Website Hacked, But Not Sure About The Enter Server
Feb 19, 2007
my server was hacked by Cold he/she inserted a couple of scripts that enabled remote access into a 777 permission folder.
i found the following script names:
back.pl
cpanel.php
cgitelnet.pl
cpanel.pl
gcc-cold <- shell script
i have deleted all the above files, and changed the folder chmod to 755
but the weird thing is, through shell, when i try to locate the file gcc-cold i get this:
Quote:
root@ [/tmp]# locate gcc-cold
/home/ns5f6/public_html/uploads/gcc-cold
root@ [/tmp]# rm /home/ns5f6/public_html/uploads/gcc-cold
rm: cannot lstat `/home/ns5f6/public_html/uploads/gcc-cold': No such file or directory
isn't locate NOT supposed to find that file after its been deleted? and if it was not deleted some how, isn't it supposed to delete it? am i missing something here??????
from a bit of researching the files, i found that it was a telnet script, BUT i have telnet disabled, and there's no process running along side GREP TELNET
how can i find malicious software or shell scripts that allow such hacking activities on the server?
View 6 Replies
ADVERTISEMENT
Jul 27, 2007
So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./
When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)
View 0 Replies
View Related
Apr 30, 2009
Just this week, I believe one of my site has been hacked...or potentially my whole server! When accessing the website (a vBulletin forum), instead of going to the main page, we get a screen that looks like Window's "My Computer" and there is a scan running. Firefox has blocked the site for suspicion.
I am stumped. Where to begin? I have full SSH access to my server (after rebooting it). Thank you in advance.
Server: CentOS Linux 4.3
View 10 Replies
View Related
Aug 14, 2008
my site is hacked regularly
today when i checked htaccess file i found
Code:
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /admin/editor/filemanager/browser/default/images/ucohex/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
in it what does this code does.
View 24 Replies
View Related
Apr 24, 2007
I have been getting a lot of abusive email lately, just deleted them and thought nothing off it. Just about to go to bed and I see my website has been hacked.
www.pic-spot.com
They also said they were after www.anotherlaugh.com and www.shinyproxy.com
View 5 Replies
View Related
Jun 27, 2009
few sites are continously been hacked, these sites i m working on, whenever i connect the sites through FTP client(i m using Flash FXP) and upload the files the very next day the index file have the Iframe code written after the body tag by someone else of some malware site.
i have tried everything, changing the password on daily basis,even reinstall my system completey(thinking if there any backdoor trojan) firewall and antivirus,
View 13 Replies
View Related
Jul 18, 2009
We have a simple flash site. Not CMS or anything of that sort.
Recently out site was hacked. Nothing malicious as the only code that seems to have changed was out index file in which they injected a malware script ....
View 13 Replies
View Related
Aug 7, 2007
One of my clients has joomla site installed on his hosting.
But recently his website always get hacked. Hacker put one index.html file in the public_html folder. luckily they not deleting file and database..
This is happen twice in one week, even he change the cpanel password to a more complex one...
anyway to prevent this? any way to harden the security?
View 16 Replies
View Related
May 11, 2007
This is the second time this week that my website was hacked. On the first hack attempt they somehow got into my cpanel and corrupted my license file which I had my host fix. Other than that the only damage done was an html file that replaced my main page. Then today, I find that my website has been further compromised, but by a completely different group. The first hacker was g3n3t1x and this second hack was done by www.turkishdefacerteam.com
Now, the problem is my sites dedicated IP is 72.36.192.150, and my domain name is gamingguilds.net, but if you resolve the domain name, it resolves to 74.53.52.66. I have checked my nameservers and everything is set properly. But the thing I don't get is that when you type in my domain name in a web browser, you see my website. How can it be resolving to the wrong IP and STILL show my website. Also note that when you type in my dedicated IP it would still show my website (before this second attack).
