Site getting hacked every day

amorosso (Active Member, Aug 29, 2009)

Hi everyone. I need some help. My site keeps getting hacked into. I have had this issue for a while now. I changed servers and IPs, and even added a hardware firewall. What's happening is that someone keeps hacking the index.php file. I just don't know what to do now.

My OS is CentOS 5.4 i686 standard.

Any help would be awesome.
 

GaryT (Well-Known Member, May 19, 2010)

My first thought would be to check what kernel you're on and make sure it's patched.

Second thought is, if the kernel is patched and your system is clean, change the email of the account, as if your mail was hacked they can be recovering things.

Third option is, if you were hacked and such, make sure you do not have crazy 777 permissions, and if it's MySQL driven, make sure you have no remote MySQL in place where they can be pulling the data.

I assume it's your own server. Make sure there is no other user, use very strong passwords, disable root logins... Much, much more, but there is no way of explaining without actually looking at things.
 

maever (Active Member, Sep 26, 2005)

Hello amorosso,

The way you describe it, it sounds like you have a PHP exploit in your code.
If this is the case, then neither changing ISPs nor adding a firewall will work (though enabling mod_security + Suhosin might help; these are security modules which prevent a lot of common PHP exploits, but there will be plenty of holes left).

If you want, you can send me your index.php file through a private message and I can take a look at it. I work as a hosting manager for a web hosting company, and I deal with issues like these daily.

If a PHP exploit is the case, then changing passwords will not solve it.
Though I'm wondering: are you hosting your own cPanel/WHM server, or are you simply a user?
 

Infopro (Well-Known Member, May 20, 2003)

Pennsylvania, cPanel Access Level: Root Administrator

maever said:
> Hello amorosso,
>
> The way you describe it, it sounds like you have a PHP exploit in your code.
> If this is the case, then neither changing ISPs nor adding a firewall will work (though enabling mod_security + Suhosin might help; these are security modules which prevent a lot of common PHP exploits, but there will be plenty of holes left).
>
> If you want, you can send me your index.php file through a private message and I can take a look at it. I work as a hosting manager for a web hosting company, and I deal with issues like these daily.
>
> If a PHP exploit is the case, then changing passwords will not solve it.
> Though I'm wondering: are you hosting your own cPanel/WHM server, or are you simply a user?

Wouldn't we expect a bit more damage than a defaced index.php if it was a PHP exploit, as you suggest it could be?
 

maever (Active Member, Sep 26, 2005)

Hard for me to judge the damage considering the little information available to me. It's not even clear if it's a defaced site.
Perhaps amorosso could clear the air and explain in more detail :)

A good secure environment with suPHP compiled with Suhosin + mod_security and "dangerous" functions disabled (ini_set, exec, shell_exec, passthru, system, etc.) will leave little room for serious exploits.

A hacked site does not have to be a hacked server.
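As an added example (not code from the thread, from cPanel or from any of the posters), here is a small POSIX shell check for the "dangerous functions disabled" part of the advice above: it reads the effective disable_functions line of a php.ini and reports which of the listed functions are still enabled. The two php.ini fragments are constructed samples; to audit a real server, point missing_disabled at its php.ini (on cPanel boxes of that era commonly /usr/local/lib/php.ini, an assumption you should confirm with `php --ini`).

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini for the "dangerous"
# PHP functions named in the post and report which ones are not disabled.

# Functions the post recommends disabling.
WANT="ini_set exec shell_exec passthru system"

# missing_disabled FILE
#   Prints, one per line, the functions from WANT that FILE's last
#   (i.e. effective) disable_functions line does not cover.
#   Prints nothing when all of them are disabled.
missing_disabled() {
    ini="$1"
    # keep only the value, drop spaces and quotes, one function per line
    have=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | sed 's/^[^=]*=//; s/[[:space:]"]//g' | tr ',' '\n')
    for fn in $WANT; do
        printf '%s\n' "$have" | grep -qx "$fn" || echo "$fn"
    done
}

# Constructed sample 1: only two of the five functions are disabled.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
; constructed php.ini fragment (weak)
disable_functions = exec, system
EOF

# Constructed sample 2: the full list from the post is disabled.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
; constructed php.ini fragment (hardened)
disable_functions = "ini_set, exec, shell_exec, passthru, system"
EOF

echo "still enabled in weak sample:"
missing_disabled "$SAMPLE_WEAK"     # ini_set, shell_exec, passthru
echo "still enabled in hardened sample:"
missing_disabled "$SAMPLE_OK"       # (nothing)
```

Two caveats before copying the hardened list onto a live server: a great many PHP applications call ini_set() at startup, so disabling it can break sites outright (test on a staging copy first), and the file on disk is only half the story, since `php -i | grep disable_functions` shows the value PHP actually loaded, which is what matters.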
 

amorosso (Active Member, Aug 29, 2009)

maever said:
> Hard for me to judge the damage considering the little information available to me. It's not even clear if it's a defaced site.
> Perhaps amorosso could clear the air and explain in more detail :)
>
> A good secure environment with suPHP compiled with Suhosin + mod_security and "dangerous" functions disabled (ini_set, exec, shell_exec, passthru, system, etc.) will leave little room for serious exploits.
>
> A hacked site does not have to be a hacked server.

Thanks everyone. No, I have a dedicated server with cPanel/WHM. I did follow
http://forums.cpanel.net/f185/beginners-guide-securing-your-server-30159.html just last night. So far so good.

But what is, or was, happening is that someone is changing any or all index.php files just by adding to them. For the most part I just rewrite the file or remove what they added. At one time they even changed my java files. I have had my own server with the sites for over three years without any issues. Until now, that is.
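The symptom in this post (index.php files silently getting content appended) is exactly what a file-integrity baseline catches. As an added example, not code from the thread or from cPanel, the shell below records a SHA-256 manifest of every index.php under a document root, reports any file whose hash later differs, and also lists world-writable files (GaryT's "crazy 777 permissions" point from earlier in the thread). DOCROOT is a constructed temporary tree standing in for something like /home/<user>/public_html, and sha256sum from GNU coreutils is assumed to be present, as it is on CentOS.

```shell
#!/bin/sh
# Added example, not from the thread: hash baseline for index.php files plus a
# world-writable file check, run against a constructed sample site.

# make_baseline DOCROOT MANIFEST
#   Hashes every index.php below DOCROOT into MANIFEST ("hash  path" lines).
make_baseline() {
    find "$1" -type f -name 'index.php' -exec sha256sum {} + > "$2"
}

# check_baseline MANIFEST
#   Prints the path of every file whose hash no longer matches the manifest
#   (or which is missing). Prints nothing if all files are intact.
check_baseline() {
    sha256sum -c "$1" 2>/dev/null | grep -v ': OK$' | sed 's/: FAILED.*$//'
}

# world_writable DIR
#   Prints every regular file below DIR that any local user can write to,
#   i.e. the 777-style permissions the thread warns about.
world_writable() {
    find "$1" -type f -perm -002
}

# Constructed sample site with two index.php files (mode 644 by default).
DOCROOT=$(mktemp -d)
mkdir -p "$DOCROOT/public_html/blog"
printf '<?php echo "home"; ?>\n' > "$DOCROOT/public_html/index.php"
printf '<?php echo "blog"; ?>\n' > "$DOCROOT/public_html/blog/index.php"
# In real use keep the manifest outside the docroot and root-owned, so that
# whoever can write the site files cannot also rewrite the baseline.
MANIFEST="$DOCROOT/index.sha256"
make_baseline "$DOCROOT" "$MANIFEST"

# Constructed change of the kind the post describes: a line appended to one
# file, and that same file left world-writable.
printf '<!-- constructed appended line -->\n' >> "$DOCROOT/public_html/blog/index.php"
chmod 777 "$DOCROOT/public_html/blog/index.php"

echo "changed since baseline:"
check_baseline "$MANIFEST"          # .../public_html/blog/index.php
echo "world-writable files:"
world_writable "$DOCROOT"           # .../public_html/blog/index.php
```

Run make_baseline once after you have confirmed the files are clean, then run check_baseline from cron (every few minutes is cheap for a handful of files) and have it mail you the output; the first alert gives you a timestamp to line up against the Apache access log and FTP/cPanel login logs, which is how you find out which path the changes are coming in through rather than just cleaning up after them.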
 

GaryT (Well-Known Member, May 19, 2010)

Do not take any offence here, but to be honest those guides are basic. There is much, much more to it for security and such.

The first thing I would do is work on SSH security: disable root login, change the port, and password authentication.

When the files have stopped being changed, then you know they may be struggling to get access. Now you work on extra security and harden the PHP.
 

maever (Active Member, Sep 26, 2005)

I agree with GaryT, the guide is a good start, but not enough.

I'll give you a bit of basic advice concerning server security; this should lead to a setup which is fairly safe.
Changing SSH to a custom port is a good move.
This can be achieved by editing /etc/ssh/sshd.conf. Disabling root login is a good idea, but one I consider a bit optional.

Although managing a server is fun, you have to be aware that you will need to spend time messing around with the security. If you don't want this, you could simply get a reseller account at a hosting provider, with nearly all the same rights.

What I recommend is the following:
* Use the EasyApache builder and rebuild Apache with mod_security and Suhosin.
(Be aware that you might have to tweak Suhosin; it will limit PHP variables and POST values, which is good.)
* Get CSF (free!) from ConfigServer Services. It's a pretty straightforward install, and it has a security overview of your server; be sure to follow that guide as extensively as possible. (Be sure you open all your desired ports in the firewall.) It is added as a plugin in your WHM.
* Get suPHP; it eats a lot of CPU but is a lot safer.

By the way, I still think that this problem might be caused by a PHP exploit.
Could you send me your index.php in a private message?

I am willing to help you set this up;
send me a private message if you want.
 

Infopro (Well-Known Member, May 20, 2003)

Pennsylvania, cPanel Access Level: Root Administrator

maever said:
> Hard for me to judge the damage considering the little information available to me. It's not even clear if it's a defaced site.
> Perhaps amorosso could clear the air and explain in more detail :)
>
> A good secure environment with suPHP compiled with Suhosin + mod_security and "dangerous" functions disabled (ini_set, exec, shell_exec, passthru, system, etc.) will leave little room for serious exploits.
>
> A hacked site does not have to be a hacked server.

I thought this part from the original post explained it well enough to suggest what I did above:
> What's happening is that someone keeps hacking the index.php file
 

GaryT (Well-Known Member, May 19, 2010)

Another suggestion is to use brute-force detection, and use CSF to block port scans after 5 attempts; that would limit them to next to nothing.

When changing the port I would suggest something out of the norm: keep it out of the 4-digit range and go higher.
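The SSH advice in this thread (GaryT: disable root login, change the port, turn off password authentication; maever: a custom port; and the note just above about going beyond four digits) boils down to three sshd_config settings. As an added example, not code from the thread, from cPanel or from the posters, the shell below audits a config file for those three settings. The two config files are constructed samples; on CentOS the real file is /etc/ssh/sshd_config, and sshd uses the first occurrence of each keyword, which is what sshd_value returns.

```shell
#!/bin/sh
# Added example, not from the thread: check an sshd_config for a custom port
# above the four-digit range, PermitRootLogin no and PasswordAuthentication no.

# sshd_value FILE KEY
#   Prints the value of the first uncommented KEY line (sshd keeps the first
#   occurrence of a keyword), or nothing if KEY is commented out or absent.
sshd_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# audit_sshd FILE
#   Prints one finding per line; prints nothing when all three checks pass.
audit_sshd() {
    cfg="$1"

    # Port: must be an explicit number between 10000 and 65535.
    port=$(sshd_value "$cfg" Port)
    port_ok=0
    case "$port" in
        *[!0-9]*|'') ;;
        *) if [ "$port" -ge 10000 ] && [ "$port" -le 65535 ]; then port_ok=1; fi ;;
    esac
    if [ "$port_ok" -eq 0 ]; then
        echo "Port: use a custom port between 10000 and 65535 (found: ${port:-default 22})"
    fi

    # Root must not be able to log in over SSH at all.
    if [ "$(sshd_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin: should be no"
    fi

    # Passwords off means brute forcing has nothing to guess; use keys instead.
    if [ "$(sshd_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PasswordAuthentication: should be no (log in with keys instead)"
    fi
}

# Constructed sample 1: stock-looking config, everything at the defaults.
CFG_DEFAULT=$(mktemp)
cat > "$CFG_DEFAULT" <<'EOF'
# constructed sshd_config: defaults left in place
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: the three settings the thread recommends.
CFG_HARDENED=$(mktemp)
cat > "$CFG_HARDENED" <<'EOF'
# constructed sshd_config: hardened
Port 28422
PermitRootLogin no
PasswordAuthentication no
EOF

echo "findings for default config:"
audit_sshd "$CFG_DEFAULT"       # three lines, one per setting
echo "findings for hardened config:"
audit_sshd "$CFG_HARDENED"      # (nothing)
```

Order matters when you apply this on a live box: open the new port in CSF first, run `sshd -t` to syntax-check the edited file, restart sshd, and confirm a key-based login on the new port from a second terminal before closing the session you are working in; otherwise a typo locks you out of your own server.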