Thread: HELP !!!! Website hacked by Viagra and medicine links

  1. #1
    Member
    Join Date
    Dec 2007
    Posts
    5

    HELP !!!! Website hacked by Viagra and medicine links

    All Cpanel guys, I really need your help. I have two servers and all the sites are getting hacked there. The hyperlink code for Viagra and medicine links is inserted in the index and other pages. I know these types of issues are faced by many Cpanel users; I have tried everything but can't stop it. Guys, I need your help, please suggest.

    I have installed CSF firewall and set LFD trigger.
    I have changed pure-ftpd.conf to allow only connection from one IP to one account.
    I have also enabled Cpanel Hulk.
    I have changed the SSH port to 4589

    But still my sites are getting hacked and I am pissed off by this. I am a small reseller and losing my small number of clients. When we tail /var/log/messages for FTP logs I get the following types of logs:

    Dec 27 01:12:41 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8395364.php uploaded (13689 bytes, 212.71KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8441297.php downloaded (10135 bytes, 669.47KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8441297.php uploaded (10165 bytes, 165.37KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8480265.php downloaded (11031 bytes, 871.28KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8480265.php uploaded (11061 bytes, 177.27KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8491142.php downloaded (11131 bytes, 728.66KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8491142.php uploaded (11161 bytes, 178.38KB/sec)
    Dec 27 01:12:42 Server546 pure-ftpd: (mysiteut@66.232.126.195) [NOTICE] /home/mysiteut//public_html/images/pif0/8499143.php downloaded (13371 bytes, 8828.38KB/sec)

    Now if you check the logs, IP 66.232.126.195 is doing FTP to the account and changing the files in a fraction of a second; this same IP is found doing FTP to many accounts. I have blocked tons of IPs, still no effect.

    I have read all the posts on this in Cpanel but nothing.
    I have also upgraded the kernel and disabled the PHP functions specified by Configserver.com.
    I have disabled register_globals, enable_dl, everything, but I still can't stop this. Please help me on this, please help.


    Thanks.
    CEO
    Host2Host
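    As an added defender-side example (not code from the original post or from cPanel), a small Python parser for pure-ftpd NOTICE lines of the kind quoted above that flags a client IP writing .php files into several accounts, or in a rapid burst, the pattern the poster describes. The log lines, host name, account names and addresses in it are constructed, not the poster's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches pure-ftpd NOTICE lines in the /var/log/messages format quoted in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) "
    r"(?P<action>uploaded|downloaded) \((?P<size>\d+) bytes"
)

def parse_line(line, year=2007):
    """Return a dict for one transfer line, or None if the line is not a transfer."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"],
            "path": m["path"], "action": m["action"], "size": int(m["size"])}

def suspicious_ips(lines, min_accounts=2, min_burst=3, window_s=60):
    """Flag IPs uploading .php into several accounts, or min_burst .php files within window_s seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "uploaded" and ev["path"].lower().endswith(".php"):
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        burst = 0
        for i, first in enumerate(evs):  # sliding window over the sorted uploads
            j = i
            while j < len(evs) and (evs[j]["ts"] - first["ts"]).total_seconds() <= window_s:
                j += 1
            burst = max(burst, j - i)
        accounts = sorted({e["user"] for e in evs})
        if len(accounts) >= min_accounts or burst >= min_burst:
            flagged[ip] = {"accounts": accounts, "php_uploads": len(evs), "max_burst": burst}
    return flagged

# Constructed sample lines (RFC 5737 test addresses, made-up host and account names).
SAMPLE_LOG = """\
Dec 27 01:12:41 web1 pure-ftpd: (alice@203.0.113.5) [NOTICE] /home/alice//public_html/images/x/1.php uploaded (13689 bytes, 212.71KB/sec)
Dec 27 01:12:42 web1 pure-ftpd: (alice@203.0.113.5) [NOTICE] /home/alice//public_html/images/x/2.php uploaded (10165 bytes, 165.37KB/sec)
Dec 27 01:12:43 web1 pure-ftpd: (alice@203.0.113.5) [NOTICE] /home/alice//public_html/images/x/3.php uploaded (11061 bytes, 177.27KB/sec)
Dec 27 01:13:05 web1 pure-ftpd: (bob@203.0.113.5) [NOTICE] /home/bob//public_html/index.php uploaded (9000 bytes, 100.00KB/sec)
Dec 27 09:30:00 web1 pure-ftpd: (carol@198.51.100.7) [NOTICE] /home/carol//public_html/logo.png uploaded (5000 bytes, 50.00KB/sec)
Dec 27 10:00:00 web1 pure-ftpd: (dave@192.0.2.9) [NOTICE] /home/dave//public_html/page.php uploaded (2000 bytes, 20.00KB/sec)
"""
```

    Run it as `suspicious_ips(SAMPLE_LOG.splitlines())`: only 203.0.113.5 is flagged, because it writes PHP into two accounts within about a minute, while a single upload or a non-PHP file does not trigger it.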

  2. #2
    Member
    Join Date
    Dec 2007
    Posts
    5

    Come on guys, nobody here who can help me?? Please, please help me.

  3. #3
    Registered User
    Join Date
    Oct 2007
    Posts
    4

    What Cpanel version do you run? There was an issue with some version on Hostgator.

  4. #4
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    10,057
    cPanel/WHM Access Level

    Root Administrator


    You might read this thread or chime in there.
    http://forums.cpanel.net/showthread.php?t=62821

    Install mod_security.

    Make sure every single script you have on the server is up to date. (ie: Joomla, Mambo, phpbb, gallery, vbulletin)

    Make sure every single account is not using addons that are not safe. (ie: http://help.joomla.org/component/opt...86/Itemid,268/)

    Kill anything *nuke

    Change every single password for your clients that may not be smart enough to do it for themselves.

    Scour every account for out of date scripts they've forgotten they had installed. (it happens!)

    To name but a few steps you can take.

  5. #5
    cPanel Partner NOC
    Join Date
    Mar 2004
    Posts
    347

    Simply change the account password to something hard to guess and do not put this password in your FTP program on your local computer.

  6. #6
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Quote Originally Posted by netlook:
    Simply change the account password to something hard to guess and do not put this password in your FTP program on your local computer.

    That doesn't account for the case where another account was compromised and that point of weakness was then used to compromise other accounts.

    Hardening your PHP installation may also be a good idea (in addition to what InfoPro recommended). Documentation on how you can do this is available at:

    http://www.cpanel.net/support/docs/e...ening_php.html

  7. #7
    Member
    Join Date
    Nov 2007
    Posts
    34


    The sad part is that if they own some of the other accounts they probably own root. If that has happened your ONLY recourse is to wipe the box and start over. Do NOT reinstall any account with the old password.

    If you absolutely cannot wipe the box then put up a second box and move accounts one at a time from the compromised box to the new box and be excessively paranoid about moving scripts you are not 100% sure of.

    Shut down ftp and SSH until you get the situation resolved. Disable ALL services you are not using on the box and firewall them. Disable SSHv1.

    A good check to use is chkrootkit. Google that and get the latest verifiable version from the source. That will go over the box and check for exploits.

    Move your system log files off to a logserver so that the culprit cannot so easily edit the logfiles to cover his tracks. At least then you will have some forensics to work with.

    Get hold of the good folks at hosts.com and let them know that they also have a compromised box.

    Good luck, I feel your pain. Contact me offlist if you would like me to run a vulnerability scan against your box from the world and let you know what is open on the box.
    :$s/worry/happy/g

  8. #8
    Member
    Join Date
    Dec 2007
    Posts
    5

    Sorry I did not specify in my last post that the servers already have
    phpsuexec enabled,
    mod_userdir protection enabled,
    SUEXEC enabled,
    PHP open_basedir protection enabled.

    Still don't know how they are hacking in. When I tail /var/log/messages

    I get FTP logs of one IP doing FTP to various accounts on the server.

    Please, can anyone suggest how this is happening, as all my tweaks and settings are finished at this point?

  9. #9
    Member
    Join Date
    Nov 2007
    Posts
    34

    What is the user they are logging in as to accomplish the FTPs? They must be logging in as someone. Who owns the files after they are placed?

    Look through your ftpusers for suspicious entries.

    Look for wheel users that shouldn't be there.

    Look for users with UID/GID < 100
    :$s/worry/happy/g

  10. #10
    Member
    Join Date
    Dec 2007
    Posts
    5

    They are logging in as all users; the FTP log shows they try logging in as each user, for some they get authentication failed, they try again, and in a few attempts they get in.

    For these multiple attempts I have enabled Cpanel Hulk, I have enabled the CSF LFD trigger, I have enabled the pure-ftpd setting for only one FTP connection from one IP, but still they are not stopping.

    Also in /etc/group, wheel has only root as a user.

    But do you guys know one thing about Cpanel:

    ftp://FTPuser:Root Password@serverIP
    will log you in to that FTP account?

    I mean if you have the root password then you can log in to any FTP account on the server.

    On the basis of this rule I have also disabled root login to the server, I have changed the root password to a 32-character strong password, but still it's not being stopped.

    Can anyone help ?


  11. #11
    Member
    Join Date
    Nov 2007
    Posts
    34

    Have you tried running chkrootkit or rkhunter on the box to check for exploits yet?
    :$s/worry/happy/g

  12. #12
    Member linux7802
    Join Date
    Dec 2007
    Posts
    232
    cPanel/WHM Access Level

    Root Administrator

    Linux

    You need to be sure the permissions and ownership for your account are correct or not, then check the database for the site where you have seen the hack problem and remove the links from your database.

    I hope it will help you.

    bye
    Linux7802

  13. #13
    Member
    Join Date
    Feb 2005
    Posts
    8


    Have you checked in the /tmp folder to see if they've managed to upload their own script? They could be bypassing everything else with that.

  14. #14
    Member
    Join Date
    Dec 2007
    Posts
    5


    /tmp was the first thing I checked

  15. #15
    Member nyjimbo
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,113


    Is this still going on?

    If you change the password on a few selected accounts, do they still get in minutes later with FTP or do they get locked out at that point? If you kill FTP for 30 minutes and restart, does the attack start back up again? If this is a bot-related attack, many will abandon it if they cannot access their target after a short period.

    Did you check your binaries to be sure you are not running an exploited service like FTP, shell, etc.? Don't just run rootkit checkers but actually look at the FTP binaries' date stamp and anything else that looks like it's getting used. If you run pure-ftpwho, do you see them connected all the time or popping in and out?
    Last edited by nyjimbo; 12-27-2007 at 11:17 PM.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf
