Results 1 to 21 of 21
  1. #1
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202

    VPS being hacked like crazy

    I have a major problem and do not know how to fix it. I have a VPS hosted with HostIcan, CentOS 4.5 with cPanel installed.

    Now, I have been with them for 2 years now. The first year with them I wasn't hacked at all, same version of scripts. The domain getting hacked is my main domain for the VPS. I have two sites on this account in cPanel. Both sites have Joomla 1.5 installed. One has 1.5.16 and the other I just upgraded from .14 to .23 yesterday.

    For the past 6 months ever since Jumpline took over and they moved us to outside columbus from Virginia I have been hacked like crazy! Every day or so I find something. Mostly phishing sites for banks. The past 3 days have been horrible!! To the point where I can't find all of them and they knocked my VPS off twice I had to call back to get it turned on.

    Now, both times they knocked it off when they brought it back up I changed all cpanel passwords, and both sites Joomla admin passwords, all passes have been changed to everything. The cpanel pass is a 21 character alpha numeric (weird chars) password. And the site passwords I have changed to 16 characters alpha numerics.

    I also yesterday upgraded the main site, the one getting hacked from .16 to .23 of joomla 1.5.

    I have also upgraded cPanel to latest version.

    Still about an hour ago I was hacked and a phishing site installed once again. I wasn't in front of the server at the time so they didn't give me any warning at all or time to fix it, but just knocked me off again.

    I have upgraded firewall to latest version. One month ago I had them (hostican) log into my VPS and check security in the server itself and this account. They themselves said, nope everything seems to be good. The firewall is configured right and your account has the right permissions and everything looks good.

    So what are some suggestions? What's my next move?? I'm really getting tired of this to be honest. My personal opinion is it's HostIcans fault, since they moved us this started happing, could it be the servers firewall breaking down and letting them in before they get to my VPS, or something else on their end? Do I have a leg to stand on in this area or is it all my fault?

    If it's all my fault, what the heck!!??

    How in the world do I patch this? And how do I find out how in the heck they are getting in?

    Thanks for any advice you can give me in this problem of mine.

  2. #2
    Join Date
    Nov 2007
    Location
    New Jersey, USA
    Posts
    4,740
    I am not sure if I missed it, but what kind of website are you running on this VPS? Multiple of websites or just one? Wordpress, joomla?

    - Daniel

  3. #3
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    Yeah it was up there in the post. This VPS many, since it's for hosting and I have a lot of clients on there running their own things. But they never get hacked, just me ha ha.

    And I think I put this in the post above, Joomla 1.5 on the two sites on my account the main domain that keeps getting hacked. But as stated this didn't start happening till 6 months ago, and I didn't change anything when it started. Since then, I've changed passwords 7 times in 6 months and upgraded Joomla twice for each site! Still they get in.

  4. #4
    Join Date
    Nov 2007
    Location
    New Jersey, USA
    Posts
    4,740
    Quote Originally Posted by jfreak53 View Post
    Yeah it was up there in the post. This VPS many, since it's for hosting and I have a lot of clients on there running their own things. But they never get hacked, just me ha ha.

    And I think I put this in the post above, Joomla 1.5 on the two sites on my account the main domain that keeps getting hacked. But as stated this didn't start happening till 6 months ago, and I didn't change anything when it started. Since then, I've changed passwords 7 times in 6 months and upgraded Joomla twice for each site! Still they get in.
    Do you run any plugins on Joomla? Are they updated? Usually they get in through those.

    - Daniel

  5. #5
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    Yes actually, but haven't upgraded them since most of them don't have upgrades a lot. One that might be is the Fabrik component for forms. But I have this on clients sites and it has never been hacked.

    I have JStats installed and a couple from Yoo and what else, hmm, oh and Joomfish. But as always with all these modules and components they are on other sites that I have created for clients in the past with no problems.

    Do you have any ideas of plugins that have caused problems in the past or a place, besides their forum, where this might be listed problems?

