Hacked! All my sites gone

Discussion in 'Installation/Configuration' started by breauxlg, Nov 14, 2010.

  1. breauxlg

    breauxlg New Member

    All of the sites on my ubuntu server with ispconfig2 have been zapped. All that is left in the var/www/webXX/web folders are the default index.htm, and the error and webalizer folders. All of my databases are still intact, but the content is gone. I have no clue where to start looking. My mail is still working, but I don't know what is fried and what is not.
  2. falko

    falko Super Moderator ISPConfig Developer

    Do you have backups?
    Did you run rkhunter and/or chkrootkit to find out if there's malware on your server?
    Did you check your logs?
  3. breauxlg

    breauxlg New Member

    I'll have to find out how to do those things.

    I'll have to search on those functions to see how to do them. I had installed a backup program, but I don't see it anymore and the only backup I have on an external drive is old. I hadn't been paying attention to this server, because it just ran, so I thought everything was okay. I'm trying to move my email accounts to another server so I can zap this one and start again. Is there a place where a person can buy an ubuntu/lamp/ispconfig3 image that is bullet-proof?
  4. breauxlg

    breauxlg New Member

    RKHunter and CHKROOTKIT logs

    Here are the logs from RKHUNTER and CHKROOTKIT.

    Attached Files:

  5. falko

    falko Super Moderator ISPConfig Developer

    The logs look ok, but maybe one of your web applications is vulnerable. Did you keep them up-to-date?
  6. breauxlg

    breauxlg New Member

    Apparently, my apps are not up to date

    I checked for updates on the server and it says there are 113 updates available. Apparently I hadn't done them in a while. I see you have a perfect server for ubuntu 10.04 lts and ispconfig3 tutorial. I had used one of your older tutorials when I set this server up and it ran great for a good while. I do have a couple of drupal sites and one joomla site. Can those have been the culprits? It looks like I'll be doing the 10.04. Does that tutorial give everything I need to have a hack-proof server? Is there even such a thing? How often should I have the server check for updates? Do I ask too many questions? If so, disregard that last one.
  7. damir

    damir New Member

    Servers needs to be patched all the time, i check my servers almost every day. Subscribe to security RSS feeds and monitor your server regularly. Perfect guides are for installing, they are far from bulletproof. To secure and harden your system take some trial and error but it is something that you need to do.

    If you run your business on these servers than i would think twice to hire you but if those are hobby projects than it's a good learning.
  8. breauxlg

    breauxlg New Member

    Checking servers

    The sites I have on this server are not mission critical. I have a Windows 2008 server that sits right next to this one. It has a number of websites on it that have been running for years and I've never had any problem with them. I wanted to see what the linux world had to offer, so I took an old server and loaded Ubuntu on it to play around with. After I got a little comfortable with it, I bought a new server and installed the lts that was available at the time using Falko's perfect server tutorial.

    By the way, I can't say enough good things about Falko. I don't know where he finds the time and patience to do what he does (I guess he's a he) on these forums. The server was working fine, although I noticed that the drupal and joomla based sites get more than their share of probes from the internet. I just went back and saw that all of the site folders had been modified on October 29th at pretty much the same time. I would like to know how to look back at a system log to maybe figure out where the attack originated - maybe in one of the drupal or joomla applications. My system log only seems to go back a week.
  9. damir

    damir New Member

    Falko and Till are founders of howtoforge and ISPConfig, this is their living. If they stop, customers stops to come :) but they are top notch.

    If your server is patched and correctly configured, it is very very hard for attacker to take control of your system. To be root hacked is 100% administrators fault.
  10. metaldrummer

    metaldrummer New Member

    Is true...this problem is hack from turquish.

    Apache vulnerability.

    On my case i have opensuse 11.0 and not know how to upgrade to 11.3.
    I have fear that the server unusable.

    Any can help me or any guide?
  11. damir

    damir New Member

    ^ I have no clue how to upgrade to 11.3, im a Debian user but doesn't Opensuse provides security patched to 11.0?
  12. metaldrummer

    metaldrummer New Member

    Now only for 11.1, 11.2 & 11.3

    11.0 discontinued :-(

    Someone using OpenSuse 11.x with Ispconfig 2.x?


Share This Page