Thread: Hacked and trying to find the culprit

  1. #1
    Junior Member
    Join Date: Dec 2010
    Posts: 3

    Hacked and trying to find the culprit

    I was hacked last week, and now I have recently re-imaged my server, but I still have a folder/script trying to brute force another server via my own server. So as you can see this was due to an installed website backup.

    My problem is I don't have a clue how to trace the source of the attack. I have installed Splunk successfully to try and make my life easier, but I don't know where to start to search and query.

    For your information, the server that my server is trying to hack is 188.40.55.134.[port]: SIP, if this helps.

    My operating system is CentOS 5.5 and I have Plesk 9.5 running on my server.

    Help is needed as soon as possible as my hosting company have given me until tomorrow to sort it or they will block and shut my server.

    Thanks in advance

  2. #2
    Junior Member
    Join Date: Dec 2010
    Posts: 3

    Can anyone not offer any help?

  3. #3
    HYBR|D
    Guest

    Get your hosting company to wipe and rebuild the server.

    Also, you should be able to submit a site backup to them and have them audit the backup before it's put back online.

  4. #4
    Junior Member
    Join Date: Dec 2010
    Posts: 3

    Is there any way for me to detect the intrusion now? I just need some advice, regardless of whether I need to install software on the server, as well as some common sense steps on how to investigate and isolate the problem.

    Please, your help would be greatly appreciated.

    Thanks in advance

  5. #5
    westin (Gonzo District BOFH)
    Join Date: Jan 2006
    Location: SW MO
    Posts: 1,187

    Does the backup that you restored include the log files from your previous installation? If the backup is infected, the break-in would have happened before the backup was made, so if the log files are intact in the backup, you might be able to find some traces there. Take a look in your /var/log directory, and see how far back the entries go.

    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
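Two small POSIX shell helpers for the step westin describes, checking how far back the restored logs reach and tallying failed SSH logins by source. This is an added example, not code from the thread; it assumes CentOS 5 syslog formatting ("Mon DD HH:MM:SS host ...") and that the sshd log is /var/log/secure, and it only orders entries correctly when all files fall within one calendar year, since syslog lines carry no year.

```shell
# Added example, not from the thread. Assumes syslog-style lines that start
# with "Mon DD HH:MM:SS" (CentOS 5 default) and that all files in the
# directory belong to the same calendar year.
#
# Usage:  oldest_log_entry /var/log
#         failed_ssh_by_ip /var/log/secure

# Print the earliest entry found across every file in a directory, including
# rotated copies (secure.1, secure-20101201, ...). The first line of each file
# is taken, the month name is mapped to a number so entries can be ordered,
# and lines that do not start with a month (binary files such as wtmp) are
# skipped.
oldest_log_entry() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f"
    done | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        ($1 in mon) {
            key = sprintf("%02d %02d %s", mon[$1], $2, $3)
            if (best == "" || key < best) { best = key; line = $0 }
        }
        END { print line }'
}

# Count sshd "Failed password" entries per source address in one log file,
# most frequent source first. Useful for spotting where the brute forcing
# against this host came from before the backup was taken.
failed_ssh_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}
```

Run `oldest_log_entry /var/log` and compare the date it prints with the date of the backup: entries older than the backup are the ones that can still show how the box was entered.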

  6. #6
    Wazz, Senior Member
    Join Date: Apr 2003
    Posts: 288

    Check the .htaccess file to see if it contains a malicious redirection...

    "It is a shame that stupidity is not painful" - Anton LaVey
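A quick way to do Wazz's .htaccess check across a whole document root, as an added example that is not from the thread. It flags the directive patterns a planted redirect usually relies on (off-site Redirect/RewriteRule targets, RewriteCond on the referer so only search traffic is bounced, and handler changes that make image or text extensions execute as PHP). The patterns and the document-root layout are assumptions; legitimate www-canonicalisation rules will also match, so the output is a review list, not a verdict.

```shell
# Added example, not from the thread. Pattern list is an assumption about
# what commonly appears in tampered .htaccess files; review every hit.
#
# Usage:  htaccess_suspicious /var/www/vhosts/example/httpdocs/.htaccess
#         scan_docroot_htaccess /var/www/vhosts/example/httpdocs

# Print suspicious directives from one .htaccess file. Returns 0 when at
# least one line matched, 1 otherwise. Comment lines are ignored first.
htaccess_suspicious() {
    f="$1"
    [ -f "$f" ] || return 1
    # Matches, case-insensitively:
    #  - Redirect* / RewriteRule whose target is an absolute http(s) URL
    #  - RewriteCond on %{HTTP_REFERER} (redirect only visitors from search engines)
    #  - AddHandler/AddType/SetHandler mapping .jpg/.gif/.png/.txt/.htm(l) to PHP
    grep -v '^[[:space:]]*#' "$f" | grep -Ei \
        '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule)[[:space:]].*https?://|^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_REFERER\}|^[[:space:]]*(AddHandler|AddType|SetHandler)[[:space:]].*php.*\.(jpg|gif|png|txt|html?)'
}

# Walk a document root, run the check on every .htaccess found, and print
# the file path followed by its hits.
scan_docroot_htaccess() {
    find "$1" -name .htaccess -type f | while read -r f; do
        if hits=$(htaccess_suspicious "$f"); then
            echo "== $f"
            echo "$hits"
        fi
    done
}
```

On a Plesk host the document roots live under /var/www/vhosts/<domain>/httpdocs, so scanning /var/www/vhosts covers every site at once; also compare each flagged file's mtime against the date of the backup.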

  7. #7
    Banned
    Join Date: Jan 2008
    Posts: 605

    Just reinstall everything.

    Disable functions you don't need in PHP. Make sure proftpd is updated. After a few failed logins, start dropping the connections with iptables. Make sure the actual backups aren't viewable via the web directory. It's penny-ante common sense stuff.
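Three checks behind the advice in this post, as an added example that is not from the thread: listing backup archives that sit inside a document root, verifying that php.ini's disable_functions covers the process-spawning functions, and emitting iptables rules that drop repeated new connections to a port. The function baseline, the file-name patterns and the rate-limit parameters are assumptions, not values from the thread; the iptables rules count new connections rather than failed logins, which is what the kernel can see without a log parser.

```shell
# Added example, not from the thread. Baseline lists and paths are
# assumptions for a typical CentOS 5 / Plesk 9.5 layout.
#
# Usage:  find_exposed_backups /var/www/vhosts/example/httpdocs
#         php_missing_disabled_functions /etc/php.ini
#         ratelimit_rules 21 60 5 | sh      # as root, after reviewing

# 1. Archive and dump files under a document root can be fetched by anyone
#    who guesses the name. List them with permissions so they can be moved
#    out of the web tree.
find_exposed_backups() {
    find "$1" -type f \( -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
        -o -name '*.zip' -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' \) \
        -exec ls -l {} \;
}

# 2. Check php.ini's disable_functions against a baseline of functions that
#    let a planted script run system commands. Prints the ones still enabled
#    and returns 1; returns 0 when all are disabled. The baseline is an
#    assumed hardening list, not something the thread specifies.
php_missing_disabled_functions() {
    ini="$1"
    want="exec passthru shell_exec system proc_open popen"
    have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tr ',' ' ')
    missing=""
    for fn in $want; do
        case " $have " in
            *" $fn "*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$missing" | sed 's/^ //'
    return 1
}

# 3. Emit iptables rules (the "recent" match, present on CentOS 5) that drop
#    further new TCP connections to $1 from a source once it has opened more
#    than $3 of them within $2 seconds. Printed for review rather than applied.
ratelimit_rules() {
    port="$1"; seconds="$2"; hits="$3"; name="rl$1"
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name $name"
    echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds $seconds --hitcount $hits --name $name -j DROP"
}
```

Put the rate-limit rules ahead of the general ACCEPT for the port, and remember to save them with `service iptables save` so they survive a reboot.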