    Also if so, is there a simple way to test each of the plugins that you know of??

    I know two weeks ago I caught someone on the site running fabrik into a bunch of URL's that don't exist ha ha, but I watched, they never did anything but just run those URL's.

  6. #6
    Join Date
    Nov 2007
    Location
    New Jersey, USA
    Posts
    4,740
    Quote Originally Posted by jfreak53 View Post
    Yes actually, but haven't upgraded them since most of them don't have upgrades a lot. One that might be is the Fabrik component for forms. But I have this on clients sites and it has never been hacked.

    I have JStats installed and a couple from Yoo and what else, hmm, oh and Joomfish. But as always with all these modules and components they are on other sites that I have created for clients in the past with no problems.

    Do you have any ideas of plugins that have caused problems in the past or a place, besides their forum, where this might be listed problems?

    Also if so, is there a simple way to test each of the plugins that you know of??

    I know two weeks ago I caught someone on the site running fabrik into a bunch of URL's that don't exist ha ha, but I watched, they never did anything but just run those URL's.
    What i would do is change all of your passwords and remove all of the plugins. Leave the website like that for a few days and see how it works out. Then you can add them one by one.

    - Daniel

  7. #7
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    I'm going to try that amount a few other things I have found searching. I did find that RSMonials component is on the list of the most exploited, so it's gone ha ha.

  8. #8
    Join Date
    Nov 2010
    Posts
    87
    Hi,

    Joomla is a hijack magnet. Try TmzHosting's advice and also check:
    1.Permisive folder permissions
    2.Scripts you don't recognise in the account
    3.Try using cxs or something like it(unfortunately it's about 50$) to check all the acconts for exploits, executables, premission slips etc(it has a very big list of options)
    4.Who else has access to the passwords?
    5.Try checking for viruses/exploits on the computers you use on a regular bases when working with those two accounts.

    In my experience, in 99% of the cases, either the client's computer got hijacked and the hijacker had access to all the passwords saved in browsers and FTP clients, or the account had 777 permissions on public_html folders.

    P.S. Try not to save you passwords in browsers and FTP clients or any other third party software because they're usually saved as plain text.

  9. #9
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Quote Originally Posted by jfreak53 View Post
    So what are some suggestions? What's my next move?? I'm really getting tired of this to be honest. My personal opinion is it's HostIcans fault, since they moved us this started happing, could it be the servers firewall breaking down and letting them in before they get to my VPS, or something else on their end? Do I have a leg to stand on in this area or is it all my fault?
    Sorry, but... it's all your fault.

    You need to keep open source apps (and their plugins) updated, otherwise sooner or later they will be hacked. Having already been hacked there may well be backdoors left in your websites - extra hidden admin users, extra files etc. Can you be absolutely sure they didn't get root access to your VPS too? I bet they tried.

    As to what to do now, I'd start with a full clean install of the latest versions of everything and then very carefully import your old data.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  10. #10
    Join Date
    Mar 2003
    Location
    /root
    Posts
    23,990
    Quote Originally Posted by foobic View Post
    Sorry, but... it's all your fault.
    I agree.

    Getting a VPS, putting sites there is not just enough.

    Aside from securing your vps, you also need to check that your sites are secure.

    Firewall will not help on this. You need to secure mysql, php, ftp, ssh, network, etc... non-stop!

    Specially 4 U
    Reseller Hosting: Boost Your Websites | Fully Managed KVM VPS: 3.20 - 5.00 Ghz, Pure Dedicated Power
    JoneSolutions.Com is on the net 24/7 providing stable and reliable web hosting solutions, server management and services since 2001
    Debian|Ubuntu|cPanel|DirectAdmin|Enhance|Webuzo|Acronis|Estela|BitNinja|Nginx

  11. #11
    Join Date
    Jul 2010
    Location
    Close 2 U
    Posts
    567
    add a .htaccess to the administrator file, this may help a bit ..

