Hi, My server is now hacked 2 times in 2 weeks, today again was hacked, i have alll the ports closed , i closed ftp 21 ,also ssh22 ,but even that they could enter to the server and hack my webpage , i use joomla for building the webpage can be the reason ? or that i have the firewall off because of selinux is desables. this are my configurations : ISPconfig centos 5.2 i used perfect server tutorial of falco I have all unecessery ports closed even FTP - 21 and SSH 22 Thank you in advance for your help.
Well i was unlucky to get my site hacked aswell. I found a rs57 shell on my server that was uploaded trough a image uploading function. look trough you web folder and see if you can find any wierd looking scripts. If i were you i would backup my joomla database and template folder reinstall the server and start over with a fresh joomla. (remember to backup userfiles images etc.etc. I can recomend you to install OSSEC wich is a intrusion detection system then you can get noticed of all scan attacs. And it would most certain warn you if someone is trying to exec a shellscript. I installed OSSEC after my own server got hacked and i enjoy open my mail and be noticed of everything unsual happening on my server.
You could also create a bash script that is run hourly or daily by cron that searches for all executable files in paths that you know can be uploaded to. It could then either email you these as a list, or archive them, or delete them.
