An employee from HP sent me the following email:

"Someone is using the address https://server.mydomain.com:81/~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run as a phish to steal PayPal passwords. If you can, you should turn off access to this address ASAP."

Is there a way to turn off access to this?
Are you administering this server? If so, you should check whether this directory structure and its files are under ISPConfig's own Apache document root. You should also find the accesses to this path in ISPConfig's Apache logs (they should be located in /root/ispconfig/httpd/logs). Right now I don't think this will work in a standard installation, as userdirs are disabled (based on the fact that ~ indicates the start of a user home).
If he is asking how he can prevent this access, then he won't be able to configure the filters for mod_security in depth. An iptables command to drop all incoming connections on port 81 will help the same way.
Have you tested that this URL really works? If yes, you should find out why it works and how the attacker got in. Just denying access to the files won't fix this in the long term. For example, search for the requested file by running: locate cmd_login-runas and check your server with chkrootkit and rkhunter.
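Putting the log-side advice from the replies above into a script, as an added example that is not from any poster in this thread: it pulls every request for the phishing path out of an Apache combined-format access log, separates the POSTs (likely submitted credentials) from plain fetches, lists the client addresses that hit the page, and prints the port-81 drop rule as a stop-gap. Pass your real log as the first argument (for this setup that would be a file under /root/ispconfig/httpd/logs); with no argument it uses a constructed sample log. The sample log lines, the IP addresses (documentation ranges) and the `/~testing/www.paypal.com/` prefix taken from the reported URL are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): triage an Apache
# combined-format access log for requests to a phishing path, then print the
# port-81 drop rule suggested above. Pass a real log as $1; with no argument a
# CONSTRUCTED sample log is used. Addresses below are documentation ranges.

PHISH_PATH='/~testing/www.paypal.com/'

# sample_log: write a constructed access log to a temp file, print its name.
sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
203.0.113.7 - - [10/Oct/2008:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2008:14:01:02 +0200] "GET /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2008:14:01:40 +0200] "POST /~testing/www.paypal.com/cgi-bin/webscr/login.php HTTP/1.1" 302 210 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Oct/2008:14:05:11 +0200] "GET /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:14:09:00 +0200] "GET /forum/ HTTP/1.1" 200 9811 "http://server.mydomain.com:81/~testing/www.paypal.com/" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# phish_hits LOG PATH: lines whose *request* path ($7 in combined format)
# starts with PATH. Matching on $7 rather than the whole line keeps a
# referrer that merely mentions the path (last sample line) out of the count.
phish_hits() {
    awk -v p="$2" 'index($7, p) == 1' "$1"
}

# phish_hit_count LOG PATH: number of requests for the phishing path.
phish_hit_count() {
    phish_hits "$1" "$2" | wc -l | tr -d ' '
}

# phish_post_count LOG PATH: POSTs to the path, i.e. likely submitted credentials.
phish_post_count() {
    awk -v p="$2" '$6 == "\"POST" && index($7, p) == 1' "$1" | wc -l | tr -d ' '
}

# phish_client_ips LOG PATH: distinct client addresses that fetched the phish
# (potential victims to warn, plus possibly the attacker testing the page).
phish_client_ips() {
    phish_hits "$1" "$2" | awk '{ print $1 }' | sort -u
}

# port81_drop_rule: the blunt stop-gap from the thread, printed rather than
# executed; run it as root. It hides the page but does not remove the intruder.
port81_drop_rule() {
    printf 'iptables -I INPUT -p tcp --dport 81 -j DROP\n'
}

LOG=${1:-$(sample_log)}
echo "requests for $PHISH_PATH: $(phish_hit_count "$LOG" "$PHISH_PATH")"
echo "credential POSTs: $(phish_post_count "$LOG" "$PHISH_PATH")"
echo "client IPs:"
phish_client_ips "$LOG" "$PHISH_PATH"
echo "stop-gap rule (as root): $(port81_drop_rule)"
```

The hits tell you who has already been shown the page; the first request for the path, and any PUT/POST or suspicious CGI request shortly before it, is where to start looking for how the files were placed. Blocking the port only stops the phish from being served; the question of how the attacker wrote into that directory still has to be answered.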
Equally troubling is the fact that I can't log on with ssh anymore. My password is refused for admin and a normal user.
The user he gave me in the email does not work, but it seems like a legitimate email and it was sent via a mail form on my website (not to an email address). I checked my server with chkrootkit and rkhunter a few weeks ago (when I could log in using SSH) and it didn't come up with anything.
OK, then your server has most likely been hacked and the hacker got root privileges. Do you have physical access, or does the server have a rescue system that you can boot into?
I turned it off for now. If you can think of a way to get it back up, I'd be your best friend forever. If not, is it a bad idea to copy the mail messages and databases over to a different server?
You should set up the server from scratch again; everything else would be too insecure. You can make backups of the old data by booting into the rescue system.
On this server, I allowed people to sign up for an email address. Is it safe to set up those same email addresses on a different server and use mail.mydomain.com again? I had ISPConfig running on the old server, but with only one website. Is there a way, and is it safe, to retrieve a database that was used for a blog and forum on the old server? If so, where do I find it? Thanks.
Maybe rkhunter and chkrootkit running from cron will resolve this problem. And securing Apache/PHP is a good idea (Suhosin + mod_security).
Thanks for all the help, people. I'm fine with rebuilding it from scratch as it was on an old OS and the software needed to be updated anyway. I do have three concerns, however: 1) I have some databases on there that I used for a forum and blog that I would like to retrieve and use on a different server. The box is behind a firewall, so I was thinking of closing all of the ports on the firewall and using phpMyAdmin locally to export the databases. Is this safe? Will I be able to login? I was able to use ISPConfig even after it was hacked. 2) Also, a lot of people have email addresses that I'd like to re-establish for them on a different server. Is there any harm in doing that? I allowed people to sign up for their own email address (I don't know all of the people who signed up for one), so is there a chance that by setting up the same email account on a different server, they can hack a different server? Thanks.
Yes, you can do this using phpMyAdmin. You can use the same usernames, but I strongly recommend using different (and strong) passwords.
1) Is it risky to reuse these databases? 2) The thing is I don't know these users. Can people hack into my system if they have an email address? Even if they have a valid username and password?
I could still log in to ISPConfig and I could use phpMyAdmin. I exported the two databases, but I want to make sure it's safe before I import the tables on the new server.
You're using system users, which means their passwords are not stored in the database. So you can reuse the MySQL dumps, but I strongly recommend changing all passwords of the system users and also of the ISPConfig users afterwards.
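Before importing a dump taken from a compromised box, it is worth looking at what is actually in it, because a dump is a script that MySQL will execute, not just rows. The following is an added example, not from any poster in this thread, that reports two kinds of red flag separately: statements that run or persist on import (triggers, routines, events, users, grants, DEFINER clauses, file access), which a plain data dump of a blog or forum should not contain, and row content that browsers would execute (iframes, script tags, eval(base64_decode(...))), which is what a defaced forum looks like in SQL. Pass your exported dump as the first argument; with no argument it uses a constructed sample dump. The sample dump, its table names and the attacker-style trigger and GRANT lines in it are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): look through a MySQL
# dump taken from a compromised server BEFORE importing it elsewhere.
# Pass a dump as $1; with no argument a CONSTRUCTED sample dump is used.

# sample_dump: write a constructed dump to a temp file and print its name.
# The trigger and GRANT lines stand in for persistence an intruder may leave.
sample_dump() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
-- MySQL dump (constructed sample, not the poster's data)
CREATE TABLE `posts` (`id` int NOT NULL, `body` text) ENGINE=MyISAM;
INSERT INTO `posts` VALUES (1,'Welcome to the forum!');
INSERT INTO `posts` VALUES (2,'<iframe src=\"http://malicious.example/ld.php\" width=0 height=0></iframe>');
INSERT INTO `posts` VALUES (3,'Nice blog post.');
DELIMITER ;;
CREATE DEFINER=`root`@`localhost` TRIGGER `after_post` AFTER INSERT ON `posts` FOR EACH ROW BEGIN INSERT INTO `log` (`body`) VALUES (NEW.body); END;;
DELIMITER ;
GRANT ALL PRIVILEGES ON *.* TO 'backup'@'%' IDENTIFIED BY 'x';
EOF
    printf '%s\n' "$f"
}

# Statements that execute or persist when the dump is replayed. A data-only
# dump of a blog/forum should contain none of these.
STATEMENT_FLAGS='^[[:space:]]*(CREATE|DROP|ALTER)[[:space:]].*[[:space:]](TRIGGER|PROCEDURE|FUNCTION|EVENT|USER)[[:space:]]|^[[:space:]]*(GRANT|REVOKE)[[:space:]]|DEFINER[[:space:]]*=|INTO[[:space:]]+(OUTFILE|DUMPFILE)|LOAD_FILE[[:space:]]*\(|^[[:space:]]*LOAD[[:space:]]+DATA'

# Row content that a browser would execute once the forum serves it again.
CONTENT_FLAGS='<script|<iframe|eval[[:space:]]*\([[:space:]]*base64_decode|document\.write|javascript:'

# dump_*_flags DUMP: the flagged lines with line numbers, for manual review.
dump_statement_flags() { grep -n -i -E "$STATEMENT_FLAGS" "$1" || true; }
dump_content_flags()   { grep -n -i -E "$CONTENT_FLAGS" "$1" || true; }

# dump_*_flag_count DUMP: number of flagged lines; grep exits 1 on a clean
# file, which is the good case here, so it is not treated as an error.
dump_statement_flag_count() { grep -c -i -E "$STATEMENT_FLAGS" "$1" || true; }
dump_content_flag_count()   { grep -c -i -E "$CONTENT_FLAGS" "$1" || true; }

DUMP=${1:-$(sample_dump)}
echo "statements that run or persist on import: $(dump_statement_flag_count "$DUMP")"
dump_statement_flags "$DUMP"
echo "browser-executable content in rows: $(dump_content_flag_count "$DUMP")"
dump_content_flags "$DUMP"
```

Anything the first check reports should be deleted from the dump (or the data re-exported with triggers and routines left out, e.g. mysqldump --skip-triggers) and the import should be done as a database user that only has rights on the forum's own database, so a stray GRANT or root DEFINER fails instead of taking effect. Hits from the second check are the rows to clean or drop before the forum goes live again. The password hashes in the forum's own user table also came off the compromised server, so forcing those users through a password reset is in the same spirit as the advice above about system and ISPConfig passwords.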
I got another server all set up and ready. I set up the forum again and imported all of the tables from the old forum... and now I can't log in to my new server. Please, please help. I did everything that was suggested for security: disabling root login, installing rkhunter, changing my root password, etc.