Now after the second attack, my dedicated IP no longer works, I cant get into cpanel using the IP, I cant get into my FTP account, and I get view my website. Yet if you use the domain name to log into cpanel or view the website it works. The strange part here is that I can't get into the FTP using the domain name.
SO, if you go to [url]you see a blank cpanel site, if you go to [url] you get a 404 error, and if you go to www.gamingguilds.net you get my website.
View 14 Replies
View Related
Jun 14, 2009
I have a small but somewhat popular space-history website. Very simple HTML that I typed into wordpad, but it has long pages full of photos. Since 2003, I've been using media3.net with their business-class Windows service.
A few weeks ago, mypages were hacked, and a one line script inserted that called an Adobe Flash file. Apparently this was a server-wise attack, not just my web pages. Media3.net cleaned this up, but now it has happened again.
This is bad, because Google blacklists my site, and folks on Wikipedia get upset because there are a lot of links to my site.
How are they breaking in to media3.net? I think I must change hosts, but I don't want to put my image-intensive site on overbooked hardware with limited bandwidth.
View 14 Replies
View Related
Jul 13, 2009
I want to ask about some tips to prevent my blog from hacker attack. My friends experience this and i dont want this happen to me. Is web hosting technical support can fix my host server if hacker break it out?
View 10 Replies
View Related
Jul 2, 2009
many visitor cannt enter my site
and many user say that browsing my vbllieten forum very slow
and there is user can crowse my site very fast
i check blocked ip in cvs and there is nothing
View 9 Replies
View Related
Apr 22, 2007
I have more than 10 servers I need to monitor that servers in one enter face like program our script our any thing
I need to monitor the load & traffic & enter to SSH its can be?
View 6 Replies
View Related
May 25, 2015
I am trying to block this whole range of IPs, all that begin with 66.249. How is is that done?
View 1 Replies
View Related
Feb 9, 2015
I've just purchased a VPS with Ubuntu 14.04 and Plesk 12 Web Admin Edition. I will use the vps to host just one domain/website. The first time I access Plesk, it asks for some info and first of all it asks form my domain. The default value is localhost.localdomain. Should I leave the default value or should I enter my domain (let's say example.com)?
View 4 Replies
View Related
Mar 17, 2007
SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How I can remove them?
View 14 Replies
View Related
May 18, 2009
217.67.250.41 - - [18/May/2009:15:36:08 +0100] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400 226 "-" "-"
What is mean ? Sorry for ask a fast answer. I have change my domain's IP to protect someone can run dangerous script...
View 6 Replies
View Related
Dec 21, 2006
My dedicated server was rather slow. Upon checking, I had a new cron job, (deleted now) made by apache, pinting to the following IRC bot.
[root@server50040 tmp]# cd .LiveZone/
[root@server50040 .LiveZone]# ls -al
total 384
drwxr-xr-x 10 apache apache 4096 Dec 21 12:17 .
drwxrwxrwt 3 root root 4096 Dec 21 12:15 ..
