mohamedhassan

Registered
Dec 5, 2005
3
0
151
HELLO ALL,

i face a problem on my server from a long time, many sites hacked by replacing its index page , ialways face such this problem.:confused:
can anyone help me plz, i'm not expert in linux:confused: :confused:
 

ujr

Well-Known Member
Mar 19, 2004
290
0
166
Perhaps hire an admin? I'd assume that is probably what you want since you haven't tried finding out yourself -- no offense.

You can start by asking your hosting company to look into it. We do these things for our clients, as many hosts do.

Otherwise, you will find a bunch of people on these forums that offer such services.

Here are a few people that come to mind, and in no particular order:

Chirpy, ramprage , ServerTune, WebHostGear, PWSowner

Also search the forums for "hack", Hacked and Hacking. There are so many threads to help out.
 

HostMerit

Well-Known Member
Oct 24, 2004
164
0
166
New Jersey, USA
cPanel Access Level
DataCenter Provider
1. Make Backups
2. Have data center reformat server.
3. Have server secured by a professional / random company who does them a dime a dozen.
4. Restore sites after server's secured.


Server's clearly rooted, and they're having a field day, since you dont know quite what your doing past WHM.

Your machines resources are being used to scan / DoS attack / attack other servers on a daily basis, at some point your data center might frown upon this.

Thus speaking, your in for a raping of a fee to get your server secured. I think there are still some companies who dont charge 100+ to get your server secured.
 

ramprage

Well-Known Member
Jul 21, 2002
655
0
166
Canada
If index pages are replaced on the server it doesn't necessarily mean it has been rooted, however possible. You'd need to have someone investigate the box and check it out.

Do a system compromise check and also a security plan would be a smart move. Always keep backups of your data in the event you are compromised, you can use them in a time of need ;)
 

kevinm

Member
Feb 22, 2006
19
0
151
I bet your running php as a module , without PHPsuexec (and open base restrictions) AND/or allowing users CGI without suexec.

The above == defacers paradise , as they can use one vulnerable script to hack / replace index files of any other customer on your server.

**Signs** ,imho,,,, you should rtfm on securing a web server , before starting to run a hosting entity.

Kev
 

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
could be a virus on local system

hi,
on one of my client had similar situation few months back, all their folders had index.htm replaced with a page which had link to either to a zip file (help.zip) or it ran the HELP.zip on own using some scripting. we thought its a root hack but later we found they were having virus infection on one of their employee's system which had FTP account info saved in the ftp client. the virus was replacing index.ext to "_index.ext" and uplaoding using ftp access, also uploaded few file a.asp, a.pl a.php.

The virus was however identified as
Code:
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2006-013122-5631-99
so check if you have a.pl or only this kinda activity, most probably your local computer is infected and needs attention.

best option would however be hire a admin somewhere and get this attended before its late.

thanks,
mohit