
::urgent:: Hacking Problem

Discussion in 'General Discussion' started by mohamedhassan, May 23, 2007.

  1. mohamedhassan

    Hello all,

    I have faced a problem on my server for a long time: many sites are hacked by replacing their index page. I always face this problem.
    Can anyone help me, please? I'm not an expert in Linux.
     
  2. ujr

    Perhaps hire an admin? I'd assume that is probably what you want since you haven't tried finding out yourself -- no offense.

    You can start by asking your hosting company to look into it. We do these things for our clients, as many hosts do.

    Otherwise, you will find a bunch of people on these forums that offer such services.

    Here are a few people that come to mind, and in no particular order:

    Chirpy, ramprage, ServerTune, WebHostGear, PWSowner

    Also search the forums for "hack", Hacked and Hacking. There are so many threads to help out.
     
  3. HostMerit

    1. Make Backups
    2. Have data center reformat server.
    3. Have server secured by a professional / random company who does them a dime a dozen.
    4. Restore sites after server's secured.


    Server's clearly rooted, and they're having a field day, since you don't know quite what you're doing past WHM.

    Your machine's resources are being used to scan / DoS attack / attack other servers on a daily basis; at some point your data center might frown upon this.

    Thus speaking, you're in for a raping of a fee to get your server secured. I think there are still some companies who don't charge 100+ to get your server secured.
     
  4. ramprage

    If index pages are replaced on the server, it doesn't necessarily mean it has been rooted, though that is possible. You'd need to have someone investigate the box and check it out.

    Do a system compromise check; a security plan would also be a smart move. Always keep backups of your data in the event you are compromised; you can use them in a time of need ;)
     
  5. kevinm

    I bet you're running PHP as a module, without PHPsuexec (and open base restrictions), and/or allowing users CGI without suexec.

    The above == defacers' paradise, as they can use one vulnerable script to hack / replace index files of any other customer on your server.

    **Signs**, IMHO, you should RTFM on securing a web server before starting to run a hosting entity.

    Kev
     
  6. mohit

    Could be a virus on local system

    Hi,
    One of my clients had a similar situation a few months back: all their folders had index.htm replaced with a page which either had a link to a zip file (help.zip) or ran the HELP.zip on its own using some scripting. We thought it was a root hack, but later we found they had a virus infection on one of their employees' systems, which had FTP account info saved in the FTP client. The virus was renaming index.ext to "_index.ext" and uploading using FTP access; it also uploaded a few files: a.asp, a.pl, a.php.

    The virus was however identified as
    Code:
    http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-013122-5631-99
    So check if you have a.pl or only this kind of activity; most probably your local computer is infected and needs attention.

    The best option, however, would be to hire an admin somewhere and get this attended to before it's late.

    Thanks,
    mohit
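
Added example, not part of any post in this thread: a sweep of web roots for the artifacts the last post describes (an original `index.<ext>` renamed to `_index.<ext>`, and dropped `a.asp`, `a.pl`, `a.php`). The function name `scan_docroots` and the `/home/<user>/public_html` layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Sweeps a directory tree for the
# artifacts described in the post above:
#   - dropped files named a.asp, a.pl or a.php
#   - an original index.<ext> renamed to _index.<ext>
# scan_docroots is a hypothetical helper name; /home/<user>/public_html is
# an assumed layout. A hit is a lead to review, not proof of compromise:
# a legitimate site may own a file called a.php.

scan_docroots() {
    base="$1"

    # Dropped scripts named in the post.
    find "$base" -type f \( -name 'a.asp' -o -name 'a.pl' -o -name 'a.php' \) \
        2>/dev/null |
    while IFS= read -r hit; do
        printf 'DROPPED\t%s\n' "$hit"
    done

    # Renamed originals. If index.<ext> sits beside _index.<ext>, the live
    # index page is probably the replacement and _index.<ext> the original.
    find "$base" -type f -name '_index.*' 2>/dev/null |
    while IFS= read -r renamed; do
        dir=$(dirname "$renamed")
        ext=${renamed##*.}
        if [ -f "$dir/index.$ext" ]; then
            printf 'REPLACED\t%s\n' "$dir/index.$ext"
        else
            printf 'RENAMED\t%s\n' "$renamed"
        fi
    done
}

# Usage: sh scan.sh /home    (runs only when a base directory is given)
if [ "$#" -gt 0 ]; then
    scan_docroots "$1"
fi
```

Each output line is a tab-separated tag and path; compare the modification times of `REPLACED` files against FTP transfer logs to see which account uploaded them.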
     
