Is my server hacked?

Discussion in 'Security' started by azrael, Feb 9, 2009.

  1. azrael

    Every time I visit all sites of a server, I'm redirected to this unknown Russian site:
    http://www.nnovauto.ru

    and so are other sites that are being hosted...

    Has anyone here experienced the same?
     
  2. rhenderson

    Do a search on here for a JavaScript hack; there have been several posts about this exact same thing around 4 to 6 months ago, but I cannot remember exactly what they were. If I remember correctly, there was some script or test you could do.
     
  3. azrael

    I can't find any scripts.

    The server has 100 sites.

    When I search for sites of the server in Google, Google shows me the link.

    If I click it, it redirects to another site.

    But if I copy the link, it works fine.
     
  4. Voltar

  5. Silver_2000

    Assuming the pages have been modified by inserting iframes:

    If you look, you will find some scripts that will clean the iframes from all the files.

    Add a firewall and rootkit hunter.
     
    rhenderson likes this.
  6. rhenderson

    Thanks Silver. Iframes was what I was thinking about when I posted above, just could not remember the terminology. Gave you a rep for that one.
     
  7. brianoz

    You also need to be concerned about how the iframe code got there in the first place. If you remove the code without fixing the security problem, the code will likely get put back again.

    At the least you should:
    • change your root and/or reseller passwords
    • check logs to see whether FTP was used; if so, change the user passwords
    • if the server is yours, check for an up-to-date kernel
    • add CSF firewall from www.configserver.com

    From hearing about this happen before, the ways they get in to do this seem to be (choose one, usually):
    • user PHP scripts with weaknesses, leading to system compromise
    • sniffing the root/reseller password over wifi
    • a trojan keylogger installed on your PC/desktop/laptop
    • an old kernel with a known weakness
    • stealing passwords on a server not running suPHP and using them to escalate privilege
     
  8. azrael

    No iframe injection..

    Here, try a test..

    orinonga.com

    Search for it on Google.

    And copy the link from Google, visit...
     
    #8 azrael, Feb 12, 2009
    Last edited by a moderator: May 14, 2009
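
The symptom azrael describes in posts 3 and 8 (a visit that arrives from a Google result is redirected, while the same link opened directly is not) can be checked by requesting a page with and without a search-engine Referer header and comparing the responses. The Python below is an added example, not code from any poster in this thread or from cPanel; the Referer value, the function names and the local demo server (which redirects to the placeholder host redirect.invalid) are constructed for illustration.

```python
import hashlib
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SEARCH_REFERER = "https://www.google.com/search?q=example"  # constructed value

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx instead of following it

def fetch(url, referer=None):
    """(status, Location, body SHA-256); no redirect following, proxies ignored."""
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        resp = opener.open(req, timeout=10)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        resp = err
    return resp.code, resp.headers.get("Location"), hashlib.sha256(resp.read()).hexdigest()

def referer_check(url, referer=SEARCH_REFERER):
    """Compare a direct request with one claiming to come from a search result."""
    direct, via_search = fetch(url), fetch(url, referer)
    # Status/Location difference is the strong signal; body-only needs a manual look.
    return {"direct": direct, "via_search": via_search,
            "redirect_differs": direct[:2] != via_search[:2],
            "body_differs": direct[2] != via_search[2]}

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in that behaves like the sites in the thread."""
    def do_GET(self):
        hit = "google." in self.headers.get("Referer", "")
        self.send_response(302 if hit else 200)
        if hit:
            self.send_header("Location", "http://redirect.invalid/")
        self.end_headers()
        self.wfile.write(b"" if hit else b"<html>normal page</html>")

def demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return referer_check("http://127.0.0.1:%d/" % server.server_port)
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(demo())
```

To check a hosted site, call `referer_check()` with its URL from a machine outside the server. A redirect performed by client-side JavaScript that is served to every visitor will not show up in either flag.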
  9. maquinadigital

    I had the IFRAME problem, but I'm now having one other problem, similar to this one.

    The websites' files (several websites on my server) are OK and not changed, but when entering them from the browser, a JavaScript is there.

    Restarting Apache solves the issue (temporarily).

    Somebody told me about code injection to the shared memory or something.

    Maybe suPHP will help. Will try this weekend.

    Do you have suPHP installed?

    Best regards
     