  #1  
23rd January 2010, 17:33
kerubino
apache pages modified????

Hi,

I would like to ask you what to do if you think that your ISPConfig and your system have been hacked.

What are the first steps to take?

Our sites have been hacked in this way:

At some time (I could not yet pin it down precisely) all default pages of Apache are automatically modified.

For instance: index.php, index.html...

Default pages are modified by adding an iframe that redirects you to a suspicious antivirus, antimalware or stats webpage.

It is surprising because all default pages are modified with the same TIMESTAMP.

I checked all my crons, but I didn't see anything suspicious... maybe it is a bug in ISPConfig, I don't know.

We have ISPConfig 2.2.32 on a Debian 5 64-bit machine.

Thank you in advance for your help.
  #2  
23rd January 2010, 18:05
till

Install rkhunter:

http://www.rootkit.nl/projects/rootkit_hunter.html

and run:

rkhunter -c

Quote:
I checked all my crons, but I didn't see anything suspicious... maybe it is a bug in ISPConfig, I don't know.
Possible, of course, but not that likely, as there are no known bugs. Check your logs to see if someone logs in with FTP or SSH. Do the sites where the pages get modified have anything in common, e.g. the same CMS installed in the site? Have you updated your phpMyAdmin? There was a bug some months ago which was used to infect servers. Also, do you have all updates of your Linux distro installed?
__________________
Till Brehm
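An added example, not part of the thread or of ISPConfig: a Python triage script for the symptom described in post #1. It lists default pages (index.php, index.html) that contain an iframe and groups them by modification minute, so the batch time can be compared with the FTP and SSH logins till suggests checking. The sample web root, its file names, the timestamp and the stats.example.invalid URL are constructed.

```python
import os
import re
import tempfile
import time
from collections import defaultdict

DEFAULT_PAGE = re.compile(r"^index\.(php|html?)$", re.I)
# Captures the src of any iframe tag, quoted or unquoted, in any letter case.
IFRAME_SRC = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def find_iframe_batches(webroot):
    """Map mtime (rounded down to the minute) -> [(path, [iframe src, ...])]."""
    batches = defaultdict(list)
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not DEFAULT_PAGE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    srcs = IFRAME_SRC.findall(fh.read())
                mtime = int(os.stat(path).st_mtime)
            except OSError:
                continue  # unreadable, or removed while scanning
            if srcs:
                batches[mtime - mtime % 60].append((path, [s.decode("latin-1") for s in srcs]))
    return dict(batches)

def build_sample_webroot(stamp=1264260600):
    """Constructed sample: two sites with an injected default page, one clean."""
    root = tempfile.mkdtemp(prefix="webroot-")
    pages = {
        "site1/index.html": b'<html><body>Hi<iframe src="http://stats.example.invalid/in.php" width=1 height=1></iframe></body></html>',
        "site2/index.php": b"<?php echo 'x'; ?><IFRAME SRC=http://stats.example.invalid/in.php></IFRAME>",
        "site3/index.html": b"<html><body>clean page</body></html>",
    }
    for rel, body in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(body)
        # Injected pages share one mtime; the clean page is a day older.
        when = stamp if b"iframe" in body.lower() else stamp - 86400
        os.utime(path, (when, when))
    return root

if __name__ == "__main__":
    for minute, hits in sorted(find_iframe_batches(build_sample_webroot()).items()):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(minute)), hits)
```

Pointed at a real document root, a single minute that covers the default pages of many sites is the window to look up in the FTP log. A legitimate page can also contain an iframe, so a hit is a lead to review, not proof.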
  #3  
23rd January 2010, 20:19
kerubino

Thank you.

I was also looking at the FTP logs... I see that someone is logging in to FTP who is not me!!!

I also searched with rkhunter... but nothing was found.

It seems that someone was able to get my FTP password... I'll change all passwords.
  #4  
24th January 2010, 03:13
falko

Quote:
Originally Posted by kerubino
I was also looking at the FTP logs... I see that someone is logging in to FTP who is not me!!!
Can you post an excerpt of your FTP log?
__________________
Falko
All times are GMT +2.