  1. #1
    Just Joined!
    Join Date
    Jul 2009
    Posts
    12

    It seems like I was hacked last night by someone and need help.


    It seems like I was hacked last night by someone jealous of my site.

    The web address is waloshin.com and the sub directory is waloshin.com/blog.

    So the website won't load at all, nothing. What logs can I look at to see what happened and how to fix it?

  2. #2
    Administrator MikeTbob's Avatar
    Join Date
    Apr 2006
    Location
    Texas
    Posts
    7,864
    Are you hosting your own server or is this just a blog that you post online somewhere else?
    I do not respond to private messages asking for Linux help, Please keep it on the forums only.

    I'd rather be lost at the lake than found at home.

  3. #3
    Just Joined!
    Join Date
    Jul 2009
    Posts
    12
    Hosting on my own server running Ubuntu server 10.04.1

  5. #4
    oz
    forum.guy
    Join Date
    May 2004
    Location
    arch linux
    Posts
    18,733
    Quote Originally Posted by waloshin View Post
    What logs can I look at to see what happened and how to fix it?
    Log files are usually found in: /var/log

    If your system has been compromised, you need to do a fresh install.
    oz

  6. #5
    Just Joined!
    Join Date
    Jul 2009
    Posts
    12
    All files are still in /var/www

    All mysql databases are still intact.

    So it seems like they killed apache2?

  7. #6
    Linux User Manko10's Avatar
    Join Date
    Sep 2010
    Posts
    250
    It's never a good idea to run a public server machine with too little knowledge about its operating system.
    But anyway. What you should check is your syslog for break-in attacks. The next thing you should do is to check /var/tmp and /tmp for malicious scripts (using ls -la, note: sometimes bad guys put scripts named like ., in there which look like the legitimate .. hardlink so be careful). Then you should consult lsof -i for open connections and ps auxw for running processes.
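
The `/tmp` and `/var/tmp` check from the post above, as an added example that is not part of the original thread: two read-only helpers that surface names imitating `.` and `..` and files marked executable. The function names are made up for this example; it assumes `find` with `-mindepth` and an `ls` that supports `-b`, as on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only checks for temp directories.

# List entries whose names are built only from dots, commas and whitespace
# (".,", ". ", "...") or contain non-printable characters. ls -b prints
# backslash escapes, so a trailing space or control byte becomes visible.
dot_lookalikes() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -mindepth 1 skips the directory itself; find never reports the
        # real "." and ".." links, so every hit is an actual file or dir.
        find "$d" -mindepth 1 \
            \( ! -name '*[!.,[:space:]]*' -o -name '*[![:print:]]*' \) \
            -exec ls -ldb {} +
    done
}

# List regular files in the given directories with the owner-execute bit set.
tmp_executables() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -100 -exec ls -ldb {} +
    done
}
```

Run both as root against the directories named in the post, e.g. `dot_lookalikes /tmp /var/tmp`, alongside `lsof -i` and `ps auxw`.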

  8. #7
    Just Joined!
    Join Date
    Jul 2009
    Posts
    12
    Error log attached. I think maybe Apache might be misconfigured.

  9. #8
    Linux User Manko10's Avatar
    Join Date
    Sep 2010
    Posts
    250
    Looks like some guy is permanently pounding your Wordpress installation. Is your WP up2date?

    [Sun Aug 29 06:31:53 2010] [notice] Graceful restart requested, doing restart
    Did you do this?

  10. #9
    Just Joined!
    Join Date
    Jul 2009
    Posts
    12
    Quote Originally Posted by Manko10 View Post
    Looks like some guy is permanently pounding your Wordpress installation. Is your WP up2date?

    Did you do this?
    I am running the newest version of Wordpress, so how do I fix this?

  11. #10
    Linux User Manko10's Avatar
    Join Date
    Sep 2010
    Posts
    250
    Actually some strange entries I found seem to be caused by misconfiguration like this but I'm not sure about this since: this guy tried to access two different folders at the same time
    Code:
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.html denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.cgi denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.pl denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.php denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.xhtml denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /waloshi /index.htm denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.html denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.cgi denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.pl denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.php denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.xhtml denied
    [Tue Aug 24 19:16:30 2010] [error] [client xxx.xxx.xxx.xxx] (13)Permission denied: access to /forums /index.htm denied
    Which looks like you have configured several index files but the user doesn't have the right to see any of them.
    The other thing you should do is to create a favicon.ico to prevent Apache from polluting your error.log with needless stuff.

    But you didn't answer my question: did you restart your Apache several times?
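
A way to test the reading given in the post above (added example, not part of the original thread): collapse the `(13)Permission denied` lines into one row per timestamp, client and directory, so a burst of `index.*` denials shows up as a single request fanned out over the configured index files. The log lines are constructed for the example, with a documentation IP address and made-up paths; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.

# Constructed sample in the error-log format quoted in the post.
sample_log() {
    for d in /var/www/site /var/www/forums; do
        for f in index.html index.cgi index.pl index.php index.xhtml index.htm; do
            printf '[Tue Aug 24 19:16:30 2010] [error] [client 192.0.2.10] (13)Permission denied: access to %s/%s denied\n' "$d" "$f"
        done
    done
    printf '%s\n' '[Tue Aug 24 19:16:31 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico'
}

# Reads error-log lines from files or stdin.
# Output: count<TAB>timestamp<TAB>client<TAB>directory, in order of first sight.
index_fanout() {
    awk '
    /\(13\)Permission denied: access to .*index\.[a-z]+ denied/ {
        ts = $0; sub(/^\[/, "", ts); sub(/\].*/, "", ts)
        cl = $0; sub(/.*\[client /, "", cl); sub(/\].*/, "", cl)
        p = $0; sub(/.*access to /, "", p); sub(/ denied$/, "", p)
        sub(/ *\/index\.[a-z]+$/, "", p)   # drop the index candidate, keep the directory
        key = ts "\t" cl "\t" p
        if (!(key in n)) order[++k] = key
        n[key]++
    }
    END { for (i = 1; i <= k; i++) printf "%d\t%s\n", n[order[i]], order[i] }
    ' "$@"
}
```

A count of 6 per row matches the six index file names in the quoted log, which is what one request for a directory produces when Apache cannot read that directory; many different directories or clients in a short window would point to scanning instead.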
