

My VPS is hacked - Please HELP!




Posted by swalian, 01-13-2010, 05:10 AM
Hello,

My VPS has been hacked since Dec 2009. I have changed all account passwords and the root password, but in Jan 2010 it happened again...

1. Someone uploaded phishing sites (amazon.com, citi, sitekey, etc.) into several domains, and they also changed one of my domains' WordPress index and put strange code at the bottom. I have checked and seen that they uploaded using the domain password; how could they get the password? Here is the code that they put into the WordPress file: << snipped >> Here is the log:

2. Someone changed one of my client domains' password. I asked support about this and it looks like the hacker used the root password; here is the log: -> 213.171.197.182 is not my IP

The strange thing is that the hacker did not do this to all domains:

1. They put the phishing site into the same domains: in Dec they put it into domains a, b, and c, then in Jan they put it into those domains again.
2. They changed the domain d password in Dec 2009, and in Jan 2010 they only changed the password for this d domain.

I want to know how to prevent this... how could they get the root password?

Thanks,

Last edited by Alex; 01-13-2010 at 05:52 PM.

Posted by Vamsii, 01-13-2010, 05:12 AM
Hi.. are you using any control panel? Like cPanel?

Posted by gigatux, 01-13-2010, 05:55 AM
If you've been hacked once and they have the root password, your best bet is to reinstall the OS and copy across sanitised data from a backup. If they've had root, it's very possible that they have installed other password monitoring software (or rewritten binaries such as passwd) so can always be informed if you change the root password. This is why you really need to reinstall if you at all can!
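The worry in the reply above is that a root-level intruder may have replaced binaries such as passwd. One defender-side check is a hash baseline taken while the host is known-good and re-verified later. The script below is an added example, not code from this thread or from any of the posters; it assumes GNU coreutils sha256sum and uses constructed files in a temporary directory in place of a real /usr/bin.

```shell
#!/bin/sh
# Added example, not code from the thread. Records SHA-256 hashes of the
# files under a directory while the host is known-good, then re-checks them
# later; a changed or missing entry for something like /usr/bin/passwd is a
# sign the binary was replaced. Assumes GNU coreutils sha256sum.
# Keep the manifest off the host (an intruder with root can edit it) and
# prefer the package manager's own verification where it is available.

# make_baseline DIR MANIFEST : hash every regular file under DIR into MANIFEST
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# changed_files MANIFEST : print the path of every file whose hash differs
# from the manifest or which is missing; prints nothing when all match
changed_files() {
    # --quiet suppresses the "OK" lines; mismatches are reported on stdout as
    # "<path>: FAILED" (or "<path>: FAILED open or read" for a missing file)
    sha256sum --check --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Demo on constructed data in a temporary directory (stands in for /usr/bin).
DEMO_DIR=$(mktemp -d)
printf 'original passwd binary\n' > "$DEMO_DIR/passwd"
printf 'original ls binary\n'     > "$DEMO_DIR/ls"
MANIFEST=$(mktemp)
make_baseline "$DEMO_DIR" "$MANIFEST"

# Simulate a replaced binary, then re-verify against the baseline.
printf 'replaced passwd binary\n' > "$DEMO_DIR/passwd"
CHANGED=$(changed_files "$MANIFEST")
if [ -n "$CHANGED" ]; then
    echo "CHANGED since baseline: $CHANGED"
else
    echo "all files match the baseline"
fi
```

The demo prints the path of the altered passwd file. Against a live system the baseline would cover the directories holding system binaries and be taken immediately after a clean install, before the host is exposed.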

Posted by swalian, 01-13-2010, 06:11 AM
Yes, the control panel is cPanel. Yes, the support people plan to move my account to a new server. So, after the OS is reinstalled and all accounts are moved to the new server, will it be safe? Or must I check all files in all domains and make sure they are all safe? And how could they get my root password?

Posted by gigatux, 01-13-2010, 06:14 AM
Well, it's never guaranteed, but it's a good start. If all binaries on your system have been reinstalled from a safe source, that's one less route in again. Of course, make sure all security updates have been performed. However, there's always the possibility of badly coded things such as PHP scripts allowing SQL injection etc. I would check all files in the domain (especially if you've got something like SSH jailing) without a doubt.

Posted by Sposs, 01-13-2010, 07:14 AM
Have you set up iptables? Also, as already suggested, wipe the machine with a reinstall and restore from backups that you know are clean.

Posted by swalian, 01-13-2010, 07:30 AM
Can SQL injection get the root password? Or can any bad PHP scripts get the root password? I'm not sure about SSH jailing, but I think I don't have it.

Posted by gigatux, 01-13-2010, 07:35 AM
No, they can't. Sorry for the confusion - those were additional security points. The thing is, you never know what exploits there are in PHP or even MySQL, and having insecure scripts might be able to trigger them in some circumstances.

Posted by AppKoders, 01-13-2010, 11:07 AM
It could also be that your local PC is infected with a trojan/keylogger. Try scanning your PC and make sure that it is free from viruses.

Posted by Alex, 01-13-2010, 05:53 PM
I removed the code from the original post since it's been setting off a lot of members' antivirus protection. If you want to see what code they put on the member's site, shoot him a PM or email. Alex

Posted by swalian, 01-13-2010, 09:36 PM
Yes, I have checked this... it found DTSCache, what's that? I use Avira and Spyware Terminator... But after cleaning my PC and changing all passwords, my server still got hacked in early Jan.

Posted by M Bacon, 01-13-2010, 11:23 PM
What version of WordPress are you running? 2.9.1 is the latest. Run an anti-spyware scan on your computer. Try this: http://www.malwarebytes.org/

Posted by LeaTrueman, 01-14-2010, 01:49 AM
Hello, Which firewall are you using? Install and configure CSF, which will alert you about all the suspicious processes, invalid login attempts, etc.

Posted by swalian, 01-14-2010, 02:43 AM
I don't know... my VPS is fully managed so they take care of everything.

Posted by madaboutlinux, 01-14-2010, 07:49 AM
swalian, Is your server hosted with FastHost? The IP 213.171.197.182 you forwarded in the very first post belongs to FASTHOSTS-UK-NETWORK. If your server is hosted with them, it's the support who is changing the password for some reason... maybe changing the password to work on your server issues. Looking at the logs you forwarded, it clearly states that the root password wasn't hacked. It's one of your accounts that is hacked, which is a very usual way of hacking nowadays, and then injecting code, uploading files/directories under the account, etc. are carried out. Such hacks mostly occur because of weak passwords OR the client's local machine being infected with a virus/spyware. Just changing/re-installing the server will rarely fix the issues and you will have to take appropriate security measures to make sure such problems won't re-occur. There are various ways to secure your server and I hope your hosting support dept will take care of those.
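The post above reads the logs to decide whether the root login from 213.171.197.182 was the provider's support desk or an intruder. That question is answered by comparing successful logins against the addresses you and your provider are known to use, and by looking for password guessing before a success. The script below is an added example, not part of this thread; the sshd log lines are constructed samples in syslog format with addresses from the RFC 5737 documentation ranges, and the KNOWN_IPS list is a placeholder the operator would fill in.

```shell
#!/bin/sh
# Added example, not from the thread. Triage of sshd authentication log
# lines: which IPs logged in successfully, which of those are not on the
# operator's own list of known addresses, and which IPs were guessing
# passwords. The log lines below are constructed samples.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:12:44 vps sshd[2211]: Accepted password for root from 192.0.2.10 port 51022 ssh2
Jan 11 22:31:02 vps sshd[3088]: Failed password for root from 198.51.100.7 port 40011 ssh2
Jan 11 22:31:09 vps sshd[3090]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 11 22:31:15 vps sshd[3092]: Failed password for root from 198.51.100.7 port 40013 ssh2
Jan 11 22:40:09 vps sshd[3104]: Accepted password for root from 198.51.100.7 port 40210 ssh2
Jan 12 09:02:17 vps sshd[3311]: Accepted publickey for admin from 192.0.2.10 port 51900 ssh2
Jan 12 09:05:33 vps sshd[3320]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
EOF

# Addresses the operator, and a confirmed support desk, are known to use
# (placeholder value; a real list comes from your own records).
KNOWN_IPS="192.0.2.10"

# accepted_logins LOG : "date time user ip" for every successful login
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
        print $1, $2, $3, user, ip
    }' "$1"
}

# unexpected_logins LOG "ip ip ..." : successful logins from addresses not in the list
unexpected_logins() {
    awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
            if (!(ip in ok)) print $1, $2, $3, user, ip
        }' "$1"
}

# failed_by_ip LOG : "count ip", most failures first; password guessing shows up here
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

echo "== successful logins ==";        accepted_logins "$SAMPLE_LOG"
echo "== not on the known-IP list =="; unexpected_logins "$SAMPLE_LOG" "$KNOWN_IPS"
echo "== failed attempts per IP ==";   failed_by_ip "$SAMPLE_LOG"
```

On the sample data the one login not on the known list is the root login from 198.51.100.7, and the same address shows three failed attempts in the minutes before it, which is the pattern that distinguishes a guessed password from a support engineer's routine login. On a cPanel host the same approach applies to the cPanel and FTP access logs, which record the account logins the post above suspects.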

Posted by webhostmaniac, 01-14-2010, 08:00 AM
It looks like they used a PHP shell script. I would reload your server, then reinstall cPanel, then restore the good files you have. Then take the liberty to install the CSF firewall, mod_security, and rootkit hunter. CSF has a checklist you can go through to secure and harden your server. Also disable unnecessary PHP functions in the php.ini file that you do not use but shells can use to access your server.
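The last suggestion above, disabling PHP functions that a web shell needs, is controlled by the disable_functions directive in php.ini. The script below is an added example and not code from this thread; it shows a weak php.ini fragment beside a hardened one and audits either against a baseline of the built-in PHP functions that run operating-system commands. Both php.ini fragments are constructed; the baseline list is a common starting point, not an exhaustive one, and what you can safely disable depends on what the hosted applications legitimately use.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a php.ini's
# disable_functions directive against a baseline of PHP built-ins that web
# shells use to run OS commands, and shows the weak default next to a
# hardened value. The php.ini fragments below are constructed samples.

# Common baseline of OS-command functions (real PHP built-ins); adjust per site.
REQUIRED_DISABLED="exec passthru shell_exec system proc_open popen"

# disabled_functions INI : print each name in disable_functions, one per line
disabled_functions() {
    awk -F= '$1 ~ /^[ \t]*disable_functions[ \t]*$/ {
        n = split($2, f, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", f[i])   # trim spaces around each name
            if (f[i] != "") print f[i]
        }
    }' "$1"
}

# missing_disabled_functions INI : print baseline names the file does not disable
missing_disabled_functions() {
    have=$(disabled_functions "$1")
    for fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# Weak setting: the stock php.ini-production ships with disable_functions empty,
# so a PHP shell dropped into a hacked account can call exec() or system().
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed sample php.ini (weak)
expose_php = On
disable_functions =
EOF

# Hardened setting: OS-command functions disabled, PHP version header hidden.
HARD_INI=$(mktemp)
cat > "$HARD_INI" <<'EOF'
; constructed sample php.ini (hardened)
expose_php = Off
disable_functions = exec, passthru, shell_exec, system, proc_open, popen
EOF

echo "weak php.ini still allows:";     missing_disabled_functions "$WEAK_INI"
echo "hardened php.ini still allows:"; missing_disabled_functions "$HARD_INI"
```

Run it against the server's real php.ini (php --ini shows which file is loaded) and test the sites afterwards, since a legitimately installed script that calls one of these functions will break once it is disabled.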


