Web Hosting Buzz Reseller and Dedicated Server Hosting Forums  

  #1  
Old 06-02-2009, 10:16 AM
nolimit2 nolimit2 is offline
New Bee
 
Join Date: Nov 2007
Posts: 24
Unhappy Lions Tigers and Bears oh my

Ok I guess I am a New BEE but whatever. I am on the VPS and have been for a year, no problems; however, I guess someone decided to report their site to search engine people and now my server is under constant attack.

The price of a successful site is that the lions tigers and bears (Nigeria, China, Russia hackers) will come and try to tear it apart or at the very least exploit it to their own advantage.

I am no hacker and definitely not a webmaster for that matter, but the repercussions of the lions tigers and bears in only the last 4 days have been multiple down times where server needs a restart, blacklist reference and five spam authorities, 2 phishing pages that resulted in my account getting suspended.

I take full responsibility for being ignorant of the dangers in the forest. Now that I am starting to develop some sites that are worthwhile, I am scared because I could really lose thousands of dollars over these mistakes.

Where can I find the references to take my understanding of Apache and web servers security to the next level, as I want to be confident that not only the application web site are well designed and secure but that the server itself is secure?

Thanks in advance
  #2  
Old 06-02-2009, 01:12 PM
Alan B Alan B is offline
WHB Helper
 
Join Date: Jul 2007
Location: Toronto, Canada
Posts: 1,134
Default

If you are on a VPS plan that includes fully managed support, then WHB Support should take care of security updates for you. That would include Apache, if I understand correctly how the managed support works.

It sounds, though, as if you had some scripts or boards installed that were not entirely secure, which allowed spammers and phishers access. You would have to learn how to secure those, or to choose better, more secure ones.
__________________
I am not WHB staff and I am not paid.
I provide help in these forums on my own time.
  #3  
Old 06-02-2009, 09:30 PM
Matt R Matt R is offline
Administrator
 
Join Date: Jul 2006
Posts: 1,406
Default

There are no software level issues with Apache/PHP etc, we take care of that for you. It sounds like script/application level security issues, which is something you have to be careful with, and careful what your clients can install.

You can force Fantastico script updates etc from your WHM.
__________________
Matt R.
WHB Chief Ninja
  #4  
Old 06-03-2009, 04:26 AM
nolimit2 nolimit2 is offline
New Bee
 
Join Date: Nov 2007
Posts: 24
Question Thanks for reply

Well, thanks for the info, but how then do I go about getting rid of the problem once you get it? Both of you have other people developing on your machines and I am sure they are always doing silly things, thus you get attacked. How do you go about removing it: delete the accounts and start again? I am seriously asking here cause I still got the problem???

I have gone through this email issue round and round with tech support and am so confused how it is happening. Tech support already said they have stopped emailing from those who don't have accounts on the server, but then today I open the mail queue and there they are again: 1000 messages sent to 20 addresses apiece, clogging the mail system. It's the damn secure@commonwealth.netbank.com.au. The craziest thing is that the server is sending them back when they aren't deliverable???

I am going to delete every single account today and start over to see if that helps. I have manually blocked the IP senders message it seems to stop, but then they just seem to route somewhere else and start their attacks all over again.

Anyway, if it is insecure script then I should delete all the accounts and start over, or will those lions tigers and bears just come growling back and exploit the same thing? I really don't know even how to diagnose which account is the vulnerable one. Any ideas would be greatly appreciated.
  #5  
Old 06-03-2009, 04:43 AM
Alan B Alan B is offline
WHB Helper
 
Join Date: Jul 2007
Location: Toronto, Canada
Posts: 1,134
Default

If any of your accounts use form-to-mail scripts, delete them until you learn how to choose more secure ones and how to install them for maximum security.
__________________
I am not WHB staff and I am not paid.
I provide help in these forums on my own time.
  #6  
Old 06-03-2009, 05:27 AM
nolimit2 nolimit2 is offline
New Bee
 
Join Date: Nov 2007
Posts: 24
Default Ok thanks

Wow, what are you doing up, or where in the world are you, Alan B? Ok, I am going through all the sites now and will start changing all passwords and things.

What do you think of PuTTY? Is there anything special I should know in terms of securing it????
  #7  
Old 06-04-2009, 12:52 PM
Wayne R Wayne R is offline
Administrator
 
Join Date: Jul 2007
Posts: 146
Default

Deleting all of your accounts is a little extreme, but maybe not if you don't know where to start looking for these issues. The problem is, if there is an insecure script, it will just get exploited again and now you've wasted time removing & re-adding accounts.

The mail log can tell you where these emails are being sent from (/var/log/exim_mainlog), and you can then take appropriate action - whether the offender is an actual user sending spam, or if it is an exploited script. Either way, you want to stop it ASAP or your sending IP will quickly be blacklisted. You can watch the mail log in realtime, or search it for specific message IDs to get additional information on a particular email that went out.

The option is always there to purchase Premium support, in which one of our techs can help you do a thorough audit and let you know exactly what is going on and why. Not really trying to sell you on it, just letting you know the option is available and may be a time/money saver for you.
__________________
Wayne R
WebHostingBuzz.com

Be sure to check out our wiki for common support queries, tips, and tutorials.
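
The log triage described in the post above, as an added example (not part of the thread and not WebHostingBuzz tooling): it reads Exim main-log lines and counts where accepted mail came from, so the account or script behind a burst can be picked out. The sample lines are constructed, the function name and labels are illustrative, and the `cwd=` lines are assumed to be present, which requires Exim's `+arguments` log selector.

```python
import re
from collections import Counter

# Constructed lines in Exim main-log format; accounts, hosts and IDs are made up.
SAMPLE_LOG = """\
2009-06-03 04:10:01 cwd=/home/acct1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-06-03 04:10:01 1MBk2P-0001aB-Cd <= acct1@vps.example.com U=acct1 P=local S=1042
2009-06-03 04:10:02 1MBk2P-0001aB-Cd ** nobody@example.net R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<nobody@example.net>: host mx.example.net [192.0.2.10]: 550 No such user
2009-06-03 04:10:02 1MBk2Q-0001aF-Gh <= <> R=1MBk2P-0001aB-Cd U=mailnull P=local S=2210
2009-06-03 04:10:05 cwd=/home/acct1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-06-03 04:10:05 1MBk2T-0001aK-Lm <= acct1@vps.example.com U=acct1 P=local S=1042
2009-06-03 04:11:40 1MBk40-0001bC-Qr <= bob@example.org H=(pc) [198.51.100.7] P=esmtpa A=fixed_login:bob@example.org S=880
2009-06-03 04:12:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1MBk40-0001bC-Qr
"""

CWD = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
ARRIVAL = re.compile(r"^\S+ \S+ (\S{16}) <= (\S+) (.*)$")

def triage(log_text):
    """Count where accepted mail originated: script dir, local user, SMTP login."""
    sources = Counter()
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:
            cwd, args = m.groups()
            # Exim's own delivery processes log cwd=/var/spool/exim; skip them.
            if "sendmail" in args and not cwd.startswith("/var/spool/"):
                sources["script dir " + cwd] += 1
            continue
        m = ARRIVAL.match(line)
        if not m:
            continue
        _msgid, sender, rest = m.groups()
        fields = {}
        for tok in rest.split():
            key, sep, val = tok.partition("=")
            if sep:
                fields.setdefault(key, val)  # first wins; Subject text comes later
        if sender == "<>":
            sources["bounce generated by server"] += 1
        elif "A" in fields:
            sources["smtp login " + fields["A"].split(":", 1)[-1]] += 1
        elif fields.get("P") == "local":
            sources["local user " + fields.get("U", "?")] += 1
        else:
            sources["remote host " + fields.get("H", "?")] += 1
    return sources

if __name__ == "__main__":
    print(triage(SAMPLE_LOG).most_common())
```

A message submitted by a script is counted twice, once under its script directory and once under the local user that owns it; a high bounce count alongside it points at mail to undeliverable addresses being returned by the server.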
  #8  
Old 06-09-2009, 09:28 PM
omniuni omniuni is offline
Jewbergeek!
 
Join Date: Jul 2007
Posts: 174
Default

Hey NoLimit

Let's take a step back, and see what we can figure out.

First, from a domain level, disable generic MX accounts. In other words, make sure that only mail sent to REAL eMail addresses gets through. If you must have a "catch all" mail account, make it something that you don't link to your main inbox.

Now, make sure SpamAssassin is turned on. You should have 10 levels; if it's on, increase the level. If it's not on, start with level 3, and increase to 5, 7, and 10 until you can see what gets rid of most of the spam without creating false positives.

Make sure that any of your scripts use some kind of session naming techniques to prevent basic attacks of that sort. In other words, instead of having a login script set $_SESSION['login'] = true; try hashing the person's IP address, and use that instead of "true". It's an easy way to make sure that the person loading the page is most likely who logged in.

Use a captcha on form eMail pages, or at least something that will keep robots from really obviously sending mails. You can make a very simple captcha by creating just 5 or 10 images with a few letters on them, warped a bit, and numbering them, and having the script randomly select one, and check the user's input against what you have recorded for it. There are also several good captcha libraries and APIs, such as ReCaptcha, which is a pretty cool project.

Turn off directory indexing, set a logical 404 page, and verify eMail addresses of people who register.

If you have any more questions, let us (or me) know.

Hope that helps a bit!

-OmniUni
__________________
http://d-site.net/
All times are GMT.