Thread: VPS being hacked like crazy
-
04-08-2011, 02:21 PM #1Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
VPS being hacked like crazy
I have a major problem and do not know how to fix it. I have a VPS hosted with HostIcan, CentOS 4.5 with cPanel installed.
Now, I have been with them for 2 years now. The first year with them I wasn't hacked at all, same version of scripts. The domain getting hacked is my main domain for the VPS. I have two sites on this account in cPanel. Both sites have Joomla 1.5 installed. One has 1.5.16 and the other I just upgraded from .14 to .23 yesterday.
For the past 6 months, ever since Jumpline took over and they moved us to outside Columbus from Virginia, I have been hacked like crazy! Every day or so I find something, mostly phishing sites for banks. The past 3 days have been horrible!! To the point where I can't find all of them, and they knocked my VPS off twice; I had to call back to get it turned on.
Now, both times they knocked it off, when they brought it back up I changed all cPanel passwords and both sites' Joomla admin passwords; the passwords for everything have been changed. The cPanel password is a 21-character alphanumeric (weird chars) password, and the site passwords I have changed to 16-character alphanumerics.
I also yesterday upgraded the main site, the one getting hacked from .16 to .23 of joomla 1.5.
I have also upgraded cPanel to latest version.
Still about an hour ago I was hacked and a phishing site installed once again. I wasn't in front of the server at the time so they didn't give me any warning at all or time to fix it, but just knocked me off again.
I have upgraded firewall to latest version. One month ago I had them (hostican) log into my VPS and check security in the server itself and this account. They themselves said, nope everything seems to be good. The firewall is configured right and your account has the right permissions and everything looks good.
So what are some suggestions? What's my next move?? I'm really getting tired of this, to be honest. My personal opinion is it's HostIcan's fault, since this started happening when they moved us. Could it be the server's firewall breaking down and letting them in before they get to my VPS, or something else on their end? Do I have a leg to stand on in this area, or is it all my fault?
If it's all my fault, what the heck!!??
How in the world do I patch this? And how do I find out how in the heck they are getting in?
Thanks for any advice you can give me in this problem of mine.
-
04-08-2011, 02:31 PM #2Managed VPS Experts
- Join Date
- Nov 2007
- Location
- New Jersey, USA
- Posts
- 4,740
I am not sure if I missed it, but what kind of website are you running on this VPS? Multiple websites or just one? WordPress, Joomla?
- Daniel
-
04-08-2011, 02:36 PM #3Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
Yeah, it was up there in the post. This VPS has many, since it's for hosting and I have a lot of clients on there running their own things. But they never get hacked, just me ha ha.
And I think I put this in the post above, Joomla 1.5 on the two sites on my account the main domain that keeps getting hacked. But as stated this didn't start happening till 6 months ago, and I didn't change anything when it started. Since then, I've changed passwords 7 times in 6 months and upgraded Joomla twice for each site! Still they get in.
-
04-08-2011, 02:39 PM #4Managed VPS Experts
- Join Date
- Nov 2007
- Location
- New Jersey, USA
- Posts
- 4,740
-
04-08-2011, 02:47 PM #5Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
Yes actually, but haven't upgraded them since most of them don't have upgrades a lot. One that might be is the Fabrik component for forms. But I have this on clients sites and it has never been hacked.
I have JStats installed and a couple from Yoo and what else, hmm, oh and Joomfish. But as always with all these modules and components they are on other sites that I have created for clients in the past with no problems.
Do you have any ideas of plugins that have caused problems in the past, or a place, besides their forum, where these problems might be listed?
Also if so, is there a simple way to test each of the plugins that you know of??
I know two weeks ago I caught someone on the site running Fabrik into a bunch of URLs that don't exist ha ha, but I watched; they never did anything but just run those URLs.
-
04-08-2011, 02:49 PM #6Managed VPS Experts
- Join Date
- Nov 2007
- Location
- New Jersey, USA
- Posts
- 4,740
-
04-08-2011, 03:09 PM #7Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
I'm going to try that, among a few other things I have found searching. I did find that the RSMonials component is on the list of the most exploited, so it's gone ha ha.
-
04-08-2011, 06:07 PM #8Junior Guru Wannabe
- Join Date
- Nov 2010
- Posts
- 87
Hi,
Joomla is a hijack magnet. Try TmzHosting's advice and also check:
1. Permissive folder permissions
2. Scripts you don't recognise in the account
3. Try using cxs or something like it (unfortunately it's about $50) to check all the accounts for exploits, executables, permission slips etc. (it has a very big list of options)
4. Who else has access to the passwords?
5. Try checking for viruses/exploits on the computers you use on a regular basis when working with those two accounts.
In my experience, in 99% of the cases, either the client's computer got hijacked and the hijacker had access to all the passwords saved in browsers and FTP clients, or the account had 777 permissions on public_html folders.
P.S. Try not to save your passwords in browsers and FTP clients or any other third-party software, because they're usually saved as plain text.
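The first three checklist items above (permissive permissions, files you do not recognise, a scan for dropped scripts) as a small triage script. This is an added example, not code from the thread or from cxs: it builds a constructed sample account tree under mktemp so it runs offline, the backdoor marker list is illustrative rather than a complete signature set, and it goes one step past the checklist by also listing files changed in the last few days, which is how phishing pages (plain HTML, no shell code) usually turn up.

```shell
#!/bin/sh
# Added triage example for the checklist above; not code from the thread or
# from cxs. Assumes POSIX sh, find, grep, sort; the sample tree is constructed.

# 1. World-writable files and directories (the "777 on public_html" case).
find_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) | sort
}

# 2. Files changed in the last N days (default 3). Phishing kits are plain
#    HTML with no shell code, so a timestamp sweep is often what finds them.
find_recent() {
    find "$1" -type f -mtime -"${2:-3}" | sort
}

# 3. Files carrying common backdoor markers. Checks .txt/.gif/.jpg as well,
#    since shells are routinely dropped with a harmless extension and then
#    included from PHP. The pattern list is illustrative, not complete.
find_suspicious() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.inc' -o -iname '*.txt' \
                         -o -iname '*.gif' -o -iname '*.jpg' \) \
        -exec grep -liE 'c99shell|r57shell|eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)|(passthru|shell_exec)[[:space:]]*\(' {} + \
        | sort
}

# Constructed sample account so the script runs offline. Prints its docroot.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html/images" "$d/public_html/administrator/.cache" "$d/public_html/tmp"
    chmod 0777 "$d/public_html/tmp"                                   # the classic mistake
    printf '<?php echo "hello"; ?>\n' > "$d/public_html/index.php"
    touch -t 201101010000 "$d/public_html/index.php"                 # old, legitimate file
    printf '<?php eval(base64_decode($_POST["x"])); ?>\n' > "$d/public_html/images/logo.gif"
    printf '<?php /* C99Shell v1.0 */ ?>\n' > "$d/public_html/administrator/.cache/.s.php"
    printf '<html>Dear customer, please verify your account</html>\n' > "$d/public_html/administrator/.cache/bank.html"
    echo "$d/public_html"
}

main() {
    root=${1:-$(make_sample_tree)}        # pass a real docroot to scan it instead
    echo "== world-writable under $root =="; find_world_writable "$root"
    echo "== modified in the last 3 days =="; find_recent "$root" 3
    echo "== backdoor markers ==";            find_suspicious "$root"
}
main "$@"
```

Run it with the path of the cPanel account's public_html as the first argument (it is read-only; nothing is deleted). The hidden directory under administrator/ in the sample is deliberate: a listing of recently modified files is what catches a phishing kit, because the bank page itself contains nothing a shell scanner would flag.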
-
04-08-2011, 07:03 PM #9Retired Moderator
- Join Date
- Feb 2005
- Location
- Australia
- Posts
- 5,849
Sorry, but... it's all your fault.
You need to keep open source apps (and their plugins) updated, otherwise sooner or later they will be hacked. Having already been hacked there may well be backdoors left in your websites - extra hidden admin users, extra files etc. Can you be absolutely sure they didn't get root access to your VPS too? I bet they tried.
As to what to do now, I'd start with a full clean install of the latest versions of everything and then very carefully import your old data.
Chris
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
-
04-08-2011, 07:10 PM #10The Linux Specialist
- Join Date
- Mar 2003
- Location
- /root
- Posts
- 23,990
Specially 4 U
-
04-08-2011, 07:35 PM #11Web Hosting Master
- Join Date
- Jul 2010
- Location
- Close 2 U
- Posts
- 567
add a .htaccess to the administrator file, this may help a bit ..
One more good question: does the hacker hack the site data base or change a page "I mean: file replacement ? "
Not as that Much Expert
I'm just a "LostEagle"
_-_-_-_-_-_-_-_-_-_-_-_-_
-
04-08-2011, 07:41 PM #12Junior Guru
- Join Date
- Apr 2009
- Location
- India
- Posts
- 182
Are you using the default SQL table prefix? If yes, you have to change it. You can also password-protect your administrator directory, as well as move your configuration file and temp directory outside of the public folder and use permission 0444.
One more thing: if you can, just install any live monitoring software on your website and regularly monitor your visitors' activity; if you find something wrong, just block them by firewall. It will take a few days, but it can help.
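The administrator lockdown suggested in the two posts above (password-protect the administrator directory, 0444 on the configuration file) as working files. This is an added example, not code from the thread or from Joomla/cPanel: it assumes Apache 2.2-style Order/Allow/Deny directives (still accepted by 2.4 through mod_access_compat), an openssl binary on the box for the apr1 hash, and placeholder paths plus the documentation range 203.0.113.0/24 standing in for your own static address.

```shell
#!/bin/sh
# Added example for the "password-protect administrator/" advice above.
# Assumptions (not from the posts): Apache 2.2-style access directives,
# openssl available, placeholder paths, 203.0.113.0/24 as the allowed network.

# Append an Apache apr1 (MD5-crypt) entry for user $2 to htpasswd file $1,
# feeding password $3 over stdin so it never shows up in ps output.
make_htpasswd() {
    hash=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$2" "$hash" >> "$1"
    chmod 640 "$1"
}

# Write $1/.htaccess requiring BOTH a valid user ($2 = htpasswd path) AND a
# source address from the allowlist ($3...). Apache's default is "Satisfy all",
# so a stolen admin password used from an unlisted IP still gets a 403.
make_admin_htaccess() {
    dir=$1; pwfile=$2; shift 2
    {
        echo 'AuthType Basic'
        echo 'AuthName "Restricted administrator area"'
        echo "AuthUserFile $pwfile"
        echo 'Require valid-user'
        echo 'Order deny,allow'
        echo 'Deny from all'
        for src in "$@"; do echo "Allow from $src"; done
    } > "$dir/.htaccess"
    chmod 644 "$dir/.htaccess"
}

# Make a file read-only for everyone (0444), as suggested for configuration.php,
# and print the resulting mode so the caller can verify it.
lock_readonly() {
    chmod 0444 "$1" && stat -c '%a' "$1"
}

main() {
    home=${1:-$(mktemp -d)}              # stands in for /home/<cpanel-user>
    mkdir -p "$home/public_html/administrator"
    : > "$home/public_html/configuration.php"
    # .htpasswd lives in the account home, outside public_html, on purpose.
    make_htpasswd "$home/.htpasswd" admin 'correct horse battery staple'
    make_admin_htaccess "$home/public_html/administrator" "$home/.htpasswd" \
        203.0.113.0/24 203.0.113.200
    lock_readonly "$home/public_html/configuration.php"
    cat "$home/public_html/administrator/.htaccess"
}
main "$@"
```

Keep the .htpasswd file outside public_html (the account home is fine) so it can never be served, and remember that 0444 on configuration.php only stops writes through the web server's user; Joomla's own admin screens will refuse to save settings until you loosen it again, which is the intended trade-off.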
-
04-09-2011, 10:00 AM #13Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
One more thing if you can just install any live monitoring software on your website and regularly monitor your visitors activity if you find something wrong just block them by firewall. It will take few days but its can help.
Yes, I'm positive that they don't have root. I have changed the root password quite a few times, and to connect to SSH I have keys installed and only allow an off port with SSL. Plus, this is the only site they hack, so if they had root, why aren't they more productive??
Now, strangely, I keep finding iptables stopped. Like right now I found it stopped again. I can't find any process running, using htop or checking root's cron, that automatically disables iptables. I can't find anything running that isn't normal.
Then this morning, after doing all these changes, I found another one of their dirs on my site, this time under the administrator dir, the one I just changed. I checked the timestamp; it was installed last night after all the changes. So, is my pass now compromised once again??!!
I just replaced last night all my files for Joomla with originals since I upgraded to .23 on both installs. So I know Joom files are not compromised nor components since I did them also.
One more good question: does the hacker hack the site data base or change a page "I mean: file replacement ? "
I have checked my htaccess and that never changes.
Yes all dirs are 755 and all files are 644, that has been for a long long time.
And to put the comments to rest: ever since I started using the net I have never let my browser save passwords, ever. I don't trust them to do it, so that has never been a problem. And FTP software doesn't save my passes either, since I don't use it; I use WinSCP with keys pre-installed on the server through SSL.
-
04-10-2011, 07:46 AM #14Web Hosting Master
- Join Date
- Jul 2010
- Location
- Close 2 U
- Posts
- 567
As I guess, you have a SHELL file on this VPS ... try to locate c99.sh
-
04-10-2011, 10:08 AM #15Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
Nope, can't find any on the box. I first did updatedb, then ran locate c99.sh. Not there on the box.
So then I went into the account in question and did:
Code:
find . -type f -iname '*.php' -exec grep -qi 'C99Shell' '{}' \; -print
find . -type f -iname '*.txt' -exec grep -qi 'C99Shell' '{}' \; -print
find . -type f -iname '*.gif' -exec grep -qi 'C99Shell' '{}' \; -print
Code:
find . -type f -iname '*.php' -exec grep -qi 'r57' '{}' \; -print
find . -type f -iname '*.txt' -exec grep -qi 'r57' '{}' \; -print
find . -type f -iname '*.gif' -exec grep -qi 'r57' '{}' \; -print
-
04-10-2011, 10:11 AM #16Web Hosting Master
- Join Date
- Jul 2010
- Location
- Close 2 U
- Posts
- 567
check /tmp dir + scan the VPS's chroot + ClamAV
-
04-13-2011, 09:12 AM #17Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
Well, I have clam running every day on my home dir and once a week on the whole VPS. But I did find something yesterday and removed it. I also ran rkhunter and found nothing.
Now, after all of that, two days ago I set up a scan once a day of my home dir for C99 and r57. I also blocked in htaccess the ... dir that they seem to be using. I have had this set up for two days now, and I know that they aren't using scripts like c99 or r57, but they are getting in somehow.
So yesterday at 2PM my VPS got blocked again!!
Got an email from HostIcan and was told to take care of it or don't bother coming back basically!
So I removed the dir in question and once again changed all passwords. I am getting sick of this, what is this junk and how do I stop it!?
There is no single script in the entire user folder left to cause this. TMP dir is emptied automatically every 2 hours. And I have removed all bad joomla plugins and such that I found on the NVD. Nothing left
-
04-13-2011, 10:22 AM #18Web Hosting Master
- Join Date
- Jul 2010
- Location
- Close 2 U
- Posts
- 567
I would suggest OS reloading ...
Let's have a new VPS .. secure it .. then move your data
-
04-13-2011, 10:33 AM #19Web Hosting Master
- Join Date
- Jan 2003
- Location
- U.S.A.
- Posts
- 3,928
Have you considered hiring a 3rd-party support person to review the integrity of your VPS? If you're still running an obsolete version of CentOS 4.5 (current version 5.6), it makes it sound like security isn't the highest priority.
-
04-13-2011, 12:04 PM #20Junior Guru
- Join Date
- Sep 2010
- Location
- Ohio
- Posts
- 202
Yes, I have thought about it, but most of them are $70 an hour and I can afford that. Plus, if they are just going to tell me "well, looks like we can't find it" or "it's a script", then two weeks later, without any changes but what they told me, it happens again.
That's what I don't want to waste my dough. Yes I am running CentOS 4.5. Even though HostIcan has promised for MONTHS since ever to upgrade all old containers to 5+ they continue to put us older customers off, and keep doing it.
So I haven't been able to upgrade container yet. That's why in another thread here I posted Joe won't answer my sales inquiries , I'm trying to switch to a Dedi at Joe's.
HostIcan has just sucked since Jumpline took over and they refuse to look into the firewall issue even though 2 years ago when I bought this VPS it was fully managed 100%, they refuse to honor that and look into the firewall and cpanel security to make sure I got it right. Heck VPSLatch does anything I ask ha ha, great service from them.
That's the deal, I have a VPS running at VPSLatch for over a year now with CentOS 5 and the same version of WHM. I have 3 sites on there all running the same version of Joomla that I am, and 90% of the same plugins. Zero hacks!!
That's what's got me. I have the other one configured the exact same way as this one, and all those domains have more exposure than this one, so in theory if anything was going to be hacked it should be those ha ha
Thanks for all the advice and help, guys.
-
04-13-2011, 02:09 PM #21Web Hosting Master
- Join Date
- Jan 2003
- Location
- U.S.A.
- Posts
- 3,928
This is what I suggest... If you have another VPS with VPSLatch, then migrate the accounts over to that VPS account. I would then request that the VPS be rebuilt and secured (top ----> down). You can then re-migrate all the accounts over to the new VPS. I would make sure you do the normal security checks for these websites (update software to a recent version and update all passwords). This is the best way to hopefully fix the issue if you're on a budget. This isn't a foolproof method, but a great way to help eliminate a root cause of the problem.