Phishing on my server!

Discussion in 'Server Operation' started by dayjahone, Sep 24, 2008.

  1. dayjahone

    dayjahone Member

    An employee from HP sent me the following email:

    Someone is using the address as a phish to steal PayPal passwords. If you can, you should turn off access to this address ASAP.
    Is there a way to turn off access to this?
  2. Hi

    Install mod_security and enable mod_userdir protection.
  3. Ben

    Ben ISPConfig Developer

    Are you administering this server?
    If so, you should check whether this directory structure and its files are under ISPConfig's own Apache document root. You should also find the accesses to it in ISPConfig's Apache logs (which should be located in /root/ispconfig/httpd/logs).

    Right now I don't think this will work in a standard installation, as userdirs are disabled (based on the fact that ~ indicates the start of a user home).
  4. Ben

    Ben ISPConfig Developer

    If he is asking how he can prevent this access, then he won't be able to configure the filters for mod_security in depth.

    An iptables command to drop all incoming connections on port 81 will help the same way. ;)
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you tested that this URL really works? If yes, you should find out why it works and how the attacker got in. Just denying access to the files won't fix this in the long term.

    For example, search for the requested file by running:

    locate cmd_login-runas

    and check your server with chkrootkit and rkhunter.
  6. dayjahone

    dayjahone Member

    Equally troubling is the fact that I can't log on with ssh anymore. My password is refused for admin and a normal user.
  7. dayjahone

    dayjahone Member

    The user he gave me in the email does not work, but it seems like a legitimate email and it was sent via a mail form on my website (not to an email address).

    I checked my server with chkrootkit and rkhunter a few weeks ago (when I could log in using ssh) and it didn't come up with anything.
    Last edited: Sep 24, 2008
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    OK, then your server has most likely been hacked and the hacker got root privileges. Do you have physical access, or does the server have a rescue system that you can boot into?
  9. dayjahone

    dayjahone Member

    I have physical access but no rescue system.
  10. dayjahone

    dayjahone Member

    I turned it off for now. If you can think of a way to get it back up, I'd be your best friend forever.

    If not, is it a bad idea to copy the mail messages and databases over to a different server?
  11. falko

    falko Super Moderator ISPConfig Developer

    You should set up the server from scratch again, everything else would be too insecure. You can make backups of the old data by booting into the rescue system.
  12. dayjahone

    dayjahone Member

    On this server, I allowed people to sign up for an email address. Is it safe to set up those same email addresses on a different server and use again?

    I had ISPConfig running on the old server, but with only one website. Is there a way, and is it safe, to retrieve a database that was used for a blog and forum on the old server? If so, where do I find it?

  13. savago

    savago Member

    Maybe rkhunter and chkrootkit running from cron will resolve this problem. And securing Apache/PHP is a good idea (Suhosin + mod_security).
  14. marpada

    marpada New Member

    Try to understand how the attackers broke in: check the permissions, /tmp, faulty software, logs, the "testing" user... If not, they could do it again and again.
    The most secure way is to boot from a LiveCD and mount the filesystems.

    Consider banning the IP ranges of some countries; maybe none of your users are from China or Russia, so why risk letting crackers from these countries in? (Russian or Chinese users of the forum, don't hate me :p)
    Last edited: May 13, 2011
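The offline checks recommended in this thread (till's search for the requested file plus chkrootkit/rkhunter, marpada's look at permissions, /tmp, logs and leftover users after booting a LiveCD and mounting the filesystems), collected into one script. This is an added example written for this page, not code from the thread or from ISPConfig. The mount point /mnt/victim, the web roots under /var/www, /home and /srv/www, the Apache log locations and the combined log format are assumptions; the filename cmd_login-runas is the one till named above.

```shell
#!/bin/sh
# Offline triage of a hacked box from a LiveCD: mount the old root read-only
# and inspect it; never run anything from the compromised disk.
# Added example for this thread, not ISPConfig code. Mount point, web roots
# and log layout below are assumptions; adjust them to the real install.
#
#   mkdir -p /mnt/victim
#   mount -o ro,noexec,nosuid,nodev /dev/sda1 /mnt/victim   # device is an assumption
#   sh triage.sh /mnt/victim 7

# Accounts with uid 0 besides root: a classic leftover of a root compromise.
find_uid0_accounts() {                      # $1 = mounted root
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Every non-system account that can log in; the admin decides which of
# them (a "testing" user, say) he never created.
list_login_accounts() {                     # $1 = mounted root
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $6 }' \
        "$1/etc/passwd"
}

# Files under the web roots changed in the last N days; a phishing kit is
# usually the newest thing in the document root.
find_recent_web_files() {                   # $1 = mounted root, $2 = days
    for d in var/www home srv/www; do
        [ -d "$1/$d" ] && find "$1/$d" -xdev -type f -mtime "-$2"
    done
    return 0
}

# Executables and dotfiles in the world-writable scratch directories,
# where downloaded tools and bots usually land.
find_tmp_suspects() {                       # $1 = mounted root
    for d in tmp var/tmp dev/shm; do
        [ -d "$1/$d" ] && find "$1/$d" -xdev -mindepth 1 \
            \( -type f -perm -100 -o -name '.*' \)
    done
    return 0
}

# setuid/setgid files anywhere on the disk; compare against a clean install.
find_setuid() {                             # $1 = mounted root
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
}

# The file named in the abuse report, wherever it sits on the disk.
find_named() {                              # $1 = mounted root, $2 = filename
    find "$1" -xdev -name "$2"
}

# Who requested the phishing path, from Apache combined-format access logs:
# hit count per client IP, busiest first.
phish_visitors() {                          # $1 = path fragment, $2... = log files
    frag=$1; shift
    grep -h -F -- "$frag" "$@" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# The first request for the path dates the kit going live; read the logs
# backwards from there for the upload or exploit that dropped it.
first_hit() {                               # $1 = path fragment, $2... = log files
    frag=$1; shift
    grep -h -F -- "$frag" "$@" | head -n 1
}

triage() {                                  # $1 = mounted root, $2 = days back
    root=$1; days=${2:-7}
    echo "== extra uid-0 accounts";         find_uid0_accounts "$root"
    echo "== login accounts";               list_login_accounts "$root"
    echo "== web files changed in $days d"; find_recent_web_files "$root" "$days"
    echo "== /tmp suspects";                find_tmp_suspects "$root"
    echo "== setuid/setgid";                find_setuid "$root"
    echo "== cmd_login-runas";              find_named "$root" 'cmd_login-runas'
    echo "== phishing path visitors"
    phish_visitors 'cmd_login-runas' "$root"/root/ispconfig/httpd/logs/access_log* \
        "$root"/var/log/apache2/access.log* 2>/dev/null
}

# Runs only when given a mount point, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    triage "$1" "${2:-7}"
fi
```

The disk is mounted ro,noexec,nosuid so the inspection changes no timestamps and nothing on it can be executed by accident; rkhunter and chkrootkit run from the LiveCD against the mount point for the same reason, since a rooted box can lie to tools run on it. Whatever the first request for the phishing path reveals (a PHP upload form, an old web application, a stolen SSH password) is the hole to close on the rebuilt server.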
  15. dayjahone

    dayjahone Member

    Thanks for all the help, people. I'm fine with rebuilding it from scratch as it was on an old OS and the software needed to be updated anyway. I do have three concerns, however:

    1) I have some databases on there that I used for a forum and blog that I would like to retrieve and use on a different server. The box is behind a firewall, so I was thinking of closing all of the ports on the firewall and using phpMyAdmin locally to export the databases. Is this safe? Will I be able to login? I was able to use ISPConfig even after it was hacked.

    2) Also, a lot of people have email addresses that I'd like to re-establish for them on a different server. Is there any harm in doing that? I allowed people to sign up for their own email address (I don't know all of the people who signed up for one), so is there a chance that by setting up the same email account on a different server, they can hack a different server?

    Last edited: Sep 26, 2008
  16. falko

    falko Super Moderator ISPConfig Developer

    Yes, you can do this using phpMyAdmin.

    You can use the same usernames, but I strongly recommend to use different (and strong) passwords.
  17. dayjahone

    dayjahone Member

    1) Is it risky to reuse these databases?

    2) The thing is I don't know these users. Can people hack into my system if they have an email address? Even if they have a valid username and password?
  18. marpada

    marpada New Member

    If your database was compromised they have the encrypted passwords of your users. Although it's "almost impossible" to decipher the passwords by brute force, they can run a dictionary attack to reveal weak passwords.

    They can't get into your system with the email password, but they may use the password to log in to other services if they reuse passwords (their bank accounts, Gmail, ...).
    Last edited: May 13, 2011
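marpada's point in runnable form: forum and blog software of that era commonly stored unsalted MD5 password hashes, so whoever copied the users table can run it against a wordlist offline and recover every weak password. This is an added example for this page, not code from the thread; the dump, the wordlist and the user:md5hex layout are constructed assumptions. It also shows why a shared weak password costs nothing extra to crack: one hash computation per word covers every user at once.

```shell
#!/bin/sh
# Dictionary attack on a dump of unsalted MD5 password hashes, as old forum
# and blog software stored them. Added example for this thread; the dump,
# the wordlist and the user:md5hex layout are constructed assumptions.

md5hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Hash each candidate word once and match it against every user at the same
# time: with unsalted hashes the work is per word, not per user, which is
# what makes a leaked table so cheap to attack. Prints user:password.
crack_md5_dump() {                      # $1 = dump file, $2 = wordlist file
    while IFS= read -r word || [ -n "$word" ]; do
        h=$(md5hex "$word")
        awk -F: -v h="$h" -v w="$word" '$2 == h { print $1 ":" w }' "$1"
    done < "$2"
}

# Users whose hash matched nothing in the wordlist survived this run; a
# bigger wordlist or mangling rules would be the attacker's next step.
uncracked_users() {                     # $1 = dump file, $2 = wordlist file
    hits=$(mktemp)
    crack_md5_dump "$1" "$2" | cut -d: -f1 | sort -u > "$hits"
    cut -d: -f1 "$1" | sort -u | comm -23 - "$hits"
    rm -f "$hits"
}

# Constructed sample: four forum accounts. alice and dave both chose
# "password", bob chose "123456", carol chose a passphrase no wordlist has.
write_sample() {                        # $1 = dump file, $2 = wordlist file
    {
        echo "alice:5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password")
        echo "bob:e10adc3949ba59abbe56e057f20f883e"     # md5("123456")
        echo "carol:$(md5hex 'grackle-foil-saturn-91')"
        echo "dave:5f4dcc3b5aa765d61d8327deb882cf99"    # same hash as alice
    } > "$1"
    printf '%s\n' 123456 letmein password qwerty > "$2"
}

demo() {
    dump=$(mktemp); words=$(mktemp)
    write_sample "$dump" "$words"
    echo "cracked:";  crack_md5_dump "$dump" "$words"
    echo "survived:"; uncracked_users "$dump" "$words"
    rm -f "$dump" "$words"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with --demo: alice, dave and bob fall in the first pass, carol does not. Which is exactly why the dumps can be reused for the content while every password is reset, as falko advises: the attacker already holds the hashes, and nothing on the new server can take them back.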
  19. dayjahone

    dayjahone Member

    I could still log in to ISPConfig and I could use phpMyAdmin. I exported the two databases, but I want to make sure it's safe before I import the tables on the new server.
  20. falko

    falko Super Moderator ISPConfig Developer

    You're using system users which means their passwords are not stored in the database. So you can reuse the MySQL dumps, but I strongly recommend to change all passwords of system users and also ISPConfig users afterwards.