-rwxr-xr-x 1 apache apache 320 Dec 9 2004 config
-rw------- 1 apache apache 1002 Dec 9 2004 config.h
-rw-rw-r-- 1 apache apache 55 Dec 20 22:55 cron.d
-rwxr-xr-x 1 apache apache 347 Dec 9 2004 ****
drwxr-xr-x 2 apache apache 12288 May 31 2002 help
-rwxr-xr-x 1 apache apache 210216 Dec 9 2004 httpd
drwxr-xr-x 2 apache apache 4096 Jan 12 2002 lang
-rw------- 1 apache apache 492 Dec 21 12:17 livezone
-rw-rw-r-- 1 apache apache 19 Dec 20 22:55 livezone.dir
-rw------- 1 apache apache 492 Dec 21 12:09 livezone.old
drwxr-xr-x 2 apache apache 4096 Dec 21 12:10 log
-rw-r--r-- 1 apache apache 2137 Sep 26 2003 Makefile
-rw-r--r-- 1 apache apache 731 Dec 9 2004 makefile.out
-rwxr-xr-x 1 apache apache 15090 Dec 9 2004 makesalt
drwxr-xr-x 3 apache apache 4096 Jul 30 2000 menuconf
drwxr-xr-x 2 apache apache 4096 Jul 17 2000 motd
-rwxr-xr-x 1 apache apache 14306 Nov 13 2003 proc
-rw------- 1 apache apache 6 Dec 21 12:10 psybnc.pid
-rw-r--r-- 1 apache apache 10780 Dec 9 2004 README
-rwxr-xr-x 1 apache apache 68 Jun 4 2004 run
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 scripts
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 src
-rw------- 1 apache apache 3901 Jan 12 2002 targets.mak
drwxr-xr-x 2 apache apache 4096 Dec 9 2004 tools
-rwxr--r-- 1 apache apache 21516 Sep 25 2002 xh
-rwxrw-r-- 1 apache apache 194 Dec 20 22:55 y2kupdate
View 10 Replies
View Related
Apr 7, 2007
My server was hacked some time ago. I've changed passwords and scanned system for viruses, but found nothing.
Now, I'm looking into the log file /var/log/messages and I have few questions:
1. There are a lot of messages like: Apr 2 02:53:09 host
sshd(pam_unix)[29398]: authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=203.196.151.235
Do these messages mean that hacker trying to enter the server under root?
2. There are messages like these:
Apr 2 03:56:10 host clamd[4678]: stream 1255: Worm.SomeFool.P.2 FOUND
Apr 2 10:46:10 host clamd[4678]: stream 2008: Worm.Bagle.pwd-eml FOUND
What does this mean? Virus on my server or something else?
3. Also, I can see a lot of messages like this one:
Apr 2 09:38:40 host clamd[4678]: stream 1111: Email.Phishing.RB-524 FOUND
Does someone read my emails?
View 6 Replies
View Related
Nov 17, 2006
My server just got hacked i just bought it!!
and they was going to charge me anouther $35 to reset the password how stupid...
in the end we got it done free
View 8 Replies
View Related
Oct 29, 2009
My server was hacked night before last and here is the log
Oct 28 10:30:47 server1 [19705]: connection from "173.45.118.58"
Oct 28 10:30:47 server1 [19705]: User root's local password accepted.
Oct 28 10:30:47 server1 [19705]: Password authentication for user root accepted.
Oct 28 10:30:47 server1 [19705]: User root, coming from 3a.76.2d.[url], authenticated.
View 14 Replies
View Related
Jan 10, 2008
I found a process /usr/sbin/httpd was running by nobody, then I did a trace in WHM and found this. Is my server hacked ?
send(4, "@206113irc10quakenet3org1"..., 34, MSG_NOSIGNAL) = 34
poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(4, FIONREAD, [162]) = 0
recvfrom(4, "@2062012001103irc10quakenet3org1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.36.191.2")}, [16]) = 162
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
ioctl(4, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbffb3718) = -1 EINVAL (Invalid argument)
_llseek(4, 0, 0xbffb3770, SEEK_CUR) = -1 ESPIPE (Illegal seek)
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(6665), sin_addr=inet_addr("83.140.172.210")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(4) = 0
open("/etc/protocols", O_RDONLY) = 4
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
View 7 Replies
View Related
May 14, 2008
My websites worked very well some days ago. I've touched nothing on my server since then and now every website I have on it is down!
I have a VPS and have root access.
When I restart my apache web server, my websites are working for about 3 seconds! Then it doesn't work any longer!
I've talked to my host but they may find the error if their technicians look at my server but this will cost!
View 6 Replies
View Related
Dec 8, 2008
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? ..............
View 10 Replies
View Related
Sep 1, 2007
I have Windows 2003, all security patches, I run Plesk 8.2 and nothing much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator etc. I use standard microsoft FTP, Windows 2003 Firewall and connect through Plesk or remote connection.
