Some of my accounts getting hacked!

WHT Member

Someone is changing the account email, then the password, then he adds to .htaccess: deny from all.

I am using csf and clamav but nothing is reported. Any idea how to fix this?

Thanks

Comments

  • Which account email? Is this on a VPS?

    Too little information.

  • WHT Member

    No cpanel

  • PremiumN Member
    edited October 2016

    @WHT said:
    No cpanel

    Are you using cPanel on your own server or is the server managed by some other provider?

    EDIT: Are you a reseller?

  • WHT Member

    @PremiumN said:

    @WHT said:
    No cpanel

    Are you using cPanel on your own server or is the server managed by some other provider?

    EDIT: Are you a reseller?

    I am managing it myself. I have root access.

  • MikePT Moderator, Patron Provider, Veteran

    I can find the issue and bill you for the time I waste should you wish.

    Other than that, check logs and modify times etc.

  • OBHost Member, Host Rep

    Check logs and you will find the problem.
    If you can't, then post the logs in a comment.

  • I really hope you are running Cloudlinux on your server. I would get someone to take a look ASAP as it looks like you have a compromised server.

  • WHT Member

    Can someone recommend a company that can recover this?

  • TheLinuxBug Member
    edited October 2016

    Go get CXS scanner that is sold by the same company which makes CSF. Pay the $60 one time license fee for the exploit scanner, it is worth it. Once installed, perform a full system scan and review the logs and remove exploits/malware/viruses or have it auto quarantine during the scan. It is likely you have failed to keep your WordPress, Joomla or other installs upgraded and the sites are full of PHP injection exploits and now malware/virii. This tool will help you figure that out quickly.

    https://configserver.com/cp/cxs.html

    my 2 cents.

    Cheers!

  • @TheLinuxBug said:
    Go get CXS scanner that is sold by the same company which makes CSF. Pay the $60 one time license fee for the exploit scanner, it is worth it. Once installed, perform a full system scan and review the logs and remove exploits/malware/viruses or have it auto quarantine during the scan. It is likely you have failed to keep your WordPress, Joomla or other installs upgraded and the sites are full of PHP injection exploits and now malware and virii. This tool will help you figure that out quickly.

    https://configserver.com/cp/cxs.html

    my 2 cents.

    Cheers!

    ModSecurity does a pretty damn good job of stopping code injections, but definitely not SQL

  • WHT Member

    ModSecurity is enabled; maybe I should configure it somehow?

  • TheLinuxBug Member
    edited October 2016

    doghouch said: ModSecurity does a pretty damn good job of stopping code injections, but definitely not SQL

    The tool, if used with cPanel, can hook into mod_security, but you do not need to have mod_security to use the tool. The tool uses the clamav engine with a special database of fingerprints developed by Way to the Web Limited. It is by far one of the best and most consistently updated tools for this purpose I have used.

    That said, usually I do install mod_security on the server anyways, whether it is hooked into CXS or not, as it is something else that helps prevent abuse. For those on the cheap, I would suggest using the Free Comodo Rules.

    I am willing to offer help in the form of what tools to use, but if he isn't skilled enough to review the site for SQL injections and/or restore from back-ups and upgrade once he finds the sites full of malware, then he should be hiring someone to help manage the server instead.

    my 2 cents.

    Cheers!

    Thanked by 1: doghouch
  • Clouvider Member, Patron Provider

    Your server got compromised? Disable public access, reinstall. Restore scanned files from the backup before infection. Fix them.

    You're having a completely wrong workflow in resolving this issue.

    Thanked by 3: AlyssaD, Junkless, sin
  • WHT said: Someone is changing the account email, then the password, then he adds to .htaccess: deny from all.

    Check it isn't your email address that's hacked, if all of your servers have that in common.

    They'll either be resetting password via WHMCS or whatever, or using the "lost password" functionality.

  • WHT Member

    @ricardo said:

    WHT said: Someone is changing the account email, then the password, then he adds to .htaccess: deny from all.

    Check it isn't your email address that's hacked, if all of your servers have that in common.

    They'll either be resetting password via WHMCS or whatever, or using the "lost password" functionality.

    No, it's a shell.

  • @WHT said:

    @ricardo said:

    WHT said: Someone is changing the account email, then the password, then he adds to .htaccess: deny from all.

    Check it isn't your email address that's hacked, if all of your servers have that in common.

    They'll either be resetting password via WHMCS or whatever, or using the "lost password" functionality.

    No, it's a shell.

    The shell doesn't just appear, so you have been hacked in some fashion or another. When you were hacked, the hacker uploaded the shell for easy access to do other things with your server.
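
Several replies above say to check logs and modify times. The sketch below is an added example, not code from anyone in the thread: it finds every .htaccess under a web root that contains `deny from all`, then lists script files changed within a day of that edit. The function names, the one-day window and the extension list are assumptions.

```python
import os
import re
import sys
import time

# The directive the original poster found added to .htaccess.
DENY_RE = re.compile(r"^\s*deny\s+from\s+all\b", re.IGNORECASE | re.MULTILINE)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pl", ".cgi")  # assumed list, extend as needed

def find_deny_htaccess(web_root):
    """Return [(path, mtime)] for .htaccess files containing 'deny from all'."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    hits.append((path, os.stat(path).st_mtime))
        except OSError:
            continue  # unreadable file: skip it, keep sweeping
    return hits

def scripts_near(web_root, when, window=86400):
    """Return script files whose mtime or ctime is within `window` seconds of `when`."""
    near = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # mtime can be reset with touch; on Linux ctime cannot, so check both
            if min(abs(st.st_mtime - when), abs(st.st_ctime - when)) <= window:
                near.append(path)
    return sorted(near)

def triage(web_root, window=86400):
    """Map each matching .htaccess to the scripts changed around the same time."""
    return {p: scripts_near(web_root, m, window) for p, m in find_deny_htaccess(web_root)}

if __name__ == "__main__":
    for ht, files in triage(sys.argv[1]).items():
        print(time.ctime(os.stat(ht).st_mtime), ht)
        for f in files:
            print("    changed nearby:", f)
```

Some applications ship their own `deny from all` rules in upload or cache directories, so treat each hit as a timestamp to line up against the web server access log, not as proof of tampering.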
