Surpass Web Hosting Forums » Discussions » Private Hosting » Website Hacked - TICKET GNQ-927258 & #PVE-610193

January 10th, 2007, 11:36 PM   #1
Website Hacked - TICKET GNQ-927258 & #PVE-610193

My main website on my dedicated server was hacked approx 1/9 in the early hours of the morning. So far I'm not receiving timely responses from support in regards to my ticket. (TICKET GNQ-927258 & #PVE-610193 for any support people out there)

Can anyone help me figure out what to do? I'm not well educated in analyzing all of my server logs and info to determine what caused the hack and how to prevent it.

So far it seems as if support's solution was to terminate all running processes under that user and then suspend the user's account. Since that's happened, I haven't heard a word from them... Seeing that this is the main website of our business and the only reason we can pay for this server in the first place, suspending that acct is not a solution.

So I'm hoping someone can help me out here... possibly support, if you are reading this, or another user: point me in the direction of where or what I should look for to plug up whatever hole is the cause of this hack.
-- hayesb2
January 11th, 2007, 7:17 AM   #2
I just wanted to update that support has sent me an email with an explanation of where the attack possibly occurred, so thank you for that, support.

If anyone else has any general suggestions where I can go for help on how one goes about tracking down and fixing something like this I'm all ears. All I know to do at this point is open the cpanel raw access logs, look for something suspicious, and block the IP.

Also, what is weird is that the user 'turnkey' is suspended, yet the 'top' command in SSH is showing that user still executing a perl command. How can the user be executing something when the acct is suspended? Again, I'm not a server guy; can anyone point me in a direction where I can go to find out exactly where this perl script is executing under the turnkey user, so I can delete the perl script?

Thanks.
-- hayesb2
January 11th, 2007, 8:47 AM   #3
Ok, so I unsuspended the user with the problem and the CPU on the server shot to 100%:

27191 xxxxxxx 0 100 0.4 /usr/libexec/kidfecth

I went into the /usr/libexec/ folder and I don't see any file or folder called kidfecth.

I went ahead and re-suspended the user account and it stopped the near 100% CPU usage on that file above... but I cannot keep this account suspended. It is the lifeblood of my business. Any help is appreciated.
-- hayesb2
January 11th, 2007, 9:24 AM   #4
You'll need to look for any and all files OWNED by that user account.

Check for hidden files (with a . in front of the file name).

Do you know what files are SUPPOSED to be in that account? If it's the lifeblood of your business, can you restore a backup?
__________________
Proud to be a Surmunity Mod!
XEON PASS60 PASS61
Make a fundamental difference!
My Sites:
Curious about Brewing Beer? Join the community!
>>>>> Some Change is GOOD! Keep your paycheck! Support the Fair Tax
Get into an Art museum
Victorian London
It's your brain -ON WEB - mybrainhost.com (under development)
What SHOULD Government do? Much Less than it Does!
-- Bigjohn
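A small shell triage helper, added here as an example and not part of the thread or the host's tooling, for the two points raised above: the process in post #3 whose command line names /usr/libexec/kidfecth although no such file exists on disk, and Bigjohn's advice to find every file the account owns, hidden ones included. It assumes Linux with /proc and procps ps; the account name 'turnkey' is the one from the thread.

```shell
#!/bin/sh
# Added triage helpers (not from the thread or the host). Given a username:
# (1) list the user's processes and compare the path shown in the command
#     line with what /proc says is really executing, flagging entries like
#     "/usr/libexec/kidfecth" that have no file on disk;
# (2) list every file the user owns under a directory, dotfiles included.
# Assumes Linux with /proc and procps ps (ps -u USER -o ...).

# Print "suspicious" if the first word of a command line is an absolute path
# with no file behind it, "ok" if the file exists, "unknown" for a bare name.
# A perl script that renamed itself via $0, or a binary deleted after it was
# started, shows up in top/ps exactly this way.
cmd_path_status() {
    first=${1%% *}                       # argv[0] as top/ps display it
    case $first in
        /*) [ -e "$first" ] && echo ok || echo suspicious ;;
        *)  echo unknown ;;              # resolved via PATH, not checked here
    esac
}

# For each process of USER, print pid, argv[0] status, the real executable
# from /proc/PID/exe (which outlives a renamed or deleted file), and args.
audit_user_procs() {
    user=$1
    ps -u "$user" -o pid= -o args= | while read -r pid args; do
        real=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\t%s\n' "$pid" "$(cmd_path_status "$args")" "$real" "$args"
    done
}

# List every file under DIR owned by USER (name or numeric uid), including
# dotfiles, which a plain ls of the home directory would not show.
find_user_files() {
    find "$2" -user "$1" -print 2>/dev/null | sort
}

# Number of entries find_user_files reports (handy for scripting).
count_user_files() {
    find_user_files "$1" "$2" | wc -l | tr -d ' '
}

# Example run on the account from the thread:
# audit_user_procs turnkey
# find_user_files turnkey /home/turnkey
```

Anything flagged "suspicious", or whose /proc/PID/exe points somewhere other than the command line claims, is what to copy off for support and then kill; the file list is what to compare against a known-good backup.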
January 12th, 2007, 8:49 AM   #5
I just wanted to update this thread and let everyone know support was able to resolve my problem. And they provided a very detailed and helpful response on how to help prevent any future attacks from occurring on my site due to the exploit the attacker used.
Thanks again Surpass Support!!
-- hayesb2
January 12th, 2007, 8:52 AM   #6
Thanks for the update!
-- Bigjohn
January 18th, 2007, 8:02 PM   #7
Quote:
Originally Posted by hayesb2
I just wanted to update this thread and let everyone know support was able to resolve my problem. And they provided a very detailed and helpful response on how to help prevent any future attacks from occurring on my site due to the exploit the attacker used.
Thanks again Surpass Support!!
Would you mind posting it?
__________________
clair
http://tch3.com
(dedicated)
-- tch3