Thread: Server hacking
-
03-21-2011, 09:01 PM #1Junior Guru
- Join Date
- Sep 2007
- Posts
- 195
Server hacking
My server was hacked by "Tunisian Hacker".
Can someone here help me?
When I discovered it, I restored all account backups and put the Tunisian IP range in the firewall. But today a new client contacted me reporting a new hack.
Can someone help me?
-
03-21-2011, 09:02 PM #2Web Hosting Guru
- Join Date
- Jun 2008
- Location
- Los Angeles, CA
- Posts
- 272
What type of server is it? What are you running on it?
█ Lebnene
█ Consultant: Colocation, Cloud & Dedicated Servers
-
03-21-2011, 09:15 PM #3Temporarily Suspended
- Join Date
- Nov 2010
- Location
- Arizona
- Posts
- 298
Did you change all your passwords and run rootkit hunter? What kind of hack?
-
03-21-2011, 10:01 PM #4Junior Guru Wannabe
- Join Date
- Feb 2006
- Location
- Boston, MA
- Posts
- 58
What software are you running on it? Some of your software probably has a vulnerability in it, allowing the hacker to get in. Restoring a backup would have restored the vulnerability.
Akliz, Inc.
www.akliz.net | 617-475-3266
-
03-21-2011, 10:43 PM #5Junior Guru
- Join Date
- Sep 2007
- Posts
- 195
Guys,
It is a Linux server with cPanel/WHM running Apache, PHP, MySQL.
I will run rootkit hunter.
-
03-21-2011, 10:47 PM #6Disabled
- Join Date
- Mar 2011
- Posts
- 9
You may also wanna install CSF - www.configserver.com
-
03-21-2011, 11:10 PM #7Junior Guru
- Join Date
- Sep 2007
- Posts
- 195
I am using APF + BFD. But I will consider changing to CSF also.
Thanks
-
03-22-2011, 08:52 AM #8Newbie
- Join Date
- Mar 2011
- Posts
- 10
Do you have any idea how much time passed before you discovered it was actually hacked?
-
03-22-2011, 09:38 AM #9Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
That's not the solution here. Firewalling someone who keeps gaining access to your server is like putting a bandaid on a sinking ship. You need to plug the hole once and for all!
@Formas:
Did every site get hacked or only a few sites? That's very important in determining your next course of action. If every site on your server was hacked, it's probable that you were "rooted" in which case your next course of action is to reload the operating system, restore /home from backup and hire a server management company to provide ongoing security updating.
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
03-22-2011, 09:55 AM #10Temporarily Suspended
- Join Date
- May 2010
- Posts
- 282
Was it a specific website that got hacked? If yes, check the FTP logs. Also, install suPHP.
You can take the following steps to prevent your server from being hacked in the future.
1. Secure /tmp
2. Install rkhunter & chkrootkit.
3. Disable root logins & ssh port.
The best way to prevent hacking from happening in the future is to know how it was hacked now and secure your server accordingly.
-
03-22-2011, 11:57 AM #11WHT Addict
- Join Date
- Dec 2005
- Location
- The Netherlands
- Posts
- 107
-
03-22-2011, 12:32 PM #12Junior Guru Wannabe
- Join Date
- Mar 2011
- Posts
- 31
Hi,
There are different types of hacking. Have you found the hacking technique used by the hacker?
Only then can I tell you a solution. Installing a firewall is a must.
Good Luck
-
03-22-2011, 04:28 PM #13Junior Guru
- Join Date
- Sep 2007
- Posts
- 195
-
03-22-2011, 04:32 PM #14Junior Guru
- Join Date
- Sep 2007
- Posts
- 195
-
03-22-2011, 04:37 PM #15Junior Guru
- Join Date
- Sep 2007
- Posts
- 195
Guys,
I can see that the hacker accessed and uploaded files using the File Manager of cPanel. I know because I see the hacker's IP and actions in "/usr/local/cpanel/logs/access_log".
But I don't know HOW the hacker got access to the File Manager of cPanel. This is the question that I need to answer.
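Added example (not part of the original post and not cPanel's own tooling): an access log like the one mentioned above can be narrowed by listing which accounts authenticated from the suspect IP, which shows whose credentials were in use. It assumes an Apache-style combined layout with the authenticated user in the third field; the sample lines, IPs, account names and request paths are constructed.

```shell
#!/bin/sh
# Constructed sample lines in the assumed layout:
# client - auth_user [timestamp] "METHOD path PROTO" status size "referer" "agent"
sample_access_log() {
cat <<'EOF'
198.51.100.7 - alice [03/22/2011:10:01:11 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.50 - - [03/22/2011:16:19:58 -0000] "GET /login/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.50 - victim1 [03/22/2011:16:20:02 -0000] "GET /frontend/x3/filemanager/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.50 - victim1 [03/22/2011:16:20:40 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.50 - victim2 [03/22/2011:16:31:05 -0000] "POST /frontend/x3/filemanager/upload-ajax.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF
}

# Read a log on stdin and print one line per account that authenticated
# from the given client IP: "user total_requests filemanager_posts".
accounts_seen_from_ip() {
    awk -v ip="$1" '
        # Skip other clients and unauthenticated requests (user field "-").
        $1 == ip && $3 != "-" {
            total[$3]++
            # $6 is the quoted method ("POST), $7 is the request path.
            if ($6 == "\"POST" && $7 ~ /filemanager/) posts[$3]++
        }
        END {
            for (u in total) printf "%s %d %d\n", u, total[u], posts[u] + 0
        }
    ' | sort
}

# On a real server, feed it the log instead of the sample:
#   accounts_seen_from_ip 203.0.113.50 < /usr/local/cpanel/logs/access_log
sample_access_log | accounts_seen_from_ip 203.0.113.50
```

One IP authenticating as several unrelated accounts points at stolen credentials or a server-wide compromise rather than a flaw in a single site.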
-
03-25-2011, 02:12 PM #16Web Hosting Master
- Join Date
- Jul 2010
- Posts
- 797
hi,
is it necessary to install afd + bfd when you already have csf + mod_security ?
-
03-25-2011, 02:25 PM #17Junior Guru Wannabe
- Join Date
- Mar 2011
- Posts
- 31
Hi,
Do you mean APF + BFD?....If so, I will say CSF + LFD is better than APF + BFD.
-
03-25-2011, 02:32 PM #18Web Hosting Master
- Join Date
- Jul 2010
- Posts
- 797
sorry typo error...
so, u were saying there is no need to install apf + bfd if we already installed csf + lfd right ?
-
03-25-2011, 02:40 PM #19Junior Guru Wannabe
- Join Date
- Mar 2011
- Posts
- 31
yeps....I am correct...Let someone else make a post if they disagree
I work in Linux for a living. Going from Windows to Linux is like buying a Rolls Royce for zero dollars
-
03-25-2011, 03:23 PM #20WHT Addict
- Join Date
- Dec 2005
- Location
- The Netherlands
- Posts
- 107
No need? CSF states it's incompatible for use together with APF!
So it's better not to; it's strongly discouraged (because both set firewall rules, which can overlap).
Besides that: both use iptables (ip6tables also for CSF), so the level of defense should be exactly the same if you configure them properly.
-
03-25-2011, 03:33 PM #21Web Hosting Master
- Join Date
- Jul 2010
- Posts
- 797
ok thanks..
-
03-28-2011, 07:01 AM #22New Member
- Join Date
- Feb 2011
- Posts
- 3
These look like application level attacks so a network firewall is not going to help much – you might want to look at putting something more robust in front of your websites.
You can also restrict access to the cPanel console only to IP addresses that you come from.
-
03-28-2011, 08:41 PM #23Disabled
- Join Date
- Feb 2010
- Location
- Worldwide
- Posts
- 61
Hi,
And you have changed the FTP password on all accounts in question, as well as checking all of your computers to see if they harbor malware (try malwarebytes.org for free malware checking software).
Best Wishes,
Jim Walker
The Hack Repair Guy
-
03-30-2011, 05:01 AM #24Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
Is your O/S kernel patched and up to date? There have been some nasty root exploits. 30 accounts is enough that you are likely to have been rooted, unfortunately; possibly they were just smart enough not to tip you off by exploiting every account on the server. If there's nothing in common between all 30 accounts, then it's even more likely you have been rooted.
Except of course if you weren't running suphp (or similar better performer) in which case compromising one account could have given them access to all the other accounts.
Probably worth hiring someone like configserver.com to harden your server and get rid of the intruder. Up to you, but you're currently stumbling around in the dark and this is expert territory, there's no way a newbie can recover from this. That's not bad, it's just a statement on the way it is.
-
03-30-2011, 05:02 AM #25Web Hosting Master
- Join Date
- Nov 2004
- Location
- Australia
- Posts
- 1,737
one more thing - you can check for ftp intrusions via the following - a little primitive but does the job:
grep ftp /var/log/messages | less
look for uploaded files in the hacked accounts; to check a specific account 'victim1' try:
grep victim1 /var/log/messages | grep ftp | less
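Added example (not part of the original post): the grep above also matches logins and downloads, so this narrows the output to completed uploads for one account and shows the source IP next to each file. It assumes the FTP daemon is Pure-FTPd logging to syslog in its usual "(user@ip) [NOTICE] path uploaded (...)" form; the sample lines, host name, IPs and paths are constructed.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages content.
sample_messages() {
cat <<'EOF'
Mar 22 16:39:58 host pure-ftpd: (?@203.0.113.50) [INFO] victim1 is now logged in
Mar 22 16:40:01 host pure-ftpd: (victim1@203.0.113.50) [NOTICE] /home/victim1/public_html/index.php uploaded (5120 bytes, 40.10KB/sec)
Mar 22 16:40:03 host pure-ftpd: (victim1@203.0.113.50) [NOTICE] /home/victim1/public_html/images/x.php uploaded (20480 bytes, 88.00KB/sec)
Mar 22 17:05:10 host pure-ftpd: (victim1@198.51.100.7) [NOTICE] /home/victim1/public_html/logo.png downloaded (900 bytes, 10.00KB/sec)
Mar 22 17:06:44 host pure-ftpd: (victim2@198.51.100.7) [NOTICE] /home/victim2/public_html/about.html uploaded (700 bytes, 9.00KB/sec)
Mar 22 17:07:00 host crond[411]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Read syslog lines on stdin and print "source_ip path" for every file the
# given FTP login uploaded. Paths containing spaces are not handled.
ftp_uploads_for() {
    awk -v acct="$1" '
        $5 ~ /^pure-ftpd/ && $9 == "uploaded" {
            who = $6                      # "(user@ip)"
            gsub(/[()]/, "", who)
            # A login name may itself contain "@", so the IP is whatever
            # follows the last one.
            n = split(who, part, "@")
            ip = part[n]
            user = substr(who, 1, length(who) - length(ip) - 1)
            if (user == acct) print ip, $8
        }'
}

# On a real server:
#   ftp_uploads_for victim1 < /var/log/messages
sample_messages | ftp_uploads_for victim1
```

Piping the result through `grep '\.php$'` leaves only uploaded scripts, which are the files to inspect first in a defaced account.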