Quick $50?

Post November 5th, 2009, 1:48 pm

So I upgraded to the more secure versions of Apache, PHP, etc last week.

Today my server is hacked. Who wants to take a crack at getting it back online and figuring out where they came in from?

I got paypal...

Here are some websites that are down

wildjohn.com
rentyourdot.com
bodydot.com

All on same server. I checked the folders and there is nothing changed in the public_html folders of those accounts. This suggests it's a config issue since it's global.

However it isn't totally global, since some websites on the same server are running.

balboaparkdancers.org is running fine.

Again, the public_html folders are fine.

Suggestions on how to start to fix? Suggestions on how to find out what files were changed?

Is there a way to sort by date, all the files on the server to find out what files were changed? I could write a small php program to do that...yeah maybe I will start there and return...
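A shell version of the sweep asked about here (an added example, not code from the thread; it assumes GNU findutils for -newermt, -newerct and -printf, and the cut-off in the usage comment is taken from the "about 2 am" mentioned later in the thread):

```shell
#!/bin/sh
# Added example: sweep for files changed after a cut-off time. Assumes GNU
# findutils; the cut-off is whatever you pass in as "YYYY-MM-DD HH:MM".

# changed_since ROOT SINCE
# Regular files under ROOT whose content (mtime) changed after SINCE, oldest
# first. -xdev stays on one filesystem so /proc and mounts are skipped.
changed_since() {
    root=$1; since=$2
    find "$root" -xdev -type f -newermt "$since" \
        -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# ctime_mismatch ROOT SINCE
# mtime can be reset with `touch -r`, but the inode change time (ctime) is
# set by the kernel and cannot be rolled back with touch. A file whose ctime
# is after SINCE while its mtime is before SINCE has been backdated and is
# worth a look even though changed_since would not list it.
ctime_mismatch() {
    root=$1; since=$2
    find "$root" -xdev -type f -newerct "$since" ! -newermt "$since" \
        -printf '%CY-%Cm-%Cd %CH:%CM %p\n' 2>/dev/null | sort
}

# Usage on the box in the thread (the break-in was "about 2 am" on
# 2009-11-05, so start the window a little earlier):
#   changed_since /home "2009-11-05 01:30"
#   changed_since /usr/local/apache "2009-11-05 01:30"
#   changed_since /etc "2009-11-05 01:30"
#   ctime_mismatch / "2009-11-05 01:30"
```

Run it as root so the whole tree is readable, and keep the output somewhere off the box, since it is the list you will compare against a rebuild.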

Don2007 (Web Master)

Post November 5th, 2009, 3:03 pm

Did you go through the Apache logs to see what scripts were run? What OS are you running?

Post November 5th, 2009, 3:12 pm

No, I will look now. I was just researching how to check this. I suspect an override httpd.conf file or something as the /home folders are intact.

I will get back to you in 2 mins. I do know the hack occurred about 2 am last night.

Post November 5th, 2009, 3:24 pm

Ok so I can't find the apache logs...would rebuilding apache through cpanel help?
Don2007 (Web Master)

Post November 5th, 2009, 4:30 pm

You still didn't tell me what OS was running? Maybe the logs were erased so you couldn't get the IP address? There should be a file called access.log. If the logs were erased, the box was rooted. If you can't do any forensics on it, then you really need to rebuild from scratch. If you can find the PHP script that was run, you can patch it.

Post November 5th, 2009, 4:39 pm

I see an access_log file in the cpanel folder, but that only shows who logged into cpanel. It only shows me.

I see a folder called /usr/local/apache/logs, but there is no access log file. There IS an error_log file though.

If the access log file was deleted, then it would be simply really short wouldn't it? I mean, the other sites are still running, so if it was deleted it would simply record logs from last night until now.

I also have log files in every folder of each website. Are those the logs you mean?

I don't think I am looking in the right folder.

Do you want to have a look for me?

Moderator Remark: Removed your email for your protection. Listing your email publicly will allow spambots to pick it up and you will get a lot of junk mail as a result.

Post November 6th, 2009, 3:56 am

And BigWebmaster comes to the rescue!

Turns out Godaddy was hacked and DNS settings were changed.
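An added check (not from the thread) that would have pointed at the DNS change before any server forensics: it compares each domain's public A record with the address the box actually serves. RESOLVE is a hypothetical override so the check can run offline; the IPs in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: is "some sites down, others up, public_html untouched" a
# DNS problem? Assumes dig is installed; RESOLVE is a hypothetical knob.
RESOLVE=${RESOLVE:-dig_short}
dig_short() { dig +short "$1" "$2"; }    # $1 = name, $2 = record type

# dns_triage DOMAIN EXPECTED_IP
# "<domain> dns-ok <ip>" when the public A record still points at this host,
# "dns-changed <ip>" when it points elsewhere, "no-answer -" when nothing
# resolves (the zone itself may have been removed at the registrar).
dns_triage() {
    domain=$1; expected=$2
    got=$($RESOLVE "$domain" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if [ -z "$got" ]; then
        echo "$domain no-answer -"
    elif [ "$got" = "$expected" ]; then
        echo "$domain dns-ok $got"
    else
        echo "$domain dns-changed $got"
    fi
}

# triage_summary < "domain expected_ip" lines
# If some domains on the same box still resolve here and others do not, the
# host is probably fine and the DNS/registrar account is where to look.
triage_summary() {
    ok=0; moved=0
    while read -r d ip; do
        [ -z "$d" ] && continue
        case "$(dns_triage "$d" "$ip")" in
            *" dns-ok "*) ok=$((ok + 1)) ;;
            *) moved=$((moved + 1)) ;;
        esac
    done
    if [ "$moved" -gt 0 ] && [ "$ok" -gt 0 ]; then
        echo "mixed: $moved domain(s) no longer point here, $ok still do; check the DNS/registrar account first"
    elif [ "$moved" -gt 0 ]; then
        echo "all-moved: no domain points here; DNS change or host offline"
    else
        echo "dns-ok: all $ok domain(s) resolve here; the fault is on the host"
    fi
}

# Usage with the thread's domains; HOST_IP is a placeholder for the server's
# real address:
#   printf '%s\n' "wildjohn.com $HOST_IP" "balboaparkdancers.org $HOST_IP" | triage_summary
```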
Bigwebmaster (Site Admin)

Post November 6th, 2009, 8:33 am

Glad it is all fixed now :)

Did Godaddy support ever let you know how your DNS settings got hacked?
joebert (Genius)

Post November 6th, 2009, 10:29 am

Yeah Godaddy has always sent me an email within an hour or three whenever any sort of change is made to my account. It would be rather spooky if someone was able to hijack you without that email getting sent.

Post November 7th, 2009, 12:50 pm

Bigwebmaster wrote:
Glad it is all fixed now :)

Did Godaddy support ever let you know how your DNS settings got hacked?

No they didn't. They denied everything.

Wouldn't you? If you ran a big website and you were hacked? Don't want that info leaking out!

Post November 22nd, 2009, 1:50 pm

I wish I had time to help. Check out the group and password files in the etc directory for names that are not used. I know it's vague, but they need to be in there to have access most of the time.

Also run chkrootkit to see if it picks up anything.

I also recommend getting cpanel for your control panel; it updates nightly to keep things mostly safe. From there, csf for a firewall and some basic security will help.

Post January 19th, 2010, 6:41 am

You should pay more attention to emails from Godaddy, any notifications.
