The Community Forums


Site getting hacked everyday

Discussion in 'Security' started by amorosso, Sep 29, 2010.

  1. amorosso

    amorosso Active Member

    Hi everyone. I need some help. My site keeps getting hacked into. I have had this issue for a while now. I changed servers, IPs and even added a hardware firewall. What's happening is that someone keeps hacking the index.php file. I just don't know what to do now.

    My OS is CentOS 5.4 i686 standard.

    Any help would be awesome.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    My first thoughts would be to scan your home computer with a tool like this and once you're sure you're clean, set a very hard to guess password. cPanel's built in Password Generator can help here.
     
  3. GaryT

    GaryT Well-Known Member

    My first thought would be to check what kernel you're on and make sure it's patched.

    Second thought is, if the kernel is patched and your system is clean, change the email of the account, as if your mail was hacked they can be recovering things.

    Third option is, if you were hacked and such, make sure you do not have crazy 777 permissions, and if it's MySQL driven, make sure you have no remote MySQL in place where they can be pulling the data.

    I assume it's your own server. Make sure there is no other user, use very strong passwords, disable root logins... Much, much more, but there is no way of explaining without actually looking at things.
     
  4. maever

    maever Active Member

    Hello amorosso,

    The way you describe it, it sounds like you have a PHP exploit in your code.
    If this is the case, then neither changing ISPs nor adding a firewall will work (though enabling mod_security + Suhosin might help; these are security modules which prevent a lot of common PHP exploits, but there will be plenty of holes left).

    If you want, you can send me your index.php file through a private message and I can take a look at it. I work as hosting manager for a webhosting company; I deal with issues like these daily.

    If a PHP exploit is the case, then changing passwords will not solve it.
    Though I'm wondering, are you hosting your own cPanel WHM server? Or are you simply a user?
     
    #4 maever, Sep 30, 2010
    Last edited: Sep 30, 2010
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Wouldn't we expect a bit more damage than a defaced index.php if it was a PHP exploit, as you suggest it could be?
     
  6. maever

    maever Active Member

    Hard for me to judge the damage considering the little information available to me. It's not even clear if it's a defaced site.
    Perhaps amorosso could clear the air and explain with more detail :)

    A good secure environment with suPHP compiled with Suhosin + mod_security and "dangerous" functions disabled (ini_set, exec, shell_exec, passthru, system, etc.) will leave little room for serious exploits.

    A hacked site does not have to be a hacked server.
     
  7. amorosso

    amorosso Active Member

    Thanks everyone. No, I have a dedicated server with cPanel WHM. I did follow
    http://forums.cpanel.net/f185/beginners-guide-securing-your-server-30159.html just last night. So far so good.

    But what is or was happening is that someone is changing any or all index.php files just by adding to them. For the most part I just rewrite the file or remove what they added. At one time they even changed my java files. I have had my own server with the site sites for over three years without any issues. Until that is.
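Since the symptom is content being appended to index.php files, a file-integrity baseline catches the next change within the hour rather than when a visitor notices. The following is an added example (not code from any poster): it records a SHA-256 hash of every index.php under a tree and reports modified, new and missing files. It assumes GNU coreutils and diffutils as shipped with CentOS; the /home and /root paths in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: hash baseline for index.php files.
# Assumes GNU coreutils (sha256sum) and diffutils (diff), as on CentOS.

# baseline DIR OUTFILE: record "sha256  path" for every index.php below DIR.
baseline() {
    find "$1" -type f -name index.php -exec sha256sum {} + | sort -k 2 > "$2"
}

# verify DIR BASEFILE: print MODIFIED/NEW/MISSING lines; return 1 if anything differs.
# (Paths containing spaces are not handled; cPanel document roots do not contain them.)
verify() {
    now=$(mktemp) || return 2
    find "$1" -type f -name index.php -exec sha256sum {} + | sort -k 2 > "$now"
    if diff "$2" "$now" > /dev/null; then
        rm -f "$now"
        return 0
    fi
    # '<' lines exist only in the baseline, '>' lines only in the current scan;
    # a path present on both sides has a different hash, i.e. it was modified.
    diff "$2" "$now" | awk '
        /^</ { old[$3] = 1 }
        /^>/ { new[$3] = 1 }
        END {
            for (p in new) print ((p in old) ? "MODIFIED: " : "NEW: ") p
            for (p in old) if (!(p in new)) print "MISSING: " p
        }'
    rm -f "$now"
    return 1
}

# Typical use (assumed paths): baseline once right after a clean restore,
# then run verify hourly from cron and mail root when it reports anything.
#   baseline /home /root/index-baseline.txt
#   verify /home /root/index-baseline.txt > /root/index-changes.txt \
#       || mail -s "index.php changed" root < /root/index-changes.txt
```

Re-run baseline after every legitimate deploy, otherwise the next verify reports your own edits.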
     
  8. GaryT

    GaryT Well-Known Member

    Do not take any offence here, but to be honest those guides are basic. There is much, much more to it for security and such.

    The first thing I would do is work on SSH security: disable root login, change port, and password authentication.

    When the files have stopped being changed, then you know they may be struggling to get access. Now you work on extra security and harden the PHP.
     
  9. maever

    maever Active Member

    I agree with GaryT, the guide is a good start, but not enough.

    I'll give you a bit of basic advice concerning server security; this should lead to a setup which is fairly safe.
    Changing SSH to a custom port is a good move.
    This can be achieved by editing /etc/ssh/sshd.conf. Disabling root login is a good idea, but one I consider a bit optional.

    Although managing a server is fun, you have to be aware that you will need to spend time messing around with the security. If you don't want this, you could simply get a reseller account at a hosting provider, with nearly all the same rights.

    What I recommend is the following:
    * Use the EasyApache builder and rebuild Apache with mod_security and Suhosin.
    (Be aware that you might have to tweak Suhosin; it will limit PHP variables and POST values, which is good.)
    * Get CSF (free!) from ConfigServer Services. It's a pretty straightforward install; it has a security overview of your server, so be sure to follow that guide as extensively as possible. (Be sure you open all your desired ports in the firewall.) It is added as a plugin in your WHM.
    * Get suPHP; it eats a lot of CPU but is a lot safer.

    BTW, I still think that this problem might be caused by a PHP exploit.
    Could you send me your index.php in a private message?

    I am willing to help you set this up;
    send me a private message if you want.
     
    #9 maever, Sep 30, 2010
    Last edited: Sep 30, 2010
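GaryT's and maever's SSH advice (custom port, no root login, no password authentication) is only effective if sshd actually applies it: sshd honours the first uncommented occurrence of each keyword, so a line appended below an earlier conflicting one is silently ignored, and anything after a `Match` line applies only conditionally. On CentOS the file is /etc/ssh/sshd_config. The following added example (not from any poster) reads a config the way sshd does and reports which of the three recommendations are not in effect; it assumes the usual `Keyword value` form rather than `Keyword=value`.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the thread's advice.
# sshd takes the FIRST uncommented value of a keyword; later duplicates are ignored.
# Settings after a "Match" line are conditional and are not considered here.
# Assumption: "Keyword value" spelling (the "Keyword=value" form is not parsed).

# sshd_effective FILE KEYWORD: print the effective value, or "<default>" if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                  # conditional section starts
        tolower($1) == key     { found = 1; print $2; exit }
        END                    { if (!found) print "<default>" }
    ' "$1"
}

# audit_sshd FILE: print each recommendation not met; return 1 if any is missing.
audit_sshd() {
    rc=0
    port=$(sshd_effective "$1" Port)
    root=$(sshd_effective "$1" PermitRootLogin)
    pass=$(sshd_effective "$1" PasswordAuthentication)
    case "$port" in
        22|"<default>") echo "Port: still the default 22"; rc=1 ;;
    esac
    [ "$root" = "no" ] || { echo "PermitRootLogin: $root (want no)"; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication: $pass (want no; use keys)"; rc=1; }
    return $rc
}

# Usage on the live file (as root):
#   audit_sshd /etc/ssh/sshd_config && echo "sshd matches the thread's recommendations"
```

Keep an existing session open while changing these settings and test a fresh login on the new port before closing it, so a typo in the file cannot lock you out.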
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I thought this part from the original post explained it well enough to suggest what I did above:
     
  11. GaryT

    GaryT Well-Known Member

    Another suggestion is to use brute force detection, and use CSF to block port scans on 5 attempts. That would limit them to next to nothing.

    When changing port I would suggest something out of the norm. Keep it out of the 4-digit range and go higher.
     