Reseller domains hacked HELP!

venloft (Verified User, joined Oct 12, 2004, 16 messages)
Hi,

I need help. One of my reseller accounts has been hacked. By the way, all the reseller's users are just fine, but all the reseller's domains are forwarded to another site and all the domain records seem to be corrupted. At the beginning I thought that it was an httpd attack, but no index files were replaced. Then I looked for unusual apache processes and found nothing:
ps aux | grep ^apache | grep -v /usr/sbin/httpd
Then with httpd2 I found some:
ps aux | grep ^apache | grep -v /usr/sbin/httpd
I killed all the httpd processes and the domains still forward.

I only have one named process running.

The main reseller domain is showing a Plesk default page instead of the good one. That happens with any domain zone registered in the account, but they have a subdomain created in a user-level account and it's working fine.


Then I checked with chkrootkit and rkhunter, and got the following output from rkhunter. Only the file seems corrupted, so I don't know if I have to delete it:
/usr/sbin/prelink: "/usr/bin/file" is not an ELF file
/usr/sbin/prelink: "/usr/bin/file" is not an ELF file
/usr/bin/file [ BAD ]


I also checked /tmp for some .txt or perl script, but there is nothing there.
All named configuration files are fine.
Can anyone help me? I don't know what else to do.

If someone knows or has/had a similar problem: what kind of attack is this, and how do I fix it and prevent it? Please let me know. It doesn't look like a regular httpd attack.

I have a Fedora 3 server.

This is the apache error log:
Code:
[Tue May 22 21:34:07 2007] [error] [client 66.98.148.24] File does not exist: /home/res01357/domains/sharedip/robots.txt
[Tue May 22 21:34:07 2007] [error] [client 66.98.148.24] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Tue May 22 21:50:00 2007] [error] [client 24.35.92.21] File does not exist: /home/res01357/domains/sharedip/ag/secciones/AG/ES/MAIN/M/SHOWROOMS/seccion_HTML.html
[Tue May 22 21:50:00 2007] [error] [client 24.35.92.21] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Tue May 22 21:50:02 2007] [error] [client 24.35.92.21] File does not exist: /home/res01357/domains/sharedip/index.php
[Tue May 22 21:50:02 2007] [error] [client 24.35.92.21] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Tue May 22 21:50:05 2007] [error] [client 24.35.92.21] File does not exist: /home/res01357/domains/sharedip/modules.php
[Tue May 22 21:50:05 2007] [error] [client 24.35.92.21] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 209.126.144.95:80 has no VirtualHosts
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 209.126.144.95:443 has no VirtualHosts
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 209.126.144.91:80 has no VirtualHosts
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 209.126.144.91:443 has no VirtualHosts
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 209.126.144.90:80 has no VirtualHosts
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 209.126.144.90:443 has no VirtualHosts
[Tue May 22 23:03:11 2007] [notice] Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a PHP/4.3.10 FrontPage/5.0.2.2510 configured -- resuming normal operations
[Tue May 22 23:03:11 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 22 23:03:11 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed May 23 00:15:01 2007] [notice] caught SIGTERM, shutting down
[Wed May 23 00:15:05 2007] [warn] NameVirtualHost 209.126.144.95:80 has no VirtualHosts
[Wed May 23 00:15:05 2007] [warn] NameVirtualHost 209.126.144.95:443 has no VirtualHosts
[Wed May 23 00:15:05 2007] [warn] NameVirtualHost 209.126.144.91:80 has no VirtualHosts
[Wed May 23 00:15:05 2007] [warn] NameVirtualHost 209.126.144.91:443 has no VirtualHosts
[Wed May 23 00:15:05 2007] [warn] NameVirtualHost 209.126.144.90:80 has no VirtualHosts
[Wed May 23 00:15:05 2007] [warn] NameVirtualHost 209.126.144.90:443 has no VirtualHosts
[Wed May 23 00:15:06 2007] [notice] Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a PHP/4.3.10 FrontPage/5.0.2.2510 configured -- resuming normal operations
[Wed May 23 00:15:06 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed May 23 00:15:06 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed May 23 01:00:50 2007] [warn] NameVirtualHost 209.126.144.95:80 has no VirtualHosts
[Wed May 23 01:00:50 2007] [warn] NameVirtualHost 209.126.144.95:443 has no VirtualHosts
[Wed May 23 01:00:50 2007] [warn] NameVirtualHost 209.126.144.91:80 has no VirtualHosts
[Wed May 23 01:00:50 2007] [warn] NameVirtualHost 209.126.144.91:443 has no VirtualHosts
[Wed May 23 01:00:50 2007] [warn] NameVirtualHost 209.126.144.90:80 has no VirtualHosts
[Wed May 23 01:00:50 2007] [warn] NameVirtualHost 209.126.144.90:443 has no VirtualHosts
[Wed May 23 01:00:51 2007] [notice] Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a PHP/4.3.10 FrontPage/5.0.2.2510 configured -- resuming normal operations
[Wed May 23 01:00:51 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed May 23 01:00:51 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed May 23 01:16:09 2007] [error] [client 194.224.199.48] File does not exist: /home/res01357/domains/sharedip/robots.txt
[Wed May 23 01:16:09 2007] [error] [client 194.224.199.48] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Wed May 23 01:30:39 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/podcast.php
[Wed May 23 01:30:39 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Wed May 23 01:30:41 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/forums.php
[Wed May 23 01:30:41 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Wed May 23 01:30:42 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/html/biere.php
[Wed May 23 01:30:42 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Wed May 23 01:30:46 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/index.php
[Wed May 23 01:30:46 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/404.shtml
[Wed May 23 01:30:47 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/index.php
[Wed May 23 01:30:47 2007] [error] [client 24.154.211.66] File does not exist: /home/res01357/domains/sharedip/404.shtml


Please help me, thanks.
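The error log above is the main evidence in the first post, and reading it by hand across hundreds of lines is slow. The script below is an added example for this thread, not code from the original post or from DirectAdmin: it parses the Apache 1.3 error_log format shown above and summarizes the three things worth noticing here, namely which client IPs are requesting files that do not exist (and how many distinct paths each one tries), which NameVirtualHost addresses Apache reports as having no VirtualHosts, and how often the server was restarted. The log lines embedded in the script are constructed for the example (the client and server IPs are made up); the document root path matches the one in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Apache 1.3 error_log lines in the post.
# Client and server IPs here are made up; the sharedip path matches the post.
SAMPLE_LOG = """\
[Tue May 22 21:50:00 2007] [error] [client 10.0.0.7] File does not exist: /home/res01357/domains/sharedip/index.php
[Tue May 22 21:50:05 2007] [error] [client 10.0.0.7] File does not exist: /home/res01357/domains/sharedip/modules.php
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 192.0.2.95:80 has no VirtualHosts
[Tue May 22 23:03:10 2007] [warn] NameVirtualHost 192.0.2.95:443 has no VirtualHosts
[Tue May 22 23:03:11 2007] [notice] Apache/1.3.33 (Unix) configured -- resuming normal operations
[Wed May 23 00:15:01 2007] [notice] caught SIGTERM, shutting down
[Wed May 23 01:30:39 2007] [error] [client 10.0.0.9] File does not exist: /home/res01357/domains/sharedip/podcast.php
"""

# Apache 1.3 error_log: "[timestamp] [level] [client IP] message" (client part is optional)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[0-9a-fA-F.:]+)\] )?(?P<msg>.*)$"
)
MISSING_RE = re.compile(r"^File does not exist: (?P<path>\S+)$")
NOVHOST_RE = re.compile(r"^NameVirtualHost (?P<addr>\S+) has no VirtualHosts$")


def parse_line(line):
    """Split one error_log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate missing-file requests per client, vhost-less addresses and restarts."""
    summary = {
        "missing_by_client": defaultdict(set),  # client IP -> set of requested paths
        "no_vhost_addrs": set(),                # IP:port pairs with no VirtualHost block
        "restarts": 0,
        "shutdowns": 0,
        "unparsed": 0,
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        msg = rec["msg"]
        mm = MISSING_RE.match(msg)
        if mm and rec["client"]:
            summary["missing_by_client"][rec["client"]].add(mm.group("path"))
            continue
        nv = NOVHOST_RE.match(msg)
        if nv:
            summary["no_vhost_addrs"].add(nv.group("addr"))
            continue
        if "resuming normal operations" in msg:
            summary["restarts"] += 1
        elif "caught SIGTERM" in msg:
            summary["shutdowns"] += 1
    summary["missing_by_client"] = dict(summary["missing_by_client"])
    return summary


def probing_clients(summary, threshold=2):
    """Clients that asked for at least `threshold` distinct non-existent files.

    A single 404 is normal; one client walking through index.php, modules.php,
    forums.php and similar entry points is a scanner looking for known web apps.
    """
    return sorted(
        ip for ip, paths in summary["missing_by_client"].items() if len(paths) >= threshold
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("restarts:", s["restarts"], "shutdowns:", s["shutdowns"])
    print("addresses with no VirtualHosts:", sorted(s["no_vhost_addrs"]))
    print("clients probing for web apps:", probing_clients(s))
```

Run it against the real file with `summarize(open("/var/log/httpd/error_log").read())`. Two readings matter for this thread: the missing-file requests all land under the `domains/sharedip` document root, which is where a request ends up when it reaches a shared IP without matching a configured virtual host, so the clients in the log are hitting the server on its shared IP rather than the reseller's own address; and the paths they try (`index.php`, `modules.php`, `forums.php`, `podcast.php`) are the signature of an automated web-application scanner, not of the redirect problem itself.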
 
Did the zones files get modified? Is there some kind of redirect in the public_html such a .htaccess? Redirecting to a default plesk page doesn't seem to be much of a hack. Did you check whois to make sure the domains are still pointed to your server?
 
The whois domain registration is just fine, and there is no .htaccess. I still can't fix it, so I'm going to reinstall the system if I don't succeed in a couple of hours.
 
If you reinstall DA everything will be deleted.

What is a domain you are having a problem with?
 
Let's try to figure this out...

Venloft, are you running DirectAdmin or Plesk? Your hacked page is showing a Plesk page, and DA doesn't include any Plesk pages.

If you're running Plesk, you're in the wrong place.

If you're running DirectAdmin then you need to check DNS to make sure your sites are pointing to your server.

Jeff
 
I'm running DA, and DNS is fine. I have been trying to find a solution, but so far with no success.

It looks and works like a domain pointer force for the IP addresses, but I don't know how to verify that.

I'm re-installing the server at about 10am Pacific time, so if I find an answer before that I'll let you all know. In the meantime any help and/or suggestion will be appreciated.
 
I already told you the answer. The IP is not being routed to your server. Otherwise DA would answer to it and it currently doesn't. You can reinstall all you want but it's not going to help the problem. You need to talk with your IP provider about it. 209.126.144.45 is not being routed to your DA server. It's being routed to another server that is apparently running Plesk. The problem is at the router or switch upstream from your server.

Check with your provider and get back to us after that.
 
Floyd, correct me if I'm wrong but I thought Plesk connects on port 8443. I've tried a connection to that IP on port 8443 and that gets refused as well. While I doubt that there's a hack out there that pretends to be a Plesk server, I suppose it's possible.

venloft, I do agree that you need to check with your provider to see where the IP# is being routed.

Jeff
 
Floyd, correct me if I'm wrong but I thought Plesk connects on port 8443.

I don't know. All I know is that it didn't connect to port 2222 but the other ip did. So that told me that the problem ip is probably not being directed to his server at all. I don't think there is anything venloft can do to his server to fix it. Reinstalling DA would be a waste of time and delete his current configuration.

The other thing that is possible is that another user on the same network has added the .45 address to his server and stolen the IP.
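Floyd's diagnosis rests on a simple check: connect to the DirectAdmin port (2222) and the web port on each of the server's IPs from outside, and an IP on which the web port answers but DirectAdmin does not is being delivered to some other machine. The script below is an added example for this thread, not code from the post or from DirectAdmin. It probes each address, reads the HTTP `Server` banner so that a box running different software stands out, and classifies the result; the `diagnose` function works on recorded probe results so the classification can be checked offline, and `live_probe` performs the real network calls. The IPs, the expected banner and the sample results are constructed for the example; port 2222 is the DirectAdmin port named in the thread.

```python
import socket

DA_PORT = 2222    # DirectAdmin control panel port, as named in the thread
HTTP_PORT = 80


def tcp_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def http_server_header(ip, port=HTTP_PORT, host=None, timeout=3.0):
    """Send a minimal HTTP/1.0 request to ip:port and return its Server banner."""
    req = "GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % (host or ip)
    raw = b""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            while len(raw) < 8192:                 # headers only; no need for the body
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
                if b"\r\n\r\n" in raw:
                    break
    except OSError:
        return None
    return parse_server_header(raw)


def live_probe(ip):
    """Probe one address from outside the server and record what answered."""
    http = tcp_open(ip, HTTP_PORT)
    return {
        "ip": ip,
        "da_open": tcp_open(ip, DA_PORT),
        "http_open": http,
        "server": http_server_header(ip) if http else None,
    }


def classify(probe, expected_server=None):
    """Decide whether an IP reaches the DA box, some other box, or nothing at all.

    expected_server is the Server banner prefix of the known-good IP; a web
    answer with a different banner is treated as coming from another machine.
    """
    da, http, server = probe["da_open"], probe["http_open"], probe.get("server")
    if not da and not http:
        return "unreachable"
    mismatch = (expected_server is not None and server is not None
                and not server.startswith(expected_server))
    if da and not mismatch:
        return "routed_to_da_host"
    if da and mismatch:
        return "inconsistent"          # DA answers but the banner is foreign: investigate
    return "routed_elsewhere"          # web answers, DA does not: not our machine


def diagnose(probes, expected_server=None):
    """Map each probed IP to its classification."""
    return {p["ip"]: classify(p, expected_server) for p in probes}


# Constructed probe results (made-up IPs and banners) mirroring the thread:
# .44 behaves like the working address, .45 like the hijacked one.
SAMPLE_PROBES = [
    {"ip": "192.0.2.44", "da_open": True, "http_open": True, "server": "Apache/1.3.33 (Unix)"},
    {"ip": "192.0.2.45", "da_open": False, "http_open": True, "server": "Apache/2.0.52 (CentOS)"},
    {"ip": "192.0.2.46", "da_open": False, "http_open": False, "server": None},
]

if __name__ == "__main__":
    for ip, verdict in diagnose(SAMPLE_PROBES, "Apache/1.3.33").items():
        print(ip, verdict)
```

For a real check, run `diagnose([live_probe(ip) for ip in ips], expected_server=...)` from a host outside the provider's network, with `expected_server` set to the banner the known-good IP returns. The "routed_elsewhere" verdict is exactly Floyd's finding: the traffic never reaches the DirectAdmin box, so nothing done on that box (reinstalling included) can change the result, and the fix belongs with whoever controls the upstream router or switch. For the second possibility he raises, another host on the same segment claiming the address, the complementary check from the server itself is iputils `arping -D -I <interface> <ip>` (duplicate address detection), which reports whether a different MAC address answers for the IP.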
 
Floyd, as you say, it was the IP address that was the problem. Thank you.
They fixed the issue for me before reinstalling; however, I decided it was the moment to upgrade the box, so I went ahead. Again, thank you.
 