    One more good question: does the hacker hack the site data base or change a page "I mean: file replacement ? "

    Not as that Much Expert
    I'm just a "LostEagle"
    _-_-_-_-_-_-_-_-_-_-_-_-_

  12. #12
    Join Date
    Apr 2009
    Location
    India
    Posts
    182
    Are you using default name of SQl table prefix? if yes you have to change it and can also password protect your administrator directory as well move your configuration file and temp directory file out side of public folder and use permission 0444.

    One more thing if you can just install any live monitoring software on your website and regularly monitor your visitors activity if you find something wrong just block them by firewall. It will take few days but its can help.

  13. #13
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    One more thing if you can just install any live monitoring software on your website and regularly monitor your visitors activity if you find something wrong just block them by firewall. It will take few days but its can help.
    Well right now I have livezilla running on both sites for support. So I get live updates of the exact URL's that they use. That's how I knew they had been screwing with fabrik. I removed it last night and passworded both administrator dirs using .htaccess and a new 24 character alpha numeric pass.

    I'm yes positive that they don't have root. I have changed root pass quite a few times and to connect to SSH I have keys installed and only allow an off port with SSL. Plus, this is the only site they hack, so if they had root, why aren't they more productive??

    Now strangely I keep finding iptables stopped. Like right now I found it stopped again. I can't find any process running using htop or checking root cron that disables automatically iptables. I can't find anything running that isn't normal.

    Then this morning after doing all these changes, I found another one of their dirs on my site, this time under the administrator dir, the one I just changed. I checked timestamp it was installed last night after all changes. So, is my pass now compromised once again??!!

    I just replaced last night all my files for Joomla with originals since I upgraded to .23 on both installs. So I know Joom files are not compromised nor components since I did them also.

    One more good question: does the hacker hack the site data base or change a page "I mean: file replacement ? "
    No my DB's not compromised. They never change any data in the DB, they never change any of the main files. They only add their own files to the system for phishing in weird places. I have resorted to added access rules in .htaccess to block regex files and dirs that I have been finding in the past and just keep adding new rules as I find new things. The good thing is that I have added all these new rules to htaccess and the files that they keep adding are under these new rules, so they can't run the pages.

    I have checked my htaccess and that never changes.

    Yes all dirs are 755 and all files are 644, that has been for a long long time.

    And to rest the comments I never ever since I started using the net I never let my browser save passwords, ever. I don't trust them to do it, so that has never been a problem. And FTP software doesn't save my passes either since I don't use, I use WINSCP with keys pre installed on the server through SSL.

  14. #14
    Join Date
    Jul 2010
    Location
    Close 2 U
    Posts
    567
    As I guess your have a SHELL file on this VPS ... try to locate c99.sh

    Not as that Much Expert
    I'm just a "LostEagle"
    _-_-_-_-_-_-_-_-_-_-_-_-_

  15. #15
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    Nop, can't find any on the box. I first did updatedb, then I locate c99.sh. Not there on the box.

    So then I went into the account in question and did:
    Code:
    find . -type f -iname '*.php' -exec grep -qi 'C99Shell' '{}' \; -print
    find . -type f -iname '*.txt' -exec grep -qi 'C99Shell' '{}' \; -print
    find . -type f -iname '*.gif' -exec grep -qi 'C99Shell' '{}' \; -print
    I then searched for r57:

    Code:
    find . -type f -iname '*.php' -exec grep -qi 'r57' '{}' \; -print
    find . -type f -iname '*.txt' -exec grep -qi 'r57' '{}' \; -print
    find . -type f -iname '*.gif' -exec grep -qi 'r57' '{}' \; -print
    Nottin. Plus I have had mod_security installed for a long time with gotroot.com and a few other anti-script rules I have found on the net and tested.

  16. #16
    Join Date
    Jul 2010
    Location
    Close 2 U
    Posts
    567
    check /tmp dir + scan the VPSs chroot + calmAV

    Not as that Much Expert
    I'm just a "LostEagle"
    _-_-_-_-_-_-_-_-_-_-_-_-_

  17. #17
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    Well I have clam running everyday on my home dir and once a week on the whole VPS. But I did find something yesterday and removed it. I also ran rkhunter and found nothing.

