#16 (sphost, 07-09-2009, 08:24 PM)
Quote: Originally Posted by Spiral
Now regarding your mentioning "you did all", I would like to sit down
with you and discuss exactly everything you can remember you did
originally as that will give me some insight as to your original configuration,
the areas you may have missed, and where you more likely got hacked,
and also would tell me what areas I may need to bring you more up to
speed on and get you to strengthen your understanding.

This was basically what I did: http://forums.cpanel.net/f7/beginner...ver-30159.html
#17 (ddmd, 07-11-2009, 06:44 PM)
Maybe they did not find your root password, but another user's password, and exploited some local vulnerability to get root?

Did you check your logs to see if they brute-forced it? As for monitoring, this is what I just posted on another thread:

I had a similar problem a while ago and used the OSSEC tool (open source) to find all offending packages. It has a nice rootkit/worm/exploit detection tool in there.

After that, I kept that running with Snort and ModSecurity (all open source) to monitor my systems. I also recently found Sucuri, to remotely check if my sites have been defaced, blacklisted, etc.

links:
Welcome to the Home of OSSEC
ModSecurity: Open Source Web Application Firewall
Snort :: Home Page
Sucuri information security (BETA)
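The "did you check your logs to see if they brute-forced it?" question above is easy to answer mechanically. The following script is an added example, not code from the forum post or from any of the tools it names: it parses sshd lines in the syslog format that /var/log/secure (Fedora/RHEL) or /var/log/auth.log (Debian) use, counts failed password attempts per source address, and flags any address that logs a successful login after crossing a failure threshold, which is the signature of a guessed password. The sample log lines, the 203.0.113.x/198.51.100.x addresses, the hostname `web1` and the threshold of 5 are all constructed for the example.

```python
"""Find password-guessing bursts (and the logins that followed them) in sshd logs.

Added example for the thread above; it is not taken from the post or from
OSSEC/Snort/ModSecurity. The SAMPLE_LOG below is constructed to match the
usual syslog layout of OpenSSH; the threshold and file paths are assumptions.
"""
import re
import sys
from collections import defaultdict

# Syslog-style sshd line: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one address hammers root/admin/oracle and finally gets
# root; a legitimate admin mistypes once from another address.
SAMPLE_LOG = """\
Jul  9 02:14:01 web1 sshd[4021]: Accepted publickey for admin from 198.51.100.7 port 51522 ssh2
Jul  9 03:10:11 web1 sshd[4102]: Failed password for root from 203.0.113.5 port 40101 ssh2
Jul  9 03:10:12 web1 sshd[4103]: Failed password for root from 203.0.113.5 port 40102 ssh2
Jul  9 03:10:13 web1 sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 40103 ssh2
Jul  9 03:10:14 web1 sshd[4105]: Failed password for invalid user oracle from 203.0.113.5 port 40104 ssh2
Jul  9 03:10:15 web1 sshd[4106]: Failed password for root from 203.0.113.5 port 40105 ssh2
Jul  9 03:10:16 web1 sshd[4107]: Failed password for root from 203.0.113.5 port 40106 ssh2
Jul  9 03:10:17 web1 sshd[4108]: Accepted password for root from 203.0.113.5 port 40107 ssh2
Jul  9 04:00:00 web1 sshd[4200]: Failed password for admin from 198.51.100.7 port 51600 ssh2
Jul  9 04:00:05 web1 sshd[4201]: Accepted password for admin from 198.51.100.7 port 51601 ssh2
"""

FAILURE_THRESHOLD = 5  # assumed: this many failures from one address counts as guessing


def parse_sshd(text):
    """Yield (ip, user, outcome) for each sshd auth line; outcome is 'fail' or 'ok'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        f = FAILED_RE.match(msg)
        if f:
            yield f.group("ip"), f.group("user"), "fail"
            continue
        a = ACCEPTED_RE.match(msg)
        if a:
            yield a.group("ip"), a.group("user"), "ok"


def find_brute_force(text, threshold=FAILURE_THRESHOLD):
    """Return {ip: {"failures": n, "compromised": [users]}} for addresses over threshold.

    A successful login from an address that had already crossed the failure
    threshold is recorded under "compromised": that account's password was
    most likely guessed, not leaked some other way.
    """
    failures = defaultdict(int)
    report = {}
    for ip, user, outcome in parse_sshd(text):
        if outcome == "fail":
            failures[ip] += 1
        elif failures[ip] >= threshold:  # success after a burst of failures
            report.setdefault(ip, {"failures": 0, "compromised": []})
            report[ip]["compromised"].append(user)
    for ip, n in failures.items():
        if n >= threshold:
            report.setdefault(ip, {"failures": 0, "compromised": []})
            report[ip]["failures"] = n
    return report


if __name__ == "__main__":
    # Usage: python3 sshguess.py < /var/log/secure   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, info in find_brute_force(text).items():
        print(f"{ip}: {info['failures']} failures, compromised={info['compromised']}")
```

On the constructed sample it reports 203.0.113.5 with six failures and a subsequent root login, and stays quiet about the admin's single typo. Two caveats when running it on a box that is already rooted: an attacker with root can have trimmed /var/log/secure, so cross-check with `last` (reads /var/log/wtmp) and with the OSSEC alerts ddmd mentions; and a break-in through a network service rather than a guessed password leaves nothing in the sshd log at all, so an empty report does not clear the server.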
#18 (Spiral, 07-11-2009, 09:52 PM)
Quote: Originally Posted by ddmd
Maybe they did not find your root password, but another user's password, and exploited some local vulnerability to get root?
Sphost was (and unfortunately still is) using an obsolete, almost EOL version
of Fedora, and the BIND server had not been patched or secured in the
original server configuration, so the hackers used an old exploit to gain
a root shell via a DNS attack. It would not have worked on most servers
today, so they were actually lucky to find his server.

His server has now been fully secured and the vulnerable areas have
been manually patched and reconfigured so the previous vulnerabilities
no longer exist, the server fully hardened, and an extensive list of
defensive technologies have been put in place to help protect him
from future exploit and hacking attempts.

He's in a lot better shape now and has also been upgraded in the process
to Apache 2.2.11 along with Suhosin-hardened suPHP and other goodies,
including a well-configured firewall and port scan monitors, rootkit detectors,
intelligent traffic monitoring, self-updating protection, and other fun stuff.