The Community Forums


Hacking Issue

Discussion in 'Data Protection' started by mohamedhassan, Dec 29, 2006.

  1. mohamedhassan

    mohamedhassan Registered

    Joined:
    Dec 5, 2005
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Pleaaaaaaaaaaaaaaaase help

    All my websites have been hacked;
    the index pages were changed on more than 90% of my sites. How can I avoid that?
    My Linux is CentOS.
    Can anyone help me?
     
  2. GCIS

    GCIS Active Member

    Joined:
    Dec 12, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Your system has likely been rooted. Back up all your account data, mailboxes, and settings, and install them on a clean box. Your datacenter can help you with this.
     
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    mohamedhassan,

    If all your sites have been hacked then you have a very serious security breach
    and it is very likely your server now has backdoors left for the hacker, which means
    you are still in trouble even if you close the original security hole.

    You should do the following ...

    1. Get a decent security specialist to review the server to get
       a good idea what has been done to you and how they did it.

    2. Either have your data center reload the machine's operating system
       totally from scratch and then reload all your accounts from backup after
       the server has been properly set up and secured,

       (OR)

       buy a new server machine (I can help you there too) and restore the unhacked
       backups of your customer sites on the new server after it has been properly
       set up and secured.

    3. Have the security on your server audited again to make sure you really
       are in fact secured and safe from a possible repeat of what happened.
     
    #3 Spiral, Dec 29, 2006
    Last edited by a moderator: Dec 30, 2006
  4. HelloAdam

    HelloAdam Well-Known Member

    Joined:
    Nov 6, 2005
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Hey,

    Hire a server management team to backup all your data and then ask your Datacenter to do an OS reload on your server...

    From,
    Adam
     
  5. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    Are the sites changed, or do they simply have an encrypted JavaScript in a body tag or in an iframe?

    If the pages look the same but are attempting to download files to viewers, it's possible that the server wasn't rooted.

    A hole in FrontPage extensions allowed JavaScript injection similar to what was described.
    First recompile Apache without FrontPage,
    then remove FrontPage from WHM and cPanel and uninstall it from all accounts,
    then remove the JavaScript.

    I would still move to a new server.
    Doug
     
  6. moogle

    moogle Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    94
    Likes Received:
    0
    Trophy Points:
    6
    They just have a regular iframe code in the top of the index file.

    What about sites that don't have frontpage extensions installed?
     
  7. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    McAfee VirusScan will likely tell you the name of the virus/script; you can Google for "iframe" and that name.

    I would bet it was FrontPage. I had a few iframes but mostly encrypted JavaScript after the body tag of all the HTML files.
    You can try grepping other accounts for unique code in the iframe to see how many files in how many accounts were affected. As I understand it, the FrontPage exploit can give them a great deal of access to htm files on the server.
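    The "grep other accounts for the injected iframe" step above, and the "remove the JavaScript" step in Doug's earlier reply, both need a way to find every affected file first. The script below is an added example and is not code from this thread or from cPanel: it walks a cPanel-style /home/<account>/public_html layout read-only and reports, per account, which web files contain an iframe, a zero-size/hidden iframe, or a script block that decodes itself at runtime (eval/unescape/String.fromCharCode). The indicator patterns and the sample tree it builds in a temp directory are constructed for the demo; a match tells you which files to inspect and restore, not whether the server itself was rooted.

```python
"""
Added example (not from the thread): read-only scanner for injected
markup in a cPanel-style /home/<account>/public_html tree.
"""
import os
import re
import tempfile
from collections import defaultdict

# Illustrative indicators of the injection described in the thread.
# Assumption: this is a demo pattern set, not an exhaustive signature list.
INDICATORS = {
    "iframe": re.compile(r"<iframe\b[^>]*>", re.IGNORECASE),
    # Zero-size or hidden iframes are the classic drive-by download pattern.
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
        r"|display\s*:\s*none)[^>]*>",
        re.IGNORECASE),
    # Script blocks that decode themselves at runtime ("encrypted javascript").
    "obfuscated_script": re.compile(
        r"<script\b[^>]*>[^<]*\b(unescape|eval|String\.fromCharCode)\s*\(",
        re.IGNORECASE),
}
WEB_EXTENSIONS = (".html", ".htm", ".shtml", ".php")


def scan_file(path):
    """Return the names of the indicators that match the file's contents."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_accounts(home_root):
    """Walk home_root/<account>/public_html and return
    {account: {path_relative_to_docroot: [indicators]}} for matching files."""
    findings = defaultdict(dict)
    for account in sorted(os.listdir(home_root)):
        docroot = os.path.join(home_root, account, "public_html")
        if not os.path.isdir(docroot):
            continue
        for dirpath, _dirs, files in os.walk(docroot):
            for name in files:
                if not name.lower().endswith(WEB_EXTENSIONS):
                    continue
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[account][os.path.relpath(full, docroot)] = hits
    return dict(findings)


def build_sample_tree():
    """Create a constructed sample /home tree: two affected accounts, one clean.
    The hostname and contents are made up for the demo."""
    root = tempfile.mkdtemp(prefix="homes_")
    samples = {
        "acct1/public_html/index.html":
            '<html><body>\n<iframe src="http://example.invalid/x" '
            'width=0 height=0></iframe>\nHello</body></html>',
        "acct1/public_html/about.htm":
            "<html><body>About us</body></html>",
        "acct2/public_html/index.php":
            "<?php echo 'hi'; ?><body><script>eval(unescape('%3C%69'))"
            "</script></body>",
        "acct3/public_html/index.html":
            "<html><body>clean site</body></html>",
        # Outside public_html and not a web extension: must be ignored.
        "acct3/notes.txt": "<iframe> in a non-web file is ignored",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    home = build_sample_tree()
    for account, files in scan_accounts(home).items():
        for rel, hits in files.items():
            print(f"{account}: {rel}: {', '.join(hits)}")
```

    Point `scan_accounts` at the real `/home` on an affected box (run it from a rescue or read-only mount where possible so the scan itself touches nothing) and compare the list of affected accounts against which ones had FrontPage extensions enabled; that comparison is what decides whether the FrontPage theory in this thread holds for your server.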
     
  8. Kelmas

    Kelmas Well-Known Member

    Joined:
    Nov 6, 2006
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    Is there a way to COMPLETELY disable FrontPage on the whole server?
     
  9. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Are you sure there currently is a vulnerability in CPanel's frontpage extensions? If so, shouldn't you report this to CPanel?

    I thought even though they are EOL, CPanel is still maintaining them (thus fixing security issues).
     
  10. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    What FTP server are you using, Pure-FTP or ProFTP?
     
  11. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    It's not cPanel's FrontPage extensions, it's Microsoft's. Microsoft stopped supporting them. I don't know of anyone that has taken over the updating of them. Since I don't think the extensions are open source, it's unlikely that anyone can or will ....

    cPanel doesn't take the responsibility of updating the security on ANY of the scripts it has links to .. as far as I know.
     
  12. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    Yes, recompile Apache without the extensions, then manually remove the extensions from each account, then remove the icon from cPanel.
     
  13. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Replacing or reloading the server may be overkill, but you won't know until you have someone review the server for you.
     
  14. Kelmas

    Kelmas Well-Known Member

    Joined:
    Nov 6, 2006
    Messages:
    121
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lithuania
    And if I am sure nobody ever used FrontPage extensions on my server, is it enough to recompile Apache without the FrontPage module?
     
  15. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    If you recompile Apache without the extensions then the extensions will stop working, but I would still remove them from the accounts. I bet there is a command line that will do it quickly; I just don't know what it is.
     