
Thread: server hacked

  1. #1
    Join Date
    Aug 2009

    server hacked

    [[email protected] tmp]# who
    [[email protected] tmp]#

    I cannot see any other users, and top shows 0 users. /var/logs was removed; I restored it and changed the root password, but it was removed again.

    Lots of scripts were removed from /tmp.

    Please help me.

  2. #2
    Join Date
    Jul 2009
    Change all your passwords (cPanel, WHM, FTP) using the openssl tool:

    openssl rand -base64 12

  3. #3
    Join Date
    Oct 2007

    Are you accessing your machine remotely? If yes, what I would recommend as immediate help is to contact your DC techs and ask them to look into this, or seek professional help.

    You can check with the last | less command whether anyone has logged in as root to the server. If no strange IPs are found, it can be happening through loopholes in any third-party software installed on the server.

    Also, you should now change the SSH port to another one, if it is a direct root hack.

    You can do it by

    1. From your terminal session, edit /etc/ssh/sshd_config

    vi /etc/ssh/sshd_config

    2. Look for the following line:

    #Port 22

    3. Change the line so it looks like this:

    Port 2995 (use any custom port number you like)

    4. Save and close the file

    5. Load the new configuration using the RedHat service command:

    service sshd reload

    You can check your Apache error log to see if anything unusual is noted.

    Tell us your server OS version and, if a control panel is installed, its name (cPanel, Webmin, etc.) for further help.

    Following are the server-securing steps you should perform once the issue is fixed, to prevent hacking issues to an extent; but right now, seek professional help if you feel it is a really critical situation.

    1. Install chkrootkit
    2. Install rkhunter
    3. Install Firewall
    3.1. Install apf / bfd
    3.2. Install csf (for cPanel/WHM servers only)
    4. Securing /tmp
    5. Remove all insecure packages
    6. Script to Monitor Server load
    7. Secure ssh
    8. Prevent upload of Exploits
    9. Disable Insecure Commands
    10. Install Email alert script for Root Logins
    11. Install AIDE

    Install Chkrootkit on a server
    To install chkrootkit on a server

    SSH as admin to your server.

    #Change to root
    su -

    #Type the following

    # Check the MD5 SUM of the download for security:

    md5sum chkrootkit.tar.gz

    #Unpack the tarball using the command
    tar xvzf chkrootkit.tar.gz

    #Change to the directory it created
    cd chkrootkit*

    #Compile by typing
    make sense

    #To use chkrootkit, just type the command
    ./chkrootkit

    #Everything it outputs should be 'not found' or 'not infected'...

    Important Note: If you see 'Checking `bindshell'... INFECTED (PORTS: 465)', read on.

    I'm running PortSentry/klaxon. What's wrong with the bindshell test?

    If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

    cd ..
    #Then remove the .gz file
    rm chkrootkit.tar.gz

    Daily Automated System Scan that emails you a report

    While in SSH run the following:
    vi /etc/cron.daily/

    Insert the following into the new file:
    cd /yourinstallpath/chkrootkit-0.42b/
    ./chkrootkit | mail -s "Daily chkrootkit from Servername" [email protected]

    1. Replace 'yourinstallpath' with the actual path to where you unpacked chkrootkit.
    2. Change 'Servername' to the server you're running so you know where it's coming from.
    3. Change '[email protected]' to your actual email address where the script will mail you.

    Now save the file:

    Change the file permissions so we can run it
    chmod 755 /etc/cron.daily/

    Now if you like you can run a test report manually in SSH to see how it looks.
    cd /etc/cron.daily/


    You'll now receive a nice email with the report! This will now happen every day so you don't have to run it manually.

    Rkhunter installation

    tar -zxvf rkhunter-1.2.9.tar.gz
    cd rkhunter-1.2.9

    Now you can run a test scan with the following command:

    /usr/local/bin/rkhunter -c

    How to set up a daily scan report?

    vi /etc/cron.daily/

    add the following replacing your email address:


    cd /usr/local/bin/
    ./rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" [email protected]

    chmod +x /etc/cron.daily/

    Updating rkhunter

    This gets the latest database updates from their central server and matches your OS better to prevent false positives:

    rkhunter --update

    I just got a false positive!! What do I do?

    False positives are warnings which indicate there is a problem, but aren't really a problem. Example: some Linux distro updated a few commonly used binaries like `ls` and `ps`. You (as a good sysadmin) update the new packages and run (of course) the daily Rootkit Hunter. Rootkit Hunter isn't yet aware of these new files, and while scanning it reports some "bad" files. In this case we have a false positive. You could always have your datacenter or a system administrator check out the server to verify that it is not compromised.

    More information on rkhunter can be found here:

    Install APF in a Server
    APF (Advanced Policy Firewall) is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks:

    This guide will show you how to install and configure APF firewall, one of the better known Linux firewalls available.


    Root SSH access to your server

    Login to your server through SSH and su to the root user.

    1. cd /root/downloads or another temporary folder where you store your files.

    2. wget

    3. tar -xvzf apf-current.tar.gz

    4. cd apf-0.9.5-1/ or whatever the latest version is.

    5. Run the install file: ./
    You will receive a message saying it has been installed

    Installing APF 0.9.5-1: Completed.

    Installation Details:

    Install path: /etc/apf/
    Config path: /etc/apf/conf.apf
    Executable path: /usr/local/sbin/apf
    AntiDos install path: /etc/apf/ad/
    AntiDos config path: /etc/apf/ad/conf.antidos
    DShield Client Parser: /etc/apf/extras/dshield/

    Other Details:
    Listening TCP ports:
    Listening UDP ports: 53,55880
    Note: These ports are not auto-configured;
    they are simply presented for information purposes. You must manually
    configure all port options.

    6. Let's configure the firewall: vi /etc/apf/conf.apf
    We will go over the general configuration to get your firewall running.
    This isn't a complete detailed guide of every feature the firewall has.
    Look through the README and the configuration for an explanation of
    each feature.

    We like to use DShield's "block" list of top networks that have exhibited suspicious activity.
    FIND: USE_DS="0"

    7. Configuring Firewall Ports:

    Cpanel Servers
    We like to use the following on our Cpanel Servers

    Common ingress (inbound) ports
    # Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095,
    # Common ingress (inbound) UDP ports

    Common egress (outbound) ports
    # Egress filtering [0 = Disabled / 1 = Enabled]

    # Common egress (outbound) TCP ports
    # Common egress (outbound) UDP ports

    Ensim Servers
    We have found the following can be used on Ensim Servers, although we have not tried these ourselves as I don't run Ensim boxes.

    Common ingress (inbound) ports
    # Common ingress (inbound) TCP ports
    # Common ingress (inbound) UDP ports

    Common egress (outbound) ports
    # Egress filtering [0 = Disabled / 1 = Enabled]

    # Common egress (outbound) TCP ports
    # Common egress (outbound) UDP ports

    Save the changes: Ctrl+X then Y

    8. Starting the firewall
    /usr/local/sbin/apf -s

    Other commands:
    usage ./apf [OPTION]
    -s|--start ......................... load firewall policies
    -r|--restart ....................... flush & load firewall
    -f|--flush|--stop .................. flush firewall
    -l|--list .......................... list chain rules
    -st|--status ....................... firewall status
    -a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
    -d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall

    9. After everything is fine, change the DEV option
    This stops the firewall from automatically clearing itself every 5 minutes from cron. We recommend changing this back to "0" after you've had a chance to ensure everything is working well and have tested the server out.

    vi /etc/apf/conf.apf

    FIND: DEVM="1"

    10. Configure AntiDOS for APF
    Relatively new to APF is the AntiDOS feature, which can be found in /etc/apf/ad. The log file will be located at /var/log/apfados_log, so you might want to make note of it and watch it!

    vi /etc/apf/ad/conf.antidos

    There are various things you might want to fiddle with, but I'll cover the ones that will alert you by email.

    # [E-Mail Alerts]
    Under this heading we have the following:

    # Organization name to display on outgoing alert emails
    CONAME="Your Company"
    Enter your company name or server name.

    # Send out user defined attack alerts [0=off,1=on]
    Change this to 1 to get email alerts

    # User for alerts to be mailed to
    USR="[email protected]"
    Enter your email address to receive the alerts

    Save your changes! Ctrl+X then press Y
    Restart the firewall: /usr/local/sbin/apf -r

    11. Checking the APF Log

    This will show any changes to allow and deny hosts, among other things.
    tail -f /var/log/apf_log

    Example output:
    Aug 23 01:25:55 ocean apf(31448): (insert) deny all to/from
    Aug 23 01:39:43 ocean apf(32172): (insert) allow all to/from

    12. New - Make APF Start automatically at boot time
    To autostart apf on reboot, run this:

    chkconfig --level 2345 apf on

    To remove it from autostart, run this:

    chkconfig --del apf

    13. Denying IPs with APF Firewall (Blocking)
    Now that you have your shiny new firewall you probably want to block a host, right? Of course you do! With this new version APF now supports comments as well. There are a few ways you can block an IP; I'll show you two of the easier methods.

    > The -d flag means DENY the IP address
    > IPHERE is the IP address you wish to block
    > COMMENTSHERENOSPACES is obvious, add comments to why the IP is being blocked
    These rules are loaded right away into the firewall, so they're
    instantly active.

    ./apf -d TESTING

    pico /etc/apf/deny_hosts.rules

    Shows the following:

    # added on 08/23/05 01:25:55

    B) vi /etc/apf/deny_hosts.rules

    You can then just add a new line and enter the IP you wish to block.
    Before this becomes active though you'll need to reload the APF ruleset.

    /etc/apf/apf -r

    14. Allowing IPs with APF Firewall (Unblocking)

    I know, I know: you added an IP and now you need it removed right away!
    You need to manually remove IPs that are blocked from deny_hosts.rules.

    A) vi /etc/apf/deny_hosts.rules

    Find where the IP is listed and remove the line that has the IP.
    After this is done save the file and reload apf to make the new changes active.

    /etc/apf/apf -r

    B) If the IP isn't already listed in deny_hosts.rules and you wish to allow it,
    this method adds the entry to allow_hosts.rules

    > The -a flag means ALLOW the IP address
    > IPHERE is the IP address you wish to allow
    > COMMENTSHERENOSPACES is obvious, add comments to why the IP is being removed
    These rules are loaded right away into the firewall, so they're instantly active.

    ./apf -a UNBLOCKING

    pico /etc/apf/allow_hosts.rules

    # added on 08/23/05 01:39:43

    Install BFD in a Server (Brute Force Detection)
    BFD (Brute Force Detection) is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: the fact that there are little to no authentication and brute-force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at:

    This guide will show you how to install and configure BFD to protect
    your system from brute force hack attempts.

    - You MUST have APF Firewall Installed before installing BFD - it
    works with APF and requires some APF files to operate.
    - Root SSH access to your server

    Login to your server through SSH and su to the root user.

    1. cd /root/downloads or another temporary folder where you store your files.

    2. wget

    3. tar -xvzf bfd-current.tar.gz

    4. cd bfd-0.7

    5. Run the install file: ./
    You will receive a message saying it has been installed

    BFD installed
    Install path: /usr/local/bfd
    Config path: /usr/local/bfd/conf.bfd
    Executable path: /usr/local/sbin/bfd

    6. Let's edit the configuration file: pico /usr/local/bfd/conf.bfd

    7. Enable brute force hack attempt alerts:

    Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="[email protected]"

    Save the changes: Ctrl+X then Y

    8. Prevent locking yourself out!
    vi /usr/local/bfd/ignore.hosts and add your own trusted IPs

    Save the changes: Ctrl+X then Y

    BFD uses APF's CLI insert feature and as such will override any allow_hosts.rules entries users have in place. So be sure to add your trusted IP addresses to the ignore file to prevent locking yourself out.

    9. Run the program!
    /usr/local/sbin/bfd -s

    10. Customize your applications' brute force configuration
    Check out the rules directory in your /usr/local/bfd

    CSF Installation

    Installation is quite straightforward:

    rm -fv csf.tgz
    tar -xzf csf.tgz
    cd csf

    If you would like to disable APF+BFD (which you will need to do if you have them installed, otherwise they will conflict horribly):


    That's it. You can then configure csf and lfd in WHM, or edit the files
    directly in /etc/csf/*

    CSF is pre-configured to work on a cPanel server with all the standard cPanel ports open. It also auto-configures your SSH port if it's non-standard on

    You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS
    servers have this disabled and you should check /etc/init.d/syslog and make
    sure that any klogd lines are not commented out. If you change the file,
    remember to restart syslog.


    Removing csf and lfd is even simpler:

    cd /etc/csf

    Removal of insecure packages and unnecessary software from server

    Please check to see which packages are not needed on a web server. You can use the command rpm -qa to list all the installed RPM packages on the server. From the list, choose the packages that are not required and remove them. Some common examples of unnecessary packages are given below.


    These packages are specific to RHEL 3; it varies in different distributions.

    BASH Script To Monitor Server Load
    This is a quick script written up to monitor load on a server and
    report building load to an administrator via email.

    1. Change over to /scripts.
    2. Load up your favorite editor and type in the script below, and save
    it as


    #!/bin/bash
    # Set your minimum value for a warning here. If the
    # load value of the box goes above the value below
    # the warning email is triggered
    # (the value was lost from the post; 5 is a placeholder, tune it to your core count)
    loadwarn="5"

    ## Set the admin email here
    _adminemail="[email protected]"

    # Below we set up all our variables we will be using
    # to gauge the load and build our report email
    uptime=$(uptime)
    if echo "$uptime" | grep -qE "min|days"; then
        ut=$(echo "$uptime" | awk '{ print $3 $4 }')
    else
        ut=$(echo "$uptime" | sed s/,//g | awk '{ print $3 " (hh:mm)" }')
    fi
    avgload="$(echo "$uptime" | awk -F'average:' '{ print $2 }')"
    curload="$(echo $avgload | sed s/,//g | awk '{ print $2 }')"
    # free -mt instead of -mto: the -o flag is gone from newer procps and the
    # grep on "Mem:" never needed it
    rusedram="$(free -mt | grep Mem: | awk '{ print $3 " MB" }')"
    rfreeram="$(free -mt | grep Mem: | awk '{ print $4 " MB" }')"
    rtotalram="$(free -mt | grep Mem: | awk '{ print $2 " MB" }')"
    rtotalprocess="$(ps axue | grep -vE "^USER|grep|ps" | wc -l)"
    str="----------------------------------------"

    # Now we'll build our report variables based on the
    # values we've gotten in our checks above
    warn1="WARNING: Server load is high!"
    loadrpt="Current Load: $curload\nAverage Load:$avgload"
    ruptime="Uptime: $ut"
    ramrpt="Ram: $rusedram Used, $rfreeram Free, $rtotalram Total"
    totalprocs="Total Processes: $rtotalprocess"

    # Here we get the result of our load value check
    y="$(echo "$curload >= $loadwarn" | bc)"

    # Now if the box's load is greater than our check
    # we execute the following to build and send the report
    if [ "$y" == "1" ]; then
        # unpredictable temp file; the fixed /tmp/tmp.00 the post used is a
        # symlink-attack target when this runs as root from cron
        report=$(mktemp /tmp/loadcheck.XXXXXX)
        echo -e "$str\n$warn1\n$ruptime\n$loadrpt\n$ramrpt\n$totalprocs\n$str\n" >> "$report"
        ps aux | head -1 >> "$report"
        ps aux | sort -rn -k 3,3 | head -10 >> "$report"   # top 10 by %CPU (3rd column)
        mail -s "Alert: $curload Load for `hostname` on `date` " $_adminemail < "$report"
        # To display rather than email the report, add a comment
        # to the mail line above and uncomment the one below
        # cat "$report"
        rm -f "$report"
    fi

    # Finally, we exit the script
    exit 0

    3. chmod the file so that you can execute it.

    chmod 0755

    4. Now we want to set up a cron job to run the script every X minutes.

    cd /etc/cron.d

    5. Load up your crontab (crontab -e) and add the following:

    */2 * * * * /scripts/ > /dev/null 2>&1

    Be sure you change the directory from /scripts/ if you did not save loadcheck in /scripts. Also you can change the "2" at the beginning, as this is how often the script runs: every 2 minutes. Increase the number to make the script run less often.

    That's it. You can tail -f /var/log/loadcheck to watch and make sure it runs. Ctrl-C to escape the tail.

    Securing Linux Server

    chmod 0700 `which curl` 2>&-; chmod 0700 `which fetch` 2>&-; chmod 0700 `which wget` 2>&-


    # match an x bit in the mode string (first column) or a name ending in .pl
    cd /tmp; ls -loba | grep -E '^[^ ]*x|\.pl$'
    cd /var/tmp; ls -loba | grep -E '^[^ ]*x|\.pl$'
    cd /dev/shm; ls -loba | grep -E '^[^ ]*x|\.pl$'
    cd /var/spool/mail; ls -loba | grep -E '^[^ ]*x|\.pl$'
    cd /usr/local/apache/proxy; ls -loba | grep -E '^[^ ]*x|\.pl$'

    Any executable files or strange directories owned by "nobody", "unknown" or "apache", or Perl programs (*.pl) found by the above process, are almost certainly exploits and should immediately be removed and the server rebooted.

    Install and run the program called rkhunter

    Rootkit Hunter is a scanning tool to ensure, to about 99.9%, that you're clean of nasty tools.

    This tool scans for rootkits, backdoors and local exploits by running
    tests like:

    - MD5/SHA1 hash compare
    - Look for default files used by rootkits
    - Wrong file permissions for binaries
    - Look for suspected strings in LKM and KLD modules
    - Look for hidden files
    - Optional scan within plaintext and binary files


    Disable Insecure Commands on Linux

    For security, it is better to limit access to compilers and programs that allow file download to user root only. This way only user root can compile software or download files to the server.

    You can do this with following commands.

    chmod 700 /usr/local/bin/lynx
    chmod 700 /bin/tar
    chmod 700 /usr/bin/cc
    chmod 700 /usr/bin/gcc
    chmod 700 /usr/bin/perlcc
    chmod 700 /usr/bin/yacc
    chmod 700 /usr/bin/byacc
    chmod 700 /usr/bin/bcc
    chmod 700 /usr/bin/kgcc
    chmod 700 /usr/bin/i386*cc
    chmod 700 /usr/bin/*c++
    chmod 700 /usr/bin/*g++
    chmod 700 /usr/bin/rcp
    chmod 700 /usr/bin/wget
    chmod 700 /usr/bin/lynx
    chmod 700 /usr/bin/links
    chmod 700 /usr/bin/scp

    Email alert for Root Login Script
    Want to be notified instantly when someone logs into your server as root? No problem, check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the superuser account. We recommend that you use an email address not hosted on the server you're sending the alert from.

    So lets get started!

    1. Login to your server and su to root

    2. cd /root

    3. vi .bashrc

    4. Scroll to the end of the file then add the following:
    echo 'ALERT - Root Shell Access (Your-Server-Name) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" [email protected]

    Replace Your-Server-Name with the handle for your actual server
    Replace [email protected] with your actual email address

    5. Ctrl + X to save and exit the vi editor

    Now log out of SSH, close the connection and log back in! You should receive an email with the root login alert within a few minutes.

    Note: This is a great tool for servers that have multiple admins or if
    you give someone SSH access for whatever reason, although you should
    give out the root password to as few people as humanly possible and be
    sure to change it often.

    This will not magically alert you when a hacker runs the latest kernel
    exploit on your server and logs into SSH because they will create
    their own SSH/telnet connection. You should keep your system up to
    date, install a firewall and follow the latest security releases.

    Installing AIDE (Advanced Intrusion Detection Environment)


    Securing PHP

    # php -i |grep php.ini

    The above command will give you the path to php.ini

    Open the php.ini file

    Disable Dangerous PHP Functions

    PHP has a lot of potential to mess up your server and hack user
    accounts and even get root. I've seen many times where users use an
    insecure PHP script as an entry point to a server to start unleashing
    dangerous commands and taking control.

    Search the php.ini file for disable_functions =

    Add the following:

    disable_functions =

    Then restart Apache...

    Securing /tmp, /var/tmp and /dev/shm
    Securing /tmp
    1. Make a /tmp Partition
    dd if=/dev/zero of=/dev/tmpFS bs=1024 count=100000

    2. Make an ext3 filesystem for tmp
    mkfs.ext3 /dev/tmpFS

    3. Backup current /tmp
    cp -prf /tmp /tmpbackup

    4. Mount the new Partition
    mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp

    5. Change Permission
    chmod 1777 /tmp

    6. Verify by typing mount command and you get:
    /dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)

    7. Copy back the contents and remove backup
    cp -prf /tmpbackup/* /tmp/
    rm -rf /tmpbackup

    8. /etc/fstab Entry
    /dev/tmpFS /tmp ext3 loop,noexec,nosuid,rw 0 0

    Securing /var/tmp
    1. Rename the existing directory
    mv /var/tmp /var/tmpold

    2. Create a symbolic link to /tmp
    ln -s /tmp /var/tmp

    3. Copy the contents back & remove the backup
    cp -prf /var/tmpold/* /tmp/
    rm -rf /var/tmpold

    Securing /dev/shm
    1. Edit your /etc/fstab file. Find:
    none /dev/shm tmpfs defaults,rw 0 0
    Change it to:
    none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

    2. Remount /dev/shm
    mount -o remount /dev/shm

    Securing sshd
    vi /etc/ssh/sshd_config

    Locate the line with "Protocol" in it and change it so that it reads "Protocol 2". This will let ssh only connect on protocol 2, which is more secure and is compatible with any modern client. If for some reason your current client does not support protocol 2, PuTTY is free and supports it.

    Another very good option is to disable root logins. **NOTE** If you do this you need to make sure that you have added a user to the wheel group and have ensured that they are able to "su -" to root. Do not turn this feature on without first testing that you can log in as another user and gain root access; you have been warned! Look for "PermitRootLogin" and change it to read "PermitRootLogin no".

    Save and restart sshd via "service sshd restart".
    Alan John
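The sshd and /tmp hardening in the post above is easy to apply and easy to get wrong, so here is an added example (not code from the thread, and not part of APF, CSF or any other tool it names) that verifies both after the fact. It assumes Linux with /proc/mounts and a POSIX awk; the sshd_config and mounts files it reads are constructed samples, not captures from a real host. The sshd check reads the config the way sshd does: the first occurrence of a keyword wins and anything under a Match block is conditional, so a "PermitRootLogin no" appended at the bottom of a file that already says "PermitRootLogin yes" higher up changes nothing. The mount check reads the last entry for each mount point, because an overmount later in the table is the one in effect.

```shell
#!/bin/sh
# Added example: verify the sshd and /tmp hardening described in the post.
# Not from the original thread. Assumes Linux (/proc/mounts) and POSIX awk.

# sshd_effective FILE KEYWORD
# Prints the value sshd would use for KEYWORD: first match wins, keyword
# comparison is case-insensitive, comments and blank lines are skipped, and
# parsing stops at the first "Match" block (settings there are conditional).
# Prints DEFAULT when the keyword is never set.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "DEFAULT" }
    ' "$1"
}

# sshd_audit FILE
# One line per setting the post asks for: Port moved off 22, Protocol 2,
# PermitRootLogin no. Returns 1 if anything is still weak.
sshd_audit() {
    rc=0
    port=$(sshd_effective "$1" Port)
    if [ "$port" = "22" ] || [ "$port" = "DEFAULT" ]; then
        echo "WEAK Port = $port (still on 22)"; rc=1
    else
        echo "OK   Port = $port"
    fi
    for kv in "Protocol:2" "PermitRootLogin:no"; do
        key=${kv%%:*}; want=${kv#*:}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "WEAK $key = $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# mount_audit MOUNTS_FILE MOUNTPOINT...
# MOUNTS_FILE is in /proc/mounts format (device mountpoint fstype options ...).
# The last line for a mount point is the one in effect. A mount point that is
# absent is WEAK too: it is then just a directory on / and inherits exec.
# /var/tmp symlinked to /tmp, as the post does it, is covered by checking /tmp.
mount_audit() {
    f=$1; shift; rc=0
    for mp in "$@"; do
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$f")
        if [ -z "$opts" ]; then
            echo "WEAK $mp is not a separate mount"; rc=1
            continue
        fi
        missing=""
        case ",$opts," in *,noexec,*) ;; *) missing="$missing noexec" ;; esac
        case ",$opts," in *,nosuid,*) ;; *) missing="$missing nosuid" ;; esac
        if [ -n "$missing" ]; then
            echo "WEAK $mp ($opts) missing:$missing"; rc=1
        else
            echo "OK   $mp ($opts)"
        fi
    done
    return $rc
}

# --- demo on constructed sample files (not real host data) ---
d=$(mktemp -d)
cat > "$d/sshd_config" <<'EOF'
Port 22
#Port 2995
Protocol 2,1
PermitRootLogin yes
# appended at the bottom by an admin following the guide; sshd ignores it
PermitRootLogin no
EOF
cat > "$d/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
sshd_audit "$d/sshd_config" || echo "sshd: hardening incomplete"
mount_audit "$d/mounts" /tmp /dev/shm || echo "mounts: hardening incomplete"
rm -rf "$d"
```

On a live box run `sshd_audit /etc/ssh/sshd_config` and `mount_audit /proc/mounts /tmp /dev/shm`; on OpenSSH 5.1 or later, `sshd -T` prints the effective configuration and is the authoritative cross-check for what this parser reports.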
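The `ls -loba | grep -E "x|.pl"` sweep and the `last | less` check in the post above can both be made precise. This added example (not code from the thread or from any tool it names) is two POSIX shell functions: sweep_tmp lists regular files under a directory that are executable by anyone or named *.pl, optionally restricted to files owned by the accounts the post worries about (nobody, apache); root_logins counts completed sshd root logins per source address from syslog-format auth log lines, skipping addresses you trust. The second matters in exactly this thread's situation: the intruder wiped /var/log, so you run it against whatever copy your syslog host or backups still hold, which is also why logs should be shipped off the box. It assumes GNU find (-printf) and OpenSSH's "Accepted password/publickey for root from IP" log format; the directory contents and log lines are constructed samples using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: tighter versions of the temp-dir
# sweep and the root-login check. Assumes GNU find (-printf) and OpenSSH's
# syslog lines ("Accepted password for root from 203.0.113.5 port ...").

# sweep_tmp DIR [USER ...]
# Regular files under DIR (not crossing mounts) that are executable by anyone
# or end in .pl, printed as "owner path". With USER arguments, only files
# owned by those accounts. The post's grep -E "x|.pl" matched any name with
# an "x" in it and any character followed by "pl"; this tests the mode bits.
sweep_tmp() {
    dir=$1; shift
    find "$dir" -xdev -type f \( -perm /111 -o -name '*.pl' \) -printf '%u %p\n' 2>/dev/null |
    awk -v owners="$*" '
        BEGIN { n = split(owners, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        n == 0 || ($1 in want) { print }
    ' | sort
}

# root_logins LOGFILE [TRUSTED_IP ...]
# "IP count" for each source address that completed an sshd login as root
# (password or publickey), ignoring the trusted addresses. Failed attempts
# are not counted; BFD/CSF handle those.
root_logins() {
    log=$1; shift
    awk -v trusted="$*" '
        BEGIN { n = split(trusted, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (!(ip in ok)) seen[ip]++
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' "$log" | sort
}

# --- demo on constructed data (a scratch directory and made-up log lines) ---
d=$(mktemp -d)
printf '#!/bin/sh\nid\n' > "$d/x.sh"; chmod 755 "$d/x.sh"      # executable: flagged
: > "$d/scan.pl";             chmod 644 "$d/scan.pl"           # perl script: flagged
: > "$d/sess_a1b2c3";         chmod 600 "$d/sess_a1b2c3"       # ordinary file: not flagged
cat > "$d/auth.log" <<'EOF'
Aug 19 10:22:01 web sshd[1234]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Aug 19 10:23:11 web sshd[1240]: Failed password for root from 198.51.100.7 port 40000 ssh2
Aug 19 11:00:00 web sshd[1300]: Accepted publickey for root from 203.0.113.5 port 51300 ssh2
Aug 19 11:05:00 web sshd[1310]: Accepted password for root from 192.0.2.10 port 2222 ssh2
EOF
echo "== suspicious files in $d"; sweep_tmp "$d"
echo "== root logins, trusting 192.0.2.10"; root_logins "$d/auth.log" 192.0.2.10
rm -rf "$d"
```

On a real server the calls are `sweep_tmp /tmp nobody apache`, `sweep_tmp /var/tmp nobody apache`, `sweep_tmp /dev/shm nobody apache` and `root_logins /var/log/secure <your own IPs>` (the auth log is /var/log/secure on RHEL-family systems and /var/log/auth.log on Debian-family ones).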
