403 errors after server been compromised

[zwen]

Hello,

we believe our server has been compromised ... and although the admins have fixed the emails and stuff... they are unable to revert some of the websites that are showing ERROR 403 (No permission to see the page).

Any idea how we can reset the permissions of the webpages?

Also some sites (different list of domains from the earlier problem) are listed under INACTIVE, i tried the button to reactivate them, but doesnt look like it's working...

Any idea what's going on there?

thanks a million.

 

[designeru]

Hint!

Hello,

we believe our server has been compromised ... and although the admins have fixed the emails and stuff... they are unable to revert some of the websites that are showing ERROR 403 (No permission to see the page).

So, check the permitions on the folder specified in /usr/local/apache/conf/httpd.conf (don't go directly to /home dir... it could been changed). Also, be sure the user specified in the conf file is the one that has to has access to that directory.

Any idea how we can reset the permissions of the webpages?

On all webpages... sure, you can do a bash script... something like this one (this one wasn't tested, use it at your own risk).

cmd=` ls /home `
for i in $cmd
do
    chown $i:nobody /home/$i -R
    chmod 755 /home/$i -R
done

Also some sites (different list of domains from the earlier problem) are listed under INACTIVE, i tried the button to reactivate them, but doesnt look like it's working...

Any idea what's going on there?

thanks a million.

Were are those websites marked as inactive? You mean suspended?

 

[zwen]

the server was ok last night and the admins at the dc ran scripts to secure the server...

403 errors are unsolved, and the cpanel team are suppose to be working on it.

This morning the server acts up again, emails and sql are down again...

and it's the same time as yesterday... the admins are working on getting the emails n sql to work.

I'm desperate to get the server up n running again... this is really bad. Will it happen again tomorrow at the same time?!

Can someone advise me on what to do next? This is really bad. i'm making life very miserable for my clients.... i feel so bad.

 

[david510]

Have you installed security softwares such as APF, BFD ?

 

[angelina_holy]

check the permissions and ownership on public_html folder for user:nobody permission 750
What does /var/log/messages say ?