Hack attack

  • Hi all,


    I am quite a new i-MSCP user, and in the last days a hack attack was performed successfully against my site. First of all I want to tell you that it must probably be my fault that it could have happened, but the following happened somehow:
    (All the information I can give about the environment is in my profile! I read the warning you wrote, but this is all I could provide; I didn't find anything else. If you helped me with this without deleting the post, that would be great!)


    Someone could somehow use the VU200X user to delete, modify and insert files.
    I checked the Ubuntu user settings, and no one was logged in with this user via SSH, so it must be that somehow they can manipulate it with HTTP requests.
    I don't know if it's important, but it's a Drupal 7.2 application.
    In most cases with the i-MSCP settings I left everything on default.


    How could it have happened? Could moving to the newest version solve the problem?


    Kindest regards,


    ssibal

  • Hi!


    That's right: only within /var/www/virtual/****/htdocs were the changes made, but it's still really bad.
    How could it have happened?
    For now I disabled the VU200X user; I hope that prevents further actions made by the same methods (of course, the info leaked I must defend against in another way)!

  • Furthermore: The 1.1.x series ( Eagle ) is no longer supported ;)


  • So upgrading to the newest version would definitely fill the security gap?
    Is it possible to upgrade from this Eagle version to the new one without losing the existing settings I have?
    Thank you for the quick replies, btw!

  • Hi!


    That's right: only within /var/www/virtual/****/htdocs were the changes made, but it's still really bad.
    How could it have happened?
    For now I disabled the VU200X user; I hope that prevents further actions made by the same methods (of course, the info leaked I must defend against in another way)!



    Well:


    You're talking about an attack without providing the attack type, nor any log and so on.... The vuxxx user is not responsible for your problem. The vuxxx user is required to run your PHP scripts, and thus I'm wondering what you mean here when you say "I've disabled the vu2000x user"... If a file has been modified or removed inside the document root (htdocs), this is surely related to your Drupal application.


    To sum up: The problem is not i-MSCP, nor the vuxxx user. You must check your Drupal application for any malware and so on ;)


  • @ssibal, can't say that that will solve the issue, because we don't know what causes the problem.
    But since 1.x there have been a lot of issues solved, so maybe it does, yes.


    Read the errata and readme files; your settings and users will be kept.


    **edit, could you check what unix groups that vu user is in?**

  • I think the VUXXX user is the problem, since when listing the modified documents, the user who made the changes was the VUXXX user; somehow they used it. If I ran Drupal without i-MSCP they couldn't use the VUXXX user, so somehow it must be related.
    By disabling I mean you can disable a user with Ubuntu:


    sudo passwd -l [user_name]


    I don't know the type of the attack, and I also don't know how I should provide logs.
    All that happened is that they were able to add files (new index.html / jpeg, adminer.php) to the root, and remove the old index.php. All actions were done by the VUXXX user.

  • Check FTP logs and auth.log.


    If your PHP script is hacked (or used right), it is possible to upload new files to accounts, and also to overwrite existing files like index.php.
    That will be more likely.
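
What "check the docroot and the logs" looks like in practice, as an added example that is not code from the thread, from any poster, or from i-MSCP: a POSIX shell script that compares the htdocs tree against a manifest recorded from a known-good deployment (reporting added, removed and changed files) and summarises accepted SSH logins from auth.log. The docroot layout, the tamper steps and the log lines are constructed for the demo; the vu2003 user name and the adminer.php / index.html file names are the ones mentioned in the thread. Run it with plain `sh`.

```shell
#!/bin/sh
# Added example for this thread (not code from i-MSCP or from any poster):
# first-pass triage after files in htdocs were added, removed or changed by
# the PHP runtime user. Two checks: (1) compare the document root against a
# manifest recorded from a known-good deployment, (2) summarise accepted
# SSH logins from auth.log. The sample docroot and log lines are constructed.
LC_ALL=C
export LC_ALL

# docroot_manifest DOCROOT
#   One line per regular file: "relative/path crc" (POSIX cksum), sorted by
#   path. Record this right after a clean deployment and keep it off-box.
#   Paths containing spaces are not handled (join splits on blanks).
docroot_manifest() {
    docroot=$1
    ( cd "$docroot" && find . -type f | sort | while IFS= read -r f; do
        crc=$(cksum "$f" | cut -d' ' -f1)
        printf '%s %s\n' "${f#./}" "$crc"
    done )
}

# compare_manifest BASELINE_FILE CURRENT_FILE
#   Prints ADDED / REMOVED / CHANGED lines; output is empty when nothing moved.
compare_manifest() {
    join -v 2 "$1" "$2" | awk '{ print "ADDED " $1 }'
    join -v 1 "$1" "$2" | awk '{ print "REMOVED " $1 }'
    join "$1" "$2"      | awk '$2 != $3 { print "CHANGED " $1 }'
}

# accepted_logins AUTH_LOG
#   Prints "user ip count" for every sshd "Accepted ..." line, sorted.
accepted_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" { n[$9 " " $11]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# build_sample_docroot DIR
#   Constructed tree resembling a small Drupal docroot (not a real site).
build_sample_docroot() {
    mkdir -p "$1/sites/default"
    printf '<?php // front controller\n' > "$1/index.php"
    printf '<?php $databases = array();\n' > "$1/sites/default/settings.php"
}

# simulate_tamper DIR
#   Reproduces what the thread describes: index.php removed, index.html and
#   adminer.php dropped in, settings.php modified.
simulate_tamper() {
    rm "$1/index.php"
    printf 'defaced\n' > "$1/index.html"
    printf '<?php // dropped-in file\n' > "$1/adminer.php"
    printf '<?php $databases = array("changed");\n' > "$1/sites/default/settings.php"
}

# write_sample_authlog FILE
#   Constructed auth.log excerpt; addresses are from documentation ranges.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Jan 10 03:12:01 web sshd[1234]: Accepted publickey for admin from 198.51.100.5 port 40000 ssh2
Jan 10 03:14:07 web sshd[1240]: Failed password for root from 192.0.2.10 port 51240 ssh2
Jan 10 03:15:09 web sshd[1250]: Accepted password for vu2003 from 192.0.2.10 port 51234 ssh2
Jan 10 03:16:30 web sshd[1260]: Accepted publickey for admin from 198.51.100.5 port 40002 ssh2
EOF
}

# demo: build the sample site, record a baseline, tamper with it, then report.
demo() {
    work=$(mktemp -d)
    build_sample_docroot "$work/htdocs"
    docroot_manifest "$work/htdocs" > "$work/baseline.txt"
    simulate_tamper "$work/htdocs"
    docroot_manifest "$work/htdocs" > "$work/current.txt"
    echo "== docroot changes =="
    compare_manifest "$work/baseline.txt" "$work/current.txt"
    write_sample_authlog "$work/auth.log"
    echo "== accepted ssh logins =="
    accepted_logins "$work/auth.log"
    rm -rf "$work"
}

demo
```

The comparison is only as trustworthy as the baseline: a manifest recorded off-box right after a clean deployment shows what an intruder touched, while one taken after the fact only shows what changes from then on. An empty ADDED/REMOVED/CHANGED list for the system paths, combined with only expected SSH logins, points (as the replies above say) to the web application or FTP as the entry point rather than to the runtime account itself, which simply owns whatever the PHP code writes.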

  • @ssibal, can't say that that will solve the issue, because we don't know what causes the problem.
    But since 1.x there have been a lot of issues solved, so maybe it does, yes.


    Read the errata and readme files; your settings and users will be kept.


    **edit, could you check what unix groups that vu user is in?**


    it's in the same group as the user name: vu2003 : vu2003