Server Hacked - Need to restore files

Discussion in 'General Discussion' started by flashweb, Jan 19, 2004.

  1. flashweb

    flashweb Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    243
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Hi,

    My server is hacked and I am going to get the OS reinstalled.

    I am uploading the contents of

    /home/backup/cpbackup/weekly/*.*

    to a remote FTP server.

    Will I be able to restore this after I get the OS reinstalled?

    How do I restore these backup files?

    Thanking you,

    Yujin
     
  2. blaze64

    blaze64 Well-Known Member

    Joined:
    Feb 5, 2003
    Messages:
    159
    Likes Received:
    0
    Trophy Points:
    16
  3. flashweb

    Thanks for the link.

    Hope this will save me a lot of time.

    Just for information, can I just put the siteusername.tar.gz files in the new server's backup location, like

    /home/backup/cpbackup/weekly/*.tar.gz

    Will I be able to restore accounts through WHM?
     
  4. flashweb

    I got the OS reloaded and did everything. It worked fine.

    But I forgot to use chkrootkit.

    I checked after I had fully finished the server and found it infected by Suckit and bindshell (Port 465).

    I already have a lot of downtime, so I am thinking of getting another server and moving the sites through WHM A/c Transfer.

    Is this method safe for transferring sites from the infected server?

    If I use WHM Transfer, will my reseller a/c get created on the new server as before?
     
  5. Mani

    Mani Well-Known Member

    Joined:
    Dec 22, 2003
    Messages:
    117
    Likes Received:
    0
    Trophy Points:
    16
    bindshell (Port 465)

    is a false alert from chkrootkit; you don't have to be worried about it.
     
  6. flashweb

    How do I block this port with iptables?
     
  7. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    I've received a BINDSHELL (ports 465) report as INFECTED from chkrootkit. Is it normal? Also, chkrootkit wrote that I have "possible Slaper Worm installed".

    Do I have to do something?
     
  8. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    Bindshell is usually safe BUT that slapper is a real worm.

    http://www.cert.org/advisories/CA-2002-27.html

    It looks like you could probably safely remove it BUT you would need to be very careful. Apparently slapper is self-propagating, so it probably is installed in the default places. Whatever the case, you need to look at doing something soon; this worm is scanning for more hosts to infect until you do something, which could get your ISP to shut you down.
     