Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : My Server Is Hacked!!

[webhostbeginner]

Hello

I have a dedicated server, it is hacked , is there anyone who can help me to investigate how they have penetrant to my server?>

Please help.

thanks

[rOCk-MaStEr]

what do u mean with hacked !!!!!!!
they got root access !!!
or just defaced a website or changed something !!!

please provide the following info :

uname -r

...................

last

is there is any logins thats not you !!
....................
history
and
cat /root/.bash_history

and also check if there is any commands executed not by you

[firestarter]

How you concluded that the server got hacked ?

[webhostbeginner]

Thanks for your help

the 2.6.9-34.0.2.ELsmp in the resul of uname -r

and teher are some command that I have not executed and don't know what they do. would you please tae a look at them?

echo /dev/null > /proc/sys/kernel/core_pattern
Modify /etc/sysctl.conf
pico /etc/sysctl.conf
mount -o remount,noexec,nosuid /proc
pico /etc/fstab



lynx -source http://go-pear.org/ | php
pear install Mail
pear install Net_SMTP



Thanks

[webhostbeginner]

Thanks for yout help

This is the uname -r result is 2.6.9-34.0.2.ELsmp

and I checked the bach history and there were some command that I have not executed.
would you please taka a look at them?

echo /dev/null > /proc/sys/kernel/core_pattern
Modify /etc/sysctl.conf
pico /etc/sysctl.conf
mount -o remount,noexec,nosuid /proc
pico /etc/fstab



lynx -source http://go-pear.org/ | php
pear install Mail
pear install Net_SMTP


Thanks

[firestarter]

Seems that someone hardened the server and installed net-snmp to monitor the server bandwidth usages to me. Ask your DC if they did anything on your server.

[tamar]

Which company do you have a dedicated server on? I don't think my dedicated server company would ever install anything without my authorization first.

What made you conclude that you were hacked? Is it because you logged in and saw that the last login IP wasn't yours? (Do you have root logins disabled?)

[besty]

Are you facing any low performance on the server or malicious activity taking place?

[layer0]

Quote:

2.6.9-34.0.2.ELsmp

Update your kernel!

[rOCk-MaStEr]

he still didn't explain .... what happend to make him say its hacked !!

[webhostbeginner]

the group that has hacked us has informed us and has upload a file on all our accounts on my server,
Thast why I think it is hacked, but I don't think wheather he has the root access because if so he would deffenetely change the password.

I just want to know how he has entered our server and uploaded that files on the server.

Thanks for your replies

[rOCk-MaStEr]

what type of files he uploaded !!!
a deface like hacked by..............
are you using PhpSuexec or running apache as nobody
are turning SafeMode on or not !!

[tamar]

Quote:

Originally Posted by IRLAMP

the group that has hacked us has informed us and has upload a file on all our accounts on my server,
Thast why I think it is hacked, but I don't think wheather he has the root access because if so he would deffenetely change the password.

I just want to know how he has entered our server and uploaded that files on the server.

Thanks for your replies

Have you confirmed that those files exist?

Honestly, most hackers won't tell you their backdoors. Just secure your system as best as you can or hire a company to do so.

[Website Rob]

Sounds like a site defacement situation for every/most accounts on the Server.

Login to shell and run this command: /scripts/hackcheck
If it returns the following you are OK, sort of.
findutils passes checksum
net-tools passes checksum

Anything else means your Server has been rooted (taken over by someone else) and your only recourse is an OS reload. If your Server has not been rooted, should take about 2 hrs. for an experienced person to find and remove the hacker files and harden your Server security.

[juangake]

Quote:

Originally Posted by Website Rob

Login to shell and run this command: /scripts/hackcheck
If it returns the following you are OK, sort of.
findutils passes checksum
net-tools passes checksum

I was wondering how this "hackcheck" script goes with every linux distribution, but not in my CentOS 4.4 What Linux/Unix do you have?