#1 (saurabhnsonar)
Someone Hacking my Index Page again and again

    Hello,

I have my own server for personal use and added a trial cPanel/WHM on it. I have applied many security measures and have also configured a firewall. I also tried hardening PHP, as I have WordPress, and added a very secure password. Still, I don't know how one hacker is able to change my index.html page again and again. Please help me: how can I restrict him from hacking the index page again? I tried to find logs of his activity but didn't find any. I don't have enough bucks to appoint a system admin for this task. Please help me add more security to my server.

#2
First thing I would do is check the files and the dates they were last modified. Usually they like to inject code into existing files; check for encrypted code (base64, etc.).

Second, make sure you have the latest version of WordPress. If you have any plugins, make sure they are up to date and Google the name of each one to see if there are any vulnerabilities.

Lastly, double-check your current theme. If it's a premium theme, make sure it was obtained from the distributor. Many hackers like to give away these premium themes for free with injected code.
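
Putting the first step above into practice: the script below is an added example written for this page, not code from the thread or from any poster. It walks a docroot, flags files modified within the last few days, and also greps every file, regardless of extension, for the obfuscation and eval primitives that injected PHP usually needs (the "base64/etc." the poster refers to). The marker list, the paths and the small sample docroot it builds under a temporary directory are constructed for the demonstration and are assumptions, not anything observed on the OP's server.

```python
import os
import re
import tempfile
import time

# Markers typical of injected PHP. This list is the example author's choice, not a
# list from the thread; tune it for your own site before trusting the output.
SUSPICIOUS = re.compile(
    rb"base64_decode|gzinflate|gzuncompress|str_rot13"
    rb"|\beval\s*\(|\bassert\s*\("
    rb"|preg_replace\s*\([^)]*/e"                         # /e modifier: regex replacement executed as code
    rb"|\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",   # $f($_POST[...]): variable function on user input
    re.IGNORECASE,
)


def scan_tree(root, max_age_days=7, now=None):
    """Walk a docroot and return sorted (relative_path, reasons) for every regular file
    that was modified within max_age_days ("recent-mtime") or whose content matches a
    marker ("suspicious-content"). Content is checked regardless of extension, because
    injected PHP is routinely parked in .jpg/.gif/.txt files and run via an .htaccess
    handler or include()."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                      # symlinks are a separate check
            reasons = []
            if os.stat(path).st_mtime >= cutoff:
                reasons.append("recent-mtime")
            with open(path, "rb") as fh:
                head = fh.read(512 * 1024)    # payloads sit near the top; cap the read
            if SUSPICIOUS.search(head):
                reasons.append("suspicious-content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_docroot_fixture():
    """Constructed sample docroot (not data from the thread): an old clean site, a
    freshly swapped index.html with the original renamed to index1.html as the OP
    described, and two old-looking files carrying PHP payloads."""
    root = tempfile.mkdtemp(prefix="docroot-")
    old = time.time() - 90 * 86400

    def put(rel, data, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))        # attackers can `touch -r` to backdate, too

    put("index.html", b"<html><body>replaced page</body></html>", time.time())
    put("index1.html", b"<html><body>original site</body></html>", old)
    put("css/site.css", b"body { margin: 0 }", old)
    put("images/logo.jpg", b"\xff\xd8\xff<?php eval(base64_decode($_POST['x'])); ?>", old)
    put("wp/wp-content/uploads/up.php", b"<?php $f = $_GET['f']; $f($_POST['c']); ?>", old)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_docroot_fixture()
    for rel, why in scan_tree(target):
        print(f"{rel}: {', '.join(why)}")
```

Run it with the account's docroot as the only argument; without one it scans the built-in fixture. Two things the output teaches that the mtime check alone does not: a modification time is trivially forged (`touch -r` copies another file's timestamps), so the content pass is the one to trust, and a marker hit inside a .jpg or .gif is a strong signal on its own, since no image needs `eval(`.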

#3 (saurabhnsonar)
I checked the file modification date and even opened the index file that he replaced; there was just a clean HTML-coded template. He renamed my HTML page to index1.html and added his template as the default index.html.

The WordPress installation is up to date, and WordPress is installed on a subdomain; the main website is based on HTML/CSS. The WordPress installation is new, with no theme add-ons or plugins, using the default WordPress theme.

I am still confused as to how he can just change the index.html page.

#4
He must have set a backdoor when he got in the first time. I am not that good with hackers, but is this an unmanaged server, and if so, from what provider, may I ask?

Look for anything out of the ordinary in your file system, like files that you never placed there. Change all passwords; this means passwords to your email, computer and server. ALL PASSWORDS MUST BE CHANGED. Install anti-virus software on your computer or any computer you have been using for the last couple of days. Run a PC check on your system and server and check for any rootkits, Trojans or backdoors that are allowing this hacker to keep an eye on you.

#5
    You need a qualified system administrator to look over your system. There could be any number of issues with the machine now that it has been compromised once.

#6 (saurabhnsonar)
I tried installing rootkit hunter and chkrootkit to check whether anything was added to the server, and even checked the file system, but didn't find any traces on the server. He is able to hack only the one account on which my website is hosted. I even secured /tmp and other things as well.
I forgot to mention that I am running nginx and Varnish on that server. I have CSF with strict security, but still I got no suspicious process with it. I don't know how he can just change the index page of my default site. No other account is getting harmed.

#7 (todd001)
Never ever use cPanel!

There are lots of exploits, and someone might hack your site via another site on the same host. cPanel is C.R.A.P.; learn stuff, protect your VPS/dedi and you are good.

And also, you should never keep the panel running: if you need it, just start it in SSH, but when going out of SSH, stop the panel! It's more secure.

Block some ports (SSH, FTP, etc.) and allow ONLY your IP (SSH, FTP, etc.)!
    Last edited by todd001; 11-16-2013 at 03:00 PM.

#8
    cPanel is good when utilized correctly.

Anyway, it sounds more like it could be local malware. Run a local malware scan using Malwarebytes and then update all of your passwords.

#9 (saurabhnsonar)
I tried running a malware scan but nothing was found. All files are clean; he just uploads a new index.html every time. I modified all passwords too, but still he modified the index page again. I am now worried!

#10
Quote Originally Posted by saurabhnsonar:
I tried running a malware scan but nothing was found. All files are clean; he just uploads a new index.html every time. I modified all passwords too, but still he modified the index page again. I am now worried!

If that's the case, then close all your FTP/SSH ports and get with a security team to see what can be done to resolve the issue. A full, proper investigation has to be done.

#11 (saurabhnsonar)
SSH is blocked; the FTP password is changed again and again, every day.

#12
Millions of website owners and server administrators would disagree. It wouldn't be the world's most widely used Linux control panel if it were full of exploits.

Sure, cPanel is not immune from vulnerabilities, and there have been issues found with it this year, like last year and the year before; it's how the cPanel developers deal with the issues that counts.

I'd be interested to hear what one of the Rack911 guys has to say about this.



Quote Originally Posted by todd001:
Never ever use cPanel!

There are lots of exploits, and someone might hack your site via another site on the same host. cPanel is C.R.A.P.; learn stuff, protect your VPS/dedi and you are good.

And also, you should never keep the panel running: if you need it, just start it in SSH, but when going out of SSH, stop the panel! It's more secure.

Block some ports (SSH, FTP, etc.) and allow ONLY your IP (SSH, FTP, etc.)!

#13
Quote Originally Posted by saurabhnsonar:
SSH is blocked; the FTP password is changed again and again, every day.

If it keeps changing and changing, then chances are they have your WHM or cPanel credentials. Update those and change your WHM remote access key: WHM >> Remote Access.

#14 (saurabhnsonar)
Did that too; there are no logins via cPanel, WHM or SSH. I checked all the last-login IPs; all are mine.

#15 (todd001)
Install another panel, Kloxo probably; hide the PHP version, hide the versions of the software you use (Apache, Varnish, etc.).

#16 (saurabhnsonar)
Thank you todd001, but I want to use this server for commercial purposes, so I need cPanel on it. For now I have just kept the server for testing purposes until I find all the bugs and make it as secure as I can.

#17
There is a fair possibility that it is not a rootkit but simply that you have not fixed the original method of intrusion. You said you looked at the logs: did you look at the domlogs (/usr/local/apache/domlogs/) of the account in question, and do you see absolutely nothing suspicious there? Post the contents of the log between the time you fix the index.html and the time it is reverted to the injected version.

#18 (Steven)
Quote Originally Posted by todd001:
Install another panel, Kloxo probably; hide the PHP version, hide the versions of the software you use (Apache, Varnish, etc.).

You say avoid cPanel, yet recommend Kloxo? Your credibility just went out the window.
That is like saying zPanel is secure.

Really, cPanel is not 'insecure' as you seem to claim it is. We have done very extensive auditing and have been working with the cPanel security team for almost a year (if you don't believe me, go read the cPanel TSR disclosures). It is progressing to be one of the most secure panels in the industry. There are very few functions that even run as root anymore (and we have tools that prove it); compared to other control panels it's very impressive.

That's not to say you don't need to secure it; you need to secure every server regardless of what is installed on it.

The OP's server is likely rooted and has a backdoor that occurred through an old kernel or something, completely unrelated to cPanel. It does not really sound like a symlink-based exploit if it's just the index.html being affected.
    Last edited by Steven; 11-17-2013 at 01:04 AM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

#19 (Steven)
Run maldet on your server: http://www.rfxn.com/projects/linux-malware-detect/
For sanity's sake, check for malicious symlinks: find /home/*/public_html -type l
What kernel are you running? uname -r
Show us the output of: rpm -V openssh-server
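
`find /home/*/public_html -type l` lists every symlink, and on a busy account most of them are harmless. What you actually want to know is whether any link resolves outside the account's own home: to /etc/passwd, or to another account's wp-config.php, which is the cross-account read a symlink attack on shared hosting is after. The script below is an added example, not code from the thread or from Rack911; it narrows the `find` output to exactly those links. The fixture it builds under a temporary directory is constructed, and the account names in it are made up.

```python
import os
import tempfile


def escaped_symlinks(docroot, allowed_root):
    """Return sorted (link_relative_path, resolved_target) for every symlink under
    docroot that resolves outside allowed_root (normally the account's own home
    directory) or dangles. Links that stay inside the account are not reported."""
    allowed = os.path.realpath(allowed_root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):   # os.walk does not follow symlinked dirs
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)                  # follows the whole chain of links
            inside = target == allowed or target.startswith(allowed + os.sep)
            if not inside or not os.path.exists(target):
                hits.append((os.path.relpath(path, docroot), target))
    return sorted(hits)


def build_symlink_fixture():
    """Constructed fixture (not from the thread): two accounts under a fake /home. The
    victim's docroot holds one harmless internal link and two links of the kind a
    symlink attack plants. Returns (docroot, home) for the victim account."""
    base = tempfile.mkdtemp(prefix="home-")
    home = os.path.join(base, "victim")
    docroot = os.path.join(home, "public_html")
    neighbour = os.path.join(base, "neighbour", "public_html")
    os.makedirs(os.path.join(docroot, "img"))
    os.makedirs(neighbour)
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    with open(os.path.join(neighbour, "wp-config.php"), "w") as fh:
        fh.write("<?php // database credentials of another account\n")
    # Benign: points at the account's own file.
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "img", "home.html"))
    # Hostile: serve a system file through the web server.
    os.symlink("/etc/passwd", os.path.join(docroot, "passwd.txt"))
    # Hostile: read another account's WordPress config (database credentials).
    os.symlink(os.path.join(neighbour, "wp-config.php"), os.path.join(docroot, "cfg.txt"))
    return docroot, home


if __name__ == "__main__":
    import glob
    # cPanel layout: /home/<account>/public_html; fall back to the fixture elsewhere.
    docroots = glob.glob("/home/*/public_html") or [build_symlink_fixture()[0]]
    for d in docroots:
        for link, target in escaped_symlinks(d, os.path.dirname(d)):
            print(f"{os.path.join(d, link)} -> {target}")
```

Two notes on reading the result. A link to a file that does not exist yet is reported as well, because staging a link before the target is created is common. And a clean result here only covers the web tree of each account; Steven's remark that the OP's symptom does not look symlink-based still stands, so this is a sanity check, not a root-cause finding.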

#20
Quote Originally Posted by Steven:
The OP's server is likely rooted and has a backdoor that occurred through an old kernel or something, completely unrelated to cPanel. It does not really sound like a symlink-based exploit if it's just the index.html being affected.
    It seems a bit strange for a rooted server to have only one account being affected by this. Do you find this to be the situation commonly?

#21 (Steven)
It happens, yeah.
Sometimes people have servers that have been rooted for a year or more and they don't even know it, because none of the sites are modified; instead the server is being used for less than desirable purposes.

It's really hard to speculate about what is going on without seeing logs, etc. from the server.

#22 (saurabhnsonar)
    Hi Steven,

Kernel version is: 2.6.32-042stab076.8
    Openssh output:

    rpm -V openssh-server
    .......T. c /etc/pam.d/ssh-keycat
    S.5....T. c /etc/pam.d/sshd
    S.5....T. c /etc/ssh/sshd_config

I have found some cgi .pl script under the cgi-bin directory:
CGI-Telnet Unit-x Team Connected

And I am still scanning the whole system now. I will notify you if any major bug is found. Please also advise me and help me resolve the issue.

    Thank you!
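
Reading the `rpm -V openssh-server` output above: each line starts with a nine-position attribute field (S M 5 D L U G T P: size, mode, digest, device, link, user, group, mtime, capabilities), a dot where the installed file still matches the package and a letter where it differs, then `c` for files the package marks as configuration, then the path. All three lines are `c` files with changed size, digest and mtime, which is ordinary drift for sshd_config and PAM files that an admin edits. What would be alarming is an `S` or `5` on a file without the `c`, such as /usr/sbin/sshd itself, or a missing library. The parser below applies exactly that triage. It is an added example, not code from the thread; the second sample output it carries is constructed to show the alarming cases, and the rule that an mtime-only change on a binary is tolerable is the example author's assumption, not anything rpm itself decides.

```python
import re

# Meaning of each position in the rpm -V attribute field (see rpm(8), VERIFY OPTIONS).
ATTR = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
        "U": "user", "G": "group", "T": "mtime", "P": "caps"}
# Attribute field ('?' = test could not be performed), optional file-type letter
# (c=config, d=documentation, g=ghost, l=license, r=readme), then the path.
VERIFY_LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_LINE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
NOISE_TYPES = {"c", "d", "l", "r"}   # file types that legitimately drift from the package


def triage_rpm_verify(output):
    """Split `rpm -V` / `rpm -Va` output into expected drift and alarming changes.
    Config/doc files: content and mtime drift is expected, but a changed mode, owner
    or group is not. Every other packaged file (binaries, libraries, PAM modules):
    only an mtime-only change is tolerated; any size/digest/mode/owner/link/caps
    change, or a missing file, is alarming. Returns (path, changed_attributes) lists."""
    expected, alarming = [], []
    for raw in output.splitlines():
        line = raw.strip()
        m = MISSING_LINE.match(line)
        if m:
            bucket = expected if m.group("ftype") in NOISE_TYPES else alarming
            bucket.append((m.group("path"), ["missing"]))
            continue
        m = VERIFY_LINE.match(line)
        if not m:
            continue                                   # blank lines, dependency warnings, etc.
        changed = [ATTR[c] for c in m.group("flags") if c in ATTR]
        if m.group("ftype") in NOISE_TYPES:
            serious = {"mode", "user", "group"}
        else:
            serious = set(ATTR.values()) - {"mtime"}
        bucket = alarming if set(changed) & serious else expected
        bucket.append((m.group("path"), changed))
    return {"expected": expected, "alarming": alarming}


# The three lines the OP posted.
THREAD_OUTPUT = """\
.......T. c /etc/pam.d/ssh-keycat
S.5....T. c /etc/pam.d/sshd
S.5....T. c /etc/ssh/sshd_config
"""

# Constructed output (not from the thread) showing what a bad result looks like:
# a replaced sshd binary, a config file whose mode changed, and a missing man page.
CONSTRUCTED_OUTPUT = """\
S.5....T. c /etc/ssh/sshd_config
S.5....T.   /usr/sbin/sshd
.M....... c /etc/ssh/ssh_config
missing   d /usr/share/man/man8/sshd.8.gz
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_OUTPUT
    result = triage_rpm_verify(text)
    for path, changed in result["alarming"]:
        print("ALARM   ", path, ",".join(changed))
    for path, changed in result["expected"]:
        print("expected", path, ",".join(changed))
```

Pipe `rpm -Va` into it to triage the whole system at once. Two caveats before trusting a clean result on this box. First, `rpm -V` reads the local rpm database through the local rpm binary, and both are under the attacker's control on a rooted host; `rpm -Vp` against pristine package files, or a check from rescue media, is the stronger form. Second, a changed /etc/pam.d/sshd is "expected" only in the sense that admins edit it; a PAM stack is also where an attacker adds a credential-logging module, so that file deserves a manual diff against the package default. Separately, the `-042stab` kernel suffix is the OpenVZ/Virtuozzo kernel branch naming, so if this is an OpenVZ container the kernel belongs to the provider's host node and cannot be patched from inside the guest.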

#23
    I'd start looking to see if your personal system has been compromised. If someone has access to your computer, everything you do will be in vain.

#24
Do you see any traffic to that file? If not, that is not the backdoor. Do you have your access logs activated? In cPanel, in the section titled "Statistics", click on the icon for Access Logs and be certain the top check box is checked. At least that way you can get the activity going forward.

Do you have a known, clean backup of the site and database? If so, rename the current folder for that website, restore the backup and see if the issue returns.

Check the access logs for activity to a file that matches the date/time stamp of the infected index file. That would also tell you how they're getting in.

Be advised, hackers oftentimes add PHP code to .jpg, .gif and other graphic files. It's usually a base64_decode string that allows them to send a carefully crafted string to that file, and it will automatically infect all index files or carry out other such infectious activity.

Your best bet is to restore a known, clean backup and update it immediately.

Also, as some have suggested, you might have a virus on a local computer that is stealing the WordPress password. Check your log files for activity to the wp-login.php file from IP addresses not normally associated with legitimate traffic. Then, as suggested previously, run Malwarebytes on your local computer, not on the website files; it's not designed to scan website files, but it should find any password-stealing trojans on your local computer.

    Keep the group here updated with what you find please.
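
Post #17 (post the domlog between the fix and the revert) and the post above (match the access log against the timestamp of the infected index, and watch wp-login.php from unfamiliar IPs) come down to the same triage: take the combined-format log for the account, cut it to a window around the defacement, and flag requests that a static HTML site should never receive. The script below is an added example, not code from the thread or from any poster. The log lines, the "trusted" address, the defacement time and the CGI script name `telnet.pl` are all constructed for the demonstration, and the three rules are the example author's, chosen to match the hypotheses raised in the thread rather than anything confirmed on the OP's server.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, which is also what cPanel writes to domlogs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def is_cgi_script(rec, trusted):
    # Any hit on a CGI script: the OP's main site is static HTML, so nothing legitimate lives in cgi-bin.
    return re.search(r"^/cgi-bin/[^?]*\.(pl|cgi|sh)(\?|$)", rec["path"]) is not None


def is_wp_login_from_untrusted(rec, trusted):
    # WordPress login or XML-RPC from an address you do not recognise (stolen-password hypothesis).
    return re.search(r"/(wp-login|xmlrpc)\.php", rec["path"]) is not None and rec["ip"] not in trusted


def is_image_with_query(rec, trusted):
    # A query string or POST aimed at an image file: PHP parked in a .jpg/.gif being triggered.
    return (re.search(r"\.(jpe?g|gif|png)(\?|$)", rec["path"], re.I) is not None
            and ("?" in rec["path"] or rec["method"] == "POST"))


RULES = [("cgi-script", is_cgi_script),
         ("wp-login-untrusted-ip", is_wp_login_from_untrusted),
         ("image-with-query", is_image_with_query)]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_requests(lines, trusted_ips, defaced_at=None,
                        before=timedelta(minutes=30), after=timedelta(minutes=5)):
    """Return (timestamp, ip, method, path, rule) for every request that trips a rule.
    With defaced_at (the mtime of the swapped index.html) only requests inside
    [defaced_at - before, defaced_at + after] are considered; without it, the whole log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if defaced_at is not None and not (defaced_at - before <= rec["ts"] <= defaced_at + after):
            continue
        for rule, match in RULES:
            if match(rec, trusted_ips):
                hits.append((rec["ts"].isoformat(), rec["ip"], rec["method"], rec["path"], rule))
    return hits


# Constructed sample (not a real domlog): the owner's own address is 198.51.100.7, the
# attacker's 203.0.113.9, and index.html was found replaced at 01:02 UTC.
TRUSTED_IPS = {"198.51.100.7"}
DEFACED_AT = datetime(2013, 11, 17, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE_LOG = """\
198.51.100.7 - - [17/Nov/2013:00:40:12 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Nov/2013:00:58:30 +0000] "POST /wp/wp-login.php HTTP/1.1" 200 3201 "-" "python-requests/2.0"
203.0.113.9 - - [17/Nov/2013:01:01:05 +0000] "GET /cgi-bin/telnet.pl HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Nov/2013:01:01:44 +0000] "POST /cgi-bin/telnet.pl HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Nov/2013:01:03:10 +0000] "GET /index.html HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Nov/2013:03:20:00 +0000] "GET /images/logo.jpg?c=aWQ= HTTP/1.1" 200 77 "-" "curl/7.30"
""".splitlines()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real log: scan all of it, no window
        with open(sys.argv[1]) as fh:
            hits = suspicious_requests(fh, TRUSTED_IPS)
    else:
        hits = suspicious_requests(SAMPLE_LOG, TRUSTED_IPS, DEFACED_AT)
    for hit in hits:
        print(*hit)
```

Point it at /usr/local/apache/domlogs/<domain> (the location #17 names) and put your own addresses in TRUSTED_IPS. Two caveats that follow from the OP's setup. With Varnish and nginx in front of Apache, the client column of the domlog holds the proxy's address unless the real client IP is passed through and logged, so a rule keyed on IP is blind until that is fixed. And the window matters: a dropped CGI shell generates no traffic while idle, which is why the thread's advice is to look at the minutes around the revert rather than at the whole log.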

#25 (SamLison)
CGI-Telnet looks like it could be a backdoor; example of a site with it: http://fhucichoccy.pl/cgi-bin/as.pl

I did a quick Google search and it seems to allow telnet access right from CGI...

http://www.cleanup.org.au/files/cgi-telnet.pl also shows the code.

Is it malicious or not?
Attachment: cgi-telnet.png

#26
Quote Originally Posted by SamLison:
CGI-Telnet looks like it could be a backdoor; example of a site with it: http://fhucichoccy.pl/cgi-bin/as.pl

I did a quick Google search and it seems to allow telnet access right from CGI...

http://www.cleanup.org.au/files/cgi-telnet.pl also shows the code.

Is it malicious or not?

I would have to say yes; that is most likely where your problem is coming from, considering I don't know who would write something like this other than someone looking to do damage.

#27
    It's definitely malicious. You still have to determine how it happened.

#28
Quote Originally Posted by Steven:
You say avoid cPanel, yet recommend Kloxo? Your credibility just went out the window.
That is like saying zPanel is secure.

    Kloxo


Why would anyone suggest using that as a panel or as a form of security?
