chkservd service fails, later on some php was injected onto server

Discussion in 'Site & Server Administration' started by Matt18, Jan 9, 2013.

  1. #1
    Hello

    I need some help :( I'm new to server administration :( Thank you in advance!


    I have a VPS at GoDaddy with WHM/cPanel installed and some WordPress sites. They all run the latest version.

    Today I got a couple of emails that the chkservd service failed, even though the memory information was ok:

    Server:	ip-46-252-192-240.ip.secureserver.net
    Primary IP:	46.252.192.240
    Service:	chkservd
    Notification Type:	hang

    Memory Information:	• Used: 635MB
    	• Available: 3460MB
    	• Installed: 4096MB
    Load Information:	5.17 4.50 3.73
    Uptime:	87 days, 10 hours, 25 seconds
    IOStat Information:	avg-cpu:  %user   %nice %system %iowait  %steal   %idle
               8.12    1.03    1.27    0.48    0.00   89.10
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    ChkServd Version:	15.1

    Then I got an e-mail from WHM that the nameserver failed as well. Sites went offline. I restarted Apache and the sites went back online.

    Later on I found out that there were some php files created / the site was hacked. I have no idea how it happened, but the events above must be connected.

    I have changed the password and removed problematic files.

    Can you please help me out to somehow locate the source of the trouble?

    I would appreciate it a lot!

    Thank you in advance!

    Best regards,
    Matt
     
    Matt18, Jan 9, 2013 IP
  2. nIjaiseeyou, Member
    #2
    Looks like someone uploaded a shell on to your website. This is an easy fix: first of all change the admin password, then you have to look for the shell.
    Search for C99.php and R57.php and remove those files now. If nothing popped up then the hacker is not a complete dumb ass and he changed the name. So now you have to manually find it. Just look in all the .php files till you find it, then remove it.
    Shells look something like this: (image: c99shell1.jpg). Once removed, now you have to find the sql vun link. A sql vun is when the code is incorrect and mistakenly gives out information such as the database name, password and the lines such as accounts, credit cards, etc. How do I do the SQL vun? I suggest you use Web Vulnerability Scanner; after downloading it go to web scanner and start URL, change to your website. Then it will tell you the vun links. Then you will need to do some coding till it's not vun any more. I will be able to assist you as I am pretty good with all this. If you need me just add me on Skype: Salty German.
     
    nIjaiseeyou, Jan 18, 2013 IP
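Post #2 has the original poster reading through every .php file by hand to find the renamed shell. As an added example that is not from this thread, cPanel or WordPress, the following Python script does a first pass over a site root: it flags PHP files modified after a reference time (the chkservd alert, say), PHP files inside wp-content/uploads (which should never hold PHP), and files containing constructs typical of injected code. The indicator regexes and the sample tree it builds are constructed assumptions, and every hit is a lead to inspect, not a verdict.

```python
import os
import re
import tempfile
import time

# Constructs rarely found in legitimate WordPress or plugin code but typical of
# injected PHP; a hit is a lead to inspect by hand, not proof on its own.
INDICATORS = {
    "eval of decoded payload": re.compile(
        r"\beval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "command execution from request data": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*@?\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "request value called as a function": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
}

def scan_tree(root, since):
    """Sorted (relative path, reason) pairs for PHP files under root worth a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.getmtime(full) > since:          # changed after the alert
                findings.append((rel, "modified after reference time"))
            if "wp-content/uploads/" in rel:            # uploads should hold no PHP
                findings.append((rel, "php file inside uploads directory"))
            with open(full, "r", errors="replace") as fh:
                body = fh.read()
            for reason, pattern in INDICATORS.items():
                if pattern.search(body):
                    findings.append((rel, reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: an untouched core-like file and one injected PHP file."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    old = time.time() - 30 * 86400  # core file last touched 30 days ago
    clean = os.path.join(root, "wp-includes", "version.php")
    os.makedirs(os.path.dirname(clean))
    with open(clean, "w") as fh:
        fh.write("<?php\n$wp_version = '3.5';\n")
    os.utime(clean, (old, old))
    bad = os.path.join(root, "wp-content", "uploads", "2013", "01", "image.php")
    os.makedirs(os.path.dirname(bad))
    with open(bad, "w") as fh:
        fh.write("<?php @eval(base64_decode($_POST['p'])); ?>\n")  # injected stub
    return root, old + 1  # reference time just after the core file's mtime
```

On a real host, call scan_tree with the cPanel account's document root and the epoch time of the first chkservd alert, and compare flagged files against a clean copy of WordPress and its plugins before deleting anything.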
  3. Cheapvpsoffers, Member
    #3
    Your server is probably not well secured. You should install a firewall as well as a rootkit scanner like rkhunter and chkrootkit. Server security can't be covered in this small post, but there are many things you must patch in order to keep your server secure. Google is the best teacher.
     
    Cheapvpsoffers, Jan 18, 2013 IP