  1. #1
    Join Date
    Mar 2005
    Posts
    540

    * Need help to Secure my Server

    Hello

    My server is hacked and I need urgent help :-s

    I have found the holes the hacker has entered, now I need help on how I can clear my server and get rid of the hacker's files?

    He just get some files on server.

    Thanks

  2. #2
    Join Date
    Jan 2004
    Location
    UK
    Posts
    1,346
    Run chkrootkit and rkhunter, make sure there are no backdoors. The only true way to make sure that it's clean, however, is to do an OS reload. Just make sure you run the files as I said and install a firewall like APF.

    To stop it happening again make sure folders are CHMOD'd properly and also that your TMP partition is secure.
    Seeksadmin.com Owner: Providing Security, Administration and Optimization since 2001

    Now Offering Windows Services.
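A way to check the two hardening points named in the reply above (folder permissions and the /tmp mount), as an added example that is not from any poster in this thread. The function names, the `--audit` switch and the `/home` default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and defaults are hypothetical.

# Print the hardening options (noexec, nosuid, nodev) that are absent from
# the entry for mount point $2 in the /proc/mounts-format file $1.
# Prints "unmounted" when $2 is not a separate mount at all.
missing_mount_opts() {
    awk -v mp="$2" '
        $2 == mp { opts = $4; found = 1 }      # last matching entry wins
        END {
            if (!found) { print "unmounted"; exit }
            n = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (("," opts ",") !~ ("," want[i] ","))
                    out = out (out == "" ? "" : " ") want[i]
            print out
        }' "$1"
}

# List directories under $1 that are world-writable but lack the sticky bit,
# i.e. any local user (including the web server user) can replace files in them.
loose_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Live use: sh audit.sh --audit /home
if [ "${1:-}" = "--audit" ]; then
    echo "/tmp is missing: $(missing_mount_opts /proc/mounts /tmp)"
    loose_dirs "${2:-/home}"
fi
```

An empty result from `missing_mount_opts` means all three options are set; `unmounted` means /tmp shares a filesystem with its parent and cannot carry its own mount options.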

  3. #3
    Join Date
    Mar 2003
    Location
    Singapore
    Posts
    763
    Hi,
    I'm sorry to hear about the bad incident that you encountered. I believe your server was defaced, in which the hacker added all the funky web pages to your hosted accounts.

    Have you tried restoring the accounts from their backups? It is going to be a lot of hassle if you were to go through them one by one to remove the pages. As to how to remove them, I believe the method can only be found by logging into your server over SSH as root and having a look.

    Anyways, prevention is better than cure. Do try the methods suggested by TR Seeks, however, I know there is definitely more to do to secure a web server.

    Perhaps to avoid this problem happening again in future, you should consider paying someone to secure your server for you. I know Steve from rack911.com has a good reputation here. Other than him, sprintserve.net is another guy who has a high reputation here.

    Anyways, besides them, you can consider www.seeksadmin.com. I can see one of the representatives has replied here. Personally I have dealt with Tris and Matt before. They helped me to secure and optimize my webserver.

    They are still managing my server right now, just to help to reduce my own admin's burden as well as to cover the true 24x7 manned server monitoring and management.

    I would rank them 5/5, especially the responsiveness of Tris and Matt.

    Thanks!
    SecureAX Singapore - Virtualization, Private Cloud Computing & Managed Datacenter in Singapore
    - Managed Virtual Private Servers, Dedicated Servers & Colocation Services in Singapore
    - Gigabit backbone at Equinix Singapore, Telstra SGCS2 & Telin Datacenters with Private Link for Disaster Recovery setup

  4. #4
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,783
    What is up?? I helped you for about an hour and a half for free the other night, told you how to install modsecurity, gave you a rule set, showed you how to grep log files for the holes they were using, then I offered to let you use one of my system admins to work on your server and clean it up for you.

    You got on IM with him and asked if he was going to charge you and he said yes but you could tell him how much you could pay and he would work something out with you.

    Then you logged off and never talked to him again.

    Did you think he was going to spend a few hours cleaning your server for free or something?

  5. #5
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,175
    Too many people want something for nothing these days. Shocking.
    Do not meddle in the affairs of Dragons, for you are crunchy and taste good.

  6. #6
    Join Date
    Mar 2005
    Location
    Derby, UK
    Posts
    221

  7. #7
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,783
    Quote Originally Posted by Neoboffin
    If Techark helped you and you rejected free help. Go Rack911.
    No, he didn't reject free help. Please re-read. I helped him for free for an hour or so. I had already told him to contact Steven over at rack911 but he was in a panic, so I told one of my sys admins he could take off a few hours from his duties with me and help the guy out if he wanted. My sys admin was going to charge him $50.00 or so to clean his server and secure it for him, and when he told him that over IM the guy hung up on him and ran away.

    I guess he figured since I helped him for free my sys admin would too.

    IRLAMP are you looking for someone to do this for free? If not contact rack911.com and see if they can help, if you are looking for only free, good luck, and you better hurry before your data center pulls the plug on you.

  8. #8
    Join Date
    Mar 2003
    Location
    Singapore
    Posts
    763
    Quote Originally Posted by Techark
    What is up?? I helped you for about an hour and a half for free the other night, told you how to install modsecurity, gave you a rule set, showed you how to grep log files for the holes they were using, then I offered to let you use one of my system admins to work on your server and clean it up for you.

    You got on IM with him and asked if he was going to charge you and he said yes but you could tell him how much you could pay and he would work something out with you.

    Then you logged off and never talked to him again.

    Did you think he was going to spend a few hours cleaning your server for free or something?
    Thanks for sharing your experience dealing with him. How kind of you that you're willing to offer the help to him for free!

    IRLAMP: Just my advice to you. Instead of making yourself worry and panic like that, why not save all the trouble by asking someone to fix everything and secure your server for you? I feel $50 for all the work is reasonable; after all, the server that you're paying for is certainly a few times more expensive than the $50. You won't want the same incident to happen again, would you?

    Thanks.

  9. #9
    Join Date
    May 2002
    Location
    Kansas City, USA
    Posts
    75
    I did that "help for free" thing about 15 times before I finally learned my lesson. I hate freeloaders!
    Midwest Dedicated
    Content Management Solutions, Design, Managed Servers
    http://www.midwestdedicated.com
    Providing the highest quality IT services since 1999.

  10. #10
    If it was a non-profit website then it would have been kind to lend some free support, but in this situation I am guessing it's a hosting website (judging by a post above), so I don't see any reason why he/she should not pay.

  11. #11
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    404
    Ugh, you know everyone nowadays wants everything for free. What I generally tell these leeches is as follows:

    "Ok, so let me get this straight, I went to school and paid $15k for that, busted my hump and got all my certifications, and planted my foot down, gave it all up to become a person who reads and researches day in and day out, and creates solutions... so I could help you, one who knows nothing, for free?"


    They tend to either pay, or go away. Either choice works well. No wasted time if you let them know up front.

  12. #12
    Join Date
    Mar 2005
    Posts
    540
    Hello

    Sorry, but I cannot pay now, and am just trying and then will tell someone to secure my server.
    Techark, thanks for your help, I would surely order my next server from your company, you helped me greatly.

    I have run chkrootkit and the below was the result:
    root@itaco [/etc/cron.daily]# ./chkrootkit.sh
    /proc/21451/fd: No such file or directory
    /proc/23541/fd: No such file or directory
    /proc/27558/fd: No such file or directory

    What are these folders that are not found?
    Should I create them?

    Thanks

  13. #13
    Join Date
    Jul 2004
    Posts
    873
    A Beginner's Guide to Securing Your WHM/cPanel Linux Server
    http://www.webhostingtalk.com/showthread.php?t=327478


    http://www.webhostgear.com/cid_6.html

  14. #14
    Join Date
    Mar 2005
    Posts
    540
    Where should I add these commands in httpd.conf for installing mod_evasive?
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 6
    DOSSiteCount 100
    DOSPageInterval 2
    DOSSiteInterval 2
    DOSBlockingPeriod 600
    </IfModule>

    and if there is any need for changes please help me.

    Thanks

  15. #15
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,783
    Quote Originally Posted by IRLAMP
    Hello

    Sorry, but I cannot pay now, and am just trying and then will tell someone to secure my server.
    Techark, thanks for your help, I would surely order my next server from your company, you helped me greatly.

    I have run chkrootkit and the below was the result:
    root@user[/etc/cron.daily]# ./chkrootkit.sh
    /proc/21451/fd: No such file or directory
    /proc/23541/fd: No such file or directory
    /proc/27558/fd: No such file or directory

    What are these folders that are not found?
    Should I create them?

    Thanks
    You are not following. You are hacked; there are still processes and scripts running on your server that are not supposed to be. Your server needs to be checked over and cleaned. Installing mod_evasive is not going to help your current problem; all good for once you get your server cleaned, but first you have to get rid of the hacks that are already there.

  16. #16
    Quote Originally Posted by Techark
    You are not following. You are hacked; there are still processes and scripts running on your server that are not supposed to be. Your server needs to be checked over and cleaned. Installing mod_evasive is not going to help your current problem; all good for once you get your server cleaned, but first you have to get rid of the hacks that are already there.
    He's trying to get something for nothing. Everyone should just ignore his posts so that he gets frustrated and ends up paying for professional help so that we don't have another zombie'd box spewing spam, phishing emails, and everything else.

  17. #17
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    404
    Agreed. People never cease to amaze me.
    Quote Originally Posted by blackstone
    He's trying to get something for nothing. Everyone should just ignore his posts so that he gets frustrated and ends up paying for professional help so that we don't have another zombie'd box spewing spam, phishing emails, and everything else.

  18. #18
    Join Date
    Sep 2005
    Posts
    551
    I would choose Rack911.com for this.

  19. #19
    Join Date
    Mar 2005
    Posts
    540
    OK! It seems that I should do what you have suggested to me,
    but how can I trust that the site I ask for security will do all the security for the server and not leave some login for himself for later?

    Please help me!

    thanks

  20. #20
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,783
    You can trust Steve over at rack911 he has done stuff for me in the past and has never abused the access to the server.

  21. #21
    Join Date
    Mar 2005
    Posts
    540
    Some scripts are running as nobody:

    9564 nobody 22 0 0 0 0 Z 0 0.0 0:00.00 sh <defunct>

    What are these? How can I trace and stop them?

    Thanks

  22. #22
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,175
    nobody is the user that the apache process runs as. I really think you need to either get someone to repair your server, as you obviously do not have enough knowledge to do this yourself (of course, use Google and the heap of information on the web to obtain this knowledge for yourself, it's how I still learn), or reformat and reinstall your server.

    All the reputable companies that you have been recommended to use are just that - reputable. None of them will harm your server, or install backdoors for their own use.

    Here is a link to a first guide to securing a Linux server.
    Do not meddle in the affairs of Dragons, for you are crunchy and taste good.
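One way to trace the defunct `sh` asked about in the two posts above back to the process that spawned it, as an added example that is not from any poster. The `ps` listing inside `sample_ps` is constructed, and the function names and the `/tmp/example.pl` path are hypothetical.

```shell
#!/bin/sh
# Added example; sample data is constructed, not taken from the thread.

# For every defunct (state Z) process owned by user $1, print its PID and the
# PID, owner and command line of its parent. Reads the output of
#   ps -eo pid,ppid,user,stat,args
# on stdin. A zombie has already exited and cannot be killed; the parent that
# has not reaped it is the process worth inspecting.
zombie_parents() {
    awk -v who="$1" '
        NR == 1 { next }                        # skip the ps header line
        {
            pid = $1; ppid[pid] = $2; user[pid] = $3; stat[pid] = $4
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            args[pid] = cmd
            order[++n] = pid                    # keep input order for output
        }
        END {
            for (k = 1; k <= n; k++) {
                z = order[k]
                if (user[z] != who || stat[z] !~ /^Z/) continue
                p = ppid[z]
                if (p in args)
                    printf "%s <- %s %s %s\n", z, p, user[p], args[p]
                else
                    printf "%s <- %s ? (parent not listed)\n", z, p
            }
        }'
}

# Constructed listing: a defunct sh under a script started by an httpd child.
sample_ps() {
cat <<'EOF'
  PID  PPID USER     STAT COMMAND
    1     0 root     Ss   init
 2210     1 root     Ss   /usr/local/apache/bin/httpd -k start
 2284  2210 nobody   S    /usr/local/apache/bin/httpd -k start
 9541  2284 nobody   S    perl /tmp/example.pl
 9564  9541 nobody   Z    [sh] <defunct>
EOF
}

# Live use: ps -eo pid,ppid,user,stat,args | zombie_parents nobody
# Then inspect the parent: ls -l /proc/<parent>/exe /proc/<parent>/cwd
```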

  23. #23
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,783
    Right now someone is probably running an IRC bot on your server and downloading your password files etc. You need to get with rack911 or someone before they get root on your server and really mess it up.
