
Help! My server keeps getting hacked!!

Discussion in 'BlackHat Lounge' started by mandude, Oct 15, 2012.

  1. mandude

    Wasn't sure what other section to put this under. I need help! At least once a month now I have to keep going to accounts and deleting phishing websites, hacker scripts, and get notices that spam emails are being sent by the 1000s. My web hosting company claims it can't be their fault, but I think something is not secure on my server for this to keep happening over and over. I have a virtual private server. I use Web Hosting Manager and Cpanel. They have been little to no help, I am hoping someone here can, maybe there are settings in WHM I can tweak. I need to make it so only I can upload files, I swear I set it to limit the number of emails that can be sent in an hour but not sure if that did anything.

    Some kind of software I can put on my server or something to stop these attacks? I really don't get how they get into it, and then somehow get into ALL my accounts even when they are not connected. And I don't know it is going on until they contact me to tell me an account has been suspended or shady activity is going on and I find the files and delete them.
     
  2. Jammy13

    Hi there, when I want to get a server set up and secure I use a server management company to do the work. The company I use is called platinumservermanagement. They charge $30 a month, but you can cancel after the 1st month once they have set it up for you. Here's a breakdown of what they offer:

     
  3. mandude

    Thanks, maybe I will try them and after they install all that software cancel next month. Maybe, or keep them if they do a great job. Since you said you used them, once the software is installed how do you use it? Is it in your cPanel for easy access?
    Thanks
     
  4. Jammy13

    Yeah, the stuff they install you can access through WHM.
     
  5. Danny1111

    You probably are using an old WP theme or have outdated timthumb - so once they get it - there's no stopping them.

    I would get a new VPS and install everything from scratch using a new template and latest timthumb.

    Then add some WP security plugins .... Using that company sounds like a good short term option but it may be too late to tighten everything up now -- but starting on a fresh server you can lock everything down to prevent it from starting over.
     
  6. Danny1111

    The other thing you are going to see - is in Google it's going to say - your site contains malicious scripts - and it's going to kill your traffic over time.

    Start working on this now.
     
  7. trubnut

    If it's happening again and again you'll need to figure out how they are gaining access, just deleting the files isn't going to help because the exploit will still be there for them to use again.

    Trying to find the point of entry can be a nightmare. I would suggest making sure everything is up to date and I would take a close look at the scripts you have installed on your server. It's more likely that your WHM and cPanel are actually secure and they are gaining access via a script you have installed on your server. It could be something as simple as a plugin on a WordPress installation.

    I f@~#ing hate hackers with a passion!
     
  8. Gogol

    Are you using WordPress anywhere in your server by any chance? My WP installations used to get hacked 3 times a week before I finally discovered how to protect them xD

    Tell me if you want to know anything on that!
     
  9. mandude

    I have like WordPress on every account. I am sure it is that. But I wish I could update WP automatically, or update all of them with 1 click. Please recommend WP security plugins, I had some, but they clearly didn't stop it.
     
  10. bonzo90

    Use WP Security. There are SO many things that people can get access through, even just having one folder with incorrect permissions can totally screw you over. I had a guy send out 10k emails on my server, got me blacklisted in a DAY for spam, he was offering Android apps to hotels in the UK... DROVE ME MAD trying to find the error, turns out it was a .JS file in one of my themes!!!
     
  11. Gogol

    Man, if you have WordPress, you can get hacked very quickly. I have seen my latest version of WP (3.4.2 got hacked!) with no plugin, and only Twenty Eleven installed, getting hacked.
    So I decided to fight against it. There are a few things you can do:

    1. Clean your server (best would be to use a fresh WP installation), change every password you have (including cPanel) with some really strong passwords. Use alphanumeric sentences (not words lol). Password cracking is becoming faster and faster. They are now using GPUs for cracking passwords, which can be a hell of a lot quicker. Do not use admin as your username (though it doesn't really help. They will get your username for sure!). It makes the n00bs frustrated.

    2. Install WP Login Lockdown on every account that you have, so that brute-forcing becomes tougher. If they use brute-forcing scripts like WPScan, it will throw a warning to them that your site uses login lockdown. It might scare some of them off.

    3. Password protect your wp-admin folder using htpasswd and htaccess (google it). That works as an extra protection. Be sure to use a very uncommon username (not admin, administrator etc.) and an alphanumeric sentence for the password.

    4. Remove every plugin and theme that you don't need (even Hello Dolly!) on the server.

    5. In your php.ini (or php5.ini), insert the following two lines:
    Hiding the PHP errors and warnings will protect you from the full path disclosure vulnerability that many hackers use. Contact your hosting provider if you are unsure how to do it.

    6. Monitor your Apache log regularly, to make sure there isn't anything funny going on.

    7. BACK UP BACK UP BACK UP!!

    8. Do not use default themes / hacked themes etc. Best is to make a theme for yourself (if you know PHP!). Or maybe get a custom theme made from a freelancer site (tell them you don't need a child theme. You would need a complete theme!). Before you install the theme, make sure there is no timthumb script in the theme (that's a thumbnail script, which can be exploited to upload PHP files from remote locations).

    9. Last but not the least: go get a good server!! Many of the shared *nix servers are not chmoded properly. So one user can actually enter another user's account (believe it or not!). I haven't had any issues since I started using GoDaddy, because they have very strict folder permissions.
     
    Last edited: Oct 15, 2012
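
Added example (not part of any post in this thread): one way to do the log monitoring from step 6 above, flagging the request patterns the thread names: a timthumb script asked to fetch from another host, PHP requested out of wp-content/uploads, and bursts of wp-login.php POSTs. The log lines are constructed, and `site_host` and the threshold of 5 are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log line: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')
LOGIN_POST_THRESHOLD = 5  # assumed value; tune to your own traffic

# Constructed sample lines (documentation IP ranges), not taken from the thread.
_FMT = '%s - - [15/Oct/2012:10:0%d:00 +0000] "%s %s HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = [
    _FMT % ("203.0.113.9", 0, "GET",
            "/wp-content/themes/old/timthumb.php?src=http://img.example.net/pic.jpg"),
    _FMT % ("198.51.100.7", 1, "GET",
            "/wp-content/themes/old/timthumb.php?src=/wp-content/uploads/a.jpg"),
    _FMT % ("203.0.113.9", 2, "POST", "/wp-content/uploads/2012/10/x.php"),
] + [_FMT % ("192.0.2.50", 3, "POST", "/wp-login.php")] * 6


def triage(lines, site_host="example.com"):
    """Return (ip, reason, target) tuples for requests worth a closer look."""
    findings, login_posts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, target = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        if path.endswith("thumb.php"):  # timthumb.php or its common rename thumb.php
            src = parse_qs(url.query).get("src", [""])[0]
            host = urlsplit(src).hostname
            # A src on a host other than our own means a remote fetch was requested.
            if host and host != site_host and not host.endswith("." + site_host):
                findings.append((ip, "timthumb remote src", target))
        if "/wp-content/uploads/" in path and path.endswith(".php"):
            findings.append((ip, "php in uploads", target))
        if method == "POST" and path.endswith("/wp-login.php"):
            login_posts[ip] += 1
    for ip, count in login_posts.items():
        if count >= LOGIN_POST_THRESHOLD:
            findings.append((ip, "login burst x%d" % count, "/wp-login.php"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A hit is a lead, not a verdict: the files named in the flagged requests are what to inspect on disk next.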
  12. datomcat

    mandude,

    The fact it keeps reoccurring means you've not discovered and fixed the underlying cause. It could be an out-dated WP plugin with a known security issue, or something maliciously bundled with a theme from a dodgy source. Assuming you are running these sites on one VPS (lots of separate installations) you could try WordPress Multisite, making the admin a little easier. Or alternatively rely on good-old UNIX tools for keeping directories in sync.

    Because WordPress is so widely used there are lots of guides on securing it and the platform it runs on (PHP, Apache, MySQL).
     
  13. mandude

    I wish WP and the plugins could update themselves. I have so many installs and some I do not visit that often but still keep active. I hate how easily WordPress can be hacked.

    Is there some sort of script to update all WordPress on your server at once?
     
    Last edited: Oct 15, 2012
  14. Gogol

    No, I do them manually. I understand that it can be tough if you have a network of blogs, but that isn't enabled by WP yet!
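
Added example (not from any poster in this thread): with WordPress on every account and updates done by hand, it helps to know what is installed where before hunting for the point of entry. This sketch walks a root directory and reports each install's version (read from `wp-includes/version.php`), any `timthumb.php`/`thumb.php` copies under `wp-content`, and PHP files under `wp-content/uploads`. The alice/bob tree is constructed for the demonstration; pointing `audit()` at a real account root such as `/home` is an assumption about the server layout.

```python
import os
import re
import tempfile

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
THUMB_NAMES = {"timthumb.php", "thumb.php"}

# Constructed layout for the demonstration; 3.2.1 is an arbitrary older version.
SAMPLE_TREE = {
    "alice/public_html/wp-includes/version.php": "<?php\n$wp_version = '3.4.2';\n",
    "alice/public_html/wp-content/themes/old/timthumb.php": "<?php // placeholder\n",
    "bob/public_html/wp-includes/version.php": "<?php\n$wp_version = '3.2.1';\n",
    "bob/public_html/wp-content/uploads/2012/10/x.php": "<?php // placeholder\n",
    "bob/public_html/wp-content/uploads/2012/10/photo.jpg": "",
}


def build_sample(root):
    """Write SAMPLE_TREE under root so audit() has something to walk."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def audit(root):
    """Return ({install_dir: version}, thumbnail_scripts, php_under_uploads)."""
    installs, thumbs, upload_php = {}, [], []
    for dirpath, _dirs, files in os.walk(root):
        norm = dirpath.replace(os.sep, "/") + "/"
        for name in files:
            full = os.path.join(dirpath, name)
            if name == "version.php" and norm.endswith("/wp-includes/"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found = VERSION_RE.search(fh.read())
                installs[os.path.dirname(dirpath)] = found.group(1) if found else "unknown"
            elif "/wp-content/" in norm and name.lower() in THUMB_NAMES:
                thumbs.append(full)  # thumbnail script: check it is current or remove it
            elif "/wp-content/uploads/" in norm and name.lower().endswith(".php"):
                upload_php.append(full)  # uploads should hold media, not PHP
    return installs, sorted(thumbs), sorted(upload_php)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```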