Some server requests get redirected

I think my server has been compromised: some requests to the server get redirected to 185.26.182.218. I’m not even sure where on the server to start looking to track this down.

What’s interesting is that only some requests get redirected. The redirect happens as a “302 Moved Temporarily”. I’m using Apache on CentOS.

Thanks for any pointers!

Has your .htaccess file been altered?

Are there any files or directories on your site that you don’t recognise?

Those would be the first things I’d look for.

What have you done about cleaning up and preventing further intrusion?

Thanks for the response. I don’t see any changes to .htaccess, and I also don’t see any suspicious files as far as I can tell. I’ve also checked httpd.conf, php.ini and my BIND config file etc. and don’t see anything out of the ordinary there.

I have changed my passwords and all, but I’m still trying to get a better sense of what exactly is going on. Is there any way I can see where exactly the request gets hijacked and forwarded, i.e. at the DNS level, server level or application level?

It’s possible your domain DNS records were changed.
You may have to go to the place you bought the domain, log in and then verify that the DNS is correct.
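One way to settle the DNS-versus-server question raised above is to look at Apache’s own access log: if the 302 responses are recorded there, this server produced them (a changed DNS record would send clients somewhere else before they ever reached it), and the next places to look are mod_rewrite rules, .htaccess and the application’s PHP. The following Python script is an added example, not code from any poster in this thread. It parses lines in Apache’s default combined log format and, because only some requests are redirected, counts the 302s against the total by path, referer host and user agent to expose the condition the redirect keys on. The log lines are constructed sample data, not the poster’s log, and the function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache's default "combined" LogFormat.
# They are illustrative only and are not taken from the poster's server.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
198.51.100.7 - - [12/Mar/2014:10:01:05 +0000] "GET /index.php HTTP/1.1" 302 210 "http://www.google.com/search?q=example" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
203.0.113.10 - - [12/Mar/2014:10:02:11 +0000] "GET /about.php HTTP/1.1" 200 3071 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
198.51.100.8 - - [12/Mar/2014:10:02:40 +0000] "GET /about.php HTTP/1.1" 302 210 "http://www.bing.com/search?q=example" "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
203.0.113.11 - - [12/Mar/2014:10:03:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.example.com/about.php" "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"
192.0.2.5 - - [12/Mar/2014:10:03:30 +0000] "GET /index.php HTTP/1.1" 302 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# One regex for the combined format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(lines):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def redirect_profile(lines, redirect_status="302"):
    """For each dimension (request path, referer host, user agent) count how many
    requests got the redirect status versus how many were seen in total.
    A value that is redirected every time it appears is a strong hint at the
    condition the injected redirect keys on."""
    dims = {
        "path": lambda r: r["path"],
        "referer_host": lambda r: urlsplit(r["referer"]).hostname or "-",
        "user_agent": lambda r: r["ua"],
    }
    profile = {d: defaultdict(lambda: {"redirected": 0, "total": 0}) for d in dims}
    for rec in parse_combined(lines):
        for d, key in dims.items():
            bucket = profile[d][key(rec)]
            bucket["total"] += 1
            if rec["status"] == redirect_status:
                bucket["redirected"] += 1
    return {d: dict(v) for d, v in profile.items()}


def always_redirected(profile, dimension):
    """Values in one dimension for which every request was redirected."""
    return sorted(
        v for v, c in profile[dimension].items()
        if c["total"] and c["redirected"] == c["total"]
    )


if __name__ == "__main__":
    import sys
    # With a path argument, read that log; otherwise run on the constructed sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    prof = redirect_profile(source)
    for dim in prof:
        print(dim, always_redirected(prof, dim))
```

On CentOS the default Apache log is /var/log/httpd/access_log, so `python redirect_profile.py /var/log/httpd/access_log` runs it against the real file. On the constructed sample, the referer hosts www.google.com and www.bing.com and the Googlebot user agent are redirected every time they appear while ordinary visits are not; whatever pattern the real log shows is the thing to search for in .htaccess, the Apache config and the PHP files.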

s_p,

You HAVE been hacked!

I’ve provided a list of things to do when it’s been determined that you’ve been hacked:

  1. Immediately delete all FTP access except one (master for the account).

  2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length. DELETE ALL the files in your webspace and only then upload ALL files from your master copy (on your computer).

  3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).

  4. Additionally, I use a script (via CRON) to verify that files have remained unchanged over the last xx hours for “peace of mind.” That script had been made into a SitePoint article some time ago but I have the ZIP file at http://dk.co.nz/HashScan2.zip. SitePoint is considering a major update for another article but I’ll have to send you that Zip file upon request (via PM).

  5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.

  6. Update all “canned scripts” (e.g., WP, Zencart, etc.) and be sure that they’re kept updated in order to prevent further attacks via security problems discovered in those scripts. This includes their third party plug-ins, too.

  7. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my “webspace”).

Don’t mess around with this - correct it immediately!

Regards,

DK

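The kind of check DK describes in step 4 can be written in a few dozen lines. The following is an added example, not DK’s HashScan script and not code from anyone in this thread. It records a SHA-256 for every .php, .html, .htm, .js and .htaccess file under the webroot, stores that baseline as JSON, and on each later run reports files that were added, removed or modified; the file names and contents created in demo() are constructed for illustration. Two design points matter: take the baseline from the clean master copy (or immediately after re-uploading it as in step 2), never from a server already suspected to be compromised, and keep the baseline file outside the webroot, so that whatever could write to public_html cannot also rewrite the reference hashes.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types the thread singles out as carriers of injected code, plus .htaccess.
WATCHED_SUFFIXES = {".php", ".html", ".htm", ".js"}


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(webroot):
    """Map each watched file (relative POSIX path) under webroot to its SHA-256."""
    webroot = Path(webroot)
    baseline = {}
    for p in webroot.rglob("*"):
        # Path('.htaccess').suffix is '', so the dotfile is matched by name.
        if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name == ".htaccess"):
            baseline[p.relative_to(webroot).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this file OUTSIDE the webroot."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def demo():
    """Self-contained run on a constructed temporary webroot (not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "inc").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>\n")
        (root / "inc" / "footer.php").write_text("<?php echo 'footer'; ?>\n")
        (root / ".htaccess").write_text("Options -Indexes\n")
        (root / "logo.png").write_bytes(b"\x89PNG not a watched type")
        baseline_path = Path(tmp) / "baseline.json"  # deliberately outside public_html
        save_baseline(build_baseline(root), baseline_path)

        # Simulate what a later cron run might find: one edit, one new file, one deletion.
        (root / "index.php").write_text("<?php echo 'home'; /* changed */ ?>\n")
        (root / "dropped.php").write_text("<?php /* constructed unexpected file */ ?>\n")
        (root / "inc" / "footer.php").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use, run build_baseline() once against the freshly uploaded clean copy and save the result with save_baseline() to a path outside the document root; the cron job then calls compare(load_baseline(...), build_baseline(webroot)) and mails the result whenever any of the three lists is non-empty. Unwatched types such as images are ignored here, which matches step 7’s advice to treat uploads separately.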

Run anti-virus, anti-spyware, anti-malware etc. scans on ALL computers that you use to access the FTP of your site, making sure that the programs being used for the scans are up to date.
