  1. #1
    Join Date
    Mar 2005
    Posts
    533

    * My Server Is Hacked!!

    Hello

    I have a dedicated server and it has been hacked. Is there anyone who can help me investigate how they penetrated my server?

    Please help.

    thanks

  2. #2
    What do you mean by hacked? Did they get root access, or just deface a website or change something?

    Please provide the following info:

    uname -r

    ...................

    last

    Are there any logins that are not you?
    ....................
    history
    and
    cat /root/.bash_history

    and also check whether any commands were executed that were not by you.

  3. #3
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    How did you conclude that the server got hacked?

  4. #4
    Join Date
    Mar 2005
    Posts
    533
    Thanks for your help.

    The result of uname -r is 2.6.9-34.0.2.ELsmp

    and there are some commands that I have not executed and don't know what they do. Would you please take a look at them?

    echo /dev/null > /proc/sys/kernel/core_pattern
    Modify /etc/sysctl.conf
    pico /etc/sysctl.conf
    mount -o remount,noexec,nosuid /proc
    pico /etc/fstab



    lynx -source http://go-pear.org/ | php
    pear install Mail
    pear install Net_SMTP



    Thanks
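
    The two artifacts asked for in post #2 (`last` and `/root/.bash_history`) are what post #4 is trying to read. The script below is an added example, not anything from the thread or from cPanel: it parses `last` output for sessions whose source address is outside an assumed admin range, and scans history lines for the kinds of entries the poster found (content piped straight into an interpreter, `core_pattern` changed, `/proc` remounted). The sample `last` output, the history lines, the `192.0.2.0/24` admin range and the pattern table are all constructed for the example.

```python
"""Triage `last` output and a bash history for an intrusion investigation.
Added example; sample data below is constructed, not from the poster's box."""
import ipaddress
import re

# Constructed sample of `last` (wtmp) output in the layout RHEL/CentOS 4 prints:
# user, tty, source, then the date/time and duration.
SAMPLE_LAST = """\
root     pts/0        192.0.2.10       Mon Nov 20 10:15   still logged in
root     pts/1        203.0.113.45     Sun Nov 19 03:22 - 03:40  (00:18)
root     tty1                          Sat Nov 18 08:05 - 08:20  (00:15)
reboot   system boot  2.6.9-34.0.2.ELs Sat Nov 18 08:00          (2+05:31)

wtmp begins Sat Nov  4 08:00:12 2006
"""

# Constructed .bash_history mirroring the entries quoted in the thread.
SAMPLE_HISTORY = """\
echo /dev/null > /proc/sys/kernel/core_pattern
pico /etc/sysctl.conf
mount -o remount,noexec,nosuid /proc
lynx -source http://go-pear.org/ | php
pear install Mail
pear install Net_SMTP
"""

# Assumption for the example: the only range the admin ever logs in from.
ADMIN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Hypothetical pattern table: regex -> why an investigator cares.
RISKY_PATTERNS = [
    (re.compile(r"\|\s*(php|sh|bash|perl|python)\b"),
     "network or file content piped straight into an interpreter"),
    (re.compile(r"core_pattern"), "core-dump handling changed"),
    (re.compile(r"remount\b.*\s/proc\b"), "/proc remounted"),
    (re.compile(r"\b(wget|curl|lynx|fetch)\b.*https?://"), "fetched something from the network"),
    (re.compile(r"\b(useradd|usermod|passwd|visudo|chattr)\b"), "account or attribute change"),
    (re.compile(r"history -c|unset HISTFILE|HISTFILE=/dev/null"), "history tampering"),
]


def parse_last(text):
    """Return (user, tty, host) for remote sessions in `last` output.
    Reboot records, the trailing 'wtmp begins' line and console logins
    (no source address in the third column) are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] in ("reboot", "shutdown", "wtmp"):
            continue
        user, tty, host = fields[0], fields[1], fields[2]
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # console login, or a hostname: not handled here
        sessions.append((user, tty, host))
    return sessions


def suspicious_logins(text, allowed_networks):
    """Sessions whose source address lies outside the admin networks."""
    flagged = []
    for user, tty, host in parse_last(text):
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in allowed_networks):
            flagged.append((user, tty, host))
    return flagged


def scan_history(text, patterns=RISKY_PATTERNS):
    """(command, reason) for every history line matching a risky pattern.
    Caveat: .bash_history has no timestamps unless HISTTIMEFORMAT was set,
    is only written when a shell exits cleanly, and is editable by whoever
    held the shell, so a clean history proves nothing."""
    hits = []
    for cmd in text.splitlines():
        for rx, reason in patterns:
            if rx.search(cmd):
                hits.append((cmd, reason))
                break
    return hits


if __name__ == "__main__":
    for user, tty, host in suspicious_logins(SAMPLE_LAST, ADMIN_NETWORKS):
        print("login outside admin range: %s on %s from %s" % (user, tty, host))
    for cmd, reason in scan_history(SAMPLE_HISTORY):
        print("%-48s %s" % (cmd, reason))
```

    On a live box feed it `last -F` (full timestamps) and `last -f /var/log/wtmp.1` for rotated records, and read /root/.bash_history with HISTTIMEFORMAT in mind; the `pear install` lines are not flagged because installing a package is not suspicious by itself, the piped `lynx ... | php` that preceded them is.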

  6. #6
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    It seems to me that someone hardened the server and installed net-snmp to monitor the server's bandwidth usage. Ask your DC if they did anything on your server.

  7. #7
    Which company do you have a dedicated server on? I don't think my dedicated server company would ever install anything without my authorization first.

    What made you conclude that you were hacked? Is it because you logged in and saw that the last login IP wasn't yours? (Do you have root logins disabled?)

  8. #8
    Are you facing any low performance on the server or malicious activity taking place?

  9. #9
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    2.6.9-34.0.2.ELsmp
    Update your kernel!

  10. #10
    He still didn't explain what happened to make him say it's hacked!

  11. #11
    Join Date
    Mar 2005
    Posts
    533
    The group that hacked us informed us and uploaded a file to all our accounts on my server.
    That's why I think it is hacked, but I don't know whether he has root access, because if so he would definitely have changed the password.

    I just want to know how he has entered our server and uploaded that files on the server.

    Thanks for your replies

  12. #12
    What type of files did he upload?
    A defacement like "hacked by ..."?
    Are you using PhpSuexec or running Apache as nobody?
    Is SafeMode turned on or not?

  13. #13
    Quote Originally Posted by IRLAMP
    The group that hacked us informed us and uploaded a file to all our accounts on my server.
    That's why I think it is hacked, but I don't know whether he has root access, because if so he would definitely have changed the password.

    I just want to know how he has entered our server and uploaded that files on the server.

    Thanks for your replies
    Have you confirmed that those files exist?

    Honestly, most hackers won't tell you their backdoors. Just secure your system as best as you can or hire a company to do so.

  14. #14
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Sounds like a site defacement situation for every/most accounts on the Server.

    Login to shell and run this command: /scripts/hackcheck
    If it returns the following, you are OK, sort of.
    findutils passes checksum
    net-tools passes checksum

    Anything else means your Server has been rooted (taken over by someone else) and your only recourse is an OS reload. If your Server has not been rooted, should take about 2 hrs. for an experienced person to find and remove the hacker files and harden your Server security.
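
    The check described above (compare the findutils and net-tools binaries against known checksums, because a rootkit replaces exactly the tools you would use to spot it) is easy to reproduce outside cPanel. The script below is an added example and is not the cPanel `/scripts/hackcheck`: it records SHA-256, size, mode and owner of a watch list of binaries into a JSON manifest and later reports per file whether it still matches. The watch list and manifest path are assumptions.

```python
"""Baseline-and-verify check for system binaries, in the spirit of
cPanel's /scripts/hackcheck.  Added example, not the cPanel script."""
import hashlib
import json
import os

# Assumed watch list: binaries rootkits replace to hide files, processes
# and sockets (findutils and net-tools are the two hackcheck reports on).
WATCHED = ["/usr/bin/find", "/usr/bin/xargs", "/bin/netstat", "/sbin/ifconfig",
           "/bin/ls", "/bin/ps", "/usr/bin/top", "/bin/login", "/usr/sbin/sshd"]
MANIFEST_PATH = "/var/lib/baseline.json"   # assumed; keep a copy off the box


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Digest, size, mode and owner for each path that exists.
    Only meaningful when taken from a known-good state (fresh install)."""
    manifest = {}
    for p in paths:
        if not os.path.isfile(p):
            continue
        st = os.stat(p)
        manifest[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mode": st.st_mode, "uid": st.st_uid}
    return manifest


def verify(manifest):
    """{path: problem} for every watched file that no longer matches."""
    problems = {}
    for p, rec in manifest.items():
        if not os.path.isfile(p):
            problems[p] = "missing"
            continue
        st = os.stat(p)
        if sha256_file(p) != rec["sha256"]:
            problems[p] = "contents changed"
        elif (st.st_mode, st.st_uid) != (rec["mode"], rec["uid"]):
            problems[p] = "mode/owner changed"
    return problems


def report(manifest):
    """Explicit per-file status: a clean run says 'ok', never just nothing."""
    problems = verify(manifest)
    return {p: problems.get(p, "ok") for p in manifest}


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        save_manifest(build_manifest(WATCHED), MANIFEST_PATH)
    else:
        for p, status in sorted(report(load_manifest(MANIFEST_PATH)).items()):
            print("%-20s %s" % (status, p))
```

    On a RHEL/CentOS 4 box (which the 2.6.9-34.0.2.EL kernel indicates) `rpm -V findutils net-tools` does the same comparison against the package database. Both have the same limits: a baseline taken after the compromise is worthless, a manifest or rpm database stored on the rooted box can be rewritten along with the binaries, and a kernel-level rootkit will feed any userland checker the original bytes, so the definitive check is from a clean boot medium. A checker that prints nothing on success and nothing on failure, as in post #18, tells you nothing, which is why `report` returns a status for every file.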

  15. #15
    Join Date
    Nov 2005
    Location
    Palma de Mallorca, Spain
    Posts
    259
    Quote Originally Posted by Website Rob
    Login to shell and run this command: /scripts/hackcheck
    If it returns the following you are OK, sort of.
    findutils passes checksum
    net-tools passes checksum
    I was wondering whether this "hackcheck" script comes with every Linux distribution, but it is not on my CentOS 4.4. What Linux/Unix do you have?

  16. #16
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    It's a WHM/Cpanel script.

  17. #17
    /scripts/
    All of those are scripts downloaded and updated by WHM/cPanel.

  18. #18
    Join Date
    Mar 2005
    Posts
    533
    I executed /scripts/hackcheck but got no result.

    [email protected] [~]# /scripts/hackcheck
    [email protected] [~]#

    Yes, they had uploaded a file saying "we have hacked ...", but I deleted all of them.

    I don't know how I can check what they have done!
    Please help

  19. #19
    Join Date
    Jun 2003
    Location
    Proud She-Geek
    Posts
    1,722
    If you are having this much trouble with this you REALLY should consider hiring someone to take a look at your server. Some you can try:

    http://rack911.com
    http://linux-tech.net
    http://platinumservermanagement.com

    When they've finished looking your server over, ask them how the intruders got in, how they recognized it, and how it can be prevented.

  20. #20
    You didn't answer the rest of my questions.

    Are you using PhpSuexec or running Apache as nobody?
    Is SafeMode turned on or not?

    If you are not using phpSuExec,
    and Apache runs as nobody, and safe mode is not on,

    that means they can write and put files like that anywhere that is writable.
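
    The point in posts #12 and #20 is the likely explanation for "a file on all our accounts": with mod_php running as `nobody` and no suEXEC, every account's PHP code runs as the same uid, so one vulnerable script in one account can write into any directory that uid can reach in every other account. The script below is an added example (not from the thread or from cPanel) that walks an account tree and lists the three things to look at: world-writable directories, files owned by the web-server user rather than the account holder, and files whose mtime or ctime falls in a given window. The `/home` root, the user name `nobody` and the window are assumptions.

```python
"""Find where a web-server-uid PHP script could have written, and what it
wrote.  Added example; the paths and user name are assumptions."""
import os
import pwd
import stat
import time


def _lstat(path):
    try:
        return os.lstat(path)
    except OSError:
        return None  # unreadable or vanished: skip rather than abort triage


def world_writable_dirs(root):
    """Directories any local uid (including nobody/apache) can drop files in."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            st = _lstat(p)
            if st and stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(p)
    return sorted(hits)


def files_owned_by(root, uid):
    """Regular files owned by the web-server uid inside customer homes: these
    were created by a web script, not by the account holder over FTP/SSH."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            p = os.path.join(dirpath, f)
            st = _lstat(p)
            if st and stat.S_ISREG(st.st_mode) and st.st_uid == uid:
                hits.append(p)
    return sorted(hits)


def changed_since(root, since):
    """(path, mtime, ctime) for files touched after `since` (epoch seconds).
    mtime is trivially back-dated with touch; ctime cannot be set from
    userland without changing the clock, so compare both."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            p = os.path.join(dirpath, f)
            st = _lstat(p)
            if st and max(st.st_mtime, st.st_ctime) >= since:
                hits.append((p, st.st_mtime, st.st_ctime))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"      # assumed account tree
    webuser = sys.argv[2] if len(sys.argv) > 2 else "nobody"  # assumed Apache user
    days = float(sys.argv[3]) if len(sys.argv) > 3 else 7
    uid = pwd.getpwnam(webuser).pw_uid
    print("== world-writable directories ==")
    print("\n".join(world_writable_dirs(root)))
    print("== files owned by %s (uid %d) ==" % (webuser, uid))
    print("\n".join(files_owned_by(root, uid)))
    print("== files changed in the last %g days ==" % days)
    for p, m, c in changed_since(root, time.time() - days * 86400):
        print("%s  mtime=%s  ctime=%s" % (p, time.ctime(m), time.ctime(c)))
```

    The same three queries as one-liners: `find /home -type d -perm -002`, `find /home -user nobody -type f` and `find /home -type f -ctime -7`. Do this before deleting anything: the owner, ctime and location of the dropped files are what tell you which account's script was abused, and that evidence goes away with the files.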

  21. #21
    Quote Originally Posted by layer0
    Update your kernel!
    That's good advice, if you didn't already I would upgrade that right away.

  22. #22
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Quote Originally Posted by IRLAMP
    I executed /scripts/hackcheck but no result

    [email protected] [~]# /scripts/hackcheck
    [email protected] [~]#

    Yes, they had uploaded a file saying "we have hacked ...", but I deleted all of them.

    I don't know how I can check what they have done!
    Please help
    Hire an expert. Then you'll need to do an OS reload as well.

  23. #23
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    It's very bad to delete files until you know what the actual problem is.

  24. #24
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Well yeah, no kidding lol. I'm just saying don't forget to do an OS reload, since once people find the source of the issue and delete the files, they think they're safe.
