Is my server hacked?

**azrael** · 02-09-2009 11:40 PM

Every time I visit all sites of a server.. I'm redirected to this unknown russian site..
http://www.nnovauto.ru

and so as other sites that are being hosted...

anyone here who experiencd the same??

**rhenderson** · 02-10-2009 12:22 AM

Do a search on here for a javascript hack, there have been several posts about this exact same thing around 4 to 6 months ago but I cannot remember exactly what they were. If I remember correctly there was some script or test you could do.

**azrael** · 02-10-2009 05:10 AM

The server has 100 sites.

When I search sites og the server in google, google show me the link.

If i click it, it redirect to another site.

But if I copied th link, it work find.

**Voltar** · 02-10-2009 05:39 AM

Does this thread shed any light? http://forums.cpanel.net/showthread.php?t=62821

I know there are some threads over at WHT about Javascript injection in pages. Have you tried scanning your server with a rootkit hunter?

**Silver_2000** · 02-10-2009 06:52 PM

Assuming the pages have been modified by inserting iframes

if you look you will find some scripts that will clean the iframes from all the files

add a firewall and rootkit hunter

**rhenderson** · 02-10-2009 09:05 PM

Originally Posted by Silver_2000

Assuming the pages have been modified by inserting iframes

if you look you will find some scripts that will clean the iframes from all the files

add a firewall and rootkit hunter

Thanks SIlver Iframes was what I was thinking about when I posted above, just could not remember the terminaology. Gave you a rep for that one.

**brianoz** · 02-11-2009 05:48 PM

You also need to be concerned about how the iframe code got there in the first place. If you remove the code without fixing the security problem, the code will likely get put back again.

At the least you should:

change your root and/or reseller passwords
check logs to see whether ftp was used, if so, change the user passwords
if the server is yours, check for up to date kernel
add CSF firewall from www.configserver.com

From hearing about this happen before, the ways they get in to do this seem to be (choose one, usually):

user PHP scripts with weaknesses, leading to system compromise
sniffing the root/reseller password over wifi
a trojan keylogger installed on your PC/desktop/laptop
an old kernel with a known weakness
stealing passwords on a server not running suphp and using them to escalate privilege

**azrael** · 02-12-2009 11:35 AM

Here try test..

orinonga.com

Search it at google.

And copy the link from google, visit...

**maquinadigital** · 05-14-2009 06:39 PM

I had the IFRAME problem but I'm now having one other problem, similar to this one.

The websites files (several websites, on my server), are ok, and not changed but, when entering it from the browser, a javascript is there.

Restarting apache solves the issue (temporarily)

Somebody told me about code injection to the shared memory or something.

Maybe suPHP will help. Will try this weekend.

Do you have suPHP installed?

best regards

LinkBack

Thread Tools

Is my server hacked?

I can't find any scripts.

No iframe injection..

my server is hacked

server has been hacked

Server get hacked

my server got hacked?

new server got hacked