  1. #1
    Join Date
    May 2004
    Location
    chicago
    Posts
    174

    Server hacked for spamming

    Hi,

    One of my clients' servers got severely hacked and was used for spamming.

    Now what exactly is happening is:

    I think that due to some vulnerability in phpBB the hacker got access to the tmp directory and was sending emails as nobody through my client's domain
    from multiplenames@domain.com.

    I tried to find a file which said that, by phpHS, and removed it.
    It had permissions set on it so that even the root user was not able to remove it. I changed the permissions and it was removed.

    But still the emails are being sent using the server's SMTP.

    Does anybody have any idea how to deal with this?



    The file I deleted had the starting contents as under:

    A powerful php shell program by Hacker Vietnam Association
    * Coded for HVA member and Luke's friends to exploit shell
    * commands in Unix server. If you have any trouble or suggetion
    * contact Luke at hainamluke@hotmail.com or http://hackervn.net
    * Special thanks to :
    * dodo@****microsoft.com
    * con_qua@yahoo.com
    * trancongminh@yahoo.com
    * HVA Groups
    * and people who made PHP Explorer, PHP RemView etc..




    If anybody has had this kind of thing, please help me to stop my client's server from being used for spam.

    Thanks
    CEO - Alakmalak Technologies www.Alakmalak.com
    Web Application Development : Website Development Web Designing
    Support Toll Free +1-800-789-9620 Skype : rushik Operating Since 2003 || Team size of 35+ Web development center at INDIA

  2. #2
    Hire a server administrator to clean and secure your server:

    www.rack911.com

  3. #3
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Hello,

    I am assuming exim is your mail server. Force another queue run, and flush all frozen messages:

    exim -qff
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  4. #4
    Join Date
    May 2004
    Location
    chicago
    Posts
    174
    I have done that. Now slowly all bounce messages have stopped.

    It works.

    That means the problem lay in that file in the tmp folder.

    Great...

  5. #5
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Hello,

    Please paste the output of `mount`

    and
    `cat /etc/fstab`

    Also please attach the output of `ls -al /tmp | grep -v sess_`

  6. #6
    Join Date
    May 2004
    Location
    chicago
    Posts
    174
    Output of mount:
    /dev/hda5 on /tmp type ext3 (rw,noexec,nosuid,nodev)

    Output of ls -al /tmp | grep -v sess_:
    -rw-rw---- 1 harshil harshil 13 Jul 26 08:00 harshil-session-0.645833088158728

    Regards

  7. #7
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Hello,

    Both seem fine. Make sure your /dev/shm is also mounted with noexec, since this basically limits everything to executing from perl only.

    I suggest also installing mod_security:

    http://www.hostgeekz.com/guides/cPan...d_security.htm
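The mount-option check the replies above walk through by hand (is /tmp, and also /dev/shm, mounted noexec/nosuid/nodev?) can be scripted so it is repeatable after a cleanup. The following is an added example, not code from anyone in this thread; it parses `mount`-style output rather than running `mount` itself, and the sample input is constructed: the /tmp line is modelled on the one the poster pasted, while the /dev/shm and / lines are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `mount` output: the /tmp line mirrors the thread,
# the /dev/shm line is a hypothetical unhardened tmpfs, / is a filler line.
SAMPLE_MOUNT='/dev/hda5 on /tmp type ext3 (rw,noexec,nosuid,nodev)
tmpfs on /dev/shm type tmpfs (rw)
/dev/hda1 on / type ext3 (rw)'

# mount_opts_missing MOUNTPOINT MOUNT_OUTPUT
# Prints, space-separated on one line, which of noexec/nosuid/nodev the
# mountpoint lacks (an empty line when none are missing).
# Exit status: 0 = fully hardened, 1 = something missing, 2 = not a mount.
mount_opts_missing() {
    mp=$1
    out=$2
    # Third whitespace-separated field of a `mount` line is the mountpoint.
    line=$(printf '%s\n' "$out" | awk -v mp="$mp" '$3 == mp { print; exit }')
    [ -n "$line" ] || return 2
    # The option list is the parenthesised, comma-separated field at the end.
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    missing=
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# check_writable_mounts MOUNT_OUTPUT
# Runs the check over the world-writable locations a dropped web shell
# usually lands in and prints one report line per location.
# Exit status 0 only if every one that is a separate mount is hardened.
check_writable_mounts() {
    out=$1
    status=0
    for mp in /tmp /var/tmp /dev/shm; do
        missing=$(mount_opts_missing "$mp" "$out") && rc=0 || rc=$?
        case $rc in
            0) printf '%s: ok\n' "$mp" ;;
            1) printf '%s: missing %s\n' "$mp" "$missing"; status=1 ;;
            2) printf '%s: not a separate mount\n' "$mp" ;;
        esac
    done
    return $status
}

# Stand-alone run over the constructed sample; on a real box feed it "$(mount)".
if check_writable_mounts "$SAMPLE_MOUNT"; then
    echo "all writable mounts hardened"
else
    echo "hardening needed (see lines above)"
fi
```

On the sample input the report flags /dev/shm as missing all three options and notes that /var/tmp is not a separate filesystem at all, which is the case the thread's "also /dev/shm" remark is about: a noexec /tmp alone leaves other writable, executable locations for the same kind of upload to land in.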
