mohamedhassan

Registered
Dec 5, 2005
Pleaaaaaaaaaaaaaaaase help

All my websites have been hacked.
The index pages were changed on more than 90% of my sites. How can I avoid that?
My Linux is CentOS.
Can anyone help me?
 

GCIS

Active Member
Dec 12, 2006
Your system has likely been rooted. Back up all your account data, mailboxes, and settings, and install them on a clean box. Your datacenter can help you with this.
 

Spiral

BANNED
Jun 24, 2005
mohamedhassan,

If all your sites have been hacked then you have a very serious security breach,
and it is very likely your server now has backdoors left for the hacker, which means
you are still in trouble even if you close the original security hole.

You should do the following:

   1.   Get a decent security specialist to review the server to get
        a good idea of what has been done to you and how they did it.

   2.   Either have your data center reload the machine's operating system
        totally from scratch and then reload all your accounts from backup after
        the server has been properly set up and secured,

        (OR)

        buy a new server machine (I can help you there too) and restore the unhacked
        backups of your customer sites on the new server after it has been properly
        set up and secured.

   3.   Have the security on your server audited again to make sure you really
        are in fact secured and safe from a possible repeat of what happened.
 

HelloAdam

Well-Known Member
Nov 6, 2005
> Pleaaaaaaaaaaaaaaaase help
>
> All my websites have been hacked.
> The index pages were changed on more than 90% of my sites. How can I avoid that?
> My Linux is CentOS.
> Can anyone help me?
Hey,

Hire a server management team to back up all your data and then ask your datacenter to do an OS reload on your server.

From,
Adam
 

Silver_2000

Well-Known Member
Mar 31, 2002
Are the sites changed, or do they simply have encrypted JavaScript in a body tag or in an iframe?

If the pages look the same but are attempting to download files to viewers, it's possible that the server wasn't rooted.

A hole in FrontPage extensions allowed JavaScript injection similar to what was described.
First, recompile Apache without FrontPage;
then remove FrontPage from WHM and cPanel and uninstall it from all accounts;
then remove the JavaScript.

I would still move to a new server.
Doug
 

moogle

Well-Known Member
Apr 7, 2003
They just have regular iframe code at the top of the index file.

What about sites that don't have frontpage extensions installed?
 

Silver_2000

Well-Known Member
Mar 31, 2002
> They just have regular iframe code at the top of the index file.
>
> What about sites that don't have FrontPage extensions installed?

McAfee VirusScan will likely tell you the name of the virus/script; you can Google for "iframe" and that name.

I would bet it was FrontPage. I had a few iframes but mostly encrypted JavaScript after the body tag of all the HTML files.
You can try grepping other accounts for unique code in the iframe to see how many files in how many accounts were affected. As I understand it, the FrontPage exploit can give them a great deal of access to .htm files on the server.
 
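The triage Doug describes in this post and his earlier one (telling a hidden iframe or obfuscated JavaScript injection apart from a full defacement, then grepping every account for the same code to see how many files and accounts were hit) can be scripted. The following is an added example, not code from the thread or from cPanel; it assumes the cPanel layout /home/<account>/public_html, takes any other root as its first argument, and the fixture it builds for a dry run is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): triage a cPanel-style server for
# injected iframes / obfuscated JavaScript across every account's public_html,
# and grep all accounts for a known marker once you have one.
# Assumes the cPanel layout /home/<account>/public_html; any other root can be
# passed as the first argument (make_fixture builds a constructed temp tree).

# What to flag on a first pass:
#  - iframes that are hidden (zero size, display:none, visibility:hidden) or
#    that pull content from an absolute http(s) URL (legitimate embeds will
#    show up too; review those by hand),
#  - the usual obfuscation wrappers: unescape(...), eval(...),
#    document.write(unescape(...)).
INJECT_RE='<iframe[^>]*(src="?https?://|width="?0|height="?0|display: *none|visibility: *hidden)|unescape\(|eval\(|document\.write\(unescape'

# List candidate web files under every account's public_html.
web_files() {
    find "${1:-/home}" -path '*/public_html/*' -type f \
        \( -name '*.htm' -o -name '*.html' -o -name '*.php' \) 2>/dev/null
}

# Emit one tab-separated line per hit: account, file, matching line
# (at most 3 hits per file so a big site does not flood the report).
scan_webroots() {
    root="${1:-/home}"
    web_files "$root" | while IFS= read -r f; do
        rel="${f#"$root"/}"          # strip the root prefix ...
        acct="${rel%%/*}"            # ... first path component is the account
        grep -inE -- "$INJECT_RE" "$f" 2>/dev/null | head -n 3 |
        while IFS= read -r hit; do
            printf '%s\t%s\t%s\n' "$acct" "$f" "$hit"
        done
    done
}

# Number of distinct affected files under the root.
count_affected_files() {
    scan_webroots "$1" | cut -f1,2 | sort -u | wc -l | tr -d ' '
}

# Affected-file count per account, most affected first: the "how many files
# in how many accounts" question from the thread.
summarize() {
    scan_webroots "$1" | cut -f1,2 | sort -u | cut -f1 | sort | uniq -c | sort -rn
}

# Once the injected snippet is known (e.g. the iframe's host), search for it
# verbatim (-F) across every account and print the files that contain it.
grep_marker() {
    root="${1:-/home}"; needle="$2"
    web_files "$root" | while IFS= read -r f; do
        grep -qF -- "$needle" "$f" 2>/dev/null && printf '%s\n' "$f"
    done
}

# Constructed fixture for a dry run: three accounts, two of them "infected".
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/public_html" "$d/bob/public_html/blog" "$d/carol/public_html"
    printf '<html><body>\n<iframe src="http://example.invalid/x.php" width=0 height=0></iframe>\n<p>hi</p></body></html>\n' \
        > "$d/alice/public_html/index.html"
    printf '<html><body><script>document.write(unescape("%%3Cscript%%3E"))</script></body></html>\n' \
        > "$d/bob/public_html/blog/post.htm"
    printf '<html><body><p>clean</p></body></html>\n' > "$d/carol/public_html/index.html"
    printf '%s\n' "$d"
}

# Usage on a real box:  . ./scan.sh; summarize /home; grep_marker /home 'example.invalid'
```

Run it against a copy of the web roots (or the backup you are about to restore from) rather than trusting the live box, since, as the thread points out, a rooted server can have had its own binaries replaced; the scan only tells you how far the injection spread, not whether the machine is clean.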

jamesbond

Well-Known Member
Oct 9, 2002
> You can try grepping other accounts for unique code in the iframe to see how many files in how many accounts were affected. As I understand it, the FrontPage exploit can give them a great deal of access to .htm files on the server.

Are you sure there currently is a vulnerability in cPanel's FrontPage extensions? If so, shouldn't you report this to cPanel?

I thought that even though they are EOL, cPanel is still maintaining them (thus fixing security issues).
 

Silver_2000

Well-Known Member
Mar 31, 2002
> Are you sure there currently is a vulnerability in cPanel's FrontPage extensions? If so, shouldn't you report this to cPanel?
>
> I thought that even though they are EOL, cPanel is still maintaining them (thus fixing security issues).

It's not cPanel's FrontPage extensions, it's Microsoft's. Microsoft stopped supporting them. I don't know of anyone that has taken over updating them. Since I don't think the extensions are open source, it's unlikely that anyone can or will.

cPanel doesn't take responsibility for updating the security of ANY of the scripts it links to, as far as I know.
 

Silver_2000

Well-Known Member
Mar 31, 2002
> And if I am sure nobody ever used FrontPage extensions on my server, is it enough to recompile Apache without the FrontPage module?

If you recompile Apache without the extensions, then the extensions will stop working, but I would still remove them from the accounts. I bet there is a command line that will do it quickly; I just don't know what it is.