Help Please. I've been hacked and I don't know where the hacker/spammer stored the site that he used to defraud banking customers.
It's a typical phishing site that asks for login & password, mimicking a banking website.
The perp found a way to bind port 7950 on three of my IPs to his site. My question is, where are these sites stored? I checked all of /home and the ..htdocs and I'm at the end of my rope. Any help is appreciated, thank you.
Moved; better handled in technical and security issues, where us 'propellerheads' hang out.
Your best bet is going to be one of the following two:
1) Find a good security consultant/company and hire them. Get them to look through your system and (try to) disinfect it.
2) Backup your data, have your datacenter restore the server, and have someone secure it (including any scripts you're running) properly.
If you insist on going it alone, don't expect a step-by-step fix for it. Not all hacks/rootkits have the same patterns, affected files, and such. If you miss one little thing, you'll likely end up re-hacked. Here's a good starter place for you: http://www.webhostingtalk.com/showth...ght=chkrootkit
Read, research, and search these forums for some of the terms/concepts in this.
which gives you a comprehensive list of services/processes that are running and who/what is running them and where. If you have recurring processes that don't die, you've got something sitting in cron, which will more than likely lead you right to the problem.
Running chkrootkit is also a good idea, along with searching for all suid binaries on the system.
The best course of action would be to back up, reinstall and then get a security "expert" to tell you what is vulnerable. Although they will most likely charge you way too much for just nmap'ing your computer. I'd be more than happy to help you out with this at no charge.
Best of luck.
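As an added example (not code from the thread or from any of its posters), here is a small POSIX shell helper that does the port-to-process-to-directory walk the posts above describe: it parses `ss -ltnp` output to find the PIDs bound to a port, reads `/proc` for each process's executable, working directory and command line, greps the usual cron locations for anything that would respawn it, and lists setuid binaries. The `ss` tool, the `/proc` layout and the cron paths are assumptions about a Linux host; the sample `ss` output is constructed.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Maps a listening TCP port to the
# process behind it, then reads /proc to show where that process lives
# (executable, working directory, command line) and which cron files could
# respawn it. Assumes `ss` (iproute2), a mounted /proc and standard cron paths.

# Constructed sample of `ss -ltnp` output, used for the demo at the bottom.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:7950 0.0.0.0:* users:(("httpd",pid=2231,fd=4),("httpd",pid=2230,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 [::]:7950 [::]:* users:(("httpd",pid=2231,fd=5))'

# Read `ss -ltnp` output on stdin and print every PID listening on port $1.
# Column 4 is "Local Address:Port"; the users:(...) field may hold several PIDs.
pids_for_port() {
    awk -v p="$1" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            while (match($0, /pid=[0-9]+/)) {
                print substr($0, RSTART + 4, RLENGTH - 4)
                $0 = substr($0, RSTART + RLENGTH)
            }
        }'
}

# Show where a PID's binary and working directory are; the working directory
# is usually the directory the kit was unpacked into.
describe_pid() {
    printf 'pid %s\n' "$1"
    printf '  exe: %s\n' "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
    printf '  cwd: %s\n' "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
    printf '  cmd: %s\n' "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Cron files that mention a path can respawn the process after you kill it.
cron_mentions() {
    grep -rl -- "$1" /etc/crontab /etc/cron.d /var/spool/cron 2>/dev/null
}

# Full walk for one port on the live system.
triage_port() {
    ss -ltnp 2>/dev/null | pids_for_port "$1" | sort -u | while read -r pid; do
        describe_pid "$pid"
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || continue
        cron_mentions "$cwd" || printf '  no cron file references %s\n' "$cwd"
    done
}

# Setuid binaries on local filesystems; diff this against a known-good list.
list_suid() { find / -xdev -type f -perm -4000 2>/dev/null; }

# Demo on the constructed sample; on a real box run: triage_port 7950
printf '%s\n' "$SAMPLE_SS" | pids_for_port 7950 | sort -u
```

Run `triage_port 7950` as root so `/proc/<pid>/cwd` and `/proc/<pid>/exe` are readable for processes owned by other users.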
ventowtf - you had better back up all your clients' data, like yesterday!
Go buy some backup space with a provider like Transaction Global, take all your users accounts in compressed form and FTP them to the backup servers. Make sure you get it all backed up.
Once that has been done, you need to change the backup FTP space passwords and restore the server. After it has been restored, secure it by hiring someone, or hiring someone else.
Once it has been secured and is ready to roll, FTP back all your clients and restore them.
We just went through a large server migration of our servers because we moved data centers. I learned a few tricks with cPanel while doing it, and it's no easy task, especially for the faint of heart or those with pacemakers.