  1. #1
    Join Date
    Apr 2010
    Posts
    260

    Someone Hacked my Servers!!!

    Hello

    Yesterday, I received an email from someone. He said he hacked both my Windows and Linux servers and also sent me my passwords!
    He hacked my Linux and Windows servers and also WHMCS.
    Gladly, I still have access to my servers, but I don't know how he hacked them.
    I'm sure he is one of my customers, but I don't know which one.

    How can I find out how he hacked my servers? And how can I increase my servers' security?
    I configured php.ini and disabled some functions, but how can I prevent uploading shells and other malicious applications to my servers?

    Also, how can I secure the Windows server? I'm new to Windows security and need some help.


    Regards

  2. #2
    Join Date
    May 2007
    Posts
    85
    If you still have access to both servers, I would suggest that you change the root passwords immediately. It would be better if you change them from another computer.

    He can control you via trojans or other viruses that are probably running on your PC.

  3. #3
    Join Date
    Apr 2010
    Posts
    260
    I changed my passwords and SSH port yesterday.

    How can I find trojans and viruses on my PC?

  4. #4
    Join Date
    Apr 2010
    Posts
    260
    I believe he can find my passwords again; how can I prevent him?

  5. #5
    Join Date
    Aug 2005
    Location
    behind my screen
    Posts
    402
    Quote Originally Posted by Rezaa View Post
    How can I find trojans and viruses on my PC?
    Hmmmm, don't you know that?

  6. #6
    Join Date
    May 2007
    Posts
    85
    I would suggest you switch to Linux or Mac OS, which provides 99% protection against trojans and viruses. That's a general suggestion to prevent such issues in the future.

    Regarding the current situation, install Kaspersky and do a full scan.

  7. #7
    Join Date
    Apr 2010
    Posts
    260
    I scanned my PC with Kaspersky yesterday, but no infected files were found!
    Do you know any powerful trojan killer?

  8. #8
    Join Date
    May 2007
    Posts
    85
    Quote Originally Posted by Rezaa View Post
    I scanned my PC with Kaspersky yesterday, but no infected files were found!
    Do you know any powerful trojan killer?
    If this guy is a true hacker, he was probably able to create a unique trojan that wasn't detected by Kaspersky due to its fresh and unknown status in the virus database. I was in such a situation years ago.

    However, if you scanned yesterday and it doesn't show viruses, it's a good sign.

  9. #9
    Join Date
    Apr 2010
    Posts
    260
    I guess he is one of my customers, and he used shell applications to access root. How can I find which customer he is?

  10. #10
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,948
    Quote Originally Posted by seosuperhero View Post
    I would suggest you switch to Linux or Mac OS, which provides 99% protection against trojans and viruses.
    No, it doesn't. The only reason there are fewer infections is that fewer people use them, so fewer are written for those platforms. It's not protection, it's lack of market share.
    Quote Originally Posted by Rezaa View Post
    I guess he is one of my customers, and he used shell applications to access root. How can I find which customer he is?
    Find the shell script(s), and then comb the logs to see where and how it was added to the server.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  11. #11
    Join Date
    Oct 2004
    Location
    Ohio
    Posts
    1,641

  12. #12
    Join Date
    Apr 2010
    Posts
    260
    Quote Originally Posted by Chris_M View Post
    On the linux box, you should install http://www.rfxn.com/projects/linux-malware-detect/ and ClamAV and do a scan. This should help you locate any shell apps.
    I have ClamAV installed on my server, but it didn't show any virus on my server, just some files in the /mail/news directory of my main domain. Do you think they are shell apps?

    Quote Originally Posted by bear View Post
    No, it doesn't. The only reason there are fewer infections is that fewer people use them, so fewer are written for those platforms. It's not protection, it's lack of market share.

    Find the shell script(s), and then comb the logs to see where and how it was added to the server.
    Thank you, I'll try it tonight.

  13. #13
    Join Date
    Oct 2004
    Location
    Ohio
    Posts
    1,641
    Quote Originally Posted by Rezaa View Post
    I have ClamAV installed on my server, but it didn't show any virus on my server, just some files in the /mail/news directory of my main domain. Do you think they are shell apps?

    Thank you, I'll try it tonight.
    Install the app I linked to and rescan. It will help you locate many things that may be on the system. Shell apps can land anywhere if the attacker has already compromised the system. Why not open the files in an editor and see what the contents are?

  14. #14
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Quote Originally Posted by Rezaa View Post
    He hacked both my Windows and Linux servers and also sent me my passwords!
    He hacked my Linux and Windows servers and also WHMCS.
    I take it you stored the passwords to the servers in WHMCS? Somewhere that you stored the auth details was compromised, most likely WHMCS, hence why your servers were then compromised. Pretty basic firewalls + authentication methods could have prevented that from escalating to all your systems.
    Server Management - AdminGeekZ.com

  15. #15
    Join Date
    Jan 2011
    Posts
    33
    Am I the only person that finds the lack of server admin/security knowledge among many people providing hosting services to be frightening and possibly even negligent?

    I mean if you don't know how to secure a server (or even scan your own pc for malware), why would you think you're qualified to offer hosting services?

    To the OP, you need to contact somebody like Rack911 and pay them to fix this for you and lock down your servers so this doesn't happen again in the future. Based on your posts there is virtually no chance you're going to figure out what happened on your own, much less fix it.

  16. #16
    Join Date
    Nov 2010
    Location
    /
    Posts
    228
    Well, I know how he hacked it....

    As I opened a topic about this some time ago..

    He used a Hmbrw57 shell.. that accessed your ROOT, and he can get the user and pass of cPanel and some other stuff.

    This happened to me 1 month ago, but I fixed it.
    Dot.AL - .AL Domain Name Registration

  17. #17
    Join Date
    Apr 2010
    Posts
    260
    How did you fix it?

    Does anyone have any idea about this shell app?

  18. #18
    Join Date
    Nov 2010
    Location
    /
    Posts
    228
    Quote Originally Posted by Rezaa View Post
    How did you fix it?

    Does anyone have any idea about this shell app?
    Doing some security stuff in Linux..

    Hmm, as about the shell, I sent you a PM with the URL.

  19. #19
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    On a properly hardened server you could not get root privileges using a shell script. If your server is rooted you need to:

    1) check the version of your s/w, like kernel, exim etc.
    2) check suid binaries

    That's actually enough to prevent server rooting. Every time I've seen a rooted server it was the result of an old kernel and/or old software. One of the scenarios known to me was: using vulnerabilities in old exim to get access to the /etc/sudoers file and allow root privileges there to an ordinary user.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  20. #20
    Join Date
    Nov 2010
    Location
    /
    Posts
    228
    Quote Originally Posted by rustelekom View Post
    On a properly hardened server you could not get root privileges using a shell script. If your server is rooted you need to:

    1) check the version of your s/w, like kernel, exim etc.
    2) check suid binaries

    That's actually enough to prevent server rooting. Every time I've seen a rooted server it was the result of an old kernel and/or old software. One of the scenarios known to me was: using vulnerabilities in old exim to get access to the /etc/sudoers file and allow root privileges there to an ordinary user.
    Well, this is not using any bug in the kernel; this makes symlinks and other commands.

    Even if you secure PHP, he can make it back again; even if you fix the httpd.conf he will get it back using .htaccess, + there are some problems with crons that can hack your server again..

    I faced this problem 1 month ago, and it made me sleepless for 2-3 days.

  21. #21
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by sady92 View Post
    Well, this is not using any bug in the kernel; this makes symlinks and other commands.

    Even if you secure PHP, he can make it back again; even if you fix the httpd.conf he will get it back using .htaccess, + there are some problems with crons that can hack your server again..

    I faced this problem 1 month ago, and it made me sleepless for 2-3 days.
    There has to be a vulnerability in one of the server software packages to be able to gain root from a PHP script.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  22. #22
    Join Date
    Dec 2010
    Posts
    312
    Quote Originally Posted by Rezaa View Post
    I changed my passwords and SSH port yesterday.

    How can I find trojans and viruses on my PC?
    What the.......

    You host servers, yet you don't know how to scan for viruses?!

  23. #23
    Join Date
    Dec 2010
    Posts
    312
    Quote Originally Posted by TexasCrane View Post
    Am I the only person that finds the lack of server admin/security knowledge among many people providing hosting services to be frightening and possibly even negligent?

    I mean if you don't know how to secure a server (or even scan your own pc for malware), why would you think you're qualified to offer hosting services?

    To the OP, you need to contact somebody like Rack911 and pay them to fix this for you and lock down your servers so this doesn't happen again in the future. Based on your posts there is virtually no chance you're going to figure out what happened on your own, much less fix it.
    Yeah, it does. That is why you should never use some of the smaller basement-type hosting companies.

  24. #24
    Join Date
    Apr 2010
    Posts
    260
    Thanks everybody.
    I have a small hosting company in my country; we are not a world-class company. As I said, I'm new to network security and I'm learning.
    I need someone to help me fix this issue at this time.
    Please don't blame me anymore; blaming means spamming in this topic.
    Help is appreciated only.

  25. #25
    Join Date
    Nov 2010
    Location
    /
    Posts
    228
    Quote Originally Posted by Rezaa View Post
    Thanks everybody.
    I have a small hosting company in my country; we are not a world-class company. As I said, I'm new to network security and I'm learning.
    I need someone to help me fix this issue at this time.
    Please don't blame me anymore; blaming means spamming in this topic.
    Help is appreciated only.
    Hmm, well as I said, if you have access to your servers, check all your users for some weird scripts.

    What will it look like?

    Well, it should have a php.ini near it, something like r57.php or another kind.. then delete it..

    I am 100% sure your problem is this that I am describing to you..

    <<snipped>>
    Last edited by bear; 05-26-2011 at 06:54 AM.
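A defender-side starting point for the checks rustelekom (post #19, suid binaries and old software) and sady92 (post #25, weird scripts such as r57.php in customer accounts) describe in words, as an added example that is not code from this thread or from any poster: a POSIX sh script that lists setuid/setgid files, PHP files containing common webshell indicator strings, and recently modified files under a directory. The indicator patterns, the function names and the scan paths are assumptions; hits are leads to inspect by hand and in the web and FTP logs, not proof of compromise.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only triage helpers for a shared
# hosting box: nothing here deletes or modifies anything.

# Indicator strings often present in r57/c99-style PHP shells (assumed list,
# extended regex). Legitimate code can match too, so review every hit.
WEBSHELL_PATTERN='eval\(base64_decode|passthru\(|shell_exec\(|system\(\$_|preg_replace\(.*/e'

# 1. PHP files under $1 whose contents match the indicator pattern, one path per line.
find_suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) -print 2>/dev/null \
        | while IFS= read -r f; do
            if grep -qiE "$WEBSHELL_PATTERN" "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# 2. Setuid/setgid files under $1 (post #19's "check suid binaries"). Compare the
#    list against a known-good server or the package manager's file lists.
find_suid_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# 3. Files under $1 modified in the last $2 days: narrows the window to search
#    in the access and FTP logs for the upload (bear's advice in post #10).
recently_changed() {
    find "$1" -xdev -type f -mtime "-$2" -print 2>/dev/null
}

# Usage: sh triage.sh /home   (run as root so every customer directory is readable;
# with no argument the script only defines the functions above).
if [ "$#" -gt 0 ]; then
    echo "== PHP files with webshell indicators under $1 =="; find_suspicious_php "$1"
    echo "== setuid/setgid files under $1 =="; find_suid_binaries "$1"
    echo "== files modified in the last 7 days under $1 =="; recently_changed "$1" 7
fi
```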
