  1. #1
    Join Date
    Aug 2012
    Posts
    93

    What is the reason for the hack?

    Hi everybody,
    I have a dedicated server with CentOS 5.8.
    I use cPanel and host 275 sites on this server.

    Last night one site on the server was hacked.
    I want to understand the reason this site was hacked.
    How can I check the logs for this site and find out how it was hacked?

    Please help me.

  2. #2
    Join Date
    Jan 2013
    Location
    Virginia Beach, Va
    Posts
    52
    Hey ertebat7,

    Sorry to hear a site got compromised. Some good steps to follow would first be reviewing the FTP logs for the account. If the name of the cPanel account was (userna5) you'd use this command:

    Code:
    grep userna5 /var/log/messages
    If you see any FTP uploads in there for the user, it could just be they had their FTP password compromised, in which case you should update their cPanel password which updates the FTP one as well.

    It would also show you any files they uploaded, and then you can go inspect those paths to ensure the files are removed if they're still there.

    Next you should review your Apache access log for that site. This can be tricky, but usually you'd look for 1 IP address that has more requests than any other with this command:

    Code:
    cat /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n | sed 's/[ ]*//'
    That should spit out how many hits each IP address has. Let's say that 123.123.123.123 stood out with 5,000 requests. Then you'd want to see if they were hitting duplicate requests with this command:

    Code:
    grep '^123\.123\.123\.123 ' /home/userna5/access-logs/example.com | cut -d\" -f2 | awk '{print $1 " " $2}' | sort | uniq -c | sort -n | sed 's/[ ]*//'
    If you notice that they have a bunch of duplicate requests to one particular PHP script such as (timthumb.php), then that could have been their entry point. A lot of times hackers will exploit PHP scripts to then in turn inject or hack your other files.

    There are a few other things you can do as well, but it would be helpful to know what type of software the site is running to give you better help. Such as, is it running WordPress, Joomla, Drupal, or another CMS, or just custom written scripts?

    - Jacob
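
Added example, not part of the post above: the two access-log steps it describes, written as shell functions that match the client IP as an exact field and strip query strings so repeated hits on one script group together. The function names and the sample log lines (documentation IP ranges, a made-up theme path) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed Apache combined-format lines; not real traffic.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [10/Feb/2013:03:12:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2013:03:12:05 -0500] "GET /wp-content/themes/x/timthumb.php?src=a HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [10/Feb/2013:03:12:06 -0500] "GET /wp-content/themes/x/timthumb.php?src=b HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [10/Feb/2013:03:12:07 -0500] "GET /wp-content/themes/x/timthumb.php?src=c HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [10/Feb/2013:03:12:09 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.90 - - [10/Feb/2013:03:13:00 -0500] "GET /contact.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2013:03:14:10 -0500] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2013:03:15:30 -0500] "GET /robots.txt HTTP/1.1" 200 64 "-" "bot"
EOF
}

# top_ip FILE: print "COUNT IP" for the busiest client address.
top_ip() {
  awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" |
    sort -k1,1nr -k2,2 | head -n 1
}

# top_requests FILE IP [N]: print "COUNT METHOD PATH" for one client.
# $1 == ip is an exact match, so 203.0.113.9 does not also pick up
# 203.0.113.90 the way a substring grep would.
top_requests() {
  awk -v ip="$2" '
    $1 == ip {
      split($0, q, "\"")       # q[2] is the quoted request line
      split(q[2], r, " ")      # r[1] = method, r[2] = URI
      sub(/\?.*/, "", r[2])    # drop the query string before counting
      seen[r[1] " " r[2]]++
    }
    END { for (k in seen) print seen[k], k }' "$1" |
    sort -k1,1nr -k2 | head -n "${3:-5}"
}

# Demo run over the constructed sample.
log=$(mktemp)
sample_log > "$log"
top_ip "$log"
top_requests "$log" "$(top_ip "$log" | awk '{print $2}')" 3
rm -f "$log"
```

On a real server, pass the account's log path (for example /home/userna5/access-logs/example.com) instead of the temporary file.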

  3. #3
    Join Date
    Aug 2012
    Posts
    3,100
    Have you installed any kind of third party scripts like WordPress, Joomla etc?

    It may also be possible that some plugins have a vulnerability and breached the security of your website.

  4. #4
    Join Date
    Jul 2002
    Location
    World Wide Web
    Posts
    1,632
    Perform a full virus scan on the machines that had ftp access to this site. It may be a trojan - stolen ftp password.
    Michael Vlastos

  5. #5
    Join Date
    Nov 2011
    Location
    Nasik, MH,INDIA
    Posts
    850
    You need to check the FTP logs as JacobN has suggested. If it's due to FTP, change the password of your cPanel account and keep it a complicated one. Also check the IP connections currently on the server...

  6. #6
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,023
    Follow the instructions JacobN gave you (good to see new users make useful posts). Furthermore you should install maldet and set it to monitoring mode, install and configure mod_security using the ASL ruleset and follow these suggestions.

  7. #7
    Join Date
    Aug 2012
    Posts
    3,100
    Do not download software from unreliable sources, since it may download viruses/trojans/keyloggers onto your local system.