    Now after all of that, I went and setup two days ago scan once a day of my home dir for C99 and r57. I also blocked in htaccess the ... dir that they seem to be using. I have had this setup for two days now, and I know that they aren't using scripts like c99 or r57 but they are getting in somehow.

    So yesterday at 2PM my VPS got blocked again!!

    Got an email from HostIcan and was told to take care of it or don't bother coming back basically!

    So I removed the dir in question and once again changed all passwords. I am getting sick of this, what is this junk and how do I stop it!?

    There is no single script in the entire user folder left to cause this. TMP dir is emptied automatically every 2 hours. And I have removed all bad joomla plugins and such that I found on the NVD. Nothing left

  18. #18
    Join Date
    Jul 2010
    Location
    Close 2 U
    Posts
    567
    I would suggest OSreloading ...
    lets have a new VPS .. secure it .. then move ur data

    Not as that Much Expert
    I'm just a "LostEagle"
    _-_-_-_-_-_-_-_-_-_-_-_-_

  19. #19
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    Have you considered hiring a 3rd party support person to review the integrity of your VPS? If your still running an obselete version of CentOS 4.5 (Current Version 5.6), it makes it sound like security isn't the highest priority.

  20. #20
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    202
    Quote Originally Posted by PogiWeb View Post
    Have you considered hiring a 3rd party support person to review the integrity of your VPS? If your still running an obselete version of CentOS 4.5 (Current Version 5.6), it makes it sound like security isn't the highest priority.
    Yes I have thought about it, but most of them are $70 an hour and I can afford that. Plus if they are just going to tell me well looks like we can't find it or it's a script. Then two weeks later without any changes but what they told me it happens again

    That's what I don't want to waste my dough. Yes I am running CentOS 4.5. Even though HostIcan has promised for MONTHS since ever to upgrade all old containers to 5+ they continue to put us older customers off, and keep doing it.

    So I haven't been able to upgrade container yet. That's why in another thread here I posted Joe won't answer my sales inquiries , I'm trying to switch to a Dedi at Joe's.

    HostIcan has just sucked since Jumpline took over and they refuse to look into the firewall issue even though 2 years ago when I bought this VPS it was fully managed 100%, they refuse to honor that and look into the firewall and cpanel security to make sure I got it right. Heck VPSLatch does anything I ask ha ha, great service from them.

    That's the deal, I have a VPS running at VPSLatch for over a year now with CentOS 5 and the same version of WHM. I have 3 sites on there all running the same version of Joomla that I am, and 90% of the same plugins. Zero hacks!!

    That's what's got me. I have the other one configured the exact same way as this one, and all those domains have more exposure than this one, so in theory if anything was going to be hacked it should be those ha ha

    Thanks for all the advise and help guys.

  21. #21
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,928
    This is what I suggest... If you have another VPS with VPSLatch, then migrate over the accounts to that VPS account. I would then request that the VPS be rebuild and secured (top ----> down). You can then remigrate all the accounts over to the new VPS. I would make sure you do the normal security checks for these websites (update software to recent version and update all passwords). This is the best way to hopefully fix the issue if your on a budget. This isn't a fully proof method, but a great way to help eliminate a root cause to the problem.

Similar Threads

  1. Replies: 0
    Last Post: 03-06-2010, 08:47 AM
  2. Replies: 5
    Last Post: 12-04-2007, 11:30 AM
  3. Replies: 3
    Last Post: 11-26-2007, 10:51 AM
  4. *** Ubiquity VPS *** Crazy VPS Deal 45% off !!@!!!!!
    By blahrus in forum VPS Hosting Offers
    Replies: 7
    Last Post: 11-18-2007, 03:36 AM
  5. Replies: 3
    Last Post: 11-17-2007, 04:48 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •