At the beginning of the month someone infected my site with some JS stuff that redirected visitors to other sites, but I keep cleaning that. I changed all my passwords for everything. Today I think the same person hacked my server again and deleted one site (just one, the others are fine). There are no WordPress or Joomla sites. I installed ISPConfig. With this I really don't know where to begin; how should I secure my server and stop this? Another thing: I can't access settings in phpMyAdmin. Could they have hacked my VPS through it?
First you should check your server with rkhunter, then with maldetect: http://www.howtoforge.com/forums/showthread.php?t=58440 Then you should ensure that all Ubuntu security updates are installed. If your sites use a CMS and there are updates for that CMS, then you should install them as well if possible. You can also try to install mod_security to secure your server even more.
Thanks for replying, but that didn't help my problem. maldetect didn't find anything.
----------------------------------
I see 1.4.2 is out, but when I do
Code:
/usr/bin/rkhunter --update
Code:
[ Rootkit Hunter version 1.4.0 ]
Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/tr                                      [ No update ]
  Checking file i18n/tr.utf8                                 [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
So I did the scanning anyway...
Code:
[04:57:38] File properties checks...
[04:57:38] Required commands check failed
[04:57:38] Files checked: 137
[04:57:38] Suspect files: 3
[04:57:38]
[04:57:38] Rootkit checks...
[04:57:38] Rootkits checked : 305
[04:57:38] Possible rootkits: 0
[04:57:38]
[04:57:38] Applications checks...
[04:57:38] All checks skipped
[04:57:38]
[04:57:38] The system checks took: 2 minutes and 40 seconds
This is from the log file; everything else is [OK] or [ Not found ]
Code:
[...]
[04:55:09] Performing file properties checks
[04:55:09]   Warning: Checking for prerequisites                        [ Warning ]
[04:55:09]          Unable to find 'lsattr' command - all file immutable-bit checks will be skipped.
[...]
[04:55:20]   /usr/bin/GET                                              [ Warning ]
[04:55:20] Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file.
[...]
[04:55:29]   /usr/bin/unhide.rb                                        [ Warning ]
[04:55:29] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[...]
[04:55:29]   /usr/bin/lwp-request                                      [ Warning ]
[04:55:30] Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file.
[...]
[04:57:17]   Checking loaded kernel modules                            [ Warning ]
[04:57:17] Warning: No output found from the lsmod command or the /proc/modules file:
[04:57:17]          /proc/modules output:
[04:57:17]          lsmod output:
[...]
[04:57:26]   Checking for local host name                              [ Found ]
[04:57:26]
[04:57:26] Info: Starting test name 'startup_malware'
[04:57:26]   Checking for system startup files                         [ Found ]
[...]
[04:57:28]   Checking for passwd file                                  [ Found ]
[04:57:28] Info: Found password file: /etc/passwd
[...]
[04:57:29] Performing system configuration file checks
[04:57:29]   Checking for a system logging configuration file          [ Found ]
[04:57:29] Info: Found SSH /etc/ssh/sshd_config configuration file:
[04:57:29] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[04:57:29] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[04:57:29]   Checking if SSH root access is allowed                    [ Warning ]
[04:57:29] Warning: The SSH and rkhunter configuration options should be the same:
[04:57:29]          SSH configuration option 'PermitRootLogin': yes
[04:57:29]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
[...]
[04:57:30]   Checking for a running system logging daemon              [ Found ]
[04:57:30] Info: Found rsyslog /etc/rsyslog.conf configuration file:
[04:57:30]   Checking for a system logging configuration file          [ Found ]
[...]
[04:57:30]   Checking /dev for suspicious file types                   [ Warning ]
[04:57:30] Warning: Suspicious file types found in /dev:
[04:57:30]          /dev/.udev/rules.d/root.rules: ASCII text
[04:57:31]   Checking for hidden files and directories                 [ Warning ]
[04:57:31] Warning: Hidden directory found: /dev/.udev: directory
[...]
Also I've upgraded from Ubuntu 13.10 to 14.04 and installed mod_security from here
--------------------------
Code:
# sudo apt-get upgrade
Code:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
And after all this, the hacking happened again. Does anyone have any idea how I can see how they are doing this?
Sounds like one of your sites has a vulnerability. Till wrote a little article some time ago about how to see which site is sending emails (something with piping all the email through a PHP script). Unfortunately I can not find the article at the moment. Maybe this is a good option for you to see what site is being used to spam with.
Found the article. No guarantee that this will work for you! http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam Make sure that you read the comment section too!
Thanks for the reply. But the server is not used for spamming. In the middle of the attack, before they wiped everything, I saved a couple of logs. The site has an option to upload attachments, like images... This is from the logs:
Code:
"POST /ajaxup.php HTTP/1.1" 200 748 "http://fiddle.jshell.net/_display/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
"GET /upload/2014/54679168731b1.php5?act=img&img=home HTTP/1.1" 304 225 "http://xxxxxx.com/upload/2014/54679168731b1.php5?" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
"GET /upload/2014/54679168731b1.php5?act=ls&d=%2Fvar%2Fwww%2Fclients%2Fclient0%2Fweb1%2Fweb&sort=0a HTTP/1.1" 200 5627
edit: it was c999shell -.-
So what should I do now to protect the sites/server from this?
In that case you will need to fix the upload script (54679168731b1.php5) as that is where the problem is. A fix could be some check to see if it is a true image that has been uploaded.
54679168731b1.php5 is not an upload script; it was the file that someone uploaded to the server and used to mess things up. Should this in .htaccess help?
Code:
<Files ~ "\.(php|sql|php3|php4|php5|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
    order allow,deny
    deny from all
</Files>
^^ this didn't help; again a *.php5 was uploaded and it deleted the site
Your site has severe problems in its code, and you have to fix these if you want to stop the hackers coming in. Does the site have very many requests? If not, then check the requests in access.log that were made before the site got wiped out. Start with checking the POST requests.
Code:
"POST /ajaxup.php HTTP/1.1" 200 743 "http://fiddle.jshell.net/_display/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
Only this one POST. ajaxup.php is for uploading images, so I guess they used this file to get the *.php5 onto the server.
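As an added example (not posted by anyone in this thread), here is a small PHP CLI script that does the triage suggested above over access.log lines: it flags every POST and every request for a script-type file under the upload directory, which is exactly the pattern in the posted log. The sample lines are constructed (documentation IP ranges, invented timestamps) and only reuse the request paths from the post; the /upload/ prefix is an assumption about where the site stores uploads.

```php
<?php
// Added example: triage Apache combined-format access log lines, printing the two
// things to read first after an upload-based compromise: (1) POST requests (the
// upload handler being driven) and (2) any request for a script-type file under
// the upload directory. Usage: php triage.php access.log; with no argument it runs
// on the constructed sample below (203.0.113.0/24 is a documentation IP range).
define('LOG_RE', '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)"/');
define('UPLOAD_PREFIX', '/upload/');   // assumption: where the site stores uploads
function scriptExtensions() {
    return array('php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh');
}
// Returns a one-line finding for a suspicious request, or null if nothing to report.
function triageLine($line) {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                       // not a combined-format line
    }
    list(, $ip, $when, $method, $target, $status, $referer) = $m;
    $path = parse_url($target, PHP_URL_PATH);   // strip the query string
    if (!is_string($path)) {
        $path = $target;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $reasons = array();
    if ($method === 'POST') {
        $reasons[] = 'POST request';
    }
    if (strpos($path, UPLOAD_PREFIX) === 0 && in_array($ext, scriptExtensions(), true)) {
        $reasons[] = "script file .$ext requested from the upload directory";
    }
    if (!$reasons) {
        return null;
    }
    return sprintf('%s %s %s %s %s ref=%s -> %s',
        $when, $ip, $method, $path, $status, $referer, implode('; ', $reasons));
}
// Constructed sample: only the request lines are modelled on the thread's log.
$sample = array(
    '203.0.113.5 - - [15/Nov/2014:10:00:01 +0100] "POST /ajaxup.php HTTP/1.1" 200 748 "http://fiddle.jshell.net/_display/" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Nov/2014:10:00:09 +0100] "GET /upload/2014/54679168731b1.php5?act=img&img=home HTTP/1.1" 304 225 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Nov/2014:10:00:12 +0100] "GET /upload/2014/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
);
$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
foreach ($lines as $line) {
    $hit = triageLine($line);
    if ($hit !== null) {
        echo $hit, PHP_EOL;
    }
}
```

On the sample the first two lines are reported and the plain image request is not; the source IP and referer of the POST are what you then correlate with the first request to the dropped .php5 file.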
I did some digging around... the script for uploading is uploadify; it has been modified for the site. It contains
Code:
'fileExt' : '*.jpg;*.gif;*.png;*.jpeg',
but that is not enough for securing the upload. So I was thinking to modify the .vhost files (just in case the .htaccess files are rewritten or deleted) for all the sites and add these lines:
Code:
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
    order deny,allow
    allow from all
</Files>
only for images, and
Code:
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
in case someone is trying to put some code into images. Would that do some work?
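As an added example (not the site's uploadify backend and not code from anyone in this thread), here is the server-side validation the image upload handler should do itself, independent of the .htaccess allow-list and php_flag engine off layers above: the client-side fileExt filter is advisory only, since an attacker posts straight to the handler. UPLOAD_DIR is a hypothetical path, and the fileinfo and GD extensions are assumed to be loaded.

```php
<?php
// Added example (not the site's uploadify backend): the checks an upload handler
// such as ajaxup.php must do itself, since the client-side 'fileExt' filter is
// advisory only. Assumes the fileinfo and GD extensions; UPLOAD_DIR is a
// hypothetical directory outside the document root (or with php_flag engine off).
define('UPLOAD_DIR', '/var/www/clients/client0/web1/private/uploads');
define('MAX_BYTES', 5242880);   // 5 MiB
// Detected MIME type => extension we assign. The client's filename is never used.
function allowedTypes() {
    return array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
}
// Returns array($mime, $ext) for an acceptable image, throws otherwise.
function validateImageUpload(array $file) {
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload missing or failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('not an uploaded file, or too large');
    }
    // Decide the type from the bytes, not from $_FILES['type'] or the client name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = allowedTypes();
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected content type $mime");
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('file does not decode as the claimed image type');
    }
    return array($mime, $allowed[$mime]);
}
// Re-encode through GD so bytes appended to an otherwise valid image (the
// "PHP inside a JPEG" trick) never reach disk; random name, extension from the
// detected type. (GD re-encoding drops GIF animation.)
function storeImageUpload(array $file) {
    list($mime, $ext) = validateImageUpload($file);
    $img = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('GD could not decode the image');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
    $ok = $mime === 'image/jpeg' ? imagejpeg($img, $dest, 90)
        : ($mime === 'image/png' ? imagepng($img, $dest) : imagegif($img, $dest));
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);
    return basename($dest);   // store this name, not the client's, in the database
}
```

In the handler this is called as storeImageUpload($_FILES['Filedata']) (Filedata is assumed here to be the field name the uploadify script posts); the stored files then need no script extension filter at all, and the deny-all / allow-images vhost rules become a second layer rather than the only one.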