
This is a discussion on Hacker keeps changing our index.html page in the VPS & Dedicated forum

  1. #1
    Loyal Client rashad's Avatar
    Join Date
    Nov 2006
    Posts
    196

    Hacker keeps changing our index.html page

    Hi,
    I have secured my VPS very well, but I do not know how the hacker can change all the indexes for my clients at the same time!!

    I searched to see if any file the hacker created is hidden on the VPS; however, no luck. Any suggestions on what or where to look to fix this??
    Is there any special script or program that can be installed to stop this kind of thing?
    My site:
    SMS

  2. #2
    JPC Dream Team
    Join Date
    May 2007
    Location
    JPC
    Posts
    635
    You can open a support ticket, if you have not already, and get the basic security hardening measures performed on your VPS, which include APF Firewall and BFD Brute Force Detection software installation among other things. You also need to follow the guidelines in the following link to ensure that you have secured your accounts properly.

    http://www.jaguarpc.com/support/kbase/731.html
    Jawad A.
    JaguarPC

  3. #3
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    A very powerful hack system has been going around for the past few years and uses FTP passwords stolen from client machines (Windoze mainly) so the actual server was never compromised.

    If the attacker has been adding iframe tags in your index files, then it's probably this kind of attack, and the simple solution is to disable the FTP server and go reset every single password on the server+clients. Once done, you may re-enable your FTP server.

  4. #4
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by rashad View Post
    Hi,
    I have secured my VPS very well, but I do not know how the hacker can change all the indexes for my clients at the same time!!

    I searched to see if any file the hacker created is hidden on the VPS; however, no luck. Any suggestions on what or where to look to fix this??
    Is there any special script or program that can be installed to stop this kind of thing?
    Anybody running Joomla!?!?

    http://www.zone-h.org/index.php?opti...4981&Itemid=92

    Most of the recently reported defacements have been on Linux systems running Joomla - hackers love it!

    Once they get in, they upload a root kit of sorts...

    EDIT

    BTW, if you visit Zone-H (above) look at the number of attacks on Linux vs BSD (top left sidebar)...
    Last edited by Vin DSL; 09-07-2008 at 10:37 AM.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  5. #5
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    I'll throw in my 2 cents in saying that this is either an FTP attack (as thisisit suggests) or a script-exploit attack. If you are running any scripts (such as CMSes, blogs, discussion forums, etc.) check that you are running the newest version of the application and of any plugins you might be using. Very often the attackers go after bugs in these common programs to gain access to your system.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  6. #6
    Loyal Client rashad's Avatar
    Join Date
    Nov 2006
    Posts
    196
    Quote Originally Posted by JPC-Howard View Post
    You can open a support ticket, if you have not already, and get the basic security hardening measures performed on your VPS, which include APF Firewall and BFD Brute Force Detection software installation among other things. You also need to follow the guidelines in the following link to ensure that you have secured your accounts properly.

    http://www.jaguarpc.com/support/kbase/731.html
    JPC Dream Team installed all that on my VPS, and I also hired a security company, but the hacker is still having fun!!

  7. #7
    Loyal Client rashad's Avatar
    Join Date
    Nov 2006
    Posts
    196
    Quote Originally Posted by thisisit3 View Post
    A very powerful hack system has been going around for the past few years and uses FTP passwords stolen from client machines (Windoze mainly) so the actual server was never compromised.

    If the attacker has been adding iframe tags in your index files, then it's probably this kind of attack, and the simple solution is to disable the FTP server and go reset every single password on the server+clients. Once done, you may re-enable your FTP server.
    Actually, I told all my clients to change their passwords (FTP.CP...); maybe some of them have done it, the rest have not.

    I think I will do it for them, then I will inform them.
    Yes, I will go with your suggestion.

  8. #8
    Loyal Client rashad's Avatar
    Join Date
    Nov 2006
    Posts
    196
    Quote Originally Posted by Vin DSL View Post
    Anybody running Joomla!?!?

    http://www.zone-h.org/index.php?opti...4981&Itemid=92

    Most of the recently reported defacements have been on Linux systems running Joomla - hackers love it!

    Once they get in, they upload a root kit of sorts...

    EDIT

    BTW, if you visit Zone-H (above) look at the number of attacks on Linux vs BSD (top left sidebar)...
    No one is running Joomla.
    I will visit Zone-H, maybe I will get some hints.

  9. #9
    Loyal Client rashad's Avatar
    Join Date
    Nov 2006
    Posts
    196
    Quote Originally Posted by jason View Post
    I'll throw in my 2 cents in saying that this is either an FTP attack (as thisisit suggests) or a script-exploit attack. If you are running any scripts (such as CMSes, blogs, discussion forums, etc.) check that you are running the newest version of the application and of any plugins you might be using. Very often the attackers go after bugs in these common programs to gain access to your system.

    --Jason
    Script-exploit attack!! Why not!

    Sometimes it’s very hard to search for that script or bug among many sites of clients!!

  10. #10
    Loyal Client rashad's Avatar
    Join Date
    Nov 2006
    Posts
    196
    The strange thing is, he does not change only one index (NO), actually he changes all the indexes at once!!
    The temporary solution is, I told my clients to go to their forum admin and change only the style. It works.

  11. #11
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Wild!

  12. #12
    Technical Support Rep.
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    526
    Quote Originally Posted by rashad View Post
    Hi,
    I have secured my VPS very well, but I do not know how the hacker can change all the indexes for my clients at the same time!!

    I searched to see if any file the hacker created is hidden on the VPS; however, no luck. Any suggestions on what or where to look to fix this??
    Is there any special script or program that can be installed to stop this kind of thing?
    If the attacker is changing every site at the same time, then the issue is likely that one of your services that is running with root privileges has been exploited, or another service with lesser privileges was exploited and then they used a local root exploit.

    1) Change your root password to something secure:
    http://www.pctools.com/guides/passwo... generate=true

    2) Run rkhunter and chkrootkit

    3) Check your log files

    If your VPS has been rooted, you are best to back up all your files and have support do a fresh install.
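
An added example, not written by any poster in this thread, of the "check your log files" step applied to the stolen-FTP-password theory from post #3. It assumes the FTP daemon writes the standard xferlog transfer format; the sample lines, hosts, users and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in xferlog format; hosts, users and paths are made up.
SAMPLE_XFERLOG = """\
Thu Sep  4 03:12:41 2008 1 203.0.113.7 4521 /home/alice/public_html/index.html a _ i r alice ftp 0 * c
Thu Sep  4 03:12:44 2008 1 203.0.113.7 3980 /home/bob/public_html/index.php a _ i r bob ftp 0 * c
Thu Sep  4 03:12:49 2008 1 203.0.113.7 5102 /home/carol/public_html/forum/index.html a _ i r carol ftp 0 * c
Thu Sep  4 09:30:02 2008 2 198.51.100.20 88120 /home/alice/public_html/img/logo.png b _ i r alice ftp 0 * c
Thu Sep  4 10:01:15 2008 1 198.51.100.20 4498 /home/alice/public_html/index.html a _ o r alice ftp 0 * c
Fri Sep  5 11:47:30 2008 1 192.0.2.55 2210 /home/dave/public_html/index.html a _ i r dave ftp 0 * c
"""

INDEX_RE = re.compile(r"(?:^|/)index\.[A-Za-z0-9]+$")

def parse_xferlog(text):
    """Yield (timestamp, host, path, direction, user, status) per valid line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:          # 5 date tokens + 3 + path + 9 trailing fields
            continue
        # The last 9 fields are fixed, so everything between field 8 and
        # them is the path, even if it contains spaces.
        yield " ".join(f[:5]), f[6], " ".join(f[8:-9]), f[-7], f[-5], f[-1]

def index_uploads_by_host(text):
    """Map remote host -> accounts whose index.* it uploaded (completed)."""
    hosts = defaultdict(set)
    for _ts, host, path, direction, user, status in parse_xferlog(text):
        if direction == "i" and status == "c" and INDEX_RE.search(path):
            hosts[host].add(user)
    return hosts

def suspicious_hosts(text, min_accounts=2):
    """Hosts that overwrote index files in several different accounts."""
    return {h: sorted(u) for h, u in index_uploads_by_host(text).items()
            if len(u) >= min_accounts}

def accounts_without_ftp_upload(text, defaced_users):
    """Defaced accounts that no FTP index upload explains."""
    touched = set().union(*index_uploads_by_host(text).values())
    return sorted(set(defaced_users) - touched)

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_XFERLOG))
    print(accounts_without_ftp_upload(SAMPLE_XFERLOG, ["alice", "bob", "erin"]))
```

A single host writing index files into many accounts fits the stolen-password explanation; defaced accounts that `accounts_without_ftp_upload` returns are the ones where the script-exploit or root-compromise explanations from the thread remain open.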
