-
02-07-2004, 04:01 AM #26Web Hosting Guru
- Join Date
- Apr 2003
- Posts
- 271
Yes, I can log in now. Maybe my network sucks.
-
02-09-2004, 05:47 PM #27Russ
- Join Date
- Mar 2002
- Location
- Philadelphia, PA
- Posts
- 2,517
Great tutorial
Last edited by choon; 02-09-2004 at 09:15 PM.
-
02-23-2004, 09:27 PM #28WHT Addict
- Join Date
- Sep 2003
- Posts
- 134
Re: How to (somewhat) secure a Linux Server
How do I keep myself unblocked from SSH if my ISP assigns me a new dynamic IP every 36 hours?
There's a number of other security tricks that I use, such as:
limiting ssh access
in /etc/hosts.deny
Code:
sshd: ALL
Code:
sshd: host.ip.number.1,host.ip.number.2,etc
Last edited by choon; 02-23-2004 at 09:32 PM.
-
02-23-2004, 09:31 PM #29Retired Moderator
- Join Date
- Jul 2001
- Location
- Singapore
- Posts
- 1,889
If your ISP's issuing IP range is 123.456.789.x
then just use 123.456.789.
Just my thoughts
-
02-23-2004, 09:33 PM #30WHT Addict
- Join Date
- Sep 2003
- Posts
- 134
I wish they were issuing IP ranges. My ISP is Cox and I'm pretty sure they don't just change IP ranges but entire blocks, i.e. my last IP was 67.110.47.64 and my new one is way different than the old one.
Last edited by choon; 02-23-2004 at 09:37 PM.
-
02-23-2004, 09:36 PM #31Retired Moderator
- Join Date
- Jul 2001
- Location
- Singapore
- Posts
- 1,889
Then no choice allow ALL?
P.S. Please turn off your signature as signatures are not allowed in all HOWTO forums.
-
02-23-2004, 09:43 PM #32WHT Addict
- Join Date
- Sep 2003
- Posts
- 134
Sorry for the sig, I did not know sigs were not allowed in the how-to forum. I'm gonna go ask cox business side to see if I can talk them into giving me a static ip, if all else fails I'll undo that edit thanks for your help
-
03-09-2004, 09:57 AM #33Junior Guru Wannabe
- Join Date
- Mar 2004
- Location
- Venezuela
- Posts
- 83
I posted this on another Security thread in the How To forum; maybe you guys might find it useful too.
1) Conduct a Security Audit on the box and create a report for it.
(a) Check intrusion detection. Use chkrootkit for this purpose. Update the report with these details.
chkrootkit is very straightforward; installation is pretty simple.
Once chkrootkit is installed, run it from the command line. It should return lines like this:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'... nothing deleted
This is normal chkrootkit output. If by any chance you find an INFECTED!, I suggest thoroughly checking the binary of the said program.
EXCEPTION: bindshell is known to say it's infected when running software like Portsentry; this is normal.
(b) Check for bugs in the software currently installed on the box.
Very simple; start with checking your kernel version:
uname -r
2.4.25
Then check your services' versions; start with the mail server, ftp, apache, mysql and others:
Use telnet to read this, or read the documentation about the software. An example would be:
'telnet localhost 21' (FTP)
telnet localhost 21
Trying 127.0.0.1...
Connected to yourserver
Escape character is '^]'.
220 yourserver Proftpd xxxxx FTP server ready.
Where xxx is your server version, next you go to a security related website (www.securityfocus.com) and run a search for any security vulnerability for that version of FTP server.
If none is found, go to the ftp server website, and see if your version is current.
Repeat with all the other processes and upgrade when necessary
(c) Scan all ports and find out which unwanted ports are open. Update the report with these details.
Get NMAP from www.insecure.org
Run a vanilla scan,
'nmap localhost'
A normal return should be
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on yourserver (127.0.0.1):
(The 1547 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
443/tcp open https
A really bad return should be
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on yourserver (127.0.0.1):
(The 1525 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
119/tcp open nntp
143/tcp open imap2
443/tcp open https
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
As you can see, this server is running a bunch of services we don't actually need, not to mention some trojans too. Check where they come from: most of them run from inetd (/etc/inetd.conf), some run standalone. Find out the ones you need and the ones you don't need and kill them.
(d) Check if /tmp is secured. Update the report with these details.
chmod +t directory
That will prevent non-owners of objects in directory (excepting
superuser) from unlinking (removing, moving, etc.) objects in that
directory. In general any world writable directory should always be
protected this way (such as /tmp, /var/tmp, /var/spool/uucppublic (or
substitute usr for var if appropriate on your system)).
(e) Check for hidden processes. Update the report with these details.
ps aux should show all of the processes. Remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first).
If you find any strange process that you don't know about, google it!
(f) Check for bad blocks in each partition (this is just to make sure that the system is OK). Update the report with these details.
e2fsck -f -p -c /dev/hdxx should scan for bad blocks; however, it needs to be done with the drive unmounted.
(g) Check file permissions. Update the report with these details.
I have used a program called sherpa: http://oregonstate.edu/~creliar/sherpa/ that checks file systems permissions and other things
(h) Check if the kernel has the ptrace vulnerability. Update the report with these details.
All kernels up to 2.4.20 are vulnerable, a simple uname -r should tell you which version are you running. If you are running a vulnerable version, upgrade ASAP (www.kernel.org)
Last edited by choon; 03-09-2004 at 11:37 AM.
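The port check from step (c) in the post above can be automated for the audit report. This is an added example, not part of the original post: the function names are illustrative, the allowlist is the port set from the post's "normal return", and the sample input is a shortened, constructed copy of its "really bad return".

```shell
#!/bin/sh
# Added example (not from the thread): compare nmap's open ports with the
# services the box is supposed to offer. All function names are illustrative.

# Allowlist taken from the "normal return" listing in the post above.
EXPECTED_PORTS="21 22 25 53 80 110 443"

# Constructed sample input: a shortened copy of the "really bad return".
sample_scan() {
cat <<'EOF'
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on yourserver (127.0.0.1):
(The 1525 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
79/tcp open finger
80/tcp open http
111/tcp open sunrpc
1524/tcp open ingreslock
12345/tcp open NetBus
31337/tcp open Elite
EOF
}

# unexpected_ports ALLOWLIST < nmap-output
# Prints "port/proto service" for every open port that is not allowlisted.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Port lines start with "<number>/tcp" or "<number>/udp"; banner and
        # header lines never match, so they are skipped.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) print $1, $3
        }'
}

# missing_ports ALLOWLIST < nmap-output
# Prints allowlisted ports that were NOT seen open (service down or filtered).
missing_ports() {
    awk -v allow="$1" '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); seen[p[1]] = 1 }
        END { n = split(allow, a, " "); for (i = 1; i <= n; i++) if (!(a[i] in seen)) print a[i] }'
}

# Report for the audit; on a live box pipe `nmap localhost` in instead.
echo "Unexpected open ports:"
sample_scan | unexpected_ports "$EXPECTED_PORTS"
echo "Expected but not open:"
sample_scan | missing_ports "$EXPECTED_PORTS"
```

Every line under "Unexpected open ports" is a service to trace back to inetd or a standalone daemon, as the post describes.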
-
03-09-2004, 09:58 AM #34Junior Guru Wannabe
- Join Date
- Mar 2004
- Location
- Venezuela
- Posts
- 83
(i) Check memory (this is to make sure that the memory is OK). Update the report with these details.
You can use software like memtest86 to check the status of your memory, issuing a
cat /proc/meminfo should return all the information available about your memory
(j) Check for open relay. Update the report with these details.
Open relays let spammers send email through your mail system without having to login to a known user.
For detailed instructions, check http://mail-abuse.org/tsi/ar-fix.html
(k) Check if the partitions have enough space. Update the report with these details.
The Linux command 'df' should tell you how much space you have available.
My small webserver is partitioned like this:
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/sda7 9614116 19256 9106488 1% /
/dev/sda2 124443 1642 116375 2% /boot
/dev/sda5 24027628 78572 22728520 1% /var
/dev/sda6 9614116 701716 8424028 8% /usr
/dev/sda9 166888792 812360 157598936 1% /home
With /home and /var being the biggest partitions (home for the users and var for all the users logs)
(l) Check the size of logs. It's better that the log size remains in MBs.
For this you can use programs like logrotate to rotate logs. Also, a good way to keep logs in place is to burn them to a CD-R/W or DVD-R/W for storage.
(m) Do a stress test on the box. Update the report with these details.
I have heard good reviews about stresslinux, which is a bootable Linux distro on a CD whose sole purpose is to run stress tests on your system (you don't have to install it, just put the CD in the CD-ROM drive, boot from it and let it run the tests).
Last edited by choon; 03-09-2004 at 11:38 AM.
-
03-14-2004, 01:50 AM #35Registered User
- Join Date
- May 2001
- Location
- Web Hosting Land
- Posts
- 73
Hey, at that host.deny and host.allow. with the recent torn root kit scare from the cpanel exploit, if you were to deny ALL from ssh but your ip address, would they be able to SSH in?
Last edited by choon; 03-14-2004 at 04:29 AM.
-
03-14-2004, 03:49 AM #36Web Hosting Evangelist
- Join Date
- Jul 2003
- Posts
- 533
Originally posted by joesmoh
Hey, at that host.deny and host.allow. with the recent torn root kit scare from the cpanel exploit, if you were to deny ALL from ssh but your ip address, would they be able to SSH in?
-
03-14-2004, 03:53 AM #37Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
They don't SSH in to plant it anyways. Remove their backdoor and you're all good.
Last edited by choon; 03-14-2004 at 04:30 AM.
-
03-14-2004, 06:37 AM #38Web Hosting Master
- Join Date
- Aug 2003
- Location
- Gods Own Country
- Posts
- 892
Please keep these steps in mind while working on security
1) Create a security policy (a security policy is created from business requirements and risk analysis). This is the first step one should follow while working on security.
2) Based on the security policy, create a checklist.
The checklist is created according to the security policy.
================check list ================================
Check List
#######################
Software Vulnerabilities
Kernel Upgrades and vulnerabilities
Check For any Trojans
Run chkrootkits
Checks Ports
Check for any hidden process
Use audittools to check system
Check logs
Check Binaries
Check Binaries and RPMS
Check the email relays
Check the cron entries
Check /dev /tmp /var filefolders
Checked whether Backup is maintained
Check for unwanted users,groups etc in the system
Check and Disable unwanted services
Locate malicious scripts
Querylog in DNS
Check whether Backup is maintained
Check for the suid scripts and nouser scripts
Check valid scripts in /tmp
Use intrusion detection tools
Check the system performance
Check memory performance ( conduct memtest)
Note: Please feel free to add the steps which I had missed
================end ===========================
3) With this checklist, please conduct a security audit.
The format of the security audit will be like this:
=====================Format ==========================================
Issues or software # Current version (version used in the server) # Stable version # Notes:
===============================================================
In this step we will not do any upgrades or security-related work on the box. Just find out the vulnerabilities.
Find out the current versions of the software and check if it has any vulnerability. If so, please note it down and add it in the notes section of the audit report.
Use tools like Nessus, nikto (audit tool for web servers), chkrootkit, dsa (DNS security audit tool) and memtest to find out the vulnerabilities.
Notes: The section below is called the Security Implementation stage
4) According to this audit report, we should first correct all software vulnerabilities (can use software patches which eliminate the bugs in the software)
(a) Upgrade the kernel if it's old and vulnerable. While compiling, please remove all unwanted options and reduce the size of the kernel.
(b) Upgrade apache and its related software if it's vulnerable.
(c) Upgrade php, mysql, proftpd, pure-ftpd, named if vulnerable.
(d) Upgrade mod_ssl, openssh, openssl etc. (can be done manually or through up2date)
(e) If the control panel has any bugs, the software vendors should be contacted and informed about the bug, so that they will provide a fast fix for it.
5) Now the proper security work comes :-D.
Security is divided into two sections, host security and network security. Each of these sections has 3 parts in common:
(a) Protection
(b) Detection
(c) Recovery
5.1) Host Security
==================
(a) Please protect your system with a password
(b) Check file systems (set correct permissions and ownership on files)
eg: chmod -R 700 /etc/rc.d/init.d/*
eg: Use rpm -Va to find out if the rpm is modified or affected
(c) Apply security patches to vulnerable software (eg: patch -p1 < patch file)
(d) Remove all unwanted ttys and console logins by removing the entry from /etc/securetty
(e) Check system logs (eg: /var/log/messages, /var/log/secure etc.)
(f) Set a password for the boot loader (lilo and grub support it)
(g) Monitor the system (nagios or big brother)
5.2) Network Security
=====================
(1)Remove all unwanted users,groups
(2) Use the script below to mail the sysadmin when another user with uid 0 is created
=========================================
The script below will mail the user when another user with uid 0 is added
-------------------------script----------------------------------
#!/bin/sh
#
# This script must be owned by root or at least setuid 0
# It will scan the system and mail the root user when another user gains uid 0.
# -F: sets the field separator before the first line is read, so the first
# entry in /etc/passwd is split on colons like every other entry.
for id in `awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd`
do
# One mail per extra uid-0 account, stamped with the detection date and time
echo "ALERT Login ID ${id} has uid 0 !!" `date "+Detected On Date :%D Time :%r"` | mail -s "ALERT: User ${id} has UID 0" blessen@blessen.com
done
-----------------------------------------------------------------
========================================================
(3) Only allow passwords with 16 characters (can be done by making changes in login.def)
(4) Disable unwanted services, use tcp wrappers (unwanted services can be disabled through xinet.d or xinetd.conf).
(5) Set a timeout, so that idle users will be logged out after a certain amount of time
(6) Disable all console program access
(eg: rm -rf /etc/security/console.apps/<service name>)
(7) Enable the nospoof option in /etc/host.conf
(8) Specify the order in which the domain name should be resolved (eg: order bind hosts)
(9) Lock the /etc/service files so that no one modifies them
(10) Restrict direct root login (comment the PermitRootLogin login option in sshd_config)
(11) Restrict su, so that only wheel group members are able to su
(can use pam or disable the permission of other for the su binary)
(12) Limit users' resources (can use pam, specify the limits for each user in /etc/security/limit.conf)
(13) Secure /tmp (mount /tmp with noexec,nodev,nosuid)
(14) Hide the server details. For that, remove /etc/issues and /etc/issues.net
(15) Disable unwanted suid and sgid files
find / -type f \( -perm -04000 -o -perm -02000 \)
eg: gpasswd, wall, traceroute etc....
(16) Allow ping only from a specified location (for monitoring systems to work). Use iptables for that
(17) Take preventive measures against DOS, ping to death etc. Use the script below for that
http://www.webhostingtalk.com/showth...hlight=blessen
(18)Install firewall ( eg apf and iptables )
(policy-->allow the ports which the box needs and block all other ports )
Eg: http://www.rfxnetworks.com/
Eg: http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
(19) Install intrusion detection (eg install tripwire or aide)
eg: http://www.cs.tut.fi/~rammer/aide.html
eg: http://www.redhat.com/docs/manuals/l...-tripwire.html
(20) Install sxid to keep an eye on suid and sgid scripts.
Link: http://linux.cudeso.be/linuxdoc/sxid.php
(21) Restrict ssh to specific IPs and users (I suggest going for key authentication using a passphrase)
(22) Install logcheck to check the logs
(23) Install tmpwatch to delete the unused files from the /tmp directory
(24) Install and set up portsentry and configure it to use iptables to block IPs
(25) Install mod_security and mod_dosevasive to safeguard apache
6) Submit a Status report
========================
Notes: It will contain what all you have done on the server to secure it as per audit
7) Testing and Optimization phase
==========================
Use tools like nessus, nikto, nmap etc. to do a penetration test and see how well your server is. Also do a stress test etc.
Optimization
==========
1) Harddisk -->enable DMA for faster disk read
2) Limit user process
3) For mysql use these settings for good performance
=======================mysql settings in my.cnf======================
port = 3306 # I would always suggest changing the port
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
==============================================
4) For proftpd use this settings
==========================ftp settings in proftpd.conf=======================
TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
==================================================================
5) Disabling the logging of access time on partitions where access time always changes (eg /var) will improve performance
(for that, just mount that partition with noatime)
6) Do not create large firewall policies; they will delay packets.
7) Setting file system parameters to correct values will often provide good performance.
8) While compiling always use these options
for i686
CFLAG=-O9 - for best optimization
-funroll-loops
-ffast-math
-mcpu=< your processor type >
-march=< your processor type >
-fomit-frame-pointer
For i586
======
CFLAG=-O3
-funroll-loops
-ffast-math
-mcpu=< your processor type >
-march=< your processor type >
-fomit-frame-pointer
Hope this helps you....
Last edited by choon; 03-14-2004 at 09:20 AM.
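Two of the file-system checks in this thread, the sticky bit on world-writable directories (step (d) of the earlier audit post) and watching suid/sgid files (items 15 and 20 above), can be scripted together. This is an added example, not code from any poster or from sxid: the function names and the baseline file are illustrative, and the directory tree it runs against is constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the thread); function names are illustrative.
LC_ALL=C; export LC_ALL   # identical byte ordering for sort and comm

# list_suid_sgid DIR: regular files carrying the setuid or setgid bit, sorted.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# writable_without_sticky DIR: world-writable directories that lack the
# sticky bit, i.e. where any user can unlink other users' files.
writable_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# suid_changes BASELINE DIR: compare the current suid/sgid list with a saved
# baseline. "+ path" is new since the baseline, "- path" is no longer flagged.
suid_changes() {
    cur=$(mktemp) || return 1
    list_suid_sgid "$2" > "$cur"
    comm -13 "$1" "$cur" | sed 's/^/+ /'
    comm -23 "$1" "$cur" | sed 's/^/- /'
    rm -f "$cur"
}

# demo_tree: build a constructed directory tree and print its path.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/spool" "$d/tmp"
    : > "$d/bin/passwd"; chmod 4755 "$d/bin/passwd"   # legitimate setuid file
    : > "$d/bin/ls";     chmod 0755 "$d/bin/ls"
    chmod 1777 "$d/tmp"      # world-writable with sticky bit: fine
    chmod 0777 "$d/spool"    # world-writable without sticky bit: finding
    echo "$d"
}

# Walk-through on the constructed tree: save a baseline, change two files,
# then report. On a real server, point the functions at / instead.
demo=$(demo_tree) || exit 1
list_suid_sgid "$demo" > "$demo/suid.baseline"
: > "$demo/bin/newtool"; chmod 4755 "$demo/bin/newtool"
chmod 0755 "$demo/bin/passwd"
echo "World-writable directories without sticky bit:"
writable_without_sticky "$demo"
echo "setuid/setgid changes since baseline:"
suid_changes "$demo/suid.baseline" "$demo"
rm -rf "$demo"
```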
-
03-14-2004, 11:51 AM #39Web Hosting Master
- Join Date
- Aug 2003
- Location
- Gods Own Country
- Posts
- 892
I have made the above post just because of my "PASSION FOR SECURITY"
its driven by passion.....
Last edited by choon; 03-14-2004 at 12:05 PM.
-
03-30-2004, 12:28 PM #40Junior Guru Wannabe
- Join Date
- Mar 2003
- Location
- Kansas City, MO
- Posts
- 71
When you mention hosts.allow and you say:
sshd: host.ip.number.1,host.ip.number.2,etc
Do you mean
sshd: 204.1.2.1,204.1.2.3,204.1.2.3
I entered the IPs for my box, and then it wouldn't let me log in. Luckily I just restarted the net svc and stayed SSH'd in. If I had rebooted, I would have been furious.
Can you show me an example on this one?
-
03-30-2004, 12:41 PM #41
skip the commas, use spaces
ie:
123.456.789.0 098.765.432.1
note, there's no commas at all.
-
03-30-2004, 01:00 PM #42Junior Guru Wannabe
- Join Date
- Mar 2003
- Location
- Kansas City, MO
- Posts
- 71
Ah... that was what was wrong...
-
03-30-2004, 01:23 PM #43Junior Guru Wannabe
- Join Date
- Mar 2003
- Location
- Kansas City, MO
- Posts
- 71
Still, it does not allow me to connect (SSH Telnet) when that's in.
What am I doing wrong?
-
03-30-2004, 01:31 PM #44
Make sure you've got the right ip address.
if you're trying to connect from localhost, you'll need at least 127.0.0.1 and the base ip of the machine. if you're trying to connect from your own machine, then you'll need to figure out what ip you need to use.
If you set it up as suggested, it will work. It's yet to fail me, and I've done it on numerous servers.
-
03-30-2004, 01:43 PM #45Junior Guru Wannabe
- Join Date
- Mar 2003
- Location
- Kansas City, MO
- Posts
- 71
Wait a tick, these are supposed to be the addresses of the foreign machines connecting, eh? Whoops. I was entering the addresses of my servers.
-
03-30-2004, 05:10 PM #46WHT Addict
- Join Date
- Feb 2004
- Location
- Oslo/finnmark, Norway
- Posts
- 120
Can anyone explain to me how I allow only specified IPs to ping my box?
-
04-15-2004, 03:54 AM #47Local tech for Los Angeles
- Join Date
- Feb 2003
- Location
- Panorama City, CA
- Posts
- 2,581
# disable packet forwarding
net.ipv4.ip_forward = 0
# enable source route verification
net.ipv4.conf.all.rp_filter = 1
# ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable syn cookies
net.ipv4.tcp_syncookies = 1
# size of syn backlog
net.ipv4.tcp_max_syn_backlog = 512
# disable automatic defragmentation
# set max files
fs.file-max = 32768
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
When you do that, is there a way to allow one port to be seen, i.e. 80? Because when I take a server to a LAN party I don't know what the IP address is, and it takes a long time to find it again.
So is there a way to do that? Or should I just install a firewall?
-
04-19-2004, 02:00 AM #48WHT Addict
- Join Date
- Feb 2003
- Posts
- 110
after configuration, I noticed that user "nobody" is running unusual process:
5528 nobody 0 0.0 0.0 ps aux
5185 nobody 0 0.0 0.0 lpd
5665 nobody 0 0.0 0.0 2 pckt
5689 nobody 0 0.0 0.0 1 pckt
Is it normal?
Thanks
-
04-19-2004, 03:12 AM #49Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 0
that will allow you to ping your boxes
-
04-19-2004, 11:01 AM #50Originally posted by ymfm
after configuration, I noticed that user "nobody" is running unusual process:
5528 nobody 0 0.0 0.0 ps aux
5185 nobody 0 0.0 0.0 lpd
5665 nobody 0 0.0 0.0 2 pckt
5689 nobody 0 0.0 0.0 1 pckt
Is it normal?
Thanks
lpd is your line printer daemon, which is normal
nobody shouldn't even be logging into your server, yet it's doing a ps? 10:1 you've been hacked. Check for a rootkit and see what's going from there.