My ISPConfig server got hacked

Discussion in 'General' started by quannv, Apr 1, 2011.

  1. quannv

    quannv New Member

    The document root (/var/www) of my ISPConfig 3 server (Debian Lenny) was written to by a hacker; he put a phishing website with an .it domain there. After I deleted the phishing website, he put it back again, and I cannot work out the reason. This problem is really awesome for me. I attach the website code here, so if anyone needs other information to inspect it, I will provide it.

    Update: I checked the /tmp directory and found the phishing website code there. How do I prevent /tmp attacks?
     

    Last edited: Apr 1, 2011
  2. i-chat

    i-chat New Member

    First of all, please explain properly what you did to try to stop this.
    Also tell us things like who you think did this, for example whether it is a client or someone you don't know.

    Do you protect your server with a firewall, and how strong are your passwords? Note that a password should always be complex.

    A password like abcd123 is easily hackable,
    whereas #M7tW3ftW.8oO0 is not.

    Try to understand that decent security is very important, and try to do some background checks (like reading the logs) to investigate what the problem may be here.

    Note that no one here has access to your server, so we can't really help you unless you tell us more.
     
  3. Norman

    Norman HowtoForge Supporter

    Most likely the reason he was able to access /tmp is that one of your sites has wrong chmod on its directories, so they could upload files (PHP shells), or has outdated versions of common CMSes with security exploits.

    Update your websites and make sure you find which website was used to execute scripts locally as that user.
    Check which user owns the files under /tmp; it should give some hints.
    If they are owned by www-data, you have to check the access.log of each site individually, or do some grepping/find for unknown files that seem out of place.
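
    The three checks in the post above (who owns what in /tmp, what the per-site access logs show, which files are out of place in a document root), as an added example that is not code from the thread or from ISPConfig. It assumes the ISPConfig 3 layout of /var/www/<site>/web for the docroot and /var/www/<site>/log/access.log in Apache combined format; the sample site and log lines at the bottom are constructed so the helpers run offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage helpers for the three checks
# Norman describes. Paths follow the ISPConfig 3 layout this server would have
# (/var/www/<site>/web for the docroot, /var/www/<site>/log/access.log), but
# those are assumptions; the sample data at the bottom is constructed.

# 1. Owners of the entries directly under /tmp, most frequent first. A payload
#    owned by www-data or by a site's shell user stands out from root/mysql
#    housekeeping files (the #sql_*.MYD/MYI pairs are MySQL temp tables).
tmp_owners() {
    find "$1" -mindepth 1 -maxdepth 1 -printf '%u\n' 2>/dev/null | sort | uniq -c | sort -rn
}

# 2. Requests worth a second look in an Apache combined-format access.log:
#    POSTs to PHP scripts (how a shell is usually driven and how uploads land)
#    and any PHP script requested from a directory that should only hold media.
#    Legitimate CMS traffic also POSTs to PHP (wp-admin/admin-ajax.php), so these
#    are leads to correlate with file timestamps, not proof by themselves.
suspicious_requests() {
    awk '
        $6 == "\"POST" && $7 ~ /\.php/                        { print FILENAME ": " $0; next }
        $7 ~ /\/(uploads|images|files|cache|tmp)\/[^ ]*\.php/ { print FILENAME ": " $0 }
    ' "$@"
}

# 3. Files that do not belong in a document root: PHP code under upload/media
#    directories, and anything not owned by the site's own user or uid ($2).
rogue_files() {
    root="$1"; owner="$2"
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' \) \
        \( -path '*/uploads/*' -o -path '*/images/*' -o -path '*/cache/*' \)
    find "$root" -type f ! -user "$owner"
}

# Constructed sample site so the helpers can be exercised offline; prints the
# temporary directory it creates.
make_sample() {
    s=$(mktemp -d)
    mkdir -p "$s/web/images" "$s/web/wp-content/uploads" "$s/log"
    : > "$s/web/index.php"
    : > "$s/web/images/logo.png"
    : > "$s/web/wp-content/uploads/c99.php"   # constructed web-shell stand-in
    cat > "$s/log/access.log" <<'EOF'
10.0.0.5 - - [02/Apr/2011:10:40:11 +0700] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Apr/2011:10:45:30 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Apr/2011:10:46:02 +0700] "GET /wp-content/uploads/c99.php?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Apr/2011:10:47:00 +0700] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
    echo "$s"
}

# On a real host (assumed paths), run per site and then look at the mtime of
# anything flagged, e.g.:
#   tmp_owners /tmp
#   for site in /var/www/*/; do
#       suspicious_requests "$site/log/access.log"
#       rogue_files "$site/web" "$(stat -c %u "$site/web")"
#   done
if [ "${1:-}" = "demo" ]; then
    site=$(make_sample)
    tmp_owners "$site/web"
    suspicious_requests "$site/log/access.log"
    rogue_files "$site/web" "$(id -u)"
    rm -rf "$site"
fi
```

    Run with `sh triage.sh demo` against the constructed sample; the second function flags the POST to admin-ajax.php and the GET of uploads/c99.php, the third lists only the PHP file sitting in the uploads directory.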
     
  4. quannv

    quannv New Member

    Thanks Norman. I checked the owner of the files in /tmp and I see that root is the owner; can someone run under root?

    There are some files with the mysql owner:

    -rw-rw---- 1 mysql mysql 1385260 Apr 2 10:46 #sql_2a25_0.MYD
    -rw-rw---- 1 mysql mysql 1024 Apr 2 10:46 #sql_2a25_0.MYI
     
  5. Norman

    Norman HowtoForge Supporter

    Well, it could be any of numerous ways, if they gained access to write to /tmp through an exploited site.
    You could also be running outdated local software that made it possible to exploit. Who knows.

    Can't tell for sure without access to the system and doing an investigation.
    Talking someone through a forensic exam isn't really an option.

    *does this for a living*
     

Share This Page