Serious Problem! Server Hacked?!?!?!

PRB (Verified User; joined Oct 18, 2008; 154 messages)
PLEASE HELP!

At 17:39 I received a message that a user was created. The username of this user wasn't a randomly generated mix of letters (like dsqidid) but a real name: "john". So that must've meant I created it manually, but I DID NOT CREATE IT!

So I got worried someone had gotten inside my admin account.
On all 6 production servers there's this:
0=attempts=1&lastaccess=Apr 28, 2009 at 17:36&lasthostaccess=75.102.25.27

Of course the time varies on each server. WHO THE HELL IS THIS? THAT IS NOT MY IP ADDRESS.

I have changed all passwords of all admin accounts immediately. On server 1, I had a table in my MySQL database with all server IP addresses and their admin passwords; could it be that they broke into my MySQL database? All passwords are 6+ letters and numbers, and all servers are hardened. They did not log in as root but only as admin, which means they did not have root login details, as only my admin details are inside the database.

All they did was (as far as it seems) update DirectAdmin on every server?! :confused:

Please help me, send me your IM by PM or something, I desperately need help with this!!!
 
The system is completely made by me, and it's very secure.

I have a live chat system and a Phorum (a forum) using the same database; is it possible they got in using those two pieces of software?

EDIT: And I also have a WordPress blog using the same database. It must've been one of these bloody 3rd-party scripts. Damn it.
 
At 17:39 I received a message that a user was created
How were you informed that a user had been created?

On all 6 production servers theres this:
0=attempts=1&lastaccess=Apr 28, 2009 at 17:36&lasthostaccess=75.102.25.27
Is that the output you got from running 'last' in the shell? If not, is the output from 'last' similar? Also, do you recognise that IP? Is it on the subnet associated with the server?

I have changed all passwords of all admin accounts immediatly.
I recommend changing all root passwords as well.

On server 1, I had a table in my MySQL database with all server IP adresses and their admin passwords, could it be that they broke into my MySQL database?
Of course it's possible, but of course storing login details -anywhere- on a server is a bad idea.

They did not log in to root but only to admin, which means they did not have root login details as only my admin details are inside the database.
Under normal circumstances only users identified as root (or superuser) can create new users.

Have you also checked /root/.bash_history and /home/admin/.bash_history (or similar) for clues?
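As an added example (not code from this thread or from DirectAdmin), a small Python triage script that parses the last-access record quoted above from several servers and flags any admin login from a host outside an operator allowlist; the second and third records and the allowlisted network are constructed values.

```python
"""Triage helper for DirectAdmin-style last-access records.

Assumed record format, taken from the thread:
    0=attempts=1&lastaccess=Apr 28, 2009 at 17:36&lasthostaccess=75.102.25.27
The leading "N=" is treated as a record index; the remainder is an
ampersand-separated key=value list. Added example, not DirectAdmin's own code.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: one record per server. server1 is the line from the post;
# server2 and server3 are made up for illustration.
SAMPLE_RECORDS = {
    "server1": "0=attempts=1&lastaccess=Apr 28, 2009 at 17:36&lasthostaccess=75.102.25.27",
    "server2": "0=attempts=1&lastaccess=Apr 28, 2009 at 17:38&lasthostaccess=75.102.25.27",
    "server3": "0=attempts=3&lastaccess=Apr 27, 2009 at 09:12&lasthostaccess=192.0.2.10",
}

# Networks the operator recognises as their own (constructed; RFC 5737 range).
KNOWN_NETWORKS = [ip_network("192.0.2.0/24")]


def parse_record(record: str) -> dict:
    """Split 'N=k=v&k=v...' into typed fields; only the first '=' is the index."""
    index, _, body = record.partition("=")
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")  # values may themselves contain spaces/commas
        fields[key] = value
    fields["index"] = int(index)
    fields["attempts"] = int(fields.get("attempts", 0))
    fields["lastaccess"] = datetime.strptime(fields["lastaccess"], "%b %d, %Y at %H:%M")
    fields["lasthostaccess"] = ip_address(fields["lasthostaccess"])
    return fields


def is_known_host(addr) -> bool:
    return any(addr in net for net in KNOWN_NETWORKS)


def flag_unknown_logins(records: dict) -> list:
    """Return (server, ip, timestamp) for each record whose host is not allowlisted."""
    findings = []
    for server, raw in records.items():
        rec = parse_record(raw)
        if not is_known_host(rec["lasthostaccess"]):
            when = rec["lastaccess"].isoformat(timespec="minutes")
            findings.append((server, str(rec["lasthostaccess"]), when))
    return findings


if __name__ == "__main__":
    for server, ip, when in flag_unknown_logins(SAMPLE_RECORDS):
        print(f"{server}: admin login from unrecognised host {ip} at {when}")
```

Correlating the same unknown host across several servers within minutes, as here, is the pattern that separates a stolen credential set from a single mistyped login.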
 
The IP# belongs to:

HostForWeb Inc.

The rDNS for the IP# is:

superniceday.info

But superniceday.info resolves to a completely different IP#.

Do you know who these people are?

Jeff
 