Possible hacking attempt? (ISPConfig 3.0.5.4p3)

Discussion in 'General' started by phamels, Oct 10, 2014.

  1. phamels

    phamels Member

    Hi all!

    Today I noticed something weird on one of my websites hosted with ISPConfig 3.0.5.4p3
    There's no SSH access allowed (nor is SSH accessible from the outside world), yet in one of my website folders I have noticed some worrying directories:

    Code:
    drwxr-xr-x 16 root  root    4096 Sep 30 15:53 .
    drwxr-xr-x  9 root  root    4096 Oct  1 21:14 ..
    drwxr-xr-x  2 root  root    4096 Oct 10 11:17 bin
    drwxr-xr-x  2 webxx clientxx 4096 Sep 25 12:23 cgi-bin
    drwxr-xr-x  2 root  root    4096 Sep 30 15:53 dev
    drwxr-xr-x  2 root  root    4096 Oct 10 11:21 etc
    drwxr-xr-x  2 root  root    4096 Oct 10 11:17 lib
    drwxr-xr-x  2 root  root    4096 Oct 10 11:18 lib64
    drwxr-xr-x  2 root  root    4096 Oct 10 00:31 log
    drwx--x---  2 webxx clientxx 4096 Sep 25 13:02 private
    drwxr-xr-x  2 root  root    4096 Sep 25 12:49 ssl
    drwxrwxrwx  2 webxx clientxx 4096 Sep 25 12:23 tmp
    drwxr-xr-x  2 root  root    4096 Oct 10 11:21 usr
    drwxr-xr-x  2 root  root    4096 Oct 10 11:23 var
    drwx--x--x 15 webxx clientxx 4096 Sep 25 12:59 web
    drwx--x---  2 webxx clientxx 4096 Sep 25 12:23 webdav
    
    I tried removing these unwanted folders as root, but:

    Code:
    rm: cannot remove `bin': Permission denied
    
    Although lsattr gives me the following:

    Code:
    -------------e-- ./usr
    -------------e-- ./var
    -------------e-- ./tmp
    -------------e-- ./lib
    -------------e-- ./etc
    -------------e-- ./private
    -------------e-- ./lib64
    -------------e-- ./log
    -------------e-- ./ssl
    -------------e-- ./cgi-bin
    -------------e-- ./dev
    -------------e-- ./bin
    -------------e-- ./web
    -------------e-- ./webdav
    
    I can't find anything out of the ordinary in the log files, nor have any of the PHP files in the web folder been modified.

    I didn't pay much attention to it at first, but it seems like the content of these folders has been updated since I first noticed them.


    Anything else I'm overlooking?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's absolutely fine and not a hack attempt. That's the jail of the website. A jail is not only created for SSH users, it is also used by cron, so nothing to worry about.

    Btw, a hacker would never create a jail in a website.

    The folders are protected to ensure that you don't delete them, as this would destroy the website. You can delete them by removing the immutable attribute from the website root folder first, but be aware that the website cronjobs will fail then and you have to add back all deleted files and folders manually to get them working again.
     
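The reply above places the immutable attribute on the website root folder, not on the jail directories themselves, which is why `lsattr` on the subdirectories shows no `i` flag while `rm` still fails even as root. The following POSIX shell script is an added example (not from this thread and not ISPConfig's own code) that walks up from a path and reports which ancestor actually carries `+i`; the path `/var/www/clients/clientXX/webXX` is a placeholder for a real website root, and `lsattr`/`chattr` must be available on the host.

```shell
#!/bin/sh
# Added example: locate the directory whose immutable (+i) attribute blocks
# deletion of ISPConfig jail folders such as bin, etc, lib, usr, var.
# Placeholder path: /var/www/clients/clientXX/webXX (assumption, not from the thread).

# Return 0 if an lsattr attribute field such as "----i--------e--" contains 'i'.
attr_has_immutable() {
    case "$1" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Classify one line of `lsattr -d` output ("<attrs> <path>") as
# "immutable" or "mutable". Only the first field is inspected, so an 'i'
# in the path name cannot produce a false positive.
classify_lsattr_line() {
    attrs=${1%% *}
    if attr_has_immutable "$attrs"; then
        echo immutable
    else
        echo mutable
    fi
}

# Walk up from $1 to / and print the nearest directory (including $1 itself)
# that carries +i. Returns 1 if none does, 2 if lsattr cannot read a path
# (e.g. a non-ext filesystem). This explains an unremovable child: the
# kernel refuses to unlink entries from an immutable parent directory.
find_immutable_ancestor() {
    p=$1
    while :; do
        line=$(lsattr -d "$p" 2>/dev/null) || return 2
        if [ "$(classify_lsattr_line "$line")" = immutable ]; then
            echo "$p"
            return 0
        fi
        [ "$p" = / ] && return 1
        p=$(dirname "$p")
    done
}

# Usage (run as root on the ISPConfig host):
#   find_immutable_ancestor /var/www/clients/clientXX/webXX/bin
# Expected on a healthy jail: the website root itself is printed, and
# `lsattr -d` on it shows an 'i' in the attribute field. Removing the flag
# with `chattr -i <root>` is what the reply describes; restore it with
# `chattr +i <root>` afterwards so the jail stays protected.
```

Running `lsattr -d` on the website root (rather than plain `lsattr` inside it) is the check to use: the output the original poster pasted lists the children, and their attribute fields are correctly empty of `i`.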
  3. phamels

    phamels Member

    Alright Till,

    Thanks for the quick reply!

    I was getting a bit worried since last night someone tried to make an unauthorized purchase on one of my credit cards :) (Not related to a website hosted on this server; old account somewhere else with a bad password.)

    Fits what you said perfectly, I did recently create a cron job for this particular website.
    I accidentally did delete everything in these folders though; should I remove the cron job and recreate it (or perhaps create an SSH user and remove it again)?

    EDIT: Never mind, just saw I have to put them there again manually :) (Perhaps by creating a cron on a different site and doing a copy, minding the permissions?)
     
