CSF, cpHulk, all kind of security, and I get hacked.

[nourjabi]

Hi everyone,

I'm new here, and I hope I posted this in the right location.

I have a Dedicated Server from iWeb Servers Canada.

Recently I have been attacked from hackers so much, they keep getting in and messing around with my clients Index files using Mass.SH hacks.

I installed CSF today ( Had some hard time configuring it and got my self locked out couple times). But fine now.

Can you help me figure how those hackers are getting in? Security holes? or something?

ps: they managed to clear Secured logs for SSH everytime, so I have no SSH log to see how and where they messed around.

thanks a bunch!

 

[georgeb]

CSF has nothing to do with this kind of hack, you have to control anything that is uploaded to your server, control who is using SSH etc. Many things...If you believe that just installing CSF you are safe, you are wrong, CSF is great but you have to control any file that is uploaded to your server. You can use CXS (with Mod Security) from Config Server, or your own scripts, elaborate security inside your server, control who is connected via SSH etc, check logs, inform you when any other is connected root via SSH. There are many things to check, not just wait until the hacker is inside your server. Many things to do...If you don't know to do those things it is better to hire somebody who knows, like this you'll save a lot of money not been hacked....


Regards

 

[quizknows]

Most of the time hackers get in through an outdated website, often joomla or wordpress with old plugins.

If they are able to erase root-owned logs, then it is very likely your kernel was old and let an exploit on one hacked site escalate to root priveleges.

At this point you need to have your host make a new server with a clean operating system, new kernel, and new root password, and then migrate all of your users to that server. The sites should be scanned for malware by a professional, ideally prior to moving the to the new server.

 

[24x7server]

Basically hacker are using shell scripts to excite any perl scripts on server so you will have to scan your all websites for the shell scripts, You can find out shell scripts through maldet (LMD) scan.

Also install ConfigServer eXploit Scanner and mod_Security on your server

 

[Easylife]

maybe your computer system has its own problem, and hacker stolen all these files by vicious code,so I suggest that you should reinstall the system.

 

[cPanelMichael]

Hello

It's a good idea to consult with a qualified system administrator if your server has been rooted. Going forward, the cPanel Security Advisor Addon may be useful for helping you to determine which options you can enable on your system to improve security:

cPanel Security Advisor Addon

Thank you.

 

[nourjabi]

thanks everyone for your info, i will look into it. and report if any succed

 

[nourjabi]

I have worked out few CSF modifications, and ran CSF Security test, and fixed many holes here and there, and seems everything is smooth and all those IPs trying to hack into the server are blocked. thanks everyone

 

[inthukha]

Well, i m still suggest you to run clamd, LMD, rootkit hunter as well for detecting exploits. because if they change the logs it means they can do anything if their exploit existing in the system.