Domains hacked

  • Andrew McPhee
    Junior Member
    • Mar 2004
    • 3

    #1

    I've been having trouble with hackers gaining access to a few of my domains and leaving their calling cards.

    This first happened on 28 Feb to five of my domains. In each case they left my index.php file alone and simply left a file called teen.htm and an associated GIF.

    And on a couple of domains they left files called admin, admin1.php and a file called error.php all these turned out to be a PHP app called MyShell.

    But yesterday a different bunch of hackers got in and had a real good play around in three of my domains. They renamed index.php and replaced it with their own index.htm file - as a result my sites became inaccessible.

    And they also raised the stakes yesterday by leaving two files called bshell (19kb) which turned out to be a virus, and another called mremap (1144kb).

    I'm getting sick of this, should I have to check all my web sites every day to see if they've been hacked? Surely not...

    I've not given my user id or passwords to anyone.

    But I've noticed that PHP is running with safe mode turned off - is Dathorn able to turn it on and offer us some protection?
  • Andy
    Senior Member
    • Mar 2004
    • 257

    #2
    Check your PC for some spyware or some kind of zombies, or bots. If you did not give out your password, someone is getting it another way. If you can, go to another PC and change the passwords, and see if it stops.

    You can try this program for spyware. I've seen it clean up some garbage. http://www.lavasoftusa.com/software/adaware/

    And I think this was another good one as well.
    Andy

    • ChrisTech
      Senior Member
      • Mar 2004
      • 530

      #3
      Are you running some sort of script on your site? Has it been checked for exploits? Is any of the stuff running on your site exploitable? (Check your versions and make sure it's all patched up.)
      Hosting at Dathorn since March 2003!

      • KyleC
        Senior Member
        • Mar 2004
        • 291

        #4
        Originally posted by Andrew McPhee
        But I've noticed that PHP is running with safe mode turned off - is Dathorn able to turn it on and offer us some protection?
        Nope, if Dathorn changed that it would break a lot of people's programs.

        Change your passwords. Are they words or phrases? Use random letters, numbers and symbols.
        -Kyle

        • powvex
          Member
          • Mar 2004
          • 67

          #5
          Andrew, as far as I know PHP safe mode being off is not your problem. Look into the scripts on your sites, and as Andy said, maybe someone is getting passwords right from your computer with just a keylogger. Check for intrusions on your PC also.

          • Ankit
            Junior Member
            • Mar 2004
            • 6

            #6
            Use a program like Lavasoft Ad-Aware or Spybot Search and Destroy to find any trojans or spyware on your PC. You can also use TrendMicro's free HouseCall program to find any viruses on your computer. It's at http://www.trendmicro.com

            • Frank Hagan
              Senior Member
              • Mar 2004
              • 724

              #7
              Here's a way to come up with good passwords that are not found in the dictionary, and would be hard for a hacker to guess. Dictionary words are fairly easy for a hacker to break using the brute force method. There are only about 90,000 common words in most dictionaries. And most people use one of those for their passwords.

              Use a "substitution cipher" ... substituting a number or another letter for each letter in a phrase. Do it with 3 or 4 letters in a word, and you have a fairly complex password. The possible number of combinations is at least 62 to the power of the number of characters in the password, if I'm remembering the math correctly.

              For instance, using a phrase like "elvissings" and applying a substitution cipher to replace each "i" with a number 1, each "e" with a capital "T", and each "u" with a number 2, the phrase looks like:

              Tlv1ss1ngs

              Expand the phrase to "elvissingstheblues", and your encrypted password now looks like:

              Tlv1ss1ngsthTbl2Ts

              Once you learn your cipher, you can easily remember the passwords and type them as quickly as you can a normal phrase.

              Using "elvis" as a password can easily be hacked, because it's a word found in a dictionary. Even for these short words, a substitution cipher makes "elvis" "Tlv1s" ... and a brute force hacker would have to be prepared to try up to 62*62*62*62*62 combinations to ensure finding the right one (26 letters + 26 capital letters + 10 numbers could be used in each letter position, if I counted those right). That's 916,132,832 possible combinations. Not impossible for a computer to guess using brute force, but harder.

              Going out to 10 characters, as in "elvissings" = "Tlv1ss1ngs", makes something like 839,299,365,868,340,224 possible combinations. Very unlikely that someone would be able to guess it, or use a brute force method to gain access.

              If you are already using complex passwords, then it is more likely to be a script that is giving them a way to hack in, as others have mentioned. One common problem is not removing the "install.php" or "configure.php" programs in common scripts. Or not updating them as the authors react to the little beady-eyed bastards who hack into our systems.
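As an added illustration (not code from Frank's post or anyone else in the thread), this Python applies the post's substitution rule and reproduces the 62**n figures it quotes. It also adds a check the post does not make: the size of the search space an attacker faces if they run a word list through a set of common substitution rules. The guess rate of 1,000,000 per second and the 100 rules are assumed figures, not from the thread.

```python
# Frank's rule from the post: each i -> 1, e -> T, u -> 2; every other character is kept.
RULE = str.maketrans({"i": "1", "e": "T", "u": "2"})
ALPHABET = 26 + 26 + 10       # lower + upper + digits: the 62 symbols the post counts
DICTIONARY_WORDS = 90_000     # the post's estimate of common dictionary words

def substitute(phrase, rule=RULE):
    """Apply the substitution cipher to a passphrase, e.g. 'elvissings' -> 'Tlv1ss1ngs'."""
    return phrase.translate(rule)

def brute_force_space(length, alphabet=ALPHABET):
    """Candidates a blind brute force must cover for a password of this length: 62**n."""
    return alphabet ** length

def seconds_to_exhaust(length, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return brute_force_space(length) / guesses_per_second

def mangled_dictionary_space(n_words, rules_tried=1, words=DICTIONARY_WORDS):
    """Caveat not in the post: an attacker who feeds a word list through a set of common
    substitution rules needs only words**n_words * rules_tried guesses. The cipher helps
    only while its rule is not among the ones tried; password length is what really scales."""
    return words ** n_words * rules_tried

def compare(phrase, n_words, guesses_per_second=1_000_000, rules_tried=100):
    """Blind brute-force space versus the mangled-dictionary space for one phrase.
    guesses_per_second and rules_tried are assumed figures, not from the post."""
    pw = substitute(phrase)
    return {
        "password": pw,
        "brute_force_space": brute_force_space(len(pw)),
        "brute_force_years": seconds_to_exhaust(len(pw), guesses_per_second) / (365 * 86400),
        "mangled_dictionary_space": mangled_dictionary_space(n_words, rules_tried),
    }

if __name__ == "__main__":
    # The three phrases from the post, with how many dictionary words each is built from.
    for phrase, n in (("elvis", 1), ("elvissings", 2), ("elvissingstheblues", 4)):
        print(compare(phrase, n))
```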

              • samsam
                Member
                • Mar 2004
                • 79

                #8
                Look in your site stats and logs

                Here are some suggestions.

                (a) Immediately run up-to-date spyware and anti-virus apps on your home PC, and if any spyware or trojans or viruses are found, nuke them and do a fresh re-boot;

                (b) Immediately change all your cPanel, WHM, Dathorn CCP passwords to something new and secure (i.e. long and complex), and if possible make unique passwords for each of those services. Then DON'T store those passwords on your PC;

                (c) Immediately disable all FTP accounts, and certainly all anon FTP if you have it enabled;

                (d) Immediately disable all SSH/shell access for those domains if it is turned on and you don't need it yourself (via WHM);

                (e) Immediately disable the Frontpage server extensions on your sites, if you aren't using them or don't need them to update them.

                Then look at the date and time stamp on those altered files.

                From within cPanel check your web stats for the hacked domains to see what pages or scripts were being accessed immediately before those files were modified or those files were dropped into your site. Where did those folks come from (IP addresses) and which pages or services were they using prior to your files being altered or new files being dropped onto your site.

                If necessary, download your raw log files and have a closer look (open them up in Excel if necessary - it works). Also have a look at the error logs for your site to see if they show anything.

                This might give you some clues about who and what went on. And don't just check out what they looked at or used immediately prior to your site being hacked - also check your site to see if anything else was added or altered at around about the time they visited the site. They might have hidden something away on your site.

                When you are able to better identify the vector they used to get into your site, then you are in a better position to stop them doing it again.

                You need to figure out, for example, whether they came in via the web, or via FTP, or via something else like SSH. And if it was via the web, you need to figure out what they did or used on your site.

                Assuming it was a web-based vector, if necessary, check that all your PHP apps are up-to-date. Check that you haven't left any files around on your site (e.g. install files) from the last time you installed or upgraded one of your PHP apps. If you find any such files, nuke them. And, once again, check to see that there are no unfamiliar PHP or other files floating around - they could have been left behind by your hackers.

                Also now would be a good time to have a good general look around your apps and your files, and if there are any files or scripts that are not really doing anything important to you, nuke them too. This reduces your surface area for attack.

                Check that all your file and folder permissions are also OK, for all your main folders, and that they don't give the world full write access to your file system. Chmod everything as tight as you can, and then progressively roll things back if issues or problems occur until you get it OK. Do this especially tight on your home page, if you can get away with it.

                And think about adding on extra layers of protection too into your sites - for example, if you can do it without affecting public users of your site, password protect specific or sensitive files or directories - cPanel makes this easy to do. In particular, try it on those areas where the hackers are getting in.

                If you are still keen to stomp on the hackers, you may need to do some drastic stuff like a clean re-install of your apps into a new empty filesystem. This may also be a good idea if you are not sure what might have been modified by your attackers. This time, when you do re-install your apps, also do things (if you can) like change the default install directories to names that you choose. This makes it a bit more tricky for script kiddies.

                And don't turn back on anonymous FTP, or the Frontpage extensions, or SSH unless you REALLY need them, and you are sure you have a bead on what has been going on.

                There is more one could say on this subject, but this might get you started.

                I'd also, of course, let Andrew know via a trouble ticket and see what his suggestions might be.


                • MindlessOath
                  Member
                  • Mar 2004
                  • 33

                  #9
                  Try using "thecleaner"

                  It's an anti-trojan scanner. Finds trojans that Norton/McAfee might not.

                  It's definitely a problem with YOU though, not the webservers.
                  You either have...
                  1. bad script
                  2. easy password
                  3. keylogger/spyware on your computer
                  4. possibly someone found out your password somehow and might have uploaded more software to your server (probably hidden) and it's also doing more stuff... I suggest using SSH and finding all hidden files just to make sure.

                  Check for spyware etc., scan for viruses, trojans etc.; use both Ad-Aware from www.lavasoftusa.com and "Spybot Search & Destroy", both found at www.download.com for a shortcut. If you need a free virus scanner, Google for "AVG anti virus".

                  Hell, before doing that change the password, and change it again after that. Tips for passwords above, because someone could be using a brute force tactic on you. Look at your logs; logs usually tell a large portion of your story.
                  --------
                  aka Mo2

                  • chrisd
                    Member
                    • Mar 2004
                    • 44

                    #10
                    The mosConfig_absolute_path exploit (http://www.securitytracker.com/alert...n/1008765.html) seems to be all the rage with the script kiddies right now - if you're running Mambo, you should upgrade or patch it.
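An added example, not code from anyone in the thread, of the log check samsam describes in #8: parse the raw access log, keep only the requests in the half hour before the dropped file's timestamp, group them by client IP and flag the ones that have the remote-include shape chrisd mentions in #10 (a URL passed as a parameter such as mosConfig_absolute_path) or that touch the files named in the original post. The log lines, addresses and the modification time are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client ident user [timestamp] "METHOD url proto" status
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# What to flag: a URL smuggled in as a query parameter (the shape of the Mambo mosConfig_absolute_path
# remote-include bug chrisd mentions) and requests for the files Andrew found dropped on his sites.
SUSPICIOUS = (
    (re.compile(r'[?&]\w+=(?:https?|ftp)://', re.I), "URL passed as a parameter (remote include?)"),
    (re.compile(r'mosConfig_absolute_path=', re.I), "mosConfig_absolute_path parameter"),
    (re.compile(r'/(?:admin1?\.php|error\.php|teen\.htm|bshell|mremap)(?:[?/]|$)', re.I), "dropped file"),
)

def parse_line(line):
    """One log line -> dict with ip, ts (aware datetime), method, url, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(lines, modified_at, window=timedelta(minutes=30)):
    """Requests in the window ending at the altered file's mtime, grouped by client IP and tagged."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (modified_at - window <= rec["ts"] <= modified_at):
            continue
        flags = [why for rx, why in SUSPICIOUS if rx.search(rec["url"])]  # [] = unremarkable
        by_ip[rec["ip"]].append((rec["ts"], rec["url"], rec["status"], flags))
    return dict(by_ip)

def suspect_ips(by_ip):
    """Client IPs with at least one flagged request, most flags first."""
    score = {ip: sum(len(flags) for *_, flags in reqs) for ip, reqs in by_ip.items()}
    return [ip for ip, n in sorted(score.items(), key=lambda kv: -kv[1]) if n]

# Constructed sample log using RFC 5737 documentation addresses; not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2004:02:14:05 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2004:02:15:11 +0000] "GET /index.php?mosConfig_absolute_path=http://198.51.100.9/ HTTP/1.1" 200 311
203.0.113.7 - - [12/Mar/2004:02:16:40 +0000] "GET /admin1.php HTTP/1.1" 200 2048
198.51.100.23 - - [12/Mar/2004:02:10:02 +0000] "GET /about.html HTTP/1.1" 200 4096
192.0.2.50 - - [11/Mar/2004:20:00:00 +0000] "GET /admin1.php HTTP/1.1" 404 210
""".splitlines()
MODIFIED_AT = datetime(2004, 3, 12, 2, 17, tzinfo=timezone.utc)  # constructed mtime of the dropped file
```

Running `suspect_ips(triage(SAMPLE_LOG, MODIFIED_AT))` on the sample returns only 203.0.113.7; the request a day earlier falls outside the window and the ordinary visitor inside it carries no flags.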

                    • Andrew McPhee
                      Junior Member
                      • Mar 2004
                      • 3

                      #11
                      Things have gone from bad to worse...

                      Thank you everyone for your suggestions, I really appreciate your help.

                      I checked for spyware and changed my passwords but to no avail. The hackers got in via my PHP include script.

                      I got word tonight that Dathorn has suspended my WHM account, all my sites are off-line. I'm distraught and really peeved off. Not with Dathorn - with the hackers. I don't understand their motivation.

                      Now I have to think of what to do next...