  #1  
Old 14th November 2010, 18:37
breauxlg breauxlg is offline
Junior Member
 
Join Date: Jul 2009
Posts: 27
Thanks: 3
Thanked 0 Times in 0 Posts
Default Hacked! All my sites gone

All of the sites on my Ubuntu server with ISPConfig 2 have been zapped. All that is left in the var/www/webXX/web folders are the default index.htm, and the error and webalizer folders. All of my databases are still intact, but the content is gone. I have no clue where to start looking. My mail is still working, but I don't know what is fried and what is not.
Reply With Quote
  #2  
Old 15th November 2010, 15:32
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,751 Times in 2,581 Posts
Default

Do you have backups?
Did you run rkhunter and/or chkrootkit to find out if there's malware on your server?
Did you check your logs?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 15th November 2010, 15:52
breauxlg breauxlg is offline
Default I'll have to find out how to do those things.

I'll have to search on those functions to see how to do them. I had installed a backup program, but I don't see it anymore and the only backup I have on an external drive is old. I hadn't been paying attention to this server, because it just ran, so I thought everything was okay. I'm trying to move my email accounts to another server so I can zap this one and start again. Is there a place where a person can buy an ubuntu/lamp/ispconfig3 image that is bullet-proof?
Reply With Quote
  #4  
Old 15th November 2010, 16:26
breauxlg breauxlg is offline
Default RKHunter and CHKROOTKIT logs

Here are the logs from RKHUNTER and CHKROOTKIT.
Attached Files
File Type: txt chkrootkitlog.txt (4.5 KB, 160 views)
File Type: txt rkhunter.txt (73.4 KB, 159 views)
Reply With Quote
  #5  
Old 16th November 2010, 17:23
falko falko is offline
Default

The logs look ok, but maybe one of your web applications is vulnerable. Did you keep them up-to-date?
Reply With Quote
The Following User Says Thank You to falko For This Useful Post:
breauxlg (16th November 2010)
  #6  
Old 16th November 2010, 21:59
breauxlg breauxlg is offline
Default Apparently, my apps are not up to date

Falko,
I checked for updates on the server and it says there are 113 updates available. Apparently I hadn't done them in a while. I see you have a perfect server for Ubuntu 10.04 LTS and ISPConfig 3 tutorial. I had used one of your older tutorials when I set this server up and it ran great for a good while. I do have a couple of Drupal sites and one Joomla site. Can those have been the culprits? It looks like I'll be doing the 10.04. Does that tutorial give everything I need to have a hack-proof server? Is there even such a thing? How often should I have the server check for updates? Do I ask too many questions? If so, disregard that last one.
Reply With Quote
  #7  
Old 16th November 2010, 23:35
damir damir is offline
Senior Member
 
Join Date: Jun 2006
Posts: 375
Thanks: 11
Thanked 51 Times in 42 Posts
Default

Servers need to be patched all the time; I check my servers almost every day. Subscribe to security RSS feeds and monitor your server regularly. Perfect guides are for installing, they are far from bulletproof. Securing and hardening your system takes some trial and error, but it is something that you need to do.

If you run your business on these servers then I would think twice about hiring you, but if those are hobby projects then it's good learning.
Reply With Quote
  #8  
Old 17th November 2010, 00:41
breauxlg breauxlg is offline
Default Checking servers

The sites I have on this server are not mission critical. I have a Windows 2008 server that sits right next to this one. It has a number of websites on it that have been running for years and I've never had any problem with them. I wanted to see what the Linux world had to offer, so I took an old server and loaded Ubuntu on it to play around with. After I got a little comfortable with it, I bought a new server and installed the LTS that was available at the time using Falko's perfect server tutorial.

By the way, I can't say enough good things about Falko. I don't know where he finds the time and patience to do what he does (I guess he's a he) on these forums. The server was working fine, although I noticed that the Drupal and Joomla based sites get more than their share of probes from the internet. I just went back and saw that all of the site folders had been modified on October 29th at pretty much the same time. I would like to know how to look back at a system log to maybe figure out where the attack originated - maybe in one of the Drupal or Joomla applications. My system log only seems to go back a week.
Reply With Quote
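An added example, not part of any post in this thread: one way to line up the modification time of the site folders with the web server's access logs, reading rotated and gzip-compressed logs as well as the current one. It assumes GNU find, Apache common/combined log format and log files named `access.log*`; the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find which requests hit a site in the
# window when its files changed, reading rotated and gzip-compressed logs too.

# List files and directories under ROOT modified between START and END
# (GNU find; dates like "2010-10-29 00:00").
changed_in_window() {
    find "$1" -newermt "$2" ! -newermt "$3" -printf '%TY-%Tm-%Td %TH:%TM  %p\n' | sort
}

# Print access-log lines from LOGDIR dated DAY (Apache style, 29/Oct/2010)
# with an hour between FROM and TO inclusive.
requests_in_window() {
    for f in "$1"/access.log*; do
        [ -f "$f" ] || continue
        case $f in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done | awk -v day="$2" -v from="$3" -v to="$4" '{
        split(substr($4, 2), t, ":")      # $4 is "[29/Oct/2010:03:14:07"
        if (t[1] == day && t[2] + 0 >= from + 0 && t[2] + 0 <= to + 0) print
    }'
}

# Count requests other than GET/HEAD per client in that window, busiest first.
writers_in_window() {
    requests_in_window "$@" |
        awk '$6 != "\"GET" && $6 != "\"HEAD" { n[$1]++ }
             END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample data: one current log and one rotated, compressed log.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [16/Nov/2010:09:00:01 +0100] "GET /index.htm HTTP/1.1" 200 310
EOF
    gzip -c > "$1/access.log.3.gz" <<'EOF'
198.51.100.7 - - [29/Oct/2010:03:14:07 +0200] "POST /index.php HTTP/1.1" 200 512
198.51.100.7 - - [29/Oct/2010:03:14:09 +0200] "POST /index.php HTTP/1.1" 200 498
192.0.2.10 - - [29/Oct/2010:03:20:11 +0200] "GET /index.htm HTTP/1.1" 200 310
203.0.113.5 - - [29/Oct/2010:11:02:40 +0200] "POST /contact.php HTTP/1.1" 200 88
EOF
}
```

If rotation has already deleted the logs covering the day in question, the same functions can be pointed at a directory of logs restored from a backup.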
  #9  
Old 17th November 2010, 10:42
damir damir is offline
Default

Falko and Till are founders of howtoforge and ISPConfig, this is their living. If they stop, customers stop coming, but they are top notch.

If your server is patched and correctly configured, it is very very hard for an attacker to take control of your system. To be root hacked is 100% the administrator's fault.
Reply With Quote
  #10  
Old 18th November 2010, 05:53
metaldrummer metaldrummer is offline
Senior Member
 
Join Date: Dec 2006
Posts: 108
Thanks: 18
Thanked 1 Time in 1 Post
 
Exclamation

Quote:
Originally Posted by damir View Post
Falko and Till are founders of howtoforge and ISPConfig, this is their living. If they stop, customers stop coming, but they are top notch.

If your server is patched and correctly configured, it is very very hard for an attacker to take control of your system. To be root hacked is 100% the administrator's fault.
It is true... this problem is a hack from Turkish.

Apache vulnerability.

In my case I have openSUSE 11.0 and do not know how to upgrade to 11.3.
I fear that the server will become unusable.

Can anyone help me, or is there any guide?
Regards
Reply With Quote
All times are GMT +2. The time now is 10:34.

