
05-25-2011, 11:00 AM
|
|
Junior Guru
|
|
Join Date: Apr 2010
Posts: 244
|
|
Someone Hacked my Servers!!!
Hello,
Yesterday, I received an email from someone. He said he hacked both my Windows and Linux servers and also sent my passwords to me!
He hacked my Linux and Windows servers and also WHMCS.
Gladly, I still have access to my servers, but I don't know how he hacked my servers.
I'm sure he is one of my customers, but I don't know which one.
How can I find out how he hacked my servers? And how can I increase my servers' security?
I configured php.ini and disabled some functions, but how can I prevent the uploading of shells and other malicious applications on my servers?
Also, how can I secure a Windows server? I'm new to Windows security and need some help.
Regards
|

05-25-2011, 11:08 AM
|
|
Junior Guru Wannabe
|
|
Join Date: May 2007
Posts: 81
|
|
If you still have access to both servers, I would suggest you change the root passwords immediately. It would be better if you changed them from another computer.
He can control you via trojans or other viruses that are probably running on your PC.
|

05-25-2011, 11:23 AM
|
|
Junior Guru
|
|
Join Date: Apr 2010
Posts: 244
|
|
I changed my passwords and ssh port yesterday.
How can I find trojans and viruses on my pc?
|

05-25-2011, 11:25 AM
|
|
Junior Guru
|
|
Join Date: Apr 2010
Posts: 244
|
|
I believe he can find my passwords again. How can I prevent him?
|

05-25-2011, 11:32 AM
|
|
Aspiring Evangelist
|
|
Join Date: Aug 2005
Location: behind my screen
Posts: 396
|
|
Quote:
Originally Posted by Rezaa
How can I find trojans and viruses on my pc?
|
Hmmmm, don't you know that?
|

05-25-2011, 11:36 AM
|
|
Junior Guru Wannabe
|
|
Join Date: May 2007
Posts: 81
|
|
I would suggest you switch to Linux or Mac OS, which provides 99% protection against trojans and viruses. That's a general suggestion to prevent such issues in the future.
Regarding the current situation, install Kaspersky and run a full scan.
|

05-25-2011, 11:36 AM
|
|
Junior Guru
|
|
Join Date: Apr 2010
Posts: 244
|
|
I scanned my PC with Kaspersky yesterday, but no infected files were found!
Do you know any powerful trojan killer?
|

05-25-2011, 11:40 AM
|
|
Junior Guru Wannabe
|
|
Join Date: May 2007
Posts: 81
|
|
Quote:
Originally Posted by Rezaa
I scanned my PC with Kaspersky yesterday, but no infected files were found!
Do you know any powerful trojan killer?
|
If this guy is a true hacker, he was probably able to create a unique trojan that wasn't detected by Kaspersky due to its fresh and unknown status in the virus database. I was in such a situation years ago.
However, if you scanned yesterday and it doesn't show viruses, it's a good sign.
|

05-25-2011, 11:43 AM
|
|
Junior Guru
|
|
Join Date: Apr 2010
Posts: 244
|
|
I guess he is one of my customers, and he used shell applications to access root. How can I find which customer he is?
|

05-25-2011, 12:15 PM
|
|
Community Leader
|
|
Join Date: Oct 2002
Location: cognito
Posts: 17,289
|
|
Quote:
Originally Posted by seosuperhero
I would suggest you switch to Linux or Mac OS, which provides 99% protection against trojans and viruses.
|
No, it doesn't. The only reason there are less infections is that less people use them so less are written for those platforms. It's not protection, it's lack of market share.
Quote:
Originally Posted by Rezaa
I guess he is one of my customers, and he used shell applications to access root. How can I find which customer he is?
|
Find the shell script(s), and then comb the logs to see where and how it was added to the server.
__________________
Have problems (don't we all)? Head over to the help desk
If at first you don't succeed, that's one data point.
|
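Added example, not part of the original thread: one way to carry out the advice in the post above, flagging PHP files that contain calls typical of web shells and then pulling the access-log requests that touched them. The function names, the pattern list, the sample paths and the assumption that each hosting account runs as its own system user (so the file owner names the customer account) are illustrative; it assumes GNU grep/stat and combined-format access logs.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes GNU grep/stat and combined-format access logs.
# Calls often found in PHP web shells; a match is a lead to review by hand, not proof.
SUSPECT_RE='(eval|assert|system|passthru|shell_exec|proc_open|popen|base64_decode)[[:space:]]*\('

# find_suspect_php DOCROOT -> "owner<TAB>mtime<TAB>path" for each matching .php file.
# Assumption: each hosting account has its own system user, so the owner names the account.
find_suspect_php() {
  grep -rlEi --include='*.php' "$SUSPECT_RE" "$1" 2>/dev/null | sort |
  while IFS= read -r f; do
    printf '%s\t%s\t%s\n' "$(stat -c '%U' "$f")" "$(stat -c '%y' "$f" | cut -d. -f1)" "$f"
  done
}

# requests_for URI_PATH ACCESS_LOG -> "ip<TAB>time<TAB>method<TAB>status" for every hit on the file.
requests_for() {
  awk -v p="$1" '{ split($7, u, "?")
    if (u[1] == p) print $1 "\t" substr($4, 2) "\t" substr($6, 2) "\t" $9 }' "$2"
}

# upload_candidates URI_PATH ACCESS_LOG -> POSTs sent by the first client to request the
# file, before that first request: the likely route by which the file was put on the server.
upload_candidates() {
  awk -v p="$1" '
    { split($7, u, "?"); line[NR] = $0; ip[NR] = $1; verb[NR] = $6 }
    u[1] == p && !first { first = NR; who = $1 }
    END { for (i = 1; i < first; i++) if (ip[i] == who && verb[i] == "\"POST") print line[i] }
  ' "$2"
}

demo() {  # constructed sample data only (documentation IP ranges, harmless PHP)
  d=$(mktemp -d); mkdir -p "$d/www/mail/news"
  echo '<?php echo "hello"; ?>' > "$d/www/index.php"
  echo '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' > "$d/www/mail/news/cache.php"
  cat > "$d/access.log" <<'EOF'
198.51.100.7 - - [24/May/2011:21:58:11 +0000] "GET /index.php HTTP/1.1" 200 812
203.0.113.9 - - [24/May/2011:22:09:40 +0000] "POST /upload.php HTTP/1.1" 200 120
203.0.113.9 - - [24/May/2011:22:10:03 +0000] "POST /mail/news/cache.php HTTP/1.1" 200 512
EOF
  find_suspect_php "$d/www"
  requests_for /mail/news/cache.php "$d/access.log"
  upload_candidates /mail/news/cache.php "$d/access.log"
  rm -rf "$d"
}
demo
```

Legitimate code also calls some of these functions, so each flagged file still needs to be opened and read, and rotated or compressed logs have to be searched as well.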

05-25-2011, 12:45 PM
|
|
Junior Guru
|
|
Join Date: Apr 2010
Posts: 244
|
|
Quote:
Originally Posted by Chris_M
|
I have ClamAV installed on my server, but it didn't show any virus on my server, just some files in the /mail/news directory of my main domain. Do you think they are shell apps?
Quote:
Originally Posted by bear
No, it doesn't. The only reason there are less infections is that less people use them so less are written for those platforms. It's not protection, it's lack of market share.
Find the shell script(s), and then comb the logs to see where and how it was added to the server.
|
Thank you, I'll try it tonight.
|

05-25-2011, 12:47 PM
|
|
Community Liaison
|
|
Join Date: Oct 2004
Location: Ohio
Posts: 1,553
|
|
Quote:
Originally Posted by Rezaa
I have ClamAV installed on my server, but it didn't show any virus on my server, just some files in the /mail/news directory of my main domain. Do you think they are shell apps?
Thank you, I'll try it tonight.
|
Install the app I linked to and rescan. It will help you locate many things that may be on the system. Shell apps can land anywhere if the attacker has already compromised the system. Why not open the files in an editor and see what the contents are?
|

05-25-2011, 01:08 PM
|
|
Engineer
|
|
Join Date: Jan 2005
Location: Scotland, UK
Posts: 2,379
|
|
Quote:
Originally Posted by Rezaa
He hacked both my Windows and Linux servers and also sent my passwords to me!
He hacked my Linux and Windows servers and also WHMCS.
|
I take it you stored the passwords to the servers in whmcs? Somewhere that you stored the auth details was compromised, most likely whmcs, hence why your servers were then compromised. Pretty basic firewalls + authentication methods could have prevented that from escalating to all your systems.
__________________
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. Keep your servers online.
United Kingdom: *0800 8620073* // United States: *585 563 1729* // Australia: *02 9037 2448* // International: *+44.1412800134*
Scott Mcintyre
|

05-25-2011, 01:15 PM
|
|
Junior Guru Wannabe
|
|
Join Date: Jan 2011
Posts: 33
|
|
Am I the only person that finds the lack of server admin/security knowledge among many people providing hosting services to be frightening and possibly even negligent?
I mean if you don't know how to secure a server (or even scan your own pc for malware), why would you think you're qualified to offer hosting services?
To the OP, you need to contact somebody like Rack911 and pay them to fix this for you and lock down your servers so this doesn't happen again in the future. Based on your posts there is virtually no chance you're going to figure out what happened on your own, much less fix it.
|