hacked server
My server is hacked by backd00red, they gained access to the server and changed root password, they defaced most sites on the server!
How can they access the root? I have a very strong password. My question: how do I secure the server now after it is reinstalled? Thanks, Tom

Was everything updated, do you run the latest kernel on your machine? Did you do anything towards security on your server or did you let it do its own thing after you ordered it?
__________________
John W Security and general linux how-to's w w w . t o t a l s e r v e r s o l u t i o n s . c o m Tss -- Live Support! Tweaking, Securing, 24x7 Service Monitoring, Monthly Management, Migrations, Restores, Optimization, Consulting English And Spanish Support! We do it all @ TotalServerSolutions

Just left it as is!!

Quote:
I have more than 30 years field experience in network and server security, written many network security books, teach on the subject, and own several computer security consulting firms with clients around the globe so I am definitely in a position to help you recover and can show you a lot of things you maybe didn't think about originally that may or may not have led to the current breach.

The bigger question is if you fully grasp the extent of your current situation you just described? There is also a very good chance that whoever got into your server also installed backdoors for themselves to regain access again at a later date and that will also need to be determined and closed out in addition to hardening the security on your server.

Don't worry about any money at the moment, I am more concerned with stopping attacks like these and I am only glad to help and can give you a very big helping hand working through this issue. We need to get your server back to a safe state and get you much better security so you don't have to go through this again.

I am most concerned that you may have far more issues than you are aware (or even begin to grasp at the current moment) since I have dealt with the clean up of thousands of these sorts of attacks. I would almost guarantee your server now has a huge number of backdoors and other security compromises already in place to be concerned about above and beyond the original path of exploit and that is what I would be most concerned about first. If these issues are not handled properly right now, you are just going to run into the same situation again or far worse. Once that is addressed then the fun task of cleanup can press forward and then server security hardening so that this becomes an isolated incident that doesn't repeat for you.

I will be on for another few hours and keep an eye on private messages if you want to reach me. I'll also send you a message how to reach me. EDIT: Regarding italics above.
I'm going offline now but will be back tomorrow
__________________
My Server Expert: Cloud VPS servers w/Cpanel, Security Hardening, Management, and Monitoring!
Last edited by Spiral; 07-09-2009 at 12:24 AM. Reason: No longer online

JPetersen:
I would love to answer your questions but the last time it slipped publicly my identity online, that was a huge mistake and I am very careful now what I let slip and choose my words very carefully and very deliberately for good reason. Don't think I am blowing you off because I am here and now giving you a thoughtful personal answer. Someone I helped a few years ago and later flew up to meet me posted my identity the next week and I got rushed with thousands of "help me", "can I hire you", and "how do you secure this or that" and general fan lore questions which to be honest was a bit overwhelming. I would prefer not to get into all that all over again so I am sure you can respect my interest in privacy. If you are really that curious though, it is not exactly rocket science to figure out who I am just on what side facts you already know about me and my writings and posts in this and dozens of other forums but I would prefer you leave that to your own quiet speculation. Many thanks.

Anyway, to your larger and unspoken question ... I am here first and foremost because I enjoy helping people and I do what I can to help those who really need help concentrating the most on those people I feel need the help the most. Most of these people would not be able to afford hiring anyone at my level so they have really nowhere to turn other than to scout online help forums (like this one and dozens of other similar forum communities) out there. I have a different name in every forum community but you can be sure that I monitor a great many of them as these are the places you find people with the most questions and in the most need and I help people where I can. If you doubt any of that, just read all my posts here posted through the years.

Quote:
above and clearly thought his security was "good enough" which it obviously wasn't and that is good enough for me. Under those conditions, I'll help anyone that asks for my help assuming they can get my attention but I watch these forums fairly closely so it is not all that hard to do.

-Spiral

PS: Incidentally, for those who have a need to know, I do let them know, and most of those people and the people I choose to help and there have been many through the years, most I can now consider friends, some very close friends.
__________________
My Server Expert: Cloud VPS servers w/Cpanel, Security Hardening, Management, and Monitoring!
Last edited by Spiral; 07-09-2009 at 12:21 AM.

Quote:
Thanks.

I've used and recommend Chirpy. He's a moderator here, has well over 13,000 posts, and knows his stuff.
ConfigServer cPanel Server Security, Setup and Management Services
There are quite a few other people that have used him also on this forum and they may just jump in with their recommendations also.

Quote:
As for your free offer, I do appreciate it as well, but I prefer to pay for what I get. While IT IS so kind of you, still I really can't accept that. However, if you are serious about helping me to do it myself, this will make me learn a lot. I recommend that you post a SECURE YOUR SERVER type of thread in public so other people benefit from it as well, like this thread which is very useful, but unfortunately I did all that is mentioned there but my server got hacked, so looks like there is a lot more to be done.

Quote:
I could help you diagnose the issue and track down the source of the original attack but if you already reloaded the server, there is not much use in that so yes the next step would be to secure the server and I definitely can help you with that far beyond your wildest dreams. Generally it is good to dig through things for forensic purposes before blowing away the server but since you've already jumped ahead, not much can be done other than to press forward with getting you re-setup again and secured so this doesn't happen again.

Quote:
If you have read my posts here, you will see that I often address many issues that are often overlooked. While the "secure your server" type threads here and elsewhere are useful for the basics, they often overlook many of the more important areas where you might be vulnerable and the hackers out there aren't going to be so ignorant. The bigger thing to know and understand is "how things work" and the reasons why there are vulnerabilities. A hacker doesn't think about where you have secured your server so much as what you may have missed.

Regarding posting a thread, I'm actually in the process of doing much better than that. I have a new book that is coming out soon that will have a CD that automatically secures everything for Linux servers particularly those running Cpanel or Plesk. Once we get the bugs worked out in that program and some of the licensing issues, I'm considering posting a link to downloading it on here so that may be coming along fairly soon.

Now regarding your mentioning "you did all", I would like to sit down with you and discuss exactly everything you can remember you did originally as that will give me some insight as to your original configuration, the areas you may have missed, and where you more likely got hacked, and also would tell me what areas I may need to bring you more up to speed on and get you to strengthen your understanding.

Regarding your offer to pay, I won't rescind my offer but I'll do it this way. If you think my help to you is valuable, you can go ahead and pay me what you think it is worth to you. Fair enough?

I'll be offline for the next hour or so as there is a place I need to be but I'll be online most of this evening if you want to try to catch up to me. I left you a message yesterday with my contact info so that you can reach me outside of the private messages here.