
Issue System hacked - help

PeterCardiff

New Pleskian
Hi,

This is my first post so hello to everyone.
We've recently been hacked, I believe through the support portal, which allowed people to attach files.
Soon after, the server was trying to send lots of spam, close to 40k in 2 days' time; most of them were blocked as we have a limit set to 100 emails per hour.
The spam was coming from a PHP script which was hidden in one of the main website's folders.
We have noticed that all the index.html files on the main page have been replaced with index.php files.
So I removed all the website files and replaced them with the old local backup.
I have also changed the password for root access.
However, after 1 day the files on the website had been replaced again.
Today I have also changed the password for the FTP user and I am going to allow only one specific static IP for SSH access.

Please see the attached warnings from rkhunter/ClamAV.

Thanks in advance for your help.
Pete
 

Attachments

  • rkhunter-report.pdf
See all the warnings below:

[08:37:00] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[08:37:00] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]

[08:37:02] Checking for enabled xinetd services [ Warning ]
[08:37:02] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[08:37:02] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa

[08:37:14] Checking for hidden files and directories [ Warning ]
[08:37:14] Warning: Hidden directory found: /dev/.mdadm
[08:37:14] Warning: Hidden directory found: /dev/.udev
[08:37:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/sbin/.sendmail.postfix-wrapper.swp: Vim swap file, version 7.4
[08:37:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

[08:37:16] Checking version of Apache [ Warning ]
[08:37:16] Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
 
Also, I do get "Apache memory usage" warnings that the server is taking too much memory, over 1.2 GB, where normally it was around 600 MB.
 
I am having trouble to understand what you are asking for. Could you please form specific questions?
 
I am sorry Peter, I was typing in a rush.

I am looking for ideas on how to fix a hacked server.

Are these hidden files correct?


[08:37:14] Checking for hidden files and directories [ Warning ]
[08:37:14] Warning: Hidden directory found: /dev/.mdadm
[08:37:14] Warning: Hidden directory found: /dev/.udev
[08:37:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/sbin/.sendmail.postfix-wrapper.swp: Vim swap file, version 7.4
[08:37:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
 
Why have I got warning messages for the following lines?

[08:37:00] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[08:37:00] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
 
I don't see any issues with that.
Please refer to http://www.sys-admin.gr/232/plesk/rkhunter-and-plesk-xinetd-services/ for details.

If your subscriptions have SSH access without chroot, I suggest reinstalling the complete server from scratch, because a smart hacker can then have moved software onto the system that you'll never find. If your subscriptions are all chrooted or do not provide SSH access, you should be O.K.

Make sure that your /tmp directory (or partition) does not have exec permissions, otherwise it is possible to start software from there.

It is not enough to replace a hacked website with a backup. You must find the security holes and close them. Normally, plugins to software like Joomla or WordPress provide access to hackers.
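A small check for the two points above (a /tmp or /var/tmp mounted without noexec, and PHP files that reappear under a web root after a restore), written as an added example; it is not from this thread or from Plesk, and the /var/www/vhosts path and the two-day window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a mount point carries
# the noexec option, and list recently modified PHP files under a web root.
# POSIX sh + awk + find only; mount data can be fed from a file for testing.

# mount_has_noexec MOUNTPOINT [MOUNTS_FILE]
# Prints "noexec", "exec" or "notmounted" for MOUNTPOINT and returns 0 only
# when noexec is set.  Reads /proc/mounts unless a file is given.  A /tmp
# that is not a separate mount simply inherits the exec permission of "/".
mount_has_noexec() {
    mp=$1
    src=${2:-/proc/mounts}
    # field 2 is the mount point, field 4 the comma-separated options;
    # the last matching line wins, which is the currently visible mount
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$src")
    [ -z "$opts" ] && { echo "notmounted"; return 2; }
    case ",$opts," in
        *,noexec,*) echo "noexec"; return 0 ;;
        *)          echo "exec";   return 1 ;;
    esac
}

# recent_php_files WEBROOT DAYS
# Lists .php files modified within the last DAYS days, one per line.
# On a freshly restored site this surfaces re-dropped scripts such as the
# index.php replacements described in the thread.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Run with --check on the server itself (paths are assumptions).
if [ "${1:-}" = "--check" ]; then
    for mp in /tmp /var/tmp; do
        printf '%s: %s\n' "$mp" "$(mount_has_noexec "$mp")"
    done
    recent_php_files /var/www/vhosts 2
fi
```

Files the script lists are candidates to compare against the local backup, not automatically malicious; a `notmounted` result means the directory lives on the root filesystem and cannot be given noexec on its own.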
 
Thanks Peter,

The subscriber/user didn't have access to SSH, so should I be alright then?

I found trojans in tmp files (in the root folder and /var/tmp); however, I cannot disable the exec permissions as I couldn't log in to the Plesk web page.
At the moment I have removed all files from the main domain and am scanning the system via ClamAV and removing any other infected files.
 
I know which website has been cracked: we were hosting the Support Ticketing Portal, which allowed users to upload/attach files, e.g. screenshots. However, someone uploaded the trojan and then took control of the domain.
 
Hello:

Just wondering if you resolved this issue? And if so how?

I have the same hack on my Plesk server; it started in Jan/Feb this year. A vendor trying to send me an email noticed that Gmail was blocking email directed to my Gmail account; the hacker scripts had been sending out tens of thousands of emails, and other mail services have blocked email.

The data center where I am located was of little help, except that one support admin noticed something written in Estonian; they also gave the same advice as above, to abandon the server.

Going through the websites via FTP I was able to see several files that had been uploaded, which I would either delete or rename. I also had the same issue with doing a fix and then it would come back! An attempt to stop this: I removed the write permissions on index.html; also check the .htaccess files...

The info about the /tmp directory is new to me; I have attached a link to a screenshot of that from my server.
http://www.hostprodirect.com/tmp_screenshot.jpg

Thanks!

- Dave
 