Hi All
I have a dedicated server with 1and1 which is running:
OS Linux 2.6.18-194.26.1.el5
Panel version 10.4.4
Update #49, last updated at April 14, 2013 04:04 AM
For the last 3 weeks, the site gets shut down by the data centre, usually on a Thursday evening because it's found to be running DDoS attacks. I bring the server back online and each week I have cleared off some old sites including ones where clients have installed WordPress and not updated. What I've found shows that this seems to be the point of entry.
However, I've looked through logs and things and I can't see anything obvious. That could well be because I don't know what I'm looking for.
1and1 can't or won't help. They won't look even though I offered to pay and they can't recommend a company that can look for me. So, their suggestion is to go out to an unknown world with a compromised server and ask for help.
Could someone point me in the right direction, please, as this is driving me to insanity.
I'm guessing that the WP exploit has let someone place files in a directory outside any of the /var/www/vhosts/[site] structure as I've deleted the sites completely that were using WP.
But I haven't got a clue where to start looking from here.
RK gives some warnings but I've searched and these look like false positives.
So, that's where I am!
Best regards
Andy
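
One place to start on the guess above (files dropped outside `/var/www/vhosts/[site]`), as an added example that is not part of the original post: a Python script listing regular files outside the vhost tree that are owned by the web server account and were changed within the 3-week window. The function name, the scanned directories and the `apache` account name are assumptions.

```python
import os
import stat
import time

def files_written_by_web_user(roots, skip_dirs, web_uids, max_age_days, now=None):
    """Return (changed_time, is_executable, path), newest first, for regular
    files under roots (pruning skip_dirs) owned by one of web_uids."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    skip = {os.path.realpath(d) for d in skip_dirs}
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            # Prune excluded subtrees in place so os.walk never descends into them.
            dirnames[:] = [d for d in dirnames
                           if os.path.realpath(os.path.join(dirpath, d)) not in skip]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue  # file vanished or unreadable
                if not stat.S_ISREG(st.st_mode) or st.st_uid not in web_uids:
                    continue
                # mtime can be backdated with touch; ctime cannot, so take the later.
                changed = max(st.st_mtime, st.st_ctime)
                if changed >= cutoff:
                    hits.append((changed, bool(st.st_mode & 0o111), path))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    import pwd
    try:
        uids = {pwd.getpwnam("apache").pw_uid}  # assumption: httpd runs as "apache"
    except KeyError:
        uids = {os.getuid()}  # fallback so the script still runs elsewhere
    # Assumed roots: world-writable directories plus /var/www minus the vhosts.
    roots = ["/tmp", "/var/tmp", "/dev/shm", "/var/www"]
    for changed, is_exec, path in files_written_by_web_user(
            roots, ["/var/www/vhosts"], uids, max_age_days=21):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(changed))
        print(stamp, "x" if is_exec else "-", path)
```

An empty result does not clear the server: files owned by other accounts, or hidden by a rootkit, will not appear in this listing.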