Full Version: Server hacked...need advice
The Planet Forums > Security > General Security > UNIX Security
ds694
I was notified today by Ev1Servers Abuse staff that one of the domains on my server was being used for fraudulent activities. Somehow, someone gained access to this site and uploaded an HTML file and a PHP script, and they were using these files to steal eBay passwords from people. We have disabled the domain from within Plesk, but I'm really not sure where to go from there. What steps should I take to find out how the attacker gained entry and then block up the hole? How can I prevent things like this from happening in the future? Any advice would be much appreciated.

My server is running RHEL3 with Plesk 7.5.3.

UPDATE: apparently the attacker managed to get root access because I can no longer log in as root via ssh...the password has been changed.

--zach
eth00
If he gained root you should really back it up and restore the server; it is pretty much impossible to fully clean out a server without taking a lot of time and knowing what is going on, if they did in fact gain root.

Mod_security can help with some of the PHP-injection attacks (most likely how those files got there), as well as keeping your kernel updated so they are not able to gain root access.

There is a lot of information on the forums as well as online on how to make your server more secure, I would suggest taking a look at those.
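The original poster asked how to find out where the attacker got in; the reply above says to rebuild if root was taken. Before the rebuild it is still worth collecting evidence, ideally from a read-only mount of the old drive rather than from the running, untrusted system. The following triage helpers are an added example written for this thread, not code from either poster: they list recently changed web files, world-writable directories under the web root (a common upload foothold), and extra UID 0 accounts. The Plesk vhost path /home/httpd/vhosts and the 14-day window are assumptions; every function takes the path it inspects as an argument so it can be pointed at a mounted copy of the drive.

```shell
#!/bin/sh
# Added post-compromise triage helpers (example code, not from the thread).
# Each function reads only the paths it is given, so they can be run against
# a read-only mount of the old disk instead of the live, untrusted host.

# Regular .php/.html/.htm files under a web root changed within the last N days.
# Args: web root (assumed Plesk layout), number of days (assumed default 14).
recent_web_files() {
    root="${1:-/home/httpd/vhosts}"
    days="${2:-14}"
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -mtime "-$days" 2>/dev/null | sort
}

# Directories under a web root that anyone on the box can write to.
world_writable_dirs() {
    root="${1:-/home/httpd/vhosts}"
    find "$root" -type d -perm -0002 2>/dev/null | sort
}

# Every account with UID 0 in a passwd file (default /etc/passwd).
# A second UID 0 login besides root is a classic sign of a backdoor account.
uid0_accounts() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '$3 == 0 { print $1 }' "$passwd_file"
}

# Number of UID 0 accounts; anything above 1 deserves a look.
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Build a small constructed fixture tree (demonstration data only) and print
# its path: one old legitimate page, one freshly dropped PHP file in a
# world-writable uploads directory, and a passwd file with a rogue UID 0 user.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vhosts/example.test/httpdocs/uploads"
    chmod 0777 "$tmp/vhosts/example.test/httpdocs/uploads"
    echo '<html></html>' > "$tmp/vhosts/example.test/httpdocs/index.html"
    touch -t 200701010000 "$tmp/vhosts/example.test/httpdocs/index.html"
    echo '<?php ?>' > "$tmp/vhosts/example.test/httpdocs/uploads/signin.php"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'zach:x:500:500::/home/zach:/bin/bash\n' >> "$tmp/passwd"
    printf 'sys0:x:0:0::/:/bin/sh\n' >> "$tmp/passwd"
    echo "$tmp"
}

# Run the checks against the constructed fixture when invoked with --demo.
run_demo() {
    fx=$(make_fixture)
    echo "== files changed in the last 30 days under $fx/vhosts"
    recent_web_files "$fx/vhosts" 30
    echo "== world-writable directories"
    world_writable_dirs "$fx/vhosts"
    echo "== UID 0 accounts in $fx/passwd"
    uid0_accounts "$fx/passwd"
    rm -rf "$fx"
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

Run it with `sh triage.sh --demo` to see it flag signin.php, the uploads directory and the extra sys0 account in the constructed data; against a real mount, call the functions with the mounted vhost path and the mounted copy of /etc/passwd. None of this replaces the rebuild the reply recommends; it only tells you what to look for and which hole to close on the fresh install.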
ds694
John,
Thanks for taking the time to reply. That's pretty much what I have concluded by this point. So, I just need to log in to Server Command and order a server restore? I'm assuming they will basically format the HD and reinstall the same OS and Plesk version. Is that a correct assumption? Also, one thing that could make this tricky is getting the server back up and running with minimal downtime. I'd like to have the server restored late tonight and have the thing up and running by tomorrow. The tricky thing is how to get the large Plesk backup file back onto the server after the restore...I really only have access to 50 kbps upload. Do you know if there is any way to have the backup file transferred somewhere on site temporarily and then transferred back to the HD after the restore? Also, in your experience, would ordering a priority restore at say 9 pm tonight give me enough time to get this thing running by the morning? Sorry for all the questions, but I really appreciate your help.

QUOTE (eth00 @ Jan 31 2007, 02:35 PM)
If he gained root you should really back it up and restore the server; it is pretty much impossible to fully clean out a server without taking a lot of time and knowing what is going on, if they did in fact gain root.

Mod_security can help with some of the PHP-injection attacks (most likely how those files got there), as well as keeping your kernel updated so they are not able to gain root access.

There is a lot of information on the forums as well as online on how to make your server more secure, I would suggest taking a look at those.
James Jhurani
QUOTE (ds694 @ Jan 31 2007, 06:17 PM)
John,
Thanks for taking the time to reply. That's pretty much what I have concluded by this point. So, I just need to log in to Server Command and order a server restore? I'm assuming they will basically format the HD and reinstall the same OS and Plesk version. Is that a correct assumption? Also, one thing that could make this tricky is getting the server back up and running with minimal downtime. I'd like to have the server restored late tonight and have the thing up and running by tomorrow. The tricky thing is how to get the large Plesk backup file back onto the server after the restore...I really only have access to 50 kbps upload. Do you know if there is any way to have the backup file transferred somewhere on site temporarily and then transferred back to the HD after the restore? Also, in your experience, would ordering a priority restore at say 9 pm tonight give me enough time to get this thing running by the morning? Sorry for all the questions, but I really appreciate your help.


To get the data back to the server, I would suggest making the backup and leaving it on the drive. Then have the DC slave the old drive. Once the server is restored, you can mount the slaved drive and migrate the backups to the new drive.

For previous ev1 customers:
A restore does not format your current drive: a new drive is simply put in the server, your old one is kept around for ~3 days (just in case you go "OH WAIT, I NEEDED..."), and then the old drive meets with Mr. Format.

For TP customers (one of the Dallas techs please correct me if I'm wrong):
I believe the restore is done automatically and the drive is completely wiped, and OS + panel reinstalled.
ds694
Faze,
Thanks for responding. That's great! I didn't realize that they just put a new drive in when they did a restore. Thanks again for informing me.


QUOTE (faze @ Feb 1 2007, 07:24 AM)
To get the data back to the server, I would suggest making the backup and leaving it on the drive. Then have the DC slave the old drive. Once the server is restored, you can mount the slaved drive and migrate the backups to the new drive.

For previous ev1 customers:
A restore does not format your current drive: a new drive is simply put in the server, your old one is kept around for ~3 days (just in case you go "OH WAIT, I NEEDED..."), and then the old drive meets with Mr. Format.

For TP customers (one of the Dallas techs please correct me if I'm wrong):
I believe the restore is done automatically and the drive is completely wiped, and OS + panel reinstalled.