Thread: Server hacking

  1. #1
    Join Date
    Sep 2007
    Posts
    195

    Server hacking

    My server was hacked by "Tunisian Hacker".

    Can someone here help me???

    When I discovered it, I restored all accounts from backups and put the Tunisian IP range in the firewall. But today a new client contacted me reporting a new hack.

    Can someone help me???

  2. #2
    Join Date
    Jun 2008
    Location
    Los Angeles, CA
    Posts
    237
    What type of server is it? What are you running on it?
    www.betteresolution.com
    Dedicated Servers & More...

  3. #3
    Join Date
    Nov 2010
    Location
    Arizona
    Posts
    297
    Did you change all your passwords and run rootkit hunter? What kind of hack?

  4. #4
    Join Date
    Feb 2006
    Location
    Boston, MA
    Posts
    58
    What software are you running on it? Some of your software probably has a vulnerability in it, allowing the hacker to get in. Restoring a backup would have restored the vulnerability.
    Akliz, Inc.
    www.akliz.net | 617-475-3266

  5. #5
    Join Date
    Sep 2007
    Posts
    195
    Guys,

    It is a Linux server with cPanel/WHM running Apache, PHP, MySQL.

    I will run rootkit hunter.

  6. #6
    You may also wanna install CSF - www.configserver.com

  7. #7
    Join Date
    Sep 2007
    Posts
    195
    I am using APF + BFD. But I will consider changing to CSF also.

    Thanks

  8. #8
    Do you have any idea how much time passed until you discovered it was actually hacked?

  9. #9
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910
    Quote Originally Posted by vpsbackup View Post
    You may also wanna install CSF - www.configserver.com
    That's not the solution here. Firewalling someone who keeps gaining access to your server is like putting a band-aid on a sinking ship. You need to plug the hole once and for all!

    @Formas:

    Did every site get hacked or only a few sites? That's very important in determining your next course of action. If every site on your server was hacked, it's probable that you were "rooted" in which case your next course of action is to reload the operating system, restore /home from backup and hire a server management company to provide ongoing security updating.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  10. #10
    Was it a specific website which got hacked? If yes, check the FTP logs. Also, install suPHP.
    You can take the following steps to prevent your server from being hacked in future.
    1. Secure /tmp
    2. Install rkhunter & chkrootkit.
    3. Disable root logins & ssh port.

    The best way to prevent hacking in future is to know how it was hacked now and secure your server accordingly.

  11. #11
    Join Date
    Dec 2005
    Location
    The Netherlands
    Posts
    107
    Quote Originally Posted by InoxHost View Post
    Was it a specific website which got hacked? If yes, check the FTP logs. Also, install suPHP.
    You can take the following steps to prevent your server from being hacked in future.
    1. Secure /tmp
    2. Install rkhunter & chkrootkit.
    3. Disable root logins & ssh port.

    The best way to prevent hacking in future is to know how it was hacked now and secure your server accordingly.
    In addition to tip 1, symlink /var/tmp to /tmp.
    Also make sure you secure /dev/shm.

  12. #12
    Join Date
    Mar 2011
    Posts
    31
    Hi,

    There are different types of hacking. Have you found the hacking technique used by the hacker?

    Only then can I tell you a solution. Installing a firewall is a must.

    Good Luck

  13. #13
    Join Date
    Sep 2007
    Posts
    195
    Quote Originally Posted by peterbra View Post
    Do you have any idea how much time passed until you discovered it was actually hacked?

    1 or 2 days

  14. #14
    Join Date
    Sep 2007
    Posts
    195
    Quote Originally Posted by Patrick View Post
    That's not the solution here. Firewalling someone who keeps gaining access to your server is like putting a band-aid on a sinking ship. You need to plug the hole once and for all!

    @Formas:

    Did every site get hacked or only a few sites? That's very important in determining your next course of action. If every site on your server was hacked, it's probable that you were "rooted" in which case your next course of action is to reload the operating system, restore /home from backup and hire a server management company to provide ongoing security updating.

    Hi. The server was not "rooted". I am sure about that. I have 400 accounts (sites). Only 30 sites got hacked.

    Right now I am running ClamAV and maldet to see what I will find.

  15. #15
    Join Date
    Sep 2007
    Posts
    195
    Guys,

    I can see the hacker accessed and uploaded files using the cPanel file manager. I know because I see the hacker's IP and actions in "/usr/local/cpanel/logs/access_log".

    But I don't know HOW the hacker got access to the cPanel file manager. This is the question that I need to discover.

  16. #16
    Join Date
    Jul 2010
    Location
    Singapore
    Posts
    775
    Hi,

    Is it necessary to install afd + bfd when you already have csf + mod_security?

  17. #17
    Join Date
    Mar 2011
    Posts
    31
    Hi,

    Do you mean APF + BFD?....If so, I will say CSF + LFD is better than APF + BFD.

  18. #18
    Join Date
    Jul 2010
    Location
    Singapore
    Posts
    775
    Sorry, typo...

    So, you were saying there is no need to install APF + BFD if we already installed CSF + LFD, right?

  19. #19
    Join Date
    Mar 2011
    Posts
    31
    Yep... I am correct... Let someone else make a post if they disagree.
    I work in Linux for a living. Going from Windows to Linux is like buying a Rolls Royce for zero dollars.

  20. #20
    Join Date
    Dec 2005
    Location
    The Netherlands
    Posts
    107
    No need? CSF states it's incompatible for use together with APF!
    So better not do it; it's highly unrecommended (because both do firewall rules, which can overlap).

    Besides that: both use iptables (ip6tables also for CSF), and so the defense level should be exactly the same if you configure it properly.

  21. #21
    Join Date
    Jul 2010
    Location
    Singapore
    Posts
    775
    ok thanks..

  22. #22
    These look like application-level attacks, so a network firewall is not going to help much; you might want to look at putting something more robust in front of your websites.
    You can also restrict access to the cPanel console only to the IP addresses that you connect from.

  23. #23
    Join Date
    Feb 2010
    Location
    Worldwide
    Posts
    60
    Hi,
    And have you changed the FTP password on all accounts in question, as well as checked all of your computers to see if they harbor malware (try malwarebytes.org for free malware checking software)?

    Best Wishes,
    Jim Walker
    The Hack Repair Guy

  24. #24
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Is your O/S kernel patched and up to date? There have been some nasty root exploits. 30 accounts is enough that you are likely to have been rooted, unfortunately; possibly they were just smart enough not to tip you off by exploiting every account on the server. If there's nothing in common between all 30 accounts, then it's even more likely you have been rooted.

    Except of course if you weren't running suphp (or similar better performer) in which case compromising one account could have given them access to all the other accounts.

    Probably worth hiring someone like configserver.com to harden your server and get rid of the intruder. Up to you, but you're currently stumbling around in the dark and this is expert territory, there's no way a newbie can recover from this. That's not bad, it's just a statement on the way it is.

  25. #25
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    One more thing - you can check for FTP intrusions via the following; a little primitive, but it does the job:

    grep ftp /var/log/messages | less

    look for uploaded files in the hacked accounts; to check a specific account 'victim1' try:

    grep victim1 /var/log/messages | grep ftp | less
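The two grep lines above generalise into a per-account summary. The script below is an added example and not from the thread: it assumes pure-ftpd (cPanel's default FTP server) writes its login and upload lines to /var/log/messages in the format shown, and the sample log lines are constructed. It reports, for each account, which source IPs logged in and what was uploaded, then flags accounts that saw logins from several IPs or received executable uploads, and lists any IP that logged into more than one account (the pattern you would expect from stolen credentials hitting 30 of 400 sites).

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the style pure-ftpd, cPanel's
# default FTP server, logs to /var/log/messages. Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  5 10:12:33 srv1 pure-ftpd: (?@192.0.2.10) [INFO] victim1 is now logged in
Mar  5 10:13:01 srv1 pure-ftpd: (victim1@192.0.2.10) [NOTICE] /home/victim1//public_html/images/x.php uploaded  (91023 bytes, 300.1KB/sec)
Mar  5 11:02:15 srv1 pure-ftpd: (?@198.51.100.7) [INFO] victim1 is now logged in
Mar  5 11:30:02 srv1 pure-ftpd: (?@192.0.2.10) [INFO] victim2 is now logged in
Mar  5 12:00:00 srv1 pure-ftpd: (?@203.0.113.4) [INFO] cleanuser is now logged in
"""

LOGIN_RE = re.compile(r"pure-ftpd: \(\?@([\d.]+)\) \[INFO\] (\S+) is now logged in")
UPLOAD_RE = re.compile(r"pure-ftpd: \(([^@\s]+)@([\d.]+)\) \[NOTICE\] (\S+) uploaded")

def summarize_ftp(log_text):
    """Per account: the distinct source IPs seen and (ip, path) of every upload."""
    acct = defaultdict(lambda: {"ips": set(), "uploads": []})
    for line in log_text.splitlines():
        if m := LOGIN_RE.search(line):
            ip, user = m.groups()
            acct[user]["ips"].add(ip)
        elif m := UPLOAD_RE.search(line):
            user, ip, path = m.groups()
            acct[user]["ips"].add(ip)
            acct[user]["uploads"].append((ip, path))
    return dict(acct)

def flag_accounts(summary):
    """Accounts needing a closer look: logins from several IPs or executable uploads."""
    flagged = {}
    for user, info in summary.items():
        reasons = []
        if len(info["ips"]) > 1:
            reasons.append("logins from %d distinct IPs" % len(info["ips"]))
        exe = [p for _, p in info["uploads"] if p.lower().endswith((".php", ".phtml", ".cgi", ".pl", ".htaccess"))]
        if exe:
            reasons.append("executable uploads: " + ", ".join(exe))
        if reasons:
            flagged[user] = reasons
    return flagged

def shared_source_ips(summary):
    """IPs that logged into more than one account, the pattern of stolen credentials."""
    users_by_ip = defaultdict(set)
    for user, info in summary.items():
        for ip in info["ips"]:
            users_by_ip[ip].add(user)
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}
```

Run it against the real file with `summarize_ftp(open("/var/log/messages").read())`; an IP returned by `shared_source_ips` that is not one of your own is the first thing to block and to search for in the cPanel access_log mentioned earlier in the thread.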
