HELP! website was hacked

Someone gained access to part of my server on Virtualmin and installed a web script with over 600 thousand redirects.
I didn't notice it until I saw it in Google Analytics.
The question is how did this happen? I only access my VPS with my personal computer. And TBH I haven't seen such a thing with cPanel.

This is not something that can be solved on a forum. You really need to hire a computer forensics specialist to take a look at your server.

If for whatever reason you can’t do that, you might want to take a look at recent vulnerability bulletins (these would be a good place to start) to see if you’re running any of the affected software.

If you’re running software that’s been abandoned, then stop using it and remove it from your server. Ancient Web apps with well-known vulnerabilities, in particular, are playgrounds for script kiddies, cybercriminals, and other miscreants.

Also have another pair of eyeballs review any pages you’ve written that accept user input, either by way of a Web form or (especially) passed as part of a URL. Never trust user input.

Also be careful to secure form processors so they won’t execute if the parent form is bypassed. One of the methods I use is to create a token file with some basic data about the visitor and stash it outside the Web root (for example, in /home/[user]/tmp) when the form page is loaded. The processing script then looks for the file and compares its contents when it’s called.

Without knowing the specifics, that’s all I can really suggest; and you probably shouldn’t post the specifics. Publicizing an existing vulnerability on your server would be… well, dumb. If at all possible, have a forensic specialist check it instead.

Richard
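The token-file approach Richard describes above (a file with basic visitor data, stashed outside the web root when the form page loads, checked by the processor when it is called), as an added Python rendering; this is not his code or anything from Virtualmin. Assumptions that are mine, not the post's: the token is a random hex value returned to the page for a hidden form field, the "basic data about the visitor" is a hash of remote address and user agent, a token is single-use and expires after 15 minutes, and the directory path is a placeholder standing in for /home/[user]/tmp.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time

# Directory OUTSIDE the web root where token files live. Placeholder path; the
# post suggests something like /home/[user]/tmp. Override via environment.
TOKEN_DIR = os.environ.get("FORM_TOKEN_DIR", "/home/EXAMPLE_USER/tmp/form-tokens")
TOKEN_MAX_AGE = 15 * 60  # seconds a rendered form may sit before its token expires (my choice)


def _fingerprint(remote_addr, user_agent):
    """Visitor data stored with the token, hashed so the file holds no raw values."""
    return hashlib.sha256(f"{remote_addr}\n{user_agent}".encode()).hexdigest()


def _token_path(token_dir, token):
    """Map a token to its file. The token came back from the browser, so it is
    re-validated here: only 64 hex chars are accepted, so it can never name a
    file outside token_dir."""
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("malformed token")
    return os.path.join(token_dir, token + ".json")


def issue_token(token_dir, remote_addr, user_agent, now=None):
    """Run when the form page is rendered. Writes the token file and returns the
    token to embed in the form (e.g. as a hidden field)."""
    os.makedirs(token_dir, mode=0o700, exist_ok=True)
    token = secrets.token_hex(32)
    issued = now if now is not None else time.time()
    record = {"fp": _fingerprint(remote_addr, user_agent), "issued": issued}
    path = _token_path(token_dir, token)
    # O_EXCL: fail rather than silently overwrite if the name already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    return token


def consume_token(token_dir, token, remote_addr, user_agent, now=None, max_age=TOKEN_MAX_AGE):
    """Run by the form processor before doing any work. Returns True only when a
    matching, unexpired token file exists. The file is removed on every attempt,
    so a token is single-use and a bypassed or replayed submission is refused."""
    try:
        path = _token_path(token_dir, token)
    except ValueError:
        return False
    try:
        with open(path) as fh:
            record = json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return False
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    now = now if now is not None else time.time()
    fresh = 0 <= now - record.get("issued", 0) <= max_age
    same_visitor = hmac.compare_digest(record.get("fp", ""), _fingerprint(remote_addr, user_agent))
    return fresh and same_visitor


def run_demo():
    """Exercise the flow against a throwaway directory with constructed visitor
    data; returns one boolean per scenario."""
    token_dir = tempfile.mkdtemp(prefix="form-tokens-")
    ip, ua = "203.0.113.5", "Mozilla/5.0 (constructed sample)"  # constructed
    t0 = 1_700_000_000.0
    good = issue_token(token_dir, ip, ua, now=t0)
    results = {
        "valid_submit": consume_token(token_dir, good, ip, ua, now=t0 + 60),
        "replayed_token": consume_token(token_dir, good, ip, ua, now=t0 + 61),
    }
    other = issue_token(token_dir, ip, ua, now=t0)
    results["other_visitor"] = consume_token(token_dir, other, "198.51.100.9", ua, now=t0 + 60)
    stale = issue_token(token_dir, ip, ua, now=t0)
    results["expired"] = consume_token(token_dir, stale, ip, ua, now=t0 + TOKEN_MAX_AGE + 1)
    results["no_token_file"] = consume_token(token_dir, "0" * 64, ip, ua, now=t0)
    results["malformed_token"] = consume_token(token_dir, "../../not-a-token", ip, ua, now=t0)
    return results


if __name__ == "__main__":
    for scenario, accepted in run_demo().items():
        print(f"{scenario:18} -> {'accepted' if accepted else 'refused'}")
```

The processor should call `consume_token` first and exit if it returns False; deleting the file before comparing means a token cannot be retried, and keeping the directory outside the web root means the files are never served to anyone. The fingerprint check is deliberately coarse (NAT users share addresses), so it supplements, rather than replaces, validation of the submitted fields themselves.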

Do you have SSH turned on? It's a good idea to use key-based authentication. Did you see some unusual files on your server? If you have a program that doesn't check user input, someone could have uploaded a PHP file and could execute it from your server if you are not careful.

Like at yoursite.com/dir/bad_script.php, and then someone just has to go to that URL to make the script do its dirty deeds.

The downside is you never know what is compromised and where so in the end you may have to do a complete new install.
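A starting point for the "did you see some unusual files" question in the post above, as an added Python example that is not from the poster or from Virtualmin: walk the web root and report script files sitting in directories that should only ever hold uploaded data, plus anything modified after a given time. The directory tree in `run_demo` is constructed for the example; the list of script extensions and the seven-day window are my assumptions, and the paths and file names are placeholders (only `bad_script.php` comes from the post).

```python
import os
import tempfile

# Extensions a typical PHP hosting stack will execute. Assumption: extend to
# match the handlers actually configured on the server.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def find_suspicious_files(web_root, upload_dirs=(), modified_since=None):
    """Return (path, reason) pairs worth a human look.

    upload_dirs: directories relative to web_root that should hold only data,
                 never anything the web server would execute.
    modified_since: epoch seconds; files changed at or after this are reported.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        in_upload_dir = any(
            rel_dir == d or rel_dir.startswith(d + os.sep) for d in upload_dirs
        )
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if in_upload_dir and ext in SCRIPT_EXTS:
                findings.append((path, "script in upload directory"))
            if modified_since is not None:
                try:
                    mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
                except OSError:
                    continue
                if mtime >= modified_since:
                    findings.append((path, "modified recently"))
    return findings


def run_demo():
    """Build a constructed web root in a temp directory and scan it.
    Returns findings as (relative path, reason), sorted."""
    web_root = tempfile.mkdtemp(prefix="webroot-")
    base, day = 1_700_000_000, 86_400
    # constructed sample tree: relative path -> mtime (epoch seconds)
    sample = {
        "index.php": base - 120 * day,          # old, legitimate
        "includes/config.php": base - 1 * day,  # legitimate file, but changed recently
        "uploads/photo.jpg": base - 90 * day,   # data in the upload dir, fine
        "uploads/bad_script.php": base - 2 * day,  # script where only data belongs
    }
    for rel, mtime in sample.items():
        path = os.path.join(web_root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    findings = find_suspicious_files(
        web_root, upload_dirs=("uploads",), modified_since=base - 7 * day
    )
    return sorted((os.path.relpath(p, web_root), why) for p, why in findings)


if __name__ == "__main__":
    for rel, why in run_demo():
        print(f"{why:28} {rel}")
```

A recently modified file is only a lead, not proof of anything; comparing against a known-good copy or package checksums is what settles it. As the post says, once a server has run attacker-supplied code you cannot be sure what else changed, which is why a clean reinstall is the usual end point.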
