and didn't protect against injections or some other things).
I am desperate. Please, if anybody has any ideas about what I can do and how I can "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IPs to port 3389 (Remote Desktop) except my IP. But I am a little scared to do that, in case I lock myself out. And even in that case, if he knows the admin password, he can get in some other way than Remote Desktop.
I was on vacation for 2 weeks, so I wasn't able to log onto the server. Nor was there any need to log onto the server, as the website was up and running and was fine!
However, when I logged in today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in Event Viewer, starting from January 30th, there is a whole list of failed logon events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if Windows 2003 automatically logs the IPs of users trying to log in remotely, and where they are stored?
We have a dedicated server with a well-known company here in the UK; it's running Windows 2003 Server Std. This runs an application that was developed by our company and is accessed by a maximum of around 50 users per day.
Over the last few months the server has got slower and slower, although we do have periods when it's really fast. There seems to be nothing we can point our finger at as to why it speeds up and slows down; we checked the number of users accessing it, etc., and it does not seem to affect speed (users access it via a secure logon).
This week the server was nearly at a standstill. I rang the hosting company, who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, and mentioned the following:
Dxplay.exe Dameware.exe Tree.exe
They said these exe files were listening on a TCP port (excuse my ignorance, I'm not that technically minded).
They also said two users were accessing our server from Canada and California.
They also said that because we had loaded our own software on the server it was not their responsibility if our server was hacked, and that we were also running PCAnywhere, which was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, and it was behind their firewall; would that not stop unauthorised access? The response was no.
I have a few questions I wonder if somebody might help me with:
1. Does it appear our server was hacked? Do the exe files look suspicious?
2. What is our hosting company's responsibility?
3. Is PCA secure?
4. How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web. Could this be internal, i.e. our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else. Is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software, and although we have anti-virus we are scanning again; this new scan picked up 7 viruses. I'm not sure yet what these were.
Basically every index.htm/html/php in all my accounts (/home/*) has been replaced by some hack page.
I have backups, so I'm not too concerned. The problems, though, are:
1) opening any subfolder in an account causes an endless loop
2) putting any other page there and trying to load it from the home directory yields a 500 error message
Most likely I'm going to have to rebuild the entire server... but any ideas what I could look for first?
For example, the loop thing is almost like there's some "global .htaccess file" that's controlling every single domain to keep reloading a subfolder called index, which does not exist...
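For the mass defacement in the post above (every index file under /home/* replaced, plus a redirect loop that looks like an .htaccess rewrite), here is an added triage script that is not from the post. It builds a small constructed /home-like tree in a temporary directory, hashes every index.htm/html/php so that files sharing one hash across accounts stand out as the injected page, and flags .htaccess files carrying directives that can rewrite, redirect or prepend code on every request (RewriteRule, Redirect, ErrorDocument, php_value auto_prepend_file and similar). Account names, file contents and the rewrite rule in the sample are invented.

```python
"""Added defacement triage: find index files that share content across
accounts and .htaccess files that can hijack every request.
The sample tree is constructed in a temp directory."""
import hashlib
import os
import re
import shutil
import tempfile

INDEX_NAMES = {"index.htm", "index.html", "index.php"}
# Directives that rewrite, redirect, or prepend code on each request.
SUSPECT_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|RewriteCond|Redirect(?:Match|Permanent)?|ErrorDocument"
    r"|php_value\s+auto_(?:prepend|append)_file|AddHandler|AddType)\b",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed payload and layout: invented, not taken from the post.
DEFACED = b"<html><body>defaced page (constructed sample)</body></html>\n"
SAMPLE_LAYOUT = {
    "acct1/public_html/index.php": DEFACED,
    "acct1/public_html/blog/index.html": DEFACED,
    "acct1/public_html/.htaccess": b"RewriteEngine On\nRewriteRule ^(.*)$ /index/ [L]\n",
    "acct2/public_html/index.htm": DEFACED,
    "acct2/public_html/.htaccess": b"php_value auto_prepend_file /tmp/.x/inc.php\n",
    "acct3/public_html/index.php": b"<?php echo 'welcome'; ?>\n",
    "acct3/public_html/.htaccess": b"Options -Indexes\n",
}


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_defacement(root):
    """Return index files grouped by content hash (only groups with more than
    one file, i.e. the same page dropped in several places) and .htaccess
    files containing suspect directives, as (path, [directives])."""
    by_hash = {}
    htaccess = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in INDEX_NAMES:
                by_hash.setdefault(sha256_of(path), []).append(path)
            elif name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as f:
                    text = f.read()
                hits = sorted({m.group(1).split()[0].lower()
                               for m in SUSPECT_DIRECTIVE.finditer(text)})
                if hits:
                    htaccess.append((path, hits))
    return {
        "mass_replaced": {h: sorted(p) for h, p in by_hash.items() if len(p) > 1},
        "suspect_htaccess": sorted(htaccess),
    }


def build_sample_tree(root):
    """Write the constructed layout under root."""
    for rel, data in SAMPLE_LAYOUT.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Build the constructed tree, run the triage, return paths relative to it."""
    root = tempfile.mkdtemp(prefix="deface-")
    try:
        build_sample_tree(root)
        result = find_defacement(root)

        def rel(p):
            return os.path.relpath(p, root)

        return {
            "mass_replaced": {h: [rel(p) for p in ps]
                              for h, ps in result["mass_replaced"].items()},
            "suspect_htaccess": [(rel(p), hits) for p, hits in result["suspect_htaccess"]],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real box run `find_defacement("/home")`; the mtime of the flagged files gives the minute to look for in the FTP and Apache access logs, and a rewrite to a non-existent `/index/` in a flagged .htaccess is exactly the kind of rule that produces the endless loop described.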
I am being hacked, and I don't know how they are getting files onto my server. They are doing it on two of my domains; I suspended one and then they got it onto the other. My FTP access log does not show anything suspicious.
I am running a not-so-big hosting business and do not have many customers. One of our customers has complained to me that registration mails from his website go to spam. I searched for my IP and found it blacklisted in two databases.
I started to analyze logs and noticed that from the 25th of April something started to happen. Tons of mails are being sent, but I do not have that many customers. My mail server is in the .lv zone and I have customers with .lv domains, but mostly some .es mail addresses are there in the maillog.
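The exim post earlier on this page (spam leaving through one mailbox on a freshly rebuilt domain) and the .lv post above (a blacklisted IP and a maillog full of addresses that are not the customers') come down to the same question: is the mail injected by a script on the box, or relayed through an authenticated account? The added example below, not from either post, parses constructed Exim main-log lines in two shapes: the `cwd=... args:` lines Exim writes when `log_selector` includes `+arguments` (they name the directory the calling script ran in), and `<=` lines carrying `A=authenticator:user` for SMTP AUTH submissions. It assumes Exim; Postfix or Sendmail maillog lines have different shapes and need different patterns. Sender addresses, paths, message ids and IPs are invented.

```python
"""Added Exim main-log triage: which local directory is invoking sendmail,
and which authenticated account is relaying. Sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed Exim main-log lines. The "cwd=... args:" shape appears when
# log_selector includes +arguments; addresses, paths and IPs are invented.
SAMPLE_EXIM_LOG = """\
2008-10-28 10:30:47 cwd=/home/site1/public_html/images/cache 4 args: /usr/sbin/sendmail -t -i -fnobody
2008-10-28 10:30:47 1KuX4T-0002Xq-2J <= nobody@server1.example.com U=nobody P=local S=1421 id=a1@server1.example.com
2008-10-28 10:30:49 cwd=/home/site1/public_html/images/cache 4 args: /usr/sbin/sendmail -t -i -fnobody
2008-10-28 10:30:49 1KuX4V-0002Xs-7Q <= nobody@server1.example.com U=nobody P=local S=1419 id=a2@server1.example.com
2008-10-28 10:31:00 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2008-10-28 10:31:00 1KuX4g-0002Xz-1M <= site2@server1.example.com U=site2 P=local S=890 id=b1@server1.example.com
2008-10-28 10:32:15 1KuX5u-0002Yb-Kx <= info@site3.example.com H=(WIN-PC) [192.0.2.55] P=esmtpa A=login:info@site3.example.com S=3120 id=c1@site3.example.com
2008-10-28 10:32:16 1KuX5v-0002Yc-Lz <= info@site3.example.com H=(WIN-PC) [192.0.2.55] P=esmtpa A=login:info@site3.example.com S=3118 id=c2@site3.example.com
2008-10-28 10:32:17 1KuX5w-0002Yd-Mq <= info@site3.example.com H=(WIN-PC) [198.51.100.9] P=esmtpa A=login:info@site3.example.com S=3122 id=c3@site3.example.com
"""

CWD_LINE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
AUTH_LINE = re.compile(r"<= \S+ .*?\[(?P<ip>[^\]]+)\] P=\S+ A=(?P<auth>\S+)")


def script_senders(text):
    """Counter of working directories of local processes that called sendmail."""
    c = Counter()
    for line in text.splitlines():
        m = CWD_LINE.match(line)
        if m:
            c[m["cwd"]] += 1
    return c


def authenticated_senders(text):
    """Counter of (authenticated user, client ip) for SMTP AUTH submissions.
    The A= value is authenticator:user; the authenticator name varies by setup."""
    c = Counter()
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            auth = m["auth"]
            user = auth.split(":", 1)[1] if ":" in auth else auth
            c[(user, m["ip"])] += 1
    return c


def triage(text, script_threshold=2, auth_threshold=2):
    """Directories with >= script_threshold sendmail calls (where the spam
    script lives) and accounts with >= auth_threshold AUTH submissions,
    listed with the client IPs that used them."""
    scripts = {d: n for d, n in script_senders(text).items() if n >= script_threshold}
    per_user = Counter()
    ips = defaultdict(set)
    for (user, ip), n in authenticated_senders(text).items():
        per_user[user] += n
        ips[user].add(ip)
    abused = {u: sorted(ips[u]) for u, n in per_user.items() if n >= auth_threshold}
    return {"script_dirs": scripts, "abused_accounts": abused}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXIM_LOG).items():
        print(f"{key}: {value}")
```

A directory under a web root with many cwd hits is where the injecting script lives, which is what the hosting support in the earlier post said it could not tell. An account with many `A=` submissions from several client IPs is a mailbox whose password is known to the spammer, which fits a single account being abused after a rebuild. If neither pattern matches in the minutes when the spam appears, the messages did not pass through this Exim at all and the address is simply being forged elsewhere.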
One of my personal servers has been compromised. It is the tornkit v8 rootkit. I tried to follow the instructions here http://www.webhostgear.com/101.html but I don't have write permissions on /etc/rc.d/rc.sysinit to save changes or even delete the file.
I am logged in as root, and the file has rwx permissions for the owner, which is root. But I still can't do anything to that file. I get the following message: cannot remove `rc.sysinit': Operation not permitted.
I need to get this server online ASAP. I am running CentOS 4.2 and am logged in as root in recovery mode.
My hosting provider will shut down my server because it was used by a hacker for DoS attacks
(outgoing 2090 kbit/s, incoming 29 kbit/s).
The server has FreeBSD 6.2, Apache 2.2, PHP 4.4.7 and ipfw installed.
To be more specific, somehow the hacker can upload a script "udp.pl" into the /tmp directory and then execute it with "perl udp.pl".
The script "udp.pl" does mass flooding on the IP they specify.
The header of the udp.pl code is attached at the bottom.
After I deleted "udp.pl", I:
- secured /tmp (noexec,nosuid,rw);
- ran chkrootkit and Rootkit Hunter, checked /etc/passwd for new users and for users with a UID of 0 other than root, and checked for the presence of SUID/SGID root files: nothing found;
- installed mod_security2 and Suhosin.
Currently I still have lots of outgoing traffic via port 80 (outgoing 390 kbit/s, incoming 19 kbit/s).
I find no suspicious process using lsof, top, ...
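For the two posts above (the rc.sysinit that root cannot remove, and the udp.pl flooder in /tmp), here is an added example that is not from either post. It runs three checks on constructed input: parsing `lsattr` output for the immutable (`i`) and append-only (`a`) attributes, which is what produces "Operation not permitted" for root on a file with rwx permissions and is a standard rootkit trick for protecting rc.sysinit and similar files; listing /etc/passwd entries with UID 0 other than root; and scanning files in /tmp for the shape of a perl UDP flooder (perl shebang, a SOCK_DGRAM socket, and `send()` inside an endless loop). File names, flags, accounts and the flooder-like fragment are invented; the real udp.pl header mentioned in the post is not on this page. One caveat the FreeBSD post's fix runs into: mounting /tmp noexec only stops direct execution of a file; `perl /tmp/udp.pl` still works because the executable is perl, so the upload path (the web application) is what has to be closed.

```python
"""Added post-compromise checks: files root cannot touch (immutable or
append-only attributes), extra UID-0 accounts, and a perl UDP flooder in
/tmp. All input below is constructed for the example."""
import re

# Constructed lsattr output: 'i' = immutable, 'a' = append-only.
SAMPLE_LSATTR = """\
----i--------- /etc/rc.d/rc.sysinit
-----a-------- /var/log/messages
-------------- /etc/passwd
"""

# Constructed /etc/passwd: 'operator2' has UID 0 and a /tmp home.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
operator2:x:0:0::/tmp:/bin/sh
"""

# Constructed /tmp contents. udp.pl is a minimal fragment with the shape of a
# UDP flooder, not the tool from the post (whose code is not on the page).
SAMPLE_TMP_FILES = {
    "/tmp/udp.pl": "#!/usr/bin/perl\nuse Socket;\n"
                   "socket(S, PF_INET, SOCK_DGRAM, 17);\n"
                   "for (;;) { send(S, $pkt, 0, $addr); }\n",
    "/tmp/sess_9f2a": 'a:1:{s:4:"user";s:3:"bob";}',
    "/tmp/clean.pl": '#!/usr/bin/perl\nprint "hello\\n";\n',
}

PERL_SHEBANG = re.compile(r"\A#!.*\bperl\b")
UDP_SOCKET = re.compile(r"SOCK_DGRAM|Proto\s*=>\s*['\"]udp['\"]")
SEND_LOOP = re.compile(r"(?:for\s*\(\s*;\s*;\s*\)|while\s*\(\s*1\s*\))\s*\{[^}]*\bsend\(")


def locked_files(lsattr_output):
    """(path, flags, chattr command) for entries carrying 'i' or 'a'.
    'a' on a log file may be deliberate; 'i' on an init script is not."""
    found = []
    for line in lsattr_output.splitlines():
        flags, _, path = line.partition(" ")
        set_flags = "".join(f for f in "ia" if f in flags)
        if set_flags and path:
            found.append((path, set_flags, f"chattr -{set_flags} {path}"))
    return found


def extra_root_accounts(passwd_text):
    """Account names other than root whose UID field is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def udp_flood_indicators(text):
    """Names of the flooder indicators present in one file's content."""
    hits = []
    if PERL_SHEBANG.search(text):
        hits.append("perl")
    if UDP_SOCKET.search(text):
        hits.append("udp socket")
    if SEND_LOOP.search(text):
        hits.append("send() in endless loop")
    return hits


def flooder_candidates(files, min_hits=2):
    """Paths whose content shows at least min_hits flooder indicators."""
    return sorted(p for p, t in files.items() if len(udp_flood_indicators(t)) >= min_hits)


def triage(lsattr_output=SAMPLE_LSATTR, passwd_text=SAMPLE_PASSWD, tmp_files=SAMPLE_TMP_FILES):
    return {
        "locked": locked_files(lsattr_output),
        "extra_root": extra_root_accounts(passwd_text),
        "flooders": flooder_candidates(tmp_files),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real box, feed the output of `lsattr -R /etc /bin /sbin /usr/bin /usr/sbin` to `locked_files()`, /etc/passwd to `extra_root_accounts()`, and the contents of each file under /tmp (and any other directory the web server can write to) to `flooder_candidates()`. After `chattr -i`, replace the file from install media or a known-good copy rather than editing it, since a rootkit that bothered to lock rc.sysinit has also changed it; and while outgoing traffic continues, `sockstat -4c` on FreeBSD names the process owning each connected socket, which is a faster way to the flooder than top.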