- 09-05-2010 #1Just Joined!
- Join Date
- Jul 2009
- Posts
- 12
It seems like I was hacked last night by someone and need help.
It seems like I was hacked last night by someone jealous of my site.
The web address is waloshin.com and the sub directory is waloshin.com/blog.
So the website won't load at all, nothing. What logs can I look at to see what happened and how to fix it?
- 09-05-2010 #2
Are you hosting your own server or is this just a blog that you post online somewhere else?
- 09-05-2010 #3Just Joined!
- Join Date
- Jul 2009
- Posts
- 12
Hosting on my own server running Ubuntu server 10.04.1
- 09-05-2010 #4forum.guy
- Join Date
- May 2004
- Location
- arch linux
- Posts
- 18,733
- 09-05-2010 #5Just Joined!
- Join Date
- Jul 2009
- Posts
- 12
All files are still in /var/www
All mysql databases are still intact.
So it seems like they killed apache2?
- 09-05-2010 #6
It's never a good idea to run a public server machine with too little knowledge about its operating system.
But anyway. What you should check is your syslog for break-in attacks. The next thing you should do is to check /var/tmp and /tmp for malicious scripts (using ls -la, note: sometimes bad guys put scripts named like ., in there which look like the legitimate .. hardlink so be careful). Then you should consult lsof -i for open connections and ps auxw for running processes.
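The /tmp and /var/tmp check described in the post above, as an added example that is not part of the thread: it flags entries whose names imitate "." or ".." (such as "., " or ".. ") or hide behind whitespace or control characters. The function names are hypothetical, and it assumes a find that supports -mindepth and an ls that supports -b, as on Ubuntu.

```sh
#!/bin/sh
# Added example (not from the thread): find entries in temp directories whose
# names are built to be overlooked in a plain "ls -la" listing.

# _deceptive_find DIR ACTION...
# Runs find with the name tests below and the caller's action. An entry
# matches when its name
#   - starts with a dot and holds only dots, commas and spaces
#     (".,", "., ", ".. ", "..."), or
#   - begins or ends with a space, or
#   - contains a control character.
_deceptive_find() {
    _dir=$1
    shift
    find "$_dir" -mindepth 1 \( \
          \( -name '.*' ! -name '*[!., ]*' \) \
          -o -name '* ' -o -name ' *' \
          -o -name '*[[:cntrl:]]*' \
        \) "$@"
}

# list_deceptive_names DIR...
# Prints the path of every matching entry, one per line.
list_deceptive_names() {
    for _d in "$@"; do
        if [ -d "$_d" ]; then
            _deceptive_find "$_d" -print
        fi
    done
}

# show_deceptive_names DIR...
# Long listing of the same entries (owner, mtime) with non-printing
# characters escaped by ls -b, so "., " cannot pass for ".." on screen.
show_deceptive_names() {
    for _d in "$@"; do
        if [ -d "$_d" ]; then
            _deceptive_find "$_d" -exec ls -ldb -- {} +
        fi
    done
}

# Typical use during triage (run as root so every subdirectory is readable):
#   show_deceptive_names /tmp /var/tmp
```

Ordinary dotfiles such as .bashrc are not reported, because they contain characters other than dots, commas and spaces.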
- 09-05-2010 #7Just Joined!
- Join Date
- Jul 2009
- Posts
- 12
Error log attached. I think maybe apache might be misconfigured.
- 09-05-2010 #8
Looks like some guy is permanently pounding your Wordpress installation. Is your WP up2date?
Did you do this?
[Sun Aug 29 06:31:53 2010] [notice] Graceful restart requested, doing restart
- 09-05-2010 #9Just Joined!
- Join Date
- Jul 2009
- Posts
- 12
- 09-05-2010 #10
Actually some strange entries I found seem to be caused by misconfiguration like this but I'm not sure about this since: this guy tried to access two different folders at the same time.
Which looks like you have configured several index files but the user doesn't have the right to see any of them.
Code:
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.html denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.cgi denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.pl denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.php denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.xhtml denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.htm denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.html denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.cgi denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.pl denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.php denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.xhtml denied
[Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.htm denied
The other thing you should do is to create a favicon.ico to prevent Apache from polluting your error.log with needless stuff.
But you didn't answer my question: did you restart your Apache several times?