Somebody has been able to penetrate to my Admin remote desktop :-( I found strange windows open when I connected and in the log there was an indication of the printer driver load. The printer name was one I don't have and my Remote connection has Printers off. The attacker although smart did connect with his printer and that was visable in log. When he terminated the session I found his IP.
I have since changed my administrator password but it doesn't help, he was in again today. He didn't do any harm up to now I think, I checked for viruses and Spyware.
I don't know what to do any more. He can do whatever he wants and if I don't know how he is getting access to my admin account I can not stop him. I blocked today with IPSec the whole IP range of his provider, but as he is smart he can hack another computer and connect to me from him (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.
I use ASP scripts but I don't think one can gain access to the whole admin by them, maybe only get access to my database (if I would make a mistake and wouldn't protect for the injections or some other things).
I am desperate. Plese, if anybody has some ideas what can I do, how do I "catch" him, I mean patch the hole, please let me know.
I had an idea to block all IP's to port 3389 (Remote desktop) except my IP. But I am a little scared to do that not to lock myself out. And even in that case, if he knows admin password he can get in some other way than using remote desktop,
View 7 Replies
View Related
Feb 16, 2007
I'm using windows 2003 Server to host my website.
I was on vacation for 2 weeks so I wasn't able to log onto the server. Nor was there any need to log onto the server as the website was up and running and was fine!
However, when I logged into today, there were extra icons on my desktop.
My server was turned into a spam e-mail remailer. There were applications installed that dissected/generated e-mail addresses.
In my system logs in event viewer, starting from January 30th, there is a whole list of failed log on events where the user tried logging on with different usernames and passwords.
I'm guessing they got into my server by brute force.
I was wondering, does anyone know if windows 2003 automatically logs the IPs of users trying to login remotely and where they are stored?
View 13 Replies
View Related
Jan 2, 2007
Today while i run some commands like ls this error appeared segmentation falt
any way the reason is my server's hacked now i reinstall it but my question
How could my server hack while i have disabled Compilers for unprivileged users
i admited that i have found cgi-telnet scripts but how could he used it to install rootkit
View 6 Replies
View Related
Jan 11, 2007
We have a dedicated server with a well known company here in the UK, its running Windows 2003 server std. This runs an application that was developed by our company and accessed by around a max number of users per day of around 50 - max.
Over the last few months the server has got slower and slower, although we do have periods when its really fast, there seems to be nothing we can point our finger at as to why it speeds up and slows down, we checked number of users accessing etc and it does not seem to effect speed (users access by a secure logon)
This week server was nearly at a stand still, I rang hosting company who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, mentioned the following -
Dxplay.exe
Dameware.exe
Tree.exe
They said these exe files were listening to a TCP port (excuse my ignorance, not that techically minded)
They also said two users were accessing our server from Canada and California.
They also said because we had loaded our own software on the server it was not their responsibility if our server was hacked, that we were also running PCAnywhere and this was notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server, it was behind their firewall, would that not stop unauthorised access, the response was no.
I have a few questions I wonder somebody might help me with the answers to,
1, Does it appear our server was hacked? - do the exe files look suspicious?
2, What is our hosting companys responsibility?
3, Is PCA secure
4, How can we stop this in future?
I am also told by our guys there is evidence of someone using our server to surf the web, could this be internal, i.e our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else, is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software and although we have anti virus we are scanning again, this new scan picked up 7 virus, I'm not sure yet what these were.
View 5 Replies
View Related
May 19, 2007
I have worked with rack911 but he does not answer my emails. is there anyone who can start it immediately?
How can I secure php?
my server is hacked but not so deep.
View 12 Replies
View Related
Oct 19, 2007
how does one know if their server is being or has been attacked / compromised / DOSed / DDOSed / hacked / you name it?
View 2 Replies
View Related