Results 1 to 5 of 5

Thread: Hacked Server

  1. #1

    Hacked Server

    An entire server was hacked and he did some massive damage. Had DC install new HD and made old HD secondary drive. Running WHM what would be the best way to see what i have on secondary drive to salvage, including accounts and their websites.

    Thank you.

  2. #2
    How could a hacker install a drive? And why leave the data from the old one? Wouldn't you have to physically be there to install hardware? Or did he just FDISK it?

  3. #3
    Sorry for the misunderstanding. After he did his buisness the datecenter installed the new drive with a fresh cpanel installed. The datacenter then set the old hard drive )with the corrupt files and account/settings on it), as the secondary drive.

  4. #4
    This may be of some use describing what the hacker did:

    We have ran chkrootkit and rootkithunter on your server to find out the infected files after the hack and we found following results.

    /usr/bin/md5sum [ BAD ]
    Rootkit 'SHV4'... [ Warning! ]
    Checking files attributes [ Special attributes found! ]


    File scan
    Scanned files: 342
    Possible infected files: 2
    Possible rootkits: SHV4 SHV5

    Application scan
    Vulnerable applications: 3

    Also we found that the user group and users information has been changed.

    The results of those 2 root kits being on the server is a bit disasterous. Many of the system tools I use to investigate what is going on are broken for one reason or another
    (ps ax and top both yeild 'Bus error (core dumped)')
    Making my investigation's usefulness limited at best.
    For some reason there are also no logs on your server, which were proboably deleted by the rootkit.

  5. #5

    My recommendation is to secure your server (and keep it secure as server security is a throughout the day activity).

    IF you have a backup made prior to the hack, then restore from that.

    Otherwise, cautiously restore data from the hard drive they moved over. Do go through the end user files to ensure you are not copying hacked / kits with you.

    Thank you.
    Peter M. Abraham
    LinkedIn Profile

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts