HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


breauxlg 14th November 2010 17:37

Hacked! All my sites gone
 
All of the sites on my Ubuntu server with ISPConfig 2 have been zapped. All that is left in the var/www/webXX/web folders are the default index.htm, and the error and webalizer folders. All of my databases are still intact, but the content is gone. I have no clue where to start looking. My mail is still working, but I don't know what is fried and what is not.

falko 15th November 2010 14:32

Do you have backups?
Did you run rkhunter and/or chkrootkit to find out if there's malware on your server?
Did you check your logs?

breauxlg 15th November 2010 14:52

I'll have to find out how to do those things.
 
I'll have to search on those functions to see how to do them. I had installed a backup program, but I don't see it anymore and the only backup I have on an external drive is old. I hadn't been paying attention to this server, because it just ran, so I thought everything was okay. I'm trying to move my email accounts to another server so I can zap this one and start again. Is there a place where a person can buy an Ubuntu/LAMP/ISPConfig 3 image that is bullet-proof?

breauxlg 15th November 2010 15:26

RKHunter and CHKROOTKIT logs
 
Here are the logs from RKHUNTER and CHKROOTKIT.

falko 16th November 2010 16:23

The logs look ok, but maybe one of your web applications is vulnerable. Did you keep them up-to-date?

breauxlg 16th November 2010 20:59

Apparently, my apps are not up to date
 
Falko,
I checked for updates on the server and it says there are 113 updates available. Apparently I hadn't done them in a while. I see you have a perfect server for Ubuntu 10.04 LTS and ISPConfig 3 tutorial. I had used one of your older tutorials when I set this server up and it ran great for a good while. I do have a couple of Drupal sites and one Joomla site. Can those have been the culprits? It looks like I'll be doing the 10.04. Does that tutorial give everything I need to have a hack-proof server? Is there even such a thing? How often should I have the server check for updates? Do I ask too many questions? If so, disregard that last one.

damir 16th November 2010 22:35

Servers need to be patched all the time; I check my servers almost every day. Subscribe to security RSS feeds and monitor your server regularly. Perfect guides are for installing, they are far from bulletproof. To secure and harden your system takes some trial and error, but it is something that you need to do.

If you run your business on these servers then I would think twice before hiring you, but if those are hobby projects then it's good learning.

breauxlg 16th November 2010 23:41

Checking servers
 
The sites I have on this server are not mission critical. I have a Windows 2008 server that sits right next to this one. It has a number of websites on it that have been running for years and I've never had any problem with them. I wanted to see what the Linux world had to offer, so I took an old server and loaded Ubuntu on it to play around with. After I got a little comfortable with it, I bought a new server and installed the LTS that was available at the time using Falko's perfect server tutorial.

By the way, I can't say enough good things about Falko. I don't know where he finds the time and patience to do what he does (I guess he's a he) on these forums. The server was working fine, although I noticed that the Drupal and Joomla based sites get more than their share of probes from the Internet. I just went back and saw that all of the site folders had been modified on October 29th at pretty much the same time. I would like to know how to look back at a system log to maybe figure out where the attack originated - maybe in one of the Drupal or Joomla applications. My system log only seems to go back a week.
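
Added example, not part of the original post: one way to tie the October 29th modification time mentioned above to web requests, by listing the files changed in that window and then pulling state-changing requests for the same day out of the access logs, including gzip-rotated ones. It assumes GNU find, Apache "combined" format logs, and that rotated logs still reach back to that date; the directory arguments are placeholders for your own paths.

```shell
#!/bin/sh
# Added example (not from the thread). Log format and paths are assumptions.

# List files under a web root whose mtime falls inside [START, END).
# usage: modified_between /var/www/webXX/web "2010-10-29 00:00" "2010-10-30 00:00"
modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" \
        -printf '%TY-%Tm-%Td %TH:%TM  %p\n' | sort
}

# Print POST/PUT/DELETE requests logged on DAY between HOUR_FROM and HOUR_TO
# (inclusive), reading plain and .gz rotated access logs in LOGDIR.
# usage: writes_in_window LOGDIR 29/Oct/2010 2 4
writes_in_window() (
    dir=$1 day=$2 from=$3 to=$4
    for f in "$dir"/*access*log*; do
        [ -e "$f" ] || continue
        case $f in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done | awk -v day="$day" -v from="$from" -v to="$to" '
        {
            # $4 looks like [29/Oct/2010:03:14:07 and $6 like "POST
            split(substr($4, 2), t, ":")
            method = substr($6, 2)
            hour = t[2] + 0
            if (t[1] == day && hour >= from + 0 && hour <= to + 0 &&
                (method == "POST" || method == "PUT" || method == "DELETE"))
                print
        }'
)

# Count those requests per client address, busiest first.
# usage: top_clients LOGDIR 29/Oct/2010 2 4
top_clients() {
    writes_in_window "$@" | awk '{print $1}' | sort | uniq -c | sort -rn
}
```

If the rotated logs no longer cover the date, these functions return nothing, which is itself a finding: log retention was too short to investigate the incident.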

damir 17th November 2010 09:42

Falko and Till are founders of howtoforge and ISPConfig, this is their living. If they stop, customers stop coming :) but they are top notch.

If your server is patched and correctly configured, it is very, very hard for an attacker to take control of your system. To be root hacked is 100% the administrator's fault.

metaldrummer 18th November 2010 04:53

Quote:

Originally Posted by damir (Post 244524)
Falko and Till are founders of howtoforge and ISPConfig, this is their living. If they stop, customers stop coming :) but they are top notch.

If your server is patched and correctly configured, it is very, very hard for an attacker to take control of your system. To be root hacked is 100% the administrator's fault.

It's true... this problem is a Turkish hack.

Apache vulnerability.

In my case I have openSUSE 11.0 and do not know how to upgrade to 11.3.
I am afraid the server will be left unusable.

Can anyone help me, or is there a guide?
Regards

