The Community Forums


Mailware in my website

Discussion in 'Security' started by josua_aja, Feb 1, 2012.

  1. josua_aja

    josua_aja Registered

    I'm a network and web administrator.

    This morning I got an email from abuse@...

    Code:
    Dear abuse-team,
    >
    > malware seems to be hosted at 202.51.119.151, accessible via
    > http://mycompany.com/concrete/config/gendeng/Ckrid.txt
    >
    > PLEASE DO NOT JUST DELETE THAT FILE:
    > YOUR WEBSPACE HAS BEEN COMPROMISED - YOU NEED TO FIX YOUR SECURITY
    > LEAK OR YOU WILL HAVE FURTHER MALWARE THERE SOON.
    >
    > Check your webspace for old unsecure software-installations and do not
    > forget to check your ftp-transferlogfiles also.
    >
    > The mentioned file contains code that has been used for cross-site
    > scripting attacks on our servers.
    > (See Cross-site scripting - Wikipedia, the free encyclopedia )
    >
    > Please check how one was able to upload it.
    > Usually you can find further unwanted/uploaded code on your webspace.
    >
    > Please take care.
    >
    > The recipient address of this report was provided by the Abuse Contact
    > Database of abusix.org. If you have any question or think the
    > recipient address might be wrong, contact abusix.org directly via
    > email (info@abusix.org). Further information about the Abuse Contact
    > Database can be found here:
    >
    > /http://abusix.org/services/abuse-contact-db
    >
    > abusix.org is neither responsible nor liable for the content or
    > accuracy of this message.
    >
    >
    > Regards,
    > Hosteurope Abuse
    I'm a newbie in CentOS. My company uses CentOS as the OS for cPanel.

    So what steps must I take to secure my website?

    Anyone please help me...
     
  2. NixTree

    NixTree Well-Known Member

    Hello,

    Initially you have to find how the vulnerable content has been uploaded to your webspace (it may be via FTP, web, cPanel File Manager, etc.). After finding the source of this issue, you have to take the necessary actions to stop the hacker abusing the same security hole again. You can check the corresponding log file to find this!

    Also upgrade the application and associated plugins you use for this account to the latest stable versions! If you use custom code, consult your programmer and make sure that the source code is free from vulnerabilities!

    Make sure no directory exists with permission 777 and no file with 666. If any exist, change them to 755 and 644 respectively! (If you use DSO and need Apache to write into the directory / file, change the group ownership to nobody and set 775 for the directory and 664 for the file; don't give 777 or 666.)

    If you haven't enabled Mod Security yet on your server, enable it. You can enable it via the EasyApache script.

    Change all the passwords associated with the hacked account, and the new ones should be a combination of numerics, characters and symbols!

    Use CSF and tune it, which will help you to make your server safe up to an extent.

    Thank you,
    Nibin.
     
    #2 NixTree, Feb 2, 2012
    Last edited: Feb 2, 2012
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You really should hire a professional if you're unsure of the way forward. You should not leave security tweaking (or disaster recovery for that matter) to suggestions offered on a forum, IMO.
    Here's a link you should find useful in that regard:
    Dev & Sys Admin Services « Application Catalog
     
  4. josua_aja

    josua_aja Registered

    Thank you for your response, Nibin...

    But how can I find how the vulnerable content has been uploaded to your webspace (it may be via FTP, web, cPanel File Manager, etc.)?

    Please teach me in detail what I should do to check it.
     
  5. NixTree

    NixTree Well-Known Member

    Hello,

    I would like to echo Infopro: if you are unsure about how to proceed further to find out the cause of the vulnerability, better consult a SysAdmin service at the earliest.

    FYI - we can find whether a file was uploaded via FTP using the following steps:

    1. Run "ls -l <file name>" from SSH and find when the file was created / uploaded.

    2. When you have the date of the vulnerable file's creation, find the /var/log/messages log corresponding to the matching date and time (say /var/log/messages.1).

    3. After finding the right log file, run "grep <user> /var/log/messages.1". This will display all the FTP activities of the user in that log (plus possibly some other logs like SSH, etc.). You can easily find the FTP transactions if you carefully read the filtered log file...

    Again, if you are unsure how to track these things, hire a sysadmin service and they will be able to help you resolve this asap!

    Thank you,
    Nibin.
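The three steps above, as an added example that is not code from the post: shell functions that take the reported file's modification time, pick the matching day, and filter that account's pure-ftpd lines (logins carry the source IP, "uploaded" lines name the dropped files). It assumes GNU coreutils (`stat -c`, `date -d`), pure-ftpd's default syslog line format, and a constructed sample log in place of the real /var/log/messages.

```shell
#!/bin/sh
# Added example, not code from the forum post: NixTree's three steps as
# shell functions, run here against a constructed log so it works offline.
# Assumes GNU coreutils (stat -c, date -d) and pure-ftpd's default syslog
# lines in /var/log/messages (pure-ftpd is cPanel's default FTP daemon).

# Step 1: modification time of the reported file, formatted like a syslog
# timestamp ("Feb  1"; %e keeps the padding space so it matches the log).
file_mtime_day() {
    date -d "@$(stat -c %Y "$1")" '+%b %e'
}

# Steps 2 and 3: lines for that day that belong to the account, covering
# both the login line ("user is now logged in", which carries the source
# IP to block and report) and the per-transfer lines ("(user@ip) ... uploaded").
ftp_activity_for_user() {
    user="$1"; day="$2"; log="$3"
    grep -- "^$day " "$log" | grep -F 'pure-ftpd' \
        | grep -E "\\(${user}@| ${user} is now logged in"
}

# Only the uploads: these are the candidate malicious files to review.
ftp_uploads_for_user() {
    ftp_activity_for_user "$1" "$2" "$3" | grep -F ' uploaded '
}

# Constructed sample of /var/log/messages (not a real capture): one account
# uploads the reported file, another account is ordinary noise.
sample_log() {
    cat <<'EOF'
Feb  1 02:58:12 srv pure-ftpd: (?@203.0.113.9) [INFO] josua is now logged in
Feb  1 02:58:40 srv pure-ftpd: (josua@203.0.113.9) [NOTICE] /home/josua//public_html/concrete/config/gendeng/Ckrid.txt uploaded  (6078 bytes, 41.2KB/sec)
Feb  1 09:10:02 srv pure-ftpd: (other@198.51.100.4) [NOTICE] /home/other//public_html/index.html uploaded  (912 bytes, 10.1KB/sec)
Feb  2 01:00:00 srv pure-ftpd: (josua@203.0.113.9) [NOTICE] /home/josua//public_html/x.php uploaded  (300 bytes, 5.0KB/sec)
EOF
}

# Real use: ftp_uploads_for_user <user> "$(file_mtime_day <file>)" /var/log/messages.1
```

Note that mtime is only a starting point: an attacker can reset it with `touch`, so if the day has no matching FTP lines, widen the date range and check the web server access log for POSTs to the same directory.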
     
  6. minosjl

    minosjl Well-Known Member

    Dear bro,

    Can you please tell us whether you got this mail from another hosting provider or from the server?
     
  7. josua_aja

    josua_aja Registered

    Thank you for the answer, Nibin. I'll try what you suggested.

    I get this email from my internet provider, minosjl.
     