Thread: Need help to Secure my Server
-
10-04-2006, 05:43 AM #1Web Hosting Evangelist
- Join Date
- Mar 2005
- Posts
- 540
Need help to Secure my Server
Hello
My server is hacked and I need urgent help :-s
I have found the holes the hacker has entered, now I need help on how I can clear my server and get rid of the hacker's files?
He just got some files on the server.
Thanks
-
10-04-2006, 06:13 AM #2Web Hosting Master
- Join Date
- Jan 2004
- Location
- UK
- Posts
- 1,346
Run chkrootkit and rkhunter, make sure there are no backdoors. The only true way to make sure that it's clean, however, is to do an OS reload. Just make sure you run the files as I said and install a firewall like APF.
To stop it happening again make sure folders are CHMOD'd properly and also that your TMP partition is secure.
Seeksadmin.com Owner: Providing Security, Administration and Optimization since 2001
Now Offering Windows Services.
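A way to check the two points in the post above (folder permissions and the TMP partition), as an added example that is not part of the original thread. It reads "secure" for /tmp as "mounted with noexec, nosuid and nodev", which is an assumption; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. A "secure" /tmp is read here as
# "mounted noexec,nosuid,nodev" (an assumption about the poster's meaning).

# Constructed sample in /proc/mounts format (device, mountpoint, type, options).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
/tmp /var/tmp none rw,bind 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# missing_opts MOUNTPOINT: reads mounts-format lines on stdin and prints the
# hardening options that mountpoint lacks, "ok" if none are missing, or
# "not-a-separate-mount" when it is only a directory on another filesystem.
missing_opts() {
    awk -v mp="$1" '
        $2 == mp { found = 1; opts = "," $4 "," }   # a later mount shadows an earlier one
        END {
            if (!found) { print "not-a-separate-mount"; exit }
            n = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0)
                    out = (out == "" ? "" : out " ") want[i]
            if (out == "") out = "ok"
            print out
        }'
}

# world_writable_dirs DIR: directories anyone can write to that lack the
# sticky bit, so any local user (the web server included) can replace files.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Demo on the constructed sample; on a live box feed /proc/mounts instead.
for mp in /tmp /var/tmp /dev/shm; do
    printf '%s: %s\n' "$mp" "$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_opts "$mp")"
done
```

On a real server the same checks would be `missing_opts /tmp < /proc/mounts` and `world_writable_dirs /home`.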
-
10-04-2006, 06:29 AM #3Web Hosting Master
- Join Date
- Mar 2003
- Location
- Singapore
- Posts
- 763
Hi,
I'm sorry to hear about the bad incident that you encountered. I believe your server was defaced, in which the hacker added all the funky web pages to your hosted accounts.
Have you tried restoring the accounts from its backup? It is going to be a lot of hassle if you were to go through one by one to remove them, as to how to remove it, I believe only by logging into your server and have a look in SSH as root, then only the method can be found.
Anyways, prevention is better than cure. Do try the methods suggested by TR Seeks, however, I know there are definitely more to do to secure a web server.
Perhaps to avoid this problem from happening again in future, you should consider paying someone to secure your server for you. I know Steve from rack911.com has good reputation here. Other than him, sprintserve.net is another guy who has high reputation here.
Anyways, besides them, you can consider www.seeksadmin.com. I can see one of the representatives has replied here. Personally I deal with Tris and Matt before. They helped me to secure and optimize my webserver.
They are still managing my server right now, just to help to reduce my own admin's burden as well as to cover the true 24x7 manned server monitoring and management.
I would rank them 5/5, especially the responsiveness of Tris and Matt.
Thanks!
SecureAX Singapore - Virtualization, Private Cloud Computing & Managed Datacenter in Singapore
- Managed Virtual Private Servers, Dedicated Servers & Colocation Services in Singapore
- Gigabit backbone at Equinix Singapore, Telstra SGCS2 & Telin Datacenters with Private Link for Disaster Recovery setup
-
10-04-2006, 07:11 AM #4Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
What is up?? I helped you for about an hour and a half for free the other night, told you how to install modsecurity, gave you a rule set, showed you how to grep log files for the holes they were using, then I offered to let you use one of my system admins to work on your server and clean it up for you.
You got on IM with him and asked if he was going to charge you and he said yes but you could tell him how much you could pay and he would work something out with you.
Then you logged off and never talked to him again.
Did you think he was going to spend a few hours cleaning your server for free or something?
-
10-04-2006, 07:21 AM #5Retired Moderator
- Join Date
- Oct 2004
- Location
- Southwest UK
- Posts
- 1,175
Too many people want something for nothing these days. Shocking.
Do not meddle in the affairs of Dragons, for you are crunchy and taste good.
-
10-04-2006, 07:25 AM #6Junior Guru
- Join Date
- Mar 2005
- Location
- Derby, UK
- Posts
- 221
If Techark helped you and you rejected free help, go Rack911.
-
10-04-2006, 08:15 AM #7Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Originally Posted by Neoboffin
I guess he figured since I helped him for free my sys admin would too.
IRLAMP are you looking for someone to do this for free? If not contact rack911.com and see if they can help, if you are looking for only free, good luck, and you better hurry before your data center pulls the plug on you.
-
10-04-2006, 09:57 AM #8Web Hosting Master
- Join Date
- Mar 2003
- Location
- Singapore
- Posts
- 763
Originally Posted by Techark
IRLAMP: Just my advice to you. Instead of making yourself worry and panic like that, why not save all the trouble by asking someone to fix everything and secure your server for you? I feel $50 for all the work is reasonable, after all the server that you're paying for is certainly a few times more expensive than the $50. You won't want the same incident to happen again, would you?
Thanks.
-
10-04-2006, 02:05 PM #9Junior Guru Wannabe
- Join Date
- May 2002
- Location
- Kansas City, USA
- Posts
- 75
I did that "help for free" thing about 15 times before I finally learned my lesson. I hate freeloaders!
Midwest Dedicated
Content Management Solutions, Design, Managed Servers
http://www.midwestdedicated.com
Providing the highest quality IT services since 1999.
-
10-04-2006, 02:50 PM #10WHT Addict
- Join Date
- Mar 2006
- Posts
- 160
If it was a non-profit website then it would have been kind to lend some free support, but in this situation I am guessing it's a hosting website (judging by a post above), so I don't see any reason why he/she should not pay.
-
10-04-2006, 08:39 PM #11Aspiring Evangelist
- Join Date
- Mar 2006
- Location
- New York USA
- Posts
- 404
Ugh, you know everyone nowadays wants everything for free. What I generally tell these leeches is as follows:
"Ok, so let me get this straight, I went to school and paid $15k for that, busted my hump and got all my certifications, and planted my foot down, gave it all up to become a person who reads and researches day in and day out, and creates solutions... so I could help you, one who knows nothing, for free?"
They tend to either pay, or go away. Either choice works well. No wasted time if you let them know up front.
-
10-07-2006, 04:57 AM #12Web Hosting Evangelist
- Join Date
- Mar 2005
- Posts
- 540
Hello
Sorry but I can not pay now and just trying and then tell someone to secure my server.
Techark, thanks for your help, I would surely order my next server from your company, you helped me great.
I have run chkrootkit and the below was the result:
root@itaco [/etc/cron.daily]# ./chkrootkit.sh
/proc/21451/fd: No such file or directory
/proc/23541/fd: No such file or directory
/proc/27558/fd: No such file or directory
What are these folders that are not found?
Should I create them?
Thanks
-
10-07-2006, 05:07 AM #13Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 873
A Beginner's Guide to Securing Your WHM/cPanel Linux Server
http://www.webhostingtalk.com/showthread.php?t=327478
http://www.webhostgear.com/cid_6.html
-
10-07-2006, 07:12 AM #14Web Hosting Evangelist
- Join Date
- Mar 2005
- Posts
- 540
Where should I add these commands in httpd.conf for installing mod_evasive?
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>
And if there is any need for changes please help me.
Thanks
-
10-07-2006, 08:59 AM #15Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Originally Posted by IRLAMP
-
10-07-2006, 12:22 PM #16Newbie
- Join Date
- Sep 2006
- Posts
- 26
Originally Posted by Techark
-
10-07-2006, 07:08 PM #17Aspiring Evangelist
- Join Date
- Mar 2006
- Location
- New York USA
- Posts
- 404
Agreed. People never cease to amaze me.
Originally Posted by blackstone
-
10-07-2006, 07:41 PM #18Web Hosting Master
- Join Date
- Sep 2005
- Posts
- 551
I would choose Rack911.com for this.
-
10-08-2006, 04:02 AM #19Web Hosting Evangelist
- Join Date
- Mar 2005
- Posts
- 540
OK! It seems that I should do what you have suggested to me,
but how can I trust that the site I ask for security will do all the security for the server and not leave some login for himself for further use?
Please help me!
thanks
-
10-08-2006, 04:22 AM #20Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
You can trust Steve over at rack911 he has done stuff for me in the past and has never abused the access to the server.
-
10-08-2006, 04:41 AM #21Web Hosting Evangelist
- Join Date
- Mar 2005
- Posts
- 540
Some scripts are running as nobody:
9564 nobody 22 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>
What are these? How can I trace and stop them?
Thanks
-
10-08-2006, 07:43 AM #22Retired Moderator
- Join Date
- Oct 2004
- Location
- Southwest UK
- Posts
- 1,175
nobody is the user that the apache process runs as. I really think you need to either get someone to repair your server, as you obviously do not have enough knowledge to do this yourself (of course, use Google and the heap of information on the web to obtain this knowledge for yourself, it's how I still learn), or reformat and reinstall your server.
All the reputable companies that you have been recommended to use are just that - reputable. None of them will harm your server, or install backdoors for their own use.
Here is a link to a first guide to securing a linux server.
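For the "sh <defunct>" entry running as nobody in the post above, an added example (not part of the original thread) of how to trace it: a zombie cannot be killed itself, so the useful lead is its parent, plus any process owned by the web-server user that has detached to PID 1. The input format (`ps -eo pid,ppid,user,stat,comm`), the function names and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is assumed to be the output of
#   ps -eo pid,ppid,user,stat,comm

# Constructed sample process table (PID 9564 mirrors the line in the post).
SAMPLE_PS='  PID  PPID USER     STAT COMMAND
 2101     1 root     Ss   httpd
 2150  2101 nobody   S    httpd
 9510  2150 nobody   S    perl
 9564  9510 nobody   Z    sh <defunct>
 9570     1 nobody   S    bash'

# zombies_with_parent USER: for every zombie owned by USER print
# "zombie_pid parent_pid parent_command". The zombie only disappears when
# its parent reaps it or exits, so the parent is what gets investigated.
zombies_with_parent() {
    awk -v u="$1" '
        NR == 1 { next }                       # skip the ps header line
        { ppid[$1] = $2; user[$1] = $3; stat[$1] = $4; comm[$1] = $5; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (user[p] != u || stat[p] !~ /^Z/) continue
                parent = (ppid[p] in comm) ? comm[ppid[p]] : "?"
                print p, ppid[p], parent
            }
        }'
}

# detached_non_server USER SERVER: processes owned by USER whose parent is
# PID 1 and whose command is not the web server binary. A shell or script
# interpreter here did not come from a normal request-handling child.
detached_non_server() {
    awk -v u="$1" -v srv="$2" 'NR > 1 && $3 == u && $2 == 1 && $5 != srv { print $1, $5 }'
}

# Demo on the constructed sample; on a live box pipe the real ps output in.
printf '%s\n' "$SAMPLE_PS" | zombies_with_parent nobody
printf '%s\n' "$SAMPLE_PS" | detached_non_server nobody httpd
```

For each PID reported, `ls -l /proc/<pid>/exe /proc/<pid>/cwd` shows which binary is running and from which directory, which is what to record before stopping the process.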
-
10-08-2006, 08:12 AM #23Web Hosting Master
- Join Date
- Apr 2002
- Location
- USA
- Posts
- 5,783
Right now someone is probably running an IRC bot on your server and downloading your password files etc. You need to get with rack911 or someone before they get root on your server and really mess it up.