Comments
I've rebuilt /tmp directory and just have a few sess_ files, eaccelerator folder & lost+found folder.
The problem is, when a server is compromised you have no idea where they have put warez files or trojans, so you'll keep facing the same issue. My suggestion would be to rebuild the server from the ground up.
I have all sites backed up. So I need to reinstall from solusvm? Re-install cPanel setup etc... Then how do I add all domains back?
If you don't know, buy a managed VPS or hire someone... but you will continue to be hacked as long as you have the server as it is. They could even have installed SSH keys at this point and can fully log in to your system with no issues.
I signed up with platinumservermanagement.com earlier today, maybe they will do it.
I get those php.exe.globals warnings all the time from maldet. They may be false positives, as a lot of legitimate stuff uses that. I don't know about your particular setup, but I do have a lot of experience with hackers getting in through PHP vulnerabilities, unfortunately. It's usually something quite simple, so don't try to overthink it.
You probably have some PHP software installed with a known vulnerability. The automated bots looking for that vulnerability probably keep finding you. Make sure all your PHP software is fully patched with the latest fixes. Make sure Apache has
AllowOverride On
so the .htaccess files can do their job. The easiest way to find the hacker's fingerprints is to first find out when the exploit happened and then do a search for datestamps to find all files that changed during that time. That is usually the first thing I do. You would think hackers would try to change that once they got in, but I guess they are too lazy or stupid to bother.
find /var/www/ -newermt 2014-12-15 ! -newermt 2014-12-16 -ls
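An added example, not code from the thread, of the datestamp search above combined with the ownership check recommended further down: it builds a throwaway web root from constructed files, lists everything modified inside a suspected compromise window with its owner, and separately flags script files sitting in upload directories, which an intruder can make look old with touch. The tree, file names and dates are made up; it assumes GNU find, stat and touch, as on a cPanel/CentOS box.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway web root out of
# constructed files, lists the ones modified inside a suspected compromise
# window together with their owner, and separately flags script files sitting
# in upload directories (which an intruder can make look old with touch).
# Assumes GNU find/stat/touch, as on a cPanel/CentOS box.
set -eu

# find_changed DIR START END
# Prints "owner path" for every regular file under DIR whose mtime falls in
# [START, END). START/END are anything GNU find's -newermt accepts.
find_changed() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" \
        -exec stat -c '%U %n' {} + | sort
}

# find_scripts_in_upload_dirs DIR
# PHP files under images/ or uploads/ are suspicious whatever their
# timestamps say; those directories should only ever hold data files.
find_scripts_in_upload_dirs() {
    find "$1" -type f \( -path '*/images/*' -o -path '*/uploads/*' \) \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# make_sample_root: writes the constructed tree and prints its path.
# index.php and logo.gif are dated well before the window; up.php (a webshell
# dropped through the site's file uploader) and a PHP session file fall inside it.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/tmp"
    printf '<?php echo "hello"; ?>\n' > "$root/public_html/index.php"
    printf 'GIF89a\n' > "$root/public_html/images/logo.gif"
    touch -d '2014-12-01 10:00:00' \
        "$root/public_html/index.php" "$root/public_html/images/logo.gif"
    printf '<?php @eval($_POST["c"]); ?>\n' > "$root/public_html/images/up.php"
    touch -d '2014-12-15 03:14:00' "$root/public_html/images/up.php"
    : > "$root/tmp/sess_0123456789abcdef"
    touch -d '2014-12-15 03:15:00' "$root/tmp/sess_0123456789abcdef"
    printf '%s\n' "$root"
}

# Stand-alone run: both reports over the constructed tree, then clean up.
demo() {
    root=$(make_sample_root)
    echo "== files changed between 2014-12-15 and 2014-12-16 =="
    find_changed "$root" 2014-12-15 2014-12-16
    echo "== script files in upload directories =="
    find_scripts_in_upload_dirs "$root"
    rm -rf "$root"
}
demo
```

On a real box run find_changed against the account's home (or /home, /var/www and /tmp) and read the owner column first: hits owned by one cPanel user point at that user's site, hits owned by root or by a service account mean the problem is bigger than one account. Because touch only rewrites mtime and leaves ctime at the time of the change, repeating the search with -newerct in place of -newermt catches backdated files; the sample tree cannot show that, since every file in it was just created.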
That's not correct. In a standard cpanel environment php will use /tmp to store files. Keep in mind that a standard cpanel environment uses suPHP and though files may be in there from multiple accounts, they may not be executable under any other account but the one that placed them there. Malicious temp files are not uncommon and not usually, in a typical cpanel environment, a sign of any problem that extends beyond a single user account.
The correct course of action would be to follow the file's ownership and then see how it was created by matching log times for cpanel and Apache. If it's owned by root, or executed with any super user privileges, then you have a bigger problem.
what I'm afraid of is, you may have backed up your friendly neighborhood hacker along with it......
btw are you by any chance providing a hosting service?
@n1kko The phishing page is deleted. @Jar
If you don't really know what to do, you should hire someone to rebuild and clean the code for you. I am sure that by now your server is running malicious things again.
I personally have never believed in this philosophy of just re-installing every time there is a problem, including hackers. Imho that is just being lazy and you will never learn anything by doing that. Should at least try to find the root cause first.
You will find the root of the cause if you know what's happening. The OP doesn't even know what to do when getting hacked (keeps changing the FTP password), so how could you expect him to do that? Hire someone and they will inspect and report what happened and do what is needed.
Agreed, but we are talking about a production server, not one that's lying idle. Would you be able to guarantee a solution, and within what time frame? I'm sure @n1kko must be having insomnia (I would), knowing the server is compromised. Mind you, the hacker may continue putting in more rubbish as you remove it.
Sure, first...and then you reinstall.
100% sorted with the superb help and support from @anthonysmith
He's good people!
So what was the problem? You sure you are not going to be hacked again within a week?
The issue was with one site, not my cPanel. Some script was injected which kept adding more PHP files all over. rkhunter came up clean and so did clamscan. A few things have now been updated on my server and I have also updated the sites' scripts.
keep monitoring just in case
Out of curiosity, what finally found the issue?
I found the issue myself first after noticing the website was acting strange. It was by pure fluke that I found a file in public_html, which made me look through more folders etc.
When the issue carried on, that's what made me think cPanel had been hacked, but I had missed more dodgy files that had been uploaded.
Uploaded via ftp (/var/log/messages), file manager (/usr/local/cpanel/logs/access_log), or POST to a vulnerable script (/usr/local/apache/domlogs)?
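The three log sources listed above, worked through as an added example that is not code from the thread: it runs over a constructed Apache domlog and a constructed /var/log/messages excerpt and pulls out POST requests inside the compromise window (the request that fed a vulnerable upload script), the first request ever made for the dropped file, and completed FTP uploads as pure-ftpd reports them to syslog. Hostnames, account names, addresses and paths are made up; it assumes the default combined log format and a standard awk.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs over a constructed Apache
# domlog and a constructed /var/log/messages excerpt and pulls out the lines
# the post above says to look for: POST requests inside the compromise window
# (the request that fed a vulnerable upload script), the first request for the
# dropped file, and completed FTP uploads. Hosts, accounts and IPs are made up.
set -eu

# key DATE -> YYYYMMDDHHMMSS, from "YYYY-MM-DD HH:MM:SS" (separators ignored).
key() { printf '%s' "$1" | tr -cd '0-9'; }

# posts_in_window DOMLOG START END
# Prints "client apache-timestamp path" for every POST whose time is in
# [START, END). Apache's dd/Mon/yyyy:HH:MM:SS is rewritten to the same
# sortable key so the comparison is a plain string compare.
posts_in_window() {
    awk -v s="$(key "$2")" -v e="$(key "$3")" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        t = substr($4, 2)                   # drop the leading "["
        split(t, p, "[/:]")                 # dd Mon yyyy HH MM SS
        k = p[3] mon[p[2]] p[1] p[4] p[5] p[6]
        if (substr($6, 2) == "POST" && k >= s && k < e) print $1, t, $7
    }' "$1"
}

# first_hit DOMLOG PATH
# First request ever made for PATH. For a dropped file that is normally the
# intruder checking their upload works, which gives an IP to chase.
first_hit() {
    awk -v path="$2" '$7 == path { print $1, substr($4, 2), substr($6, 2); exit }' "$1"
}

# ftp_uploads MESSAGES
# pure-ftpd reports finished uploads to syslog as
#   ... pure-ftpd: (user@ip) [NOTICE] /path uploaded  (N bytes, ...)
ftp_uploads() {
    awk '$5 == "pure-ftpd:" && $9 == "uploaded" { print $1, $2, $3, $6, $8 }' "$1"
}

# make_sample_logs DIR: writes the constructed log excerpts into DIR.
make_sample_logs() {
    cat > "$1/domlog" <<'EOF'
203.0.113.5 - - [14/Dec/2014:22:01:07 +0000] "GET /index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Dec/2014:03:13:58 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Dec/2014:03:14:02 +0000] "GET /images/up.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Dec/2014:03:14:09 +0000] "POST /images/up.php HTTP/1.1" 200 2048 "-" "python-requests/2.4.3"
203.0.113.5 - - [16/Dec/2014:09:00:00 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
    cat > "$1/messages" <<'EOF'
Dec 15 03:09:41 vps pure-ftpd: (acct1@198.51.100.23) [INFO] acct1 is now logged in
Dec 15 03:10:05 vps pure-ftpd: (acct1@198.51.100.23) [NOTICE] /home/acct1/public_html/images//up.php uploaded  (27 bytes, 0.9KB/sec)
Dec 15 03:10:06 vps pure-ftpd: (acct1@198.51.100.23) [INFO] Logout.
EOF
}

# Stand-alone run over the constructed logs, then clean up.
demo() {
    d=$(mktemp -d)
    make_sample_logs "$d"
    echo "== POSTs on 2014-12-15 =="
    posts_in_window "$d/domlog" '2014-12-15 00:00:00' '2014-12-16 00:00:00'
    echo "== first request for /images/up.php =="
    first_hit "$d/domlog" /images/up.php
    echo "== FTP uploads =="
    ftp_uploads "$d/messages"
    rm -rf "$d"
}
demo
```

Start from the timestamp of the dropped file, take the POSTs in the minutes before it, and the one aimed at the uploader is the entry point; the first request for the dropped file itself then gives the address to look for in the FTP and cPanel logs to see whether the same party also had credentials.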
The first file was actually uploaded from a file uploader on the website, which I have since removed. The site is running a fairly old script which I will be changing very soon.
I hate PHP for this very reason. All the files are directly accessible by the webserver by default, which seems rather dumb by today's security standards. If I could I would run everything on Python, where nothing is directly accessible, but it's often not an option for various reasons.
At a minimum a lot of php software should be re-written to use smarty templates but that doesn't seem to be happening either.
At some point something has to be available to the web server, but one can separate it from the PHP processor using something like FastCGI that runs under a different user with separate privileges. Though ultimately when you're building a dynamic site, especially one that allows for uploads or receipt of data from an end user, you really have to code it properly to sanitize what's allowed.
I'm not sure that using a specific template system is going to resolve underlying security issues; however, if you're addressing a more broad issue of separating programming logic from display rendering, absolutely. That results in not only cleaner code, but also a web site that's easier to keep up to date.
The problem is PHP is so forgiving. It's the easiest language I've ever used. This means everyone and their cousin is a programmer for the web; that's the biggest problem for PHP security. (It's like everyone using WordPress, which is easy, but they install untrusted themes or out-of-date plugins and then have a compromised site.)
If you understood how a lot of these exploits are done you would understand that removing the scripting language from direct access removes a LOT of potential exploits. I am not claiming to know this because I am an expert or because I am a hacker. I am claiming to know all this after having been the victim of numerous hacks by these scumbags.
Show them a finger