Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- May 2013
Help with hackers on Linux server box
Our setup is as follows: We split a server box with a few other clients, sharing amongst us four IP addresses. Each of us have only access to our own user folder. Our user folder contains game servers (Team Fortress 2 and Minecraft), a voice server (Mumble), and two installations of the newest version of phpBB that share a database, which constitutes our website.
Here are the problems we're having:
1. Our website data gets overwritten from time to time, resulting in a site where every single page links to the same thing. It's always a very simply coded HTML page of ASCII text saying something stupid. All the files in the /forums and /home directories suddenly have the same file size, as they all contain only the HTML code for this hacked page.
2. Our server box goes down daily, for times ranging from a few minutes to a few hours. Only sometimes are our files changed after this happens. We suspect it's a DoS attack, but we're confused because they're not attacking just our IP, but the IPs of everyone using our server box. No one except the clients know which IPs are used by our box, and the information is not posted anywhere. This makes us think that whatever's happening is coming from inside the server itself.
3. Our folder with our installation of Mumble got all its files wiped. Someone came into our Mumble server, followed by a superuser (not one of us) and banned everyone in the server, then apparently proceeded to delete it.
We've checked logs and everything to no avail. We've installed anti-bruteforce and anti-DoS packages, as well as scripts that read the system processes and report them to a logfile, which didn't help us narrow it down either. We think it's probably code injection, or at least we did until our voice server files got wiped. Now we just don't know.
Any help would be much appreciated.
I haven't maintained such a high traffic site. Few tips to make it secure.
> Our website data gets overwritten from time to time
That's serious security issue. Have you enabled SELinux?
Make sure only required ports are allowed through firewall.
Your admin account and password are safe enough?
Install Chapter*13.*Intrusion Detection with AIDE