mohannad1982 (Registered, joined May 13, 2017, Russia, cPanel Access Level: Root Administrator)
Hello!!
A few days ago I found a C99 shell in my files, in this path: /home/user/
So I deleted it and installed maldet so I could scan the server and delete all patches or shells.
After that I saw that my site was being redirected to another site, to a page that included AdSense ads. I scanned the server one more time and found that the hackers had modified one of the JavaScript files with another one..
Yesterday I tried to secure all files with chattr +i /path, so I thought that this would solve my problem, but the redirection to the hacker's site stopped for only 2 hours, and then he redirected my site again..
I have 4 million traffic a month, and I am losing all 15 years of work on my site.
(The site is in the Arabic language.)
So what else can I do, and why did it happen after I secured the files?
Thanks

Ibrahim S (Registered, joined May 13, 2017, UK, cPanel Access Level: Root Administrator)
Asalaam Alaikum,

They must have an encrypted backdoor. I would recommend that you turn off "file_uploads" in PHP and ensure that you don't have "exec" as well.

Let me know if you need any further help.

Sincerely,

24x7server (Well-Known Member, joined Apr 17, 2013, India, cPanel Access Level: Root Administrator)
Hi,

It looks like the account is compromised.

1. Change the password of the account immediately (cPanel, FTP, etc.).
2. Scan the complete directory of your account.
3. Secure your website, so code cannot be manipulated in it.

There is a chance that some code has been injected which will trigger from time to time and put you in the same situation again..

Maldet will not detect everything; try switching to different solutions too.
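One practical way to carry out step 2 repeatedly, and to catch code that is re-injected later, is a file-integrity baseline of the web root. The script below is an added example, not code from this thread, from cPanel or from maldet; it assumes the tree is known-clean when the baseline is taken, keeps the baseline JSON outside the web root, and builds a constructed sample site in a temporary directory to show the report.

```python
# Added example: SHA-256 baseline of a web root, then diff on later runs.
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def save_baseline(root, path):
    """Write the current tree digests to a JSON file kept outside the web root."""
    with open(path, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)


def compare_baseline(root, path):
    """Return (added, removed, modified) relative paths versus the saved baseline."""
    with open(path) as fh:
        old = json.load(fh)
    new = hash_tree(root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return added, removed, modified


def _write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Constructed web root: baseline it, then simulate tampering and report the diff."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "js", "site.js"), "console.log('site');\n")
    _write(os.path.join(root, "index.php"), "<?php echo 'hello'; ?>\n")
    baseline = root + "-baseline.json"  # stored beside, not inside, the web root
    save_baseline(root, baseline)
    # Simulated tampering (constructed, not real malware): edit the script, drop a new file.
    _write(os.path.join(root, "js", "site.js"), "// injected line\n", mode="a")
    _write(os.path.join(root, "c99.php"), "<?php /* placeholder */ ?>\n")
    return compare_baseline(root, baseline)
```

Run `save_baseline` once on the clean, restored site and `compare_baseline` from cron; any file listed as added or modified outside a deploy is what to inspect next, together with the access logs for that time window.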

mohannad1982 (Registered, joined May 13, 2017, Russia, cPanel Access Level: Root Administrator)
@24x7server
Hello Bro, I did all the things that you said; also I deleted the old site and now I work with the original one..
Also..
I disabled SSH Password Authorization and I work with root's SSH keys. I noticed that when I restart the ssh service I receive something like this: (May 15 13:24:52 server1 sshd[22330]: Received disconnect from 88.247.250.201: 11: Bye Bye)
And when I block this IP, after 1 hour I restart the ssh service and find the same message but with another IP..
Also I notice that when I login to the account from root..
List Accounts > (the account), after that cPanel opens. I have retro style, so when cPanel opens, it opens in the root, not in public_html (as I set it up in settings).
I think that I have been completely hacked. Is there any way to fix it without formatting the server?
Thanks

cPanelJasonT (Level 2 Technical Analyst, Staff member, joined Oct 21, 2014, cPanel Access Level: Root Administrator)
Hello,
The suggestions provided in this thread for removing the malware and restricting access are good suggestions. One could speculate on common methods (e.g. symlink attack), but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. There is a thread here where a similar question is asked:

Log Files To Check After Account Hacked

As far as security going forward after you have reinstalled the OS and cPanel and restored the accounts, the following document is a good place to start:

Security - cPanel Knowledge Base - cPanel Documentation