
Want Help Please Help Me, In Return I will also help you if you need any

Discussion in 'Security' started by masticafe, Feb 26, 2011.

  1. #1
    Sir, I just want to ask you one question. A few days back my forum got hacked, and now I have been able to recover it, but when I looked at the logs I came to know that he had also accessed my cPanel, so I changed my password. But today again an unknown person accessed my cPanel.
    Sir, how can I find out where he is getting my passwords from? On my PC I have seen there is no keylogger. Some say "he must have put a shell on your server"; can you please tell me what a shell is and how I can find out whether he has put a shell on my server or not.

    thanks

    masticafe, Feb 26, 2011
  2. madaboutlinux (Member)
    #2
    cPanel passwords are mostly hacked because of worms/key-loggers on the local computer from which the cPanel account is accessed. Shell is the command prompt of the Linux server, and only the person with root access can investigate thoroughly in such a matter. You have done your part by changing the password (I assume you have scanned your computer); now you need to ask your host to find out how that IP got access to your account. They can find out easily by looking at the server logs.

    madaboutlinux, Feb 26, 2011
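The log check the reply above leaves to the host, as an added example that is not part of the thread and not cPanel's own tooling: list every source IP that completed a login, and mark the ones that are not on your own allowlist. It assumes POSIX sh and awk. The log lines are constructed for the demo in a combined-log layout (ip - user [time] "request" status ...) with a hypothetical /login/ path and RFC 5737 documentation addresses; the real layout of a host's cPanel access log may differ, so the awk field numbers ($6, $7, $9) are an assumption to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: summarise login attempts per source IP
# from an access log and flag the IPs that are not yours.
# Assumes POSIX sh and awk. Log layout (constructed, adjust $6/$7/$9 for the
# real file): ip - user [time] "METHOD path HTTP/x" status bytes "ref" "agent"

# make_sample_log FILE: constructed sample (RFC 5737 addresses, hypothetical
# /login/ path). The owner logs in from 203.0.113.5, an unknown IP logs in
# successfully with the right password, and a third IP only ever fails.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - masticafe [26/02/2011:08:12:01 +0000] "POST /login/ HTTP/1.1" 200 0 "" "Mozilla/5.0"
203.0.113.5 - masticafe [26/02/2011:08:12:09 +0000] "GET /frontend/index.html HTTP/1.1" 200 4231 "" "Mozilla/5.0"
198.51.100.23 - masticafe [26/02/2011:23:41:55 +0000] "POST /login/ HTTP/1.1" 200 0 "" "curl/7.21.0"
198.51.100.23 - masticafe [26/02/2011:23:42:10 +0000] "GET /frontend/filemanager/index.html HTTP/1.1" 200 9812 "" "curl/7.21.0"
198.51.100.77 - masticafe [27/02/2011:02:03:14 +0000] "POST /login/ HTTP/1.1" 401 0 "" "python-urllib/2.6"
198.51.100.77 - masticafe [27/02/2011:02:03:15 +0000] "POST /login/ HTTP/1.1" 401 0 "" "python-urllib/2.6"
EOF
}

# report_logins LOGFILE KNOWN_IPS
# KNOWN_IPS is a space-separated allowlist of your own addresses. For every IP
# that completed a login (POST /login/ answered 200) print the count, the first
# and last timestamp, and "known" or "UNKNOWN". IPs that only ever failed are
# listed too, so password guessing is visible even when it did not succeed.
report_logins() {
    awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        $6 == "\"POST" && $7 ~ /^\/login/ {
            ip = $1; ts = substr($4, 2)        # drop the leading "["
            if ($9 == 200) {
                ok[ip]++
                if (!(ip in first)) first[ip] = ts
                last[ip] = ts
            } else {
                fail[ip]++
            }
        }
        END {
            for (ip in ok)
                printf "%s\t%d successful login(s)\t%s .. %s\t%s\n",
                       ip, ok[ip], first[ip], last[ip], (ip in allow) ? "known" : "UNKNOWN"
            for (ip in fail)
                if (!(ip in ok))
                    printf "%s\t%d failed login(s), none successful\t%s\n",
                           ip, fail[ip], (ip in allow) ? "known" : "UNKNOWN"
        }' "$1"
}

# Demo: sh login-report.sh --demo
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    make_sample_log "$log"
    report_logins "$log" "203.0.113.5"
    rm -f "$log"
fi
```

A successful login from an address you do not recognise, with a non-browser user agent, is the line worth asking the host about; with a correct password on the first try there was no guessing, which points at the password having leaked rather than been brute-forced.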
  3. masticafe (Peon)
    #3
    Sir, I have scanned my PC 2-3 times but I haven't found any spyware or keylogger installed on my PC, and I have also checked all the processes in the Task Manager, but I haven't found any software running that I am not aware of.
    Moreover, sir, I have asked my host also; they have given me the IP of the person who accessed my cPanel, and they also told me that he has only logged in to the cPanel and has done nothing else.
    Then, sir, can you tell me how he could have hacked my forum??
    I have root access, so please tell me how I can find out whether any shell is running on our server or not.
    thanks

    masticafe, Feb 26, 2011
  4. Boss_Numbat (Active Member)
    #4
    Check what you have installed on your account through cPanel, take a bo-peep at your forum software, and check installed software for any known exploits via CVE or an exploit database. If you have permission, run a Nessus (Tenable Network Security) scan or something along those lines perhaps; alternatively there are plenty of tools to use in BackTrack Linux – Penetration Testing Distribution.

    Boss_Numbat, Feb 27, 2011
  5. masticafe (Peon)
    #5
    Thanks Boss_Numbat for your reply, but dude, can you tell me where I can get the CVEs?? And what kind of permissions are required to run a Nessus (Tenable Network Security) scan??
    And also I will be very thankful to you if you can give me the list of the tools to use in BackTrack Linux.
    thanks

    masticafe, Feb 27, 2011
  6. RHS-Chris (Well-Known Member)
    #6
    I would also suggest changing your email password for the account you have tied to your hosting account; if they have access to that, they could be gaining access to your password that way. If they have gained access to your MySQL database, then they may have your details for that as well, and are able to change things by accessing your database directly. Change the user/password that are allowed to access your DBs.

    Chris

    RHS-Chris, Feb 27, 2011
  7. masticafe (Peon)
    #7
    Hey, thanks Chris for your reply.
    Dude, I want to tell you that I have changed the passwords of the users accessing the database, and I haven't changed the password of my email, but I will surely change it now...
    thanks

    masticafe, Feb 27, 2011
  8. mikeasro (Peon)
    #8
    Ok, sit tight, this will be a long read.

    Your own PC could still be infected; Windows rootkit technology is now so good that the only way to get rid of a good rootkit is to totally reformat your machine and reinstall the OS. It's easy to inject the process of malware into another process to hide it, and it can also hook onto critical system files and hide at kernel level.

    Once you do this, CHANGE ALL YOUR PASSWORDS.

    Log onto your server as ROOT and do an update: "yum clean all;yum update -y" (CentOS, Fedora, Red Hat) or (apt-get).

    Install rkhunter and chkrootkit and run them.

    Go to /var/logs/security and look through your logs.

    You can check your running processes and related files by using the ps command (ps -as).

    If the person has a shell it could be a bind or reverse shell, in which case it would need port access, so make sure you have your firewall set up correctly (iptables).

    If it is a PHP shell then check all your .php files; if you find c99.php or r57.php these are shells. Just look for other suspicious files.

    If you see any files that contain text like this: "TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlzIHNpbmd1bGF", this is Base64 and can be decoded into anything from commands to PHP files and shells.

    Also check your PHP code; people can install shells and upload files via "Remote file inclusion". Google it and then find a scanner to scan your site for RFI vulnerabilities.

    mikeasro, Feb 28, 2011
  9. masticafe (Peon)
    #9
    Thanks Mike for your reply,
    Dude, I have the following questions:
    1. How do I update with "yum clean all;yum update -y" (CentOS, Fedora, Red Hat) or (apt-get)??
    2. What are rkhunter and chkrootkit and where can I get them??
    3. What is the ps command??
    4. How can I check whether my firewall is set up correctly or not??

    masticafe, Feb 28, 2011
  10. testu (Well-Known Member)
    #10
    1) Log in to your server with SSH as root and type: yum clean all;yum update -y
    2) rkhunter stands for rootkit hunter; Google is your friend.
    3) ps is a process list command. You can see all processes running on your server by typing "ps uax" without the quotes.
    4) Is a bit more complicated. PM me if you need help with that.

    testu, Mar 3, 2011
  11. eleetgeek (Peon)
    #11
    What is your server IP?
    I will do a medium-level penetration test and tell you what went wrong and how to resolve it.
    It will be a barter system; just remember to return the favour when I ask for it :)

    eleetgeek, Mar 4, 2011
  12. masticafe (Peon)
    #12
    Thanks, bro, for the help, but I can't perform the above things as I am using shared hosting; that's why I don't have root access :(

    masticafe, Mar 6, 2011
  13. masticafe (Peon)
    #13
    Sir, my shared IP address is: 184.154.80.154
    Yeah, sure, I will also help you, just PM me your problem or email me at

    masticafe, Mar 6, 2011