My Sites are hacked..

I am using a VPS.. my sites are hacked.. what precautions should I take?

Kindly suggest.

Comments

  • Maybe give a bit more info first....

    What's been hacked / how? VPS, website exploit, bruteforced, etc….

  • Up-to-date mod_security rules.

  • @CentrioHost said:
    Up-to-date mod_security rules.

    LOL!

  • netider Member
    edited December 2013
    1. Bruteforce.. tried many times.. I have blacklisted that IP.

    2. I have a few Joomla sites.. after the hacking.. I have updated all sites to the latest version. OS + patches have been updated.

    I am using 5.3.x

    But still, within a few days I see sites are hacked.. not all, but a few.. J! sites.

  • BlazeMuis Member
    edited December 2013

    Plugins can be the problem; they may have some security holes/vulnerabilities.

  • You might get an idea of what they are doing by scanning the webserver access logs

  • agentmishra Member, Host Rep

    site is hacked or hijacked...

    check for other user accounts in your VPS (other than root and the ones you have created)
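One way to do that check from a shell, as an added example (not from the thread or from any poster): audit a passwd file for UID 0 accounts other than root, for interactive-shell accounts you did not create, and for accounts whose home directory sits in a world-writable scratch location. The `make_sample_passwd` file is constructed for offline testing; the account names in it are made up. Point the functions at `/etc/passwd` on the real box.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts the admin did not create.
# Usage on a live system: report /etc/passwd "deploy www-admin"

# Constructed sample passwd file (not a real system) so the functions can be
# exercised offline. backup2 and svc are the planted oddities.
make_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
backup2:x:0:0::/tmp:/bin/bash
svc:x:1001:1001::/var/tmp:/bin/sh
EOF
}

# Any account with UID 0 that is not root is a second root; there is no benign
# reason for one on a typical VPS.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with a real login shell that are not on the admin's expected list.
# $1 = passwd file, $2 = space-separated list of accounts the admin created.
unexpected_login_accounts() {
  passwd_file=$1
  expected=" root $2 "
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$passwd_file" |
  while IFS= read -r name; do
    case "$expected" in
      *" $name "*) ;;          # known account, skip
      *) echo "$name" ;;       # not created by the admin: investigate
    esac
  done
}

# Accounts homed in /tmp, /var/tmp or /dev/shm: a common sign of an account
# added by a script rather than by the administrator.
suspicious_home_accounts() {
  awk -F: '$6 ~ /^\/(tmp|var\/tmp|dev\/shm)(\/|$)/ { print $1 }' "$1"
}

# Human-readable summary of all three checks.
report() {
  echo "== extra UID 0 accounts ==";        extra_uid0_accounts "$1"
  echo "== unexpected login accounts ==";   unexpected_login_accounts "$1" "$2"
  echo "== accounts homed in scratch dirs =="; suspicious_home_accounts "$1"
}
```

A clean report is only a negative result for this one class of backdoor; it says nothing about cron entries, authorized_keys files or web shells, which need their own checks.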

  • First secure your site, and then also secure your scripts and scan all your files. I think bad people uploaded a shell to your server's site and then hacked the sites. Secure your server and be safe.

  • Cloudcone Member, Patron Provider

    If the hacker got root access, patching vulnerabilities will not solve it. Scan for rootkits as well!

  • AuroraZ Barred
    edited December 2013

    Checking with programs may do no good. The exploit used may not be picked up. If the box was brute forced once it can be done again. The only thing he can do at this point is to wipe the infected box and reload it off a backup. Hopefully they are not compromised.

    DO NOT use ZPanel for anything, even for testing. The Devs do not listen for shit and will not fix it correctly. It is not a safe piece of software to even download in my book.

    Check all your plugins for updates and for security patches. Even if you have to get someone to do it for you, then do it. It may cost money to have someone else do it, but at least then you will know if it is a software problem or not.

    Set up a firewall and fail2ban or whatever else you feel comfortable using. Change your SSH port, and make it key-based login only. This should be done before you even upload the backup.

    These things should help, if not stop, someone compromising the server again. Unless the backup is compromised already. Then you may have a whole different set of problems to deal with.

    Edit: Sorry, had this post confused with the other hacking post. I apologize for that, but the advice is still sound.
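The SSH part of that advice (key-based login only, non-default port) can be checked against the config file before the rebuilt box goes live. The following is an added example, not code from the thread or from any poster: an audit of an `sshd_config` that reproduces sshd's rule that the first uncommented occurrence of a keyword wins, and reports every setting that does not match. The two sample configs are constructed; the account name `deploy` in the hardened one is made up.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening the thread recommends.
# Usage on a live system: sshd_audit /etc/ssh/sshd_config

# Constructed "weak" config: distro-like defaults, password login still on.
make_weak_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
}

# Constructed "hardened" config: keys only, root login restricted, custom port.
make_hardened_sshd_config() {
  cat > "$1" <<'EOF'
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
EOF
}

# Effective value of a keyword: sshd uses the first uncommented occurrence.
# $1 = file, $2 = keyword (case-insensitive), $3 = value to assume when absent.
sshd_value() {
  v=$(awk -v k="$2" '$0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
  echo "${v:-$3}"
}

# Prints one line per failed check; empty output means every check passed.
# Absent keywords fall back to the OpenSSH defaults (password and
# challenge-response authentication are both on unless turned off).
sshd_audit() {
  f=$1
  [ "$(sshd_value "$f" PasswordAuthentication yes)" = "no" ] \
    || echo "PasswordAuthentication should be no (key-only login)"
  [ "$(sshd_value "$f" ChallengeResponseAuthentication yes)" = "no" ] \
    || echo "ChallengeResponseAuthentication should be no (otherwise passwords still work via keyboard-interactive)"
  case "$(sshd_value "$f" PermitRootLogin unset)" in
    no|prohibit-password|without-password) ;;
    *) echo "PermitRootLogin should be set explicitly to no or prohibit-password" ;;
  esac
  [ "$(sshd_value "$f" Port 22)" != "22" ] \
    || echo "Port is the default 22 (moving it cuts log noise from scanners; it is not a security control on its own)"
}
```

Run the audit before restarting sshd, and keep a second session open while testing a changed config so a typo cannot lock you out. The port check is deliberately the weakest finding: fail2ban and key-only login do the real work, a changed port only thins the noise.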

  • If you suspect that root access has been gained by someone else or a piece of malware, the only solution is a Nuke and Pave. Back up your files, then rebuild/reinstall your OS. Then follow the good advice given in this thread so far.

  • BrianHarrison Member, Patron Provider
    edited December 2013

    @Makkesk8 said:
    LOL!

    Maybe I'm missing the joke, but a robust set of mod_security rules is one of the many basic security measures we implement on all of our shared hosting servers. There's no better protection against 0-day script vulnerabilities (i.e., no time to apply patches) than a robust set of mod_security rules.

    Atomic Corp makes their mod_security delayed rule sets available free of charge. You can pay a small fee to get their most up to date rule sets.

  • ZEROF Member
    edited December 2013

    That must be checked from what we call point one to point 0. Most "hackers" don't even know how to use server exploits; they use scanners like 'joomla security scanner' to find vulnerable plugins and then they exploit them. In most cases they look for SQL injection issues, so that they can get users' login information. That is the bad side of Joomla. WordPress can have the same issue, but with the new integrated system even if they get your hashed password they can't use it, or as we say, decrypt it.

    If hackers are coming back even after a site restore from backups, you have what we call a shell inside your system; for that I guess find some pentester (me :) ) to clean that mess. A shell can even be hidden inside images. Blocking server ports is not a solution; they didn't run DDoS against your server, they just exploited a script security issue. If you have a shell, changing your password can't help you.

    Before finding real solutions, remove admin panels from your sites.

    Good luck !

  • BrianHarrison Member, Patron Provider

    @ZEROF said:
    Before finding real solutions, remove admin panels from your sites.

    Good luck !

    Or you can use .htaccess to grant access to the admin panel folder on a per IP basis.

  • ZEROF Member
    edited December 2013

    @BrianHarrison said:
    Or you can use .htaccess to grant access to the admin panel folder on a per IP basis.

    Using .htaccess is not a real solution:

    1. If you don't set good permissions they can see your .htaccess
    2. If your modem/router restarts even the owner can be blocked

    Anyway, my idea or yours is just a temporary solution.

  • You can go a step further and set up 2FA for both your CMS and your OS.

  • toshost Member, Host Rep

    I think you need a security expert to secure your server and scan data.

  • TheLinuxBug Member
    edited December 2013

    @netider and to all people who choose to use Joomla. It is an incredibly insecure CMS; if you insist on using it, please invest in a license for RSfirewall, install and use it. RSfirewall is worth every penny and will save you many, many hours of headaches. In my experience, unless you are a true website designer and know how to review the plugins, themes and such that you are using, there is no true way to 'secure' Joomla that I have found outside using this plugin. I have dealt with hundreds upon hundreds of clients using Joomla and 98% of them who do not use this package end up being attacked and exploited in some manner, most of the time through the poorly written plugins or themes that people choose to use.

    Sure, it's an expense to buy the license for it, but when you see how many hours of pulling out your hair it saves, you'll be more than happy to spend the money.

    Cheers!

  • @ZEROF said:
    If your modem/router restart even owner can be blocked

    Use dynip. Or a gateway VPN/ssh node.

  • @netider said:
    I am using a VPS.. my sites are hacked.. what the precaution should i take?

    Kindly suggest.

    I'd install Virtualbox on your workstation/laptop. Make a virtual copy of your setup. Install Kali Linux on another virtual box, and then run the whole shabang against your setup.

  • BrianHarrison Member, Patron Provider
    edited December 2013

    @ZEROF said:
    Using .htaccess is not a real solution:
    Anyway, my idea or yours is just a temporary solution.

    Of course it's not a complete solution, but it's a heck of a lot better than removing the entire admin panel, lol!

    If you don't set good permissions they can see your .htaccess

    It would make no difference if someone could read your .htaccess file if it contains IP allow settings. I'm not saying that you would make it readable for everyone (of course not), but even if they could read it all they'd see is what IPs are allowed... nothing would be compromised.

    If your modem/router restarts even the owner can be blocked

    You would be blocked from the folder, not the entire server. Just log in via SSH and add your IP to the .htaccess file. Piece of cake. If that's a hassle or if you have a constantly changing dynamic IP, then you can add IP ranges; it's simple: http://stackoverflow.com/questions/5042399/htaccess-access-to-file-by-ip-range

    Again, definitely not a solution, but for your average user it's better than removing the entire admin panel.
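For the per-IP approach BrianHarrison describes, here is an added example (not from the thread or from any poster) that writes an Apache 2.4 `.htaccess` for the admin folder using `mod_authz_core`'s `Require ip`, which accepts single addresses and CIDR ranges, so the dynamic-IP case is covered by listing the ISP's range. The addresses `203.0.113.0/24` and `198.51.100.7` are documentation ranges used as constructed input. The script validates each entry, refuses to write a file with no allow rule (that would lock everyone out, including the owner), and sets the file to mode 0640 so the web server can read it but other accounts on the box cannot.

```shell
#!/bin/sh
# Added example: generate an Apache 2.4 .htaccess that allows a folder only
# from listed IPv4 addresses or CIDR ranges. Everything else receives 403.
# Usage: write_admin_htaccess /var/www/site/administrator/.htaccess 203.0.113.0/24 198.51.100.7

# Crude validation: dotted quad with an optional /0-32 prefix. Rejects anything
# that could turn into an unintended directive when echoed into the file.
valid_ipv4_entry() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# $1 = output path, remaining args = allowed addresses/ranges.
# Writes to a temp file first so a half-written .htaccess never goes live.
write_admin_htaccess() {
  out=$1; shift
  tmp="$out.tmp"
  {
    echo "# Access to this folder is limited to the addresses below."
    echo "# Any client matching none of the Require lines gets 403."
    echo "<RequireAny>"
    for entry in "$@"; do
      if valid_ipv4_entry "$entry"; then
        echo "    Require ip $entry"
      else
        echo "skipping invalid entry: $entry" >&2
      fi
    done
    echo "</RequireAny>"
  } > "$tmp"
  # Refuse to ship a file with no allow rule: it would deny everyone.
  if ! grep -q '^    Require ip ' "$tmp"; then
    rm -f "$tmp"
    echo "no valid entries, nothing written" >&2
    return 1
  fi
  chmod 640 "$tmp" && mv "$tmp" "$out"
}

# Number of allow rules in an existing file (handy for a post-deploy check).
count_allow_rules() {
  grep -c '^    Require ip ' "$1"
}
```

The directive only takes effect if the vhost has `AllowOverride AuthConfig` (or `All`) for that directory; on a host where overrides are off the file is silently ignored, so test with a request from a non-listed address after deploying. Apache 2.2 uses the older `Order`/`Allow from` syntax instead of `Require ip`.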

  • @whmsys said:
    First secure your site, and then also secure your scripts and scan all your files. I think bad people uploaded a shell to your server's site and then hacked the sites. Secure your server and be safe.

    This is exactly what has happened.. When you say secure.. the host is running a maldet scan each time.. and it detects nothing :(

    I will look at your suggestions and try to implement them. Thanks all for the support!

  • netider Member
    edited December 2013

    Do you think this would also help?

    parkansky.com/china.htm

    okean.com/chinacidr.txt

  • @netider said:
    Do you think this would also help?

    parkansky.com/china.htm

    okean.com/chinacidr.txt

    Excluding all Chinese people? Not every Chinese person is a hacker/spammer.

  • Blocking an IP range is not good unless you target visitors from a specific area. Check your code and make sure no malicious code is injected. Install mod_sec rules and install the CSF firewall. Keep all your plugins and scripts up to date. Moreover, cross-check your logs, find out how the hacker could intrude, and see whether it can be prevented.
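Two posts in this thread point at the same step: scan the web server access logs to see what the attacker is doing and how they got in. As an added example (not code from the thread or from any poster), here is a small awk-based triage of a combined-format access log that answers the questions those posts raise for a Joomla site: which clients are busiest, which client is hammering `/administrator/` with POSTs (login brute force), whether any `.php` file is being requested from an upload directory such as `/images/` (the "shell hidden inside images" case), and what a given client's first request was. The log lines are constructed; the addresses are documentation ranges and the file name `x.php` is made up.

```shell
#!/bin/sh
# Added example: triage an Apache/nginx combined-format access log.
# Field layout: $1 client, $6 "METHOD (leading quote), $7 path, $9 status.
# Usage on a live system: admin_posts_by_ip /var/log/apache2/access.log

# Constructed sample log: a normal visitor, a brute-forcer who then drops a
# PHP file under /images/, and a second client calling that file.
make_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Dec/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2013:10:01:05 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2013:10:01:06 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2013:10:01:07 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2013:10:02:10 +0000] "POST /images/stories/x.php HTTP/1.1" 200 12 "-" "curl/7.30"
203.0.113.77 - - [10/Dec/2013:10:03:00 +0000] "GET /images/stories/x.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2013:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Busiest clients: "count ip", highest first. $1 = log, $2 = how many rows.
top_clients() {
  awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn | head -n "$2"
}

# POST requests to the Joomla admin login per client: a high count from one
# address in a short window is the brute-force signature.
admin_posts_by_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/administrator\// { c[$1]++ }
       END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# PHP files requested from directories that should hold only uploads or
# cache data. Legitimate Joomla never serves .php from these paths, so each
# distinct hit is a file to inspect (and usually a web shell to remove).
php_under_upload_dirs() {
  awk '$7 ~ /^\/(images|tmp|cache|media)\/.*\.php(\?|$)/ { print $7 }' "$1" | sort -u
}

# First request from a client: with a suspect address from the checks above,
# this is where the "how did they get in" trail starts. $1 = log, $2 = ip.
first_seen() {
  awk -v ip="$2" '$1 == ip { print; exit }' "$1"
}
```

Run `php_under_upload_dirs` first: it gives the file list to remove, and the addresses that requested those files feed `first_seen`, which shows whether the entry point was the admin login, a plugin URL, or something else. Rotated logs (`access.log.1`, `*.gz`) need to be included, since the initial upload often predates the visible defacement by days.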
