HowtoForge Forums > Linux Forums > Server Operation

#1  24th September 2008, 02:55  dayjahone (Senior Member, joined Jan 2007)

Phishing on my server!

An employee from HP sent me the following email:

Code:
Someone is using the address https://server.mydomain.com:81/~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run as a phish to steal paypal passwords. If you can you should turn off access to this address ASAP.
Is there a way to turn off access to this?

#2  24th September 2008, 08:37  24x7servermanagement (Junior Member, joined Sep 2008, India)

Hi

Install mod_security and enable mod_userdir protection.
__________________
24x7servermanagement.com
Windows + Linux / Hosting Support
AIM:- SrvManager || sales@24x7servermanagement.com

#3  24th September 2008, 08:40  Ben (Moderator, joined Jul 2006)

Are you administrating this server?
If so, then you should check whether this directory structure and its files are under ISPConfig's own apache document root. You should also find accesses to it in ISPConfig's apache logs (should be located in /root/ispconfig/httpd/logs).

Right now I don't think this will work in a std. installation, as userdirs are disabled (based on the fact that ~ indicates the start of a user home).

#4  24th September 2008, 08:42  Ben (Moderator, joined Jul 2006)

Quote:
Originally Posted by 24x7servermanagement
Install mod_security and enable mod_userdir protection.

If he is asking how he can prevent this access, then he won't be able to configure the filters for mod_security in depth.

An iptables command to drop all incoming connections on port 81 will help the same way.

#5  24th September 2008, 08:50  till (Super Moderator, joined Apr 2005, Lüneburg, Germany)

Quote:
An employee from HP sent me the following email:

Have you tested that this URL really works? If yes, you should find out why it works and how the attacker got in. Just denying access to the files won't fix this in the long term.

For example, search for the requested file by running:

locate cmd_login-runas

and check your server with chkroot and rkhunter.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#6  24th September 2008, 14:24  dayjahone (Senior Member, joined Jan 2007)
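As an added example that is not part of the thread, a small POSIX shell triage script for the steps suggested above: count requests to the reported ~testing phishing directory per client IP in an Apache access log, count the POSTs to it (each one is probably a submitted PayPal password), and check whether an Apache config still has UserDir enabled at all. The log lines are constructed; the path prefix is taken from the reported URL, and no ISPConfig log or config location is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: triage helpers for a phishing page
# served from a userdir, as in the reported URL. The log lines below are
# constructed in Apache combined-log format; the path prefix comes from the
# reported URL; ISPConfig log and config locations are not assumed.

# Directory of the fake PayPal site under the ~testing userdir.
PHISH_PREFIX='/~testing/www.paypal.com/cgi-bin/webscr/'

# Constructed sample access log: three hits on the phishing page, one normal.
SAMPLE_LOG='203.0.113.5 - - [24/Sep/2008:02:10:11 +0200] "GET /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2008:02:11:40 +0200] "POST /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2008:02:12:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Sep/2008:02:12:30 +0200] "POST /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Requests under the phishing prefix (log on stdin), grouped by client IP.
# Prints "<count> <ip>" lines, busiest client first.
phish_hits_by_ip() {
    grep -F -- "$PHISH_PREFIX" | awk '{print $1}' | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# POSTs to the phishing page: each one is probably a submitted credential
# set, which is what the victims (and PayPal) need to be told about.
phish_post_count() {
    grep -F -- "$PHISH_PREFIX" | grep -c '"POST ' || true
}

# Does an Apache config (on stdin) enable userdirs at all? Returns 0 (true)
# for any UserDir directive except a bare "UserDir disabled"; note that
# "UserDir disabled root" still enables userdirs for everyone but root.
userdir_enabled() {
    awk 'tolower($1) == "userdir" {
             if (tolower($2) != "disabled" || NF > 2) found = 1
         }
         END { exit !found }'
}

# Stand-alone run against the constructed data.
printf '%s\n' "$SAMPLE_LOG" | phish_hits_by_ip
printf 'credential POSTs: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | phish_post_count)"
```

Run the two log helpers against the real access log with a redirect instead of the constructed sample, and feed `userdir_enabled` the concatenated Apache config files.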

Equally troubling is the fact that I can't log on with ssh anymore. My password is refused for admin and a normal user.

#7  24th September 2008, 14:28  dayjahone (Senior Member, joined Jan 2007)

The user he gave me in the email does not work, but it seems like a legitimate email and it was sent via a mail form on my website (not to an email address).

I checked my server with chkroot and rkhunter a few weeks ago (when I could log in using ssh) and it didn't come up with anything.

Last edited by dayjahone; 24th September 2008 at 14:32.

#8  24th September 2008, 14:30  till (Super Moderator, joined Apr 2005, Lüneburg, Germany)

Ok, then your server has most likely been hacked and the hacker got root privileges. Do you have physical access, or does the server have a rescue system that you can boot to?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#9  24th September 2008, 14:41  dayjahone (Senior Member, joined Jan 2007)

I have physical access but no rescue system.

#10  25th September 2008, 04:36  dayjahone (Senior Member, joined Jan 2007)

I turned it off for now. If you can think of a way to get it back up, I'd be your best friend forever.

If not, is it a bad idea to copy the mail messages and databases over to a different server?