The Community Forums


Server hacked, what to do, need advice

Discussion in 'Security' started by mmarch, Mar 17, 2010.

  1. mmarch

    mmarch Active Member

    Joined:
    Jan 15, 2009
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    I have a server with WHM installed, under which I host some of my Joomla projects. Two days ago my server was down; I contacted my data centre and they told me that the server was hacked from Germany, and that they fixed it. I have no idea what they did, as they just told me it's fixed. Now I have the same situation: the server is down, I am able to ping the IP address, but I am not able to log in via SSH.

    Worst of all, data centre support will only be working tomorrow; I must wait 9 hours. But the server is down.

    Could someone please point me to what I must do to avoid this in future, how I am able to restart the server if I am not able to log in, and what I must ask my data centre?
     
  2. Datacenter1.com

    Joined:
    Oct 28, 2005
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    /local/bar
    I'm sorry to hear about your server being down, but if your provider can't help for 9 hours, I would start looking around for a new provider and hire someone for server hardening.
     
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I wholeheartedly agree with what Datacenter1.com said about finding a new provider, as you definitely need 24-hour around-the-clock support for issues such as hardware failures or other matters where you need critical support right away; if they are not providing that, I would definitely be looking elsewhere.

    Now, regarding the matter of your security: if your data center did not say what they did or what the problem was, I would be seriously concerned with their handling of the matter or their competence, particularly given that you now say you have been "hacked again".

    Did they run scans for exploits? Rootkits? Etc?

    What exactly was done after the first attack?

    Now, granted, most data center technicians are not security experts, but they should have at least told you what they did towards trying to resolve your situation or what they found out about your server.

    Fortunately, you do not have to wait for them to open, and I am sorry I did not see your post 2 hours ago, because I certainly would have responded then, as I can get to the bottom of how your server was hacked and what problems you have, and help you take the necessary steps to make sure you don't go through this all over again a third time.

    At this point you need a detailed, intensive assessment of your server, because if it's been compromised twice now, there is a very high probability that your server has already been rooted, and that is something you most certainly need to know ASAP. Depending on your server's current situation you may or may not look at reloading things, and you definitely want to do a full security review and closely examine all your activity logs everywhere.
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Addendum note:

    You say that you are not able to SSH at the moment, but are you able to connect to your WHM? If so, you could still do a whole lot.

    Also, does your provider have any controls that you can log in to, such as power down (**HINT**), reboot, or remote console?

    If you can get into at least part of your server, you can cut off other access and then work on regaining full control from there.
     
  5. mmarch

    mmarch Active Member

    Joined:
    Jan 15, 2009
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    1. No, I am not able to connect any way, not through WHM or SSH.
    2. I have no idea about that; I will ask them.
    3. I am not familiar with Linux at all. They are renting me a server with service, and after the first problems they told me that the server was hacked, but they fixed it. How they hacked it, I have no idea. He told me that to find out more I must check the SQL logs. I checked, but in this log file via WHM there were just 2 records. My fault, I didn't contact the data centre, as I was busy all day; we live in separate time zones.
    I just returned to the PC and found that the server is dead again.
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Based on what you just said, it sounds like they believe the exploit was done via SQL injection, though if that is actually the case, you would remain vulnerable as long as you still had the same exploitable script, which means something you've got needs some updating or patching.

    However, if it were simply SQL injection alone, that is not likely to bring down the entire server in the manner you are describing, so it sounds a lot more like DDoS than anything at this point, or some kind of combination, especially if the server has already been root compromised.
     