
My server has been hacked again. Please Help me!

Discussion in 'Security' started by hackboys, Nov 21, 2009.

  1. hackboys

    hackboys Active Member

    Joined:
    Feb 12, 2008
    Messages:
    31
    Likes Received:
    1
    Trophy Points:
    8
    Hi there,
    I had my server hacked. I found this script that was run as root:

    [snipped]


    How can I defend my server from this script (Back Connect Backdoor)?
     
    #1 hackboys, Nov 21, 2009
    Last edited by a moderator: Nov 21, 2009
  2. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    Are you literally running RH9? That is an incredibly old release that is open to who knows how many exploits.

    If the attacker gains root it is hard to block them from doing much. A properly configured firewall can help block a backdoor like that from working but if they have root wiping the iptables rule would allow it to work.

    What kernel were you running when you got exploited? You probably need to update it or get an entirely new OS.
     
  3. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for posting this, now even more hackers will have that backdoor and exploits.

    Seriously dude, you still have a RH 9 install disk? That belongs in a museum.

    RH9 was released like 5 years ago, and even at that time it wasn't that good. The RH series was totally discontinued after that, and is now RHE. RHE 5 is out, or if you want a free OS go with CentOS 5.
     
    #3 BianchiDude, Nov 21, 2009
    Last edited by a moderator: Nov 21, 2009
  4. madaboutlinux

    madaboutlinux Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    1,052
    Likes Received:
    2
    Trophy Points:
    38
    Location:
    Earth
    Your server is definitely rooted and cannot be cleaned up. The best way is to re-install the machine and apply some security tweaks.

    The most important is your kernel, which needs to be kept updated, as such rootkits are uploaded using a security hole in the kernel. You can then enable Apache suexec, PHP suexec, enable open_basedir, disable some PHP functions using which server-side commands can be executed, install CSF firewall, mount /tmp and /dev/shm with noexec,nosuid mode, and a few other important changes.
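    An added example (not code from the thread or from cPanel) that audits two of the hardening steps listed above: whether /tmp and /dev/shm are mounted noexec,nosuid, and whether php.ini sets open_basedir and lists the command-execution functions in disable_functions. The sample inputs are constructed, and the php.ini path used in live mode is an assumption.

```shell
#!/bin/sh
# Added audit helper for the hardening steps in the post above (not from the thread).
# Reads /proc/mounts-style text and php.ini text; sample inputs below are constructed.

# check_mount_opts "<mounts text>" <mountpoint>: "ok"/0, or what is missing/1.
check_mount_opts() {
  mounts=$1; mp=$2
  line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; exit }')
  if [ -z "$line" ]; then
    echo "$mp: not a separate mount (cannot carry its own noexec,nosuid)"; return 1
  fi
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  missing=""
  for o in noexec nosuid; do
    case ",$opts," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
  done
  if [ -n "$missing" ]; then echo "$mp: missing$missing"; return 1; fi
  echo "$mp: ok"
}

# check_php_ini "<php.ini text>": open_basedir must be set and the baseline
# command-execution functions must appear in disable_functions.
check_php_ini() {
  ini=$1; rc=0
  basedir=$(printf '%s\n' "$ini" | sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' | head -n 1)
  if [ -z "$basedir" ]; then echo "open_basedir: not set"; rc=1; fi
  disabled=$(printf '%s\n' "$ini" | sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' | head -n 1 | tr -d ' ')
  for f in exec passthru shell_exec system popen proc_open; do
    case ",$disabled," in
      *",$f,"*) ;;
      *) echo "disable_functions: $f still enabled"; rc=1 ;;
    esac
  done
  if [ "$rc" -eq 0 ]; then echo "php.ini: ok"; fi
  return "$rc"
}

# Constructed sample inputs: /dev/shm lacks noexec, php.ini leaves popen/proc_open on.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0'
SAMPLE_PHP_INI='disable_functions = exec,passthru,shell_exec,system
open_basedir ='

# Audit the live box with: sh audit.sh --live (php.ini path is an assumption).
if [ "${1:-}" = "--live" ]; then
  check_mount_opts "$(cat /proc/mounts)" /tmp
  check_mount_opts "$(cat /proc/mounts)" /dev/shm
  check_php_ini "$(cat /usr/local/lib/php.ini)"
fi
```

    Note that an attacker who already has root can remount or edit these settings, as eth00 points out above, so the checks only confirm the baseline on a freshly rebuilt box.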
     