Server Hacked

[SimonrFrance]

Sir,

Our server is hacked and hacker uploaded following 3 files in website main folder.

1- index.html
2- index.php
3- x.html

For example:
www.abc.com/index.html
www.abc.com/index.php
www.abc.com/x.html

Query 1:
He uploaded only in main website folder. Almost 300 websites are hosted on this server. How i can delete these 3 files from 300 folders by command?

Query 2:
How i can check how hacker got access to do this?

Regards,
FHS

 

[sahostking]

Hacked probably got through FTP Access.

I'm sure some of the guys here could assist with some bash script to do this but this may assist:
linux - Deleting files based on Substring match - Stack Overflow

 

[SimonrFrance]

Hi,

Thank you for your reply. Normally hacker upload index file to deface site. So therefore i want to keep backup of ALL index files of customers websites.

Do you know some bash script to keep index files backup? index.html , index.htm and index.php ?

Regards,
FHS

 

[cPanelMichael]

Hello

I suggest consulting with a qualified system administrator or security specialist because it's possible your server was rooted if files were uploaded to all of your accounts. It's generally recommended to reinstall the Operating System and restore the accounts if your server has been hacked at the root level.

Thank you.

 

[Schottkey]

You must verify the access log of the server. It should be in /usr/local/apache/domlogs/ folder and the name of the file should be the name of the domain name (for exemple: abc.com)

For removing the files:

find . -name index.htm -exec echo {} \;

Where echo command (print to screen) can be replace with copy, move or remove command.

Best regards,
Schottkey

 

[SimonrFrance]

Hi,

Thank you for your reply. Server administrator is saying that hacker used 0day CentOS kernal exploit to hack it.
Now administrator updated the kernal and rebooted the server. But he is unable to cath the hacker, or how he initiated the process.

So therefore i need your help in following matters,
1) Hacker upload index.html or index.php files to deface website. To restore these pages we should keep backup of these index pages. So i want to use some bash script to make only index files backup on server somewhere on weekly basis (like backup). I tried to find the some script but didn't understand them,
a) A Shell Script to fix index injuction - restore from Cpanel backups - Web Hosting Talk
b) Script to Backup files - The UNIX and Linux Forums

2) How to catch hacker? how he got access? which account he used to exploit?

I will be very thankful to you.

regards,
FHS

 

[24x7server]

In these kind of hacking hacker's replace pages using FTP service, I think you will get index pages as well as .htaccess upload logs in messages. I will not be able to help you with specific bash script that you needed, but would suggest you to keep your directory listing disabled on server.

As well as I would suggest you to check if there are PHPShell files available on your server, sometime you will see root symlinks in multiple accounts which is the most dangerous part.

For securing your server I will strongly suggest you to use CXS app on your server which will help you to find our most of the exploits.

 

[quizknows]

likely the semtex.c root exploit was used, I've seen that a lot lately. This means one website was hacked, and that access (paired with an outdated kernel) was used to get root. Once they have root they run a local script usually called mass.pl or mass.txt to replace all index files.

An updated kernel is a good step, however, you should re-image your host. By this I mean install a clean new operating system, and migrate your accounts to that host. Without doing this you have no guarantee that a backdoor was not left while the hacker had root

As far as finding the site they got into in the first place, search for files like mass.pl or mass.txt, and also run a maldet scan for cmdshells.

 

[Schottkey]

If your server was hacked you must know what door was open and closed because will be a next time. Do you have joomla installed in your server ? or other CMS ?

Is the apache server configured as DSO or suPHP, please see the post 1257931