My server/websites were hacked - please help.

Discussion in 'Server Operation' started by Been Told, Jun 14, 2009.

  1. Been Told

    Been Told Member

    Hi there,
    my root server (debian lenny) was hacked and a lot of files were deleted from the /var/www/webXX folders.
    I have checked access logs and there were no failed or successful SSH logins at the time the hacking took place, apart from ones from my own IP.
    I checked the apache logs and found no "exec" calls or anything like that (although I'd be happy to post the logs for inspection here).
    FTP logs are clean, no FTP logins at the time of the hack.

    I do have a website for uploading/sharing images (for members of one of my forums) which is based on a free no-name picture upload script, which can also be seen in operation here:

    Also one of my forums (vBulletin) has a flash chat by Tufat integrated.

    Those two seem to be two prime candidates for security problems (in my opinion). So now they are both offline and I don't want to bring either one of them back before I can figure out what happened.

    Since the hacker/script that entered my server deleted files en-masse I could imagine that they deleted the offending script too.
    What do you guys think?

    Forums/Websites were all up to date versions of their respective software.
  2. Been Told

    Been Told Member

    The actual question here, which I forgot to post (lol):
    Are there any tools that help look for malicious files?
  3. id10t

    id10t Member

    Try rootkit hunter
  4. Been Told

    Been Told Member

    OK, I've run the script but I'm not sure about the results.
    I've uploaded the log of the scan (attached).

    Does anyone have any hints?

    Attached Files:

    • rkh.txt (File size: 78.6 KB)
  5. falko

    falko Super Moderator ISPConfig Developer

    The output looks good - at least rkhunter didn't find any known malware...
  6. Been Told

    Been Told Member

    Thanks falko.

    When looking for suspicious files myself: am I right in thinking that the first/best place to look for them are folders that users can upload stuff to via forums/scripts/websites?
  7. id10t

    id10t Member

    Yup. Also weak passwords (I had someone get in on a demo account and use my box for ssh brute force attempts)
  8. Been Told

    Been Told Member

    Hm. All my passwords are 10 digits plus with numbers, letters in mixed case and most have a special character or two thrown in.
  9. Forgott3n

    Forgott3n New Member

    Check your apache logs for anyone accessing the AdminCP directory that does not have your IP.

    Also, check your logs for file requests that start with a . (period) or that have suspicious $_GET[''] lines like (?act=SELECT+*+FROM+*)
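A small log-triage script that applies the three checks from this post (AdminCP hits from an IP that is not yours, requests for dot-files, SQL keywords in the query string) to Apache access-log lines. It is added here as an example and is not code from the thread; the sample lines, the /admincp/ path and the "own IP" 203.0.113.10 are constructed.

```python
import re
import urllib.parse

# Apache "combined" access-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL verb followed later by a clause keyword, e.g. "SELECT * FROM users".
SQL_RE = re.compile(r"\b(select|union|insert|update|delete|drop)\b.*\b(from|into|where|table|set)\b", re.I)

# Constructed sample lines (not the thread's real logs); 203.0.113.10 plays the admin's own IP.
OWN_IPS = {"203.0.113.10"}
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jun/2009:10:01:22 +0200] "GET /forum/admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2009:10:05:41 +0200] "GET /forum/admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2009:10:06:02 +0200] "GET /gallery/view.php?act=SELECT+*+FROM+users HTTP/1.1" 200 812 "-" "curl/7.18"
198.51.100.7 - - [14/Jun/2009:10:06:30 +0200] "GET /images/.thumbs.php?v=1 HTTP/1.1" 200 64 "-" "curl/7.18"
203.0.113.10 - - [14/Jun/2009:10:09:00 +0200] "GET /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry, own_ips):
    """Apply the three checks from the post and return the reasons that fired."""
    reasons = []
    path, _, query = entry["path"].partition("?")
    if "/admincp/" in path.lower() and entry["ip"] not in own_ips:
        reasons.append("admincp from foreign ip")
    if path.rsplit("/", 1)[-1].startswith("."):
        reasons.append("dotfile request")
    # Decode %xx and '+' so "SELECT+*+FROM" is seen as "SELECT * FROM".
    if SQL_RE.search(urllib.parse.unquote_plus(query)):
        reasons.append("sql keywords in query")
    return reasons

def scan_log(text, own_ips):
    """Return one dict per flagged line: client ip, raw request path, reasons."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, own_ips)
        if reasons:
            hits.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons})
    return hits
```

Run it over the real access log with `scan_log(open("/var/log/apache2/access.log").read(), {"your.ip"})`; the first sample line shows that AdminCP traffic from your own IP is not flagged, only foreign ones are.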
  10. Been Told

    Been Told Member

    Thanks for that. All negative on the things you mentioned.
