GoFuckYourself.com - Adult Webmaster Forum

#1
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

TROJAN infected our WEBSERVER!
I mean, really.
WHAT INSANITY! A trojan infected our WEBSERVER. I'm just beside myself here. I've never had this happen to me at any other place I have had a server colocated. A customer called in and complained that when they access our site through a google search their browser gets hijacked. Sure enough, a few seconds later the plethora of our sites on that server are completely in the bucket. Any hit to our sites attempts to download the trojan to the browser's computer. Smoke is just coming outta my ears over here. Anyone with any information, experience, suggestions (besides the obvious = "look for a new web host" which will be done) - please speak up!

#2
Too lazy to set a custom title
Industry Role:
Join Date: Jul 2001
Posts: 59,204

Get a good sys admin.

#3
I can change this!!!!!
Join Date: Feb 2004
Posts: 18,972

Who do you host with?

#4
So Fucking Gay
Join Date: Nov 2004
Posts: 19,714

Man that sucks.
Yeah, I'd be interested in knowing who you host with too.

#5
Strength and Honor
Join Date: Jul 2004
Location: Europe
Posts: 16,540

Who's your host?

#6
Too lazy to set a custom title
Industry Role:
Join Date: Oct 2002
Location: Montreal, Quebec
Posts: 29,674

Firewall? Server anti-virus software?
If it is just a file, find it and delete it. If a process is running to do that, identify the process, kill it and try to remove it.

#7
Ryde or Die
Industry Role:
Join Date: Dec 2002
Location: California-Shanghai
Posts: 19,568

your host isn't doing shit about it?

#8
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

mothafuckin POWERMEDIUM a.k.a. CANDID HOSTING
they have been trying to fix it for about a half an hour now! I am fucking livid that it happened in the FIRST PLACE

#9
Too lazy to set a custom title
Join Date: Nov 2002
Posts: 16,714

Quote:
candid? lol thought they kicked the bucket long ago.. get a real host even geocities would be better

#10
Damn Right I Kiss Ass!
Industry Role:
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409

Ns1.candidhosting.com 64.159.90.4
Ns2.candidhosting.com 64.159.90.10

#11
Damn Right I Kiss Ass!
Industry Role:
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409

Quote:
Having a virus has absolutely NOTHING to do with your host. And you don't even know if you have a virus or if someone hacked in and did this all manually, which is usually the case. Your host only handles the server itself and the processes needed to run in order for it to be a web server (the kernel, apache, mysql, PHP)... You are responsible for EVERYTHING else. So when you people install phpBB 2.0.10 and get hacked, don't complain to the host... or when you fail to install software to monitor problems like these...

#12
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609

it all depends on what was hacked... you are responsible for maintaining software you have access to... not your host; they are responsible for the things they control... I wouldn't be so quick to blame them just yet

#13
i have man boobies
Join Date: Jul 2003
Location: van down by the river
Posts: 13,082

who the fuck uses the word plethora

#14
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

Quote:
Secondly, it IS the responsibility of the host to maintain network security. Firewalls to the facility, server antivirus, etc. No? I haven't installed phpBB or any other out-of-box software. I am unsure how this happened - and if the sysadmin contacts me before next year to let me know how they traced the issue and it points to something that is not their fault I will be a bit blush, not mad at them, and more than a bit surprised.

#15
Damn Right I Kiss Ass!
Industry Role:
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,409

Quote:
Tell about the other problems... You might just help someone NOT make a bad decision on their hosting for 2006. When you say security it is pretty black and white. They are only responsible for THEIR network's security. Routers, switches, etc.. if someone writes a virus for a switch they use, they need to upgrade and patch its software. As for your server, they only provide help if the entry point was a piece of software they are responsible for. Examples from above, the kernel, apache, mysql, sendmail, etc... If it turns out the entry point was a script in your affiliate program or other software YOU have control over, then they are off the hook on this one.

#16
I like Dutch Girls
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684

candid won't do shit

#17
Confirmed User
Join Date: Mar 2004
Location: → → →
Posts: 1,717

Does a sysadmin come with a colo at Candid or whatever the new name is?

#18
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

From tech support:
"Vic, There were some older versions of PHP on your server which may have been causing this. I've upgraded and I can't recreate the error that was happening before."

#19
Confirmed User
Join Date: May 2004
Location: South Florida
Posts: 4,134

a trojan? wtf is it a windows server?

#20
Confirmed User
Industry Role:
Join Date: Feb 2002
Location: NYC, NY
Posts: 8,531

Quote:
Did they ever send you php vulnerability notices for the versions you're running? That sucks man, let me know if you need anything...

#21
I can change this!!!!!
Join Date: Feb 2004
Posts: 18,972


#22
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

My other issues with them
- no, a dedicated sysadmin doesn't come with a colo; you are lumped into a tech support pool which really is only 9 to 5, Monday - Friday, unless you call in and demand an escalation on your ticket.
- our mailserver is out of control and they can't seem to do anything about it. By "out of control" I mean being used to send out email by spammers.
- they couldn't manage to get elmlm installed correctly for me
- they tried to charge me for October's bandwidth on November's (smaller) bandwidth contract (we took our content to Limelight Networks for distribution).
- now this.

So what do you think of their response? I had a half a fuckin hour complete downtime while waiting for them to decide that it was possibly caused by an older version of php, and that they can't trace the problem. My focus is blurry right now, so any advice you might offer about how to deal with the situation will be helpful

#23
Confirmed User
Join Date: May 2004
Location: South Florida
Posts: 4,134

Quote:

#24
Too lazy to set a custom title
Industry Role:
Join Date: Oct 2002
Location: Montreal, Quebec
Posts: 29,674

Quote:
An older version will expose you to security risks. Updated versions from 4.1.1 to 4.1.2 (just as an example...) are in fact security patches most of the time. Get a good admin (Dynaspain as example) to close the ports not used, change the numbers of the ones used to complicate the hackers' task... But this situation is not really the responsibility of your host. You have a CP on that box. YOU should update the OS, HTTP, etc. software.

#25
Registered User
Join Date: Dec 2004
Location: N
Posts: 45

The spam issue might just be a hijack of another customer's, for instance, guestbook script (assuming the box is shared). I know several hosts which have a "free" unsecure guestbook script. These are usually found by hackers by doing a simple search from google.
I guess that's where the line is drawn between pro hosts and, hmm... not pros.

#26
Too lazy to set a custom title
Industry Role:
Join Date: Mar 2003
Location: Homeless
Posts: 62,911


#27
Confirmed User
Join Date: Jan 2004
Posts: 1,238

I'm a host myself and I'll take my chances here as to what happened, as I've seen this on one of my customer's servers.
The real culprit could be any of the following combination of things:
- Old PHP version allowing an easy code exploit
- Poorly written PHP/CGI code that allowed an exploit
- Error reporting turned on, providing critical info to the attacker to exploit your system

Chances are no matter how good a sys admin, or how great a host you get -- you can still be affected by these things unless from the ground up you build your sites with security in mind, which almost no one ever does as it greatly limits the suite of available applications. For example with PHP you must run with safe mode enabled along with a slew of other options that will need to be enabled to ensure proper security; mind you though that a number of scripts will not run with safe mode turned on.

* As for the attack, they most likely overwrote your html/php files and inserted a few lines of code; all you need to do is get an experienced tech to write a script which will go through every file that has been affected on your system and remove the malicious lines of code. Good luck, as it's a serious pain in the ass!

#28
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

pornguy, thanks for the lead.
so here's what it seemed to be: We were running PHP 4.3.7 (Unix - not shared, dedicated). Apparently someone took advantage of this to create the following effect: hits to our php page would (often, apparently, not always) redirect and attempt to get the client to click "OK" to download the browser hijacker. I am led to hope that the upgrade of PHP to 4.3.11 closes this vulnerability. So far, it appears to. We've been running for about 15 minutes without a detected incident.

A QUESTION: Those of you with dedicated servers (sorry, I used "colocated" earlier, which is not exactly what we have) - do you receive notifications from your server when a php upgrade should be installed, etc?

#29
►SouthOfHeaven
Join Date: Jun 2004
Location: PlanetEarth MyBoardRank: GerbilMaster My-Penis-Size: extralarge MyWeapon: Computer
Posts: 28,609

Quote:

#30
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

if leaving error reporting on is a vulnerability (thanks zagi, I've turned it off) - I imagine leaving a file called "phpinfo.php" around is a bit of a no-no, right? But this is the second time tech support has left this file hanging around.
Also, I found no files modified besides those I modified myself.

#31
<&(©¿©)&>
Industry Role:
Join Date: Jul 2002
Location: Chicago
Posts: 47,882

It shouldn't be possible to fuck up the whole server, if the host is doing its job

#32
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

from candid's tech support:
"It looks like someone may have used one of the numerous exploits in PHP 4.3.7 to overflow apache and install a new module into apache which redirected traffic randomly from google." Any comments on this?

#33
Too lazy to set a custom title
Join Date: Jun 2004
Location: Brasil
Posts: 15,778

How Have You Got A Trojan On Your Server?

#34
Confirmed User
Join Date: Mar 2004
Posts: 767

Here's some advice. Your entire system has likely been rootkitted (what is a rootkit? Check here). My advice:
1. Migrate all data (data, files, pics, movies, config settings etc.) to a clean backup box
2. Reinstall the infected machine FROM SCRATCH
3. Upgrade all modules, firewall all unneeded ports
4. Copy your data back
5. Cron monitor all system and config files w/ md5 checksums

Takes half a day or even a whole day. Good luck.
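An added example, not code from the thread or from the host it discusses, of step 5 above (cron-monitoring files with md5 checksums); the report it produces is also the list of touched files that the cleanup script in post #27 would start from. It assumes GNU coreutils (md5sum, find, sort, comm, mktemp) and file names without newlines.

```shell
#!/bin/sh
# Minimal cron-friendly integrity check: record an md5 per file on a clean
# box, then diff later scans against that record. Added example, not the
# thread's or the hosting company's code.

# baseline_make DIR BASELINE
# Writes "md5  path" for every regular file under DIR into BASELINE. Take the
# baseline right after the rebuild, before the box goes live, and keep the
# file where the web server user cannot write it; otherwise whoever can
# replace your PHP files can also "fix" the baseline.
baseline_make() {
    LC_ALL=C find "$1" -type f -exec md5sum {} + | LC_ALL=C sort > "$2"
}

# baseline_check DIR BASELINE REPORT
# Writes one line per difference into REPORT:
#   MODIFIED path   content differs from the baseline (e.g. an injected redirect)
#   ADDED    path   file not in the baseline (e.g. a dropped script)
#   REMOVED  path   file in the baseline that is gone
# Returns 0 when nothing differs, 1 otherwise, so cron can mail the report
# only when it is non-empty.
baseline_check() {
    dir=$1 base=$2 report=$3
    now=$(mktemp) || return 2
    LC_ALL=C find "$dir" -type f -exec md5sum {} + | LC_ALL=C sort > "$now"
    : > "$report"
    # Lines present only in the new scan: either a new path or a new hash.
    # md5sum lines are 32 hex chars + two spaces, so the path starts at col 35.
    LC_ALL=C comm -13 "$base" "$now" | while read -r hash path; do
        if awk -v p="$path" 'substr($0, 35) == p { f = 1 } END { exit !f }' "$base"; then
            echo "MODIFIED $path"
        else
            echo "ADDED $path"
        fi
    done >> "$report"
    # Lines present only in the baseline whose path no longer exists at all
    # (a changed file also shows up here under its old hash, so skip those).
    LC_ALL=C comm -23 "$base" "$now" | while read -r hash path; do
        [ -e "$path" ] || echo "REMOVED $path"
    done >> "$report"
    rm -f "$now"
    [ ! -s "$report" ]
}
```

A daily job such as `baseline_check /var/www /root/www.md5 /root/www.diff || mail -s "integrity check" root < /root/www.diff` gives the alerting the post is asking for; refresh the baseline only after a change you made yourself.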

#35
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

it's not a trojan on the server... but it was redirecting traffic to download a trojan to the client.
David, thanks for the checklist, but rooting is done against WINDOWS boxes, right? We run on Unix.

#36
Too lazy to set a custom title
Industry Role:
Join Date: Oct 2002
Location: Montreal, Quebec
Posts: 29,674

Quote:
Quote:
If not, you can do in ssh command line an update by running the update apache command. Again, you will have choices available. The host/datacentre will not inform you of that... They will inform you of kernel update, which they perform.

#37
Confirmed User
Join Date: May 2004
Location: South Florida
Posts: 4,134

Quote:

#38
Too lazy to set a custom title
Industry Role:
Join Date: Oct 2002
Location: Montreal, Quebec
Posts: 29,674

Quote:
Activate Safe Mode Using Per Site Basis

Now if you have scripts that require safe mode off like Modernbill or any script that doesn't work well with safe_mode on, what will you do? Disable safe_mode on the entire server just for these scripts? This isn't very practical when you can disable php safe mode on a per user account/site basis. Let's do it!

1) SSH to your server and login as root.
2) Then find the httpd.conf, normally it's in /etc/httpd/conf/ or /usr/local/apache/conf/. If it's not in either of those places try searching for it: locate httpd.conf
3) Then find the site you wish to edit. Ctrl+W and type in the domain name. You should see something like this:
PHP Code:
php_admin_flag safe_mode Off
We have also found that the following works as well if the above does not, but DO NOT USE BOTH, pick one!
php_admin_value safe_mode 0
to be like this:
PHP Code:
Ctrl + X then Y
6) Restart the Apache web server by /etc/init.d/httpd restart

Final Words
PHP Safe mode should be on by default on all your servers for added security. However there are some scripts that are not compatible with it on, so you have to make an exception for some client sites. Make sure you know why they're requesting to have it turned off, because it is much more secure for everyone to have it on. If you run into trouble after editing httpd.conf you can run apachectl configtest in shell. This will test the Apache configuration for errors and report them back to you if you can't start it, very handy indeed!
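As an added example (not the quoted guide's own configuration, whose code blocks did not survive on this page), this is the httpd.conf layout the guide describes: safe_mode and error display locked down server-wide, with safe_mode switched off for one vhost only. The hostname and paths are placeholders. Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so this applies only to the PHP 4-era builds this thread is about.

```apache
# Server-wide mod_php defaults (added example; names and paths are placeholders).
# display_errors Off addresses the error-reporting leak raised in posts #27/#30,
# expose_php Off stops PHP advertising its exact version in response headers.
php_admin_flag safe_mode On
php_admin_flag display_errors Off
php_admin_flag expose_php Off

# Per-site exception for the one tenant whose script (the guide's Modernbill
# case) will not run with safe_mode on. php_admin_flag/php_admin_value cannot
# be overridden from .htaccess or ini_set(), so the tenant cannot loosen this.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /home/example/public_html
    php_admin_flag safe_mode Off
    # Keep that site's scripts confined to their own tree even without safe_mode.
    php_admin_value open_basedir /home/example/public_html:/tmp
</VirtualHost>
```

Run `apachectl configtest` after the edit and restart Apache, as the guide says; with mod_php the setting takes effect only after the restart.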

#39
Confirmed User
Join Date: Mar 2004
Posts: 767

Quote:
Consider going through what I suggested, you are only asking for trouble if you just patch up PHP and Apache and bring the box(es) back online.

#40
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

My tech at the hosting company: "I don't think your system was rootkitted. I don't see any trace of it. The nature of what happened to your server is that PHP or apache (both which run as unprivileged users) can be overflowed. The most the user has access to is the files the apache user owns, which were replaced when I recompiled PHP and apache."

#41
Confirmed User
Join Date: Nov 2005
Posts: 268

I don't want to rub it in, but if this was a windows machine, everyone on this board would have said something bad about windows... WOW, UNIX and no one says "how great UNIX is"?
It's funny how the first thing people will bash is Candid, without even getting all the facts. I guess UNIX machines are not the great, perfect machines everyone on this board tries to make them out to be.

#42
Confirmed User
Join Date: Apr 2002
Location: /root/
Posts: 4,997

Quote:
person.

#43
Confirmed User
Join Date: Dec 2004
Location: ICQ: 251-911-362
Posts: 915

Quote:

#44
Pay to Cum
Join Date: Aug 2004
Location: Nor San Diego
Posts: 1,029

well call me naive (sp?), but in the past getting a dedicated server somewhere and having them set it up, the techs there are experts and set the machine up properly. I.E. they turn off error reporting, mount /tmp noexec, set up suexec domains, etc. etc. right from the start - part of the reason why I pay a fee to a hosting company is to take advantage of the expertise they have in running and setting up servers. I am dissatisfied with Candid - and I believe rightfully so - because they set this box up in ways that they now come back and tell me are not safe.
Lesson learned - I need to personally learn up on all that shit and get up to speed with it, and make sure that my tech support people are doing what they should be. Reality is a bummer.

#45
Biz Dev and SEO
Industry Role:
Join Date: Jun 2005
Posts: 15,180

that's because you are using windows server! LOL! :D