An employee from HP sent me the following email: Code: Someone is using the address https://server.mydomain.com:81/~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run as a phish to steal paypal passwords. If you can you should turn off access to this address ASAP. Is there a way to turn off access to this?
Are you administrating this server? If so, then you should check whether this directory structure + files are under ISPConfig's own Apache document root. Also you should find access to this in ISPConfig's Apache logs (should be located in /root/ispconfig/httpd/logs). Right now I don't think this will work in a std. installation as userdirs are disabled (based on the fact that ~ indicates the start of a userhome).
If he is asking how he can prevent this access, then he won't be able to configure the filters for mod_security in depth. An iptables command to drop all incoming connections on port 81 will help the same way.
Have you tested that this URL really works? If yes, you should find out why it works and how the attacker got in. Just denying access to the files won't fix this in the long term. For example, search for the requested file by running: locate cmd_login-runas and check your server with chkrootkit and rkhunter.
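The advice above is to look in the Apache access logs for requests to the userdir phishing path. The following is an added example, not code from the thread, that parses combined-format log lines and reports which clients requested a brand-impersonation page under a /~user/ directory; the log lines are constructed samples and the brand list (paypal, ebay) is an assumption you would extend to your own case.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2008:14:02:11 +0100] "GET /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2008:14:02:40 +0100] "POST /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2008:14:03:02 +0100] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2008:14:05:19 +0100] "GET /~testing/www.paypal.com/cgi-bin/webscr/cmd_login-run HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields of the combined log format up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A userdir path (/~user/...) whose later components impersonate a brand domain.
# The brand list is an assumption; extend it for the brands relevant to you.
PHISH_PATH_RE = re.compile(
    r'^/~[^/]+/.*(?:www\.)?(?:paypal|ebay)\.com', re.IGNORECASE
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_phish_hits(log_text):
    """Return every request whose path looks like a hosted brand-impersonation page."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PHISH_PATH_RE.match(rec["path"]):
            hits.append(rec)
    return hits

def summarize(log_text):
    """Count suspicious requests per client IP and per distinct path."""
    hits = find_phish_hits(log_text)
    per_ip = Counter(h["ip"] for h in hits)
    per_path = Counter(h["path"] for h in hits)
    # POSTs to the fake login page are likely victim credential submissions.
    posts = sum(1 for h in hits if h["method"] == "POST")
    return {"total": len(hits), "per_ip": per_ip, "per_path": per_path, "posts": posts}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} suspicious requests, {s['posts']} credential POSTs")
    for ip, n in s["per_ip"].most_common():
        print(f"  {ip}: {n}")
```

Point it at the real access log (for example by reading the file under /root/ispconfig/httpd/logs into `summarize`) to see how long the page has been served and which victims posted to it.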
Equally troubling is the fact that I can't log on with ssh anymore. My password is refused for admin and a normal user.
The user he gave me in the email does not work, but it seems like a legitimate email and it was sent via a mail form on my website (not to an email address). I checked my server with chkrootkit and rkhunter a few weeks ago (when I could log in using ssh) and it didn't come up with anything.
Ok, then your server has most likely been hacked and the hacker got root privileges. Do you have physical access, or does the server have a rescue system that you can boot to?
I turned it off for now. If you can think of a way to get it back up, I'd be your best friend forever. If not, is it a bad idea to copy the mail messages and databases over to a different server?
You should set up the server from scratch again, everything else would be too insecure. You can make backups of the old data by booting into the rescue system.
On this server, I allowed people to sign up for an email address. Is it safe to set up those same email addresses on a different server and use mail.mydomain.com again? I had ISPConfig running on the old server, but with only one website. Is there a way, and is it safe, to retrieve a database that was used for a blog and forum on the old server? If so, where do I find it? Thanks.
Maybe rkhunter and chkrootkit working in cron will resolve this problem. And securing apache/php is a good idea (suhosin + mod_security).
Try to understand how the attackers broke in; check the permissions, /tmp, faulty software, logs, "testing" user... If not, they could do it again and again. The most secure way is to boot from a LiveCD and mount the filesystems. Consider banning IP ranges of some countries; maybe none of your users are from China or Russia, so why risk letting crackers from these countries access (Russian or Chinese users of the forum, don't hate me)
Thanks for all the help, people. I'm fine with rebuilding it from scratch as it was on an old OS and the software needed to be updated anyway. I do have three concerns, however: 1) I have some databases on there that I used for a forum and blog that I would like to retrieve and use on a different server. The box is behind a firewall, so I was thinking of closing all of the ports on the firewall and using phpMyAdmin locally to export the databases. Is this safe? Will I be able to log in? I was able to use ISPConfig even after it was hacked. 2) Also, a lot of people have email addresses that I'd like to re-establish for them on a different server. Is there any harm in doing that? I allowed people to sign up for their own email address (I don't know all of the people who signed up for one), so is there a chance that by setting up the same email account on a different server, they can hack a different server? Thanks.
Yes, you can do this using phpMyAdmin. You can use the same usernames, but I strongly recommend using different (and strong) passwords.
1) Is it risky to reuse these databases? 2) The thing is I don't know these users. Can people hack into my system if they have an email address? Even if they have a valid username and password?
If your database was compromised they have the encrypted passwords of your users. Although it's "almost impossible" to decipher the passwords by brute force, they can run a dictionary attack to reveal weak passwords. They can't get into your system with the email password, but they may use the password to log in to other services if they reuse passwords (their bank accounts, gmail, ...).
I could still log in to ISPConfig and I could use phpMyAdmin. I exported the two databases, but I want to make sure it's safe before I import the tables on the new server.
You're using system users, which means their passwords are not stored in the database. So you can reuse the MySQL dumps, but I strongly recommend changing all passwords of system users and also ISPConfig users afterwards.