LinuxQuestions.org
Linux - Security: Server hacked (https://www.linuxquestions.org/questions/linux-security-4/server-hacked-197903/)

Capt_Caveman 06-28-2004 07:16 PM

And I will install tripwire, and harden my kernel (anyone know of any good tutorial for hardening redhat kernel?)
See the section of the security references thread on kernel hardening. You might also want to take a look at grsecurity. If you are going to use an RPM based distro, then you definitely should use an automatic update tool like up2date or YUM. Both will automagically keep your box updated with the most recent security patches. Remember to turn off unnecessary services, use encryption when feasible (ssh vs. telnet), and use a decent firewall. That should eliminate most of the garbage 'sploits that can be used to compromise poorly maintained systems.

cpanelskindepot 06-28-2004 07:33 PM

Thanks for that caveman!

Anyone who can think of stuff that I should do in addition to what caveman mentioned, please tell me. I can't afford to let some Turkish script kiddies compromise my security and deface my site with some animated Turkish flag GIF and bad color combination and backgrounds. Hackers suck at design. Why don't we see more hackers deface sites and replace them with nice flash templates? I will appreciate that!

HadesThunder 06-29-2004 06:13 AM

I did not know that advertising was not allowed in forums, will take that into account. Forgive my attempt at humour.
I think Tripwire is good if you're experienced in Linux. But a router is a lot easier to set up and offers the same security. Plus, if a cracker somehow manages to bring down the network, the router will usually automatically detect most of your network settings upon reinstall.

HadesThunder 06-29-2004 06:14 AM

Just to follow up. I suggest using tripwire as well.

v00d00101 06-29-2004 03:37 PM

Quote:

Originally posted by cpanelskindepot
What if the /usr and /etc folders are "infected"?
If you make master copies right after a reinstallation of the operating system and configuration of your services, why would you think they'd be infected? Unless you ran your box without any security at all, they should be ok.

Get a hardware firewall/router to put in between your box and the wan.

cpanelskindepot 06-29-2004 05:23 PM

And why is a hardware firewall better than software?
I was told the software firewall, APF, is more than enough.

HadesThunder 06-29-2004 06:49 PM

A router will make an efficient firewall for you, but as it's hardware it will cost you £ rather than time. You can get the same results with a software firewall, like TripWire, but unless you know what you are doing, you are likely to trip yourself up rather than the hacker. Hardware will cost you £ and software will cost you time, your choice.

tekhead2 06-29-2004 09:57 PM

A hardware firewall is better simply because the code is usually running in ROM, in an embedded system that can't be changed. A software firewall is just that, software, that can be changed, altered, and otherwise crash. By the way cpanelskindepot, are you going to reinstall? I tried to take the easy route once and left a compromised system running, and just shored up my firewall. Well, it didn't matter; most firewalls are stateful, and will let out any packet that is sent from within the trusted part of the network. Who's to say that they don't have some server/client connection being established via a trojan? If they did, it's gonna cruise right on through your firewall, even if you block the IP addresses. Yeah man, I would reinstall, install some kinda IDS, namely snort, install tripwire, and set up a honeypot that looks a lot like the old system they hacked. I bet money they are bouncing from proxy to proxy so bad that you will never find them. Heck, you may even want to try a deadzone. Just use a network bridge and change protocols on them: you could go from TCP/IP to IPX/SPX and then back to TCP/IP. That would make it go slower though if it's a webserver, but they couldn't even get to it then.

cpanelskindepot 06-29-2004 10:15 PM

I managed to get a rollback from my backup on the 14th... that's like 10 days before I got hacked.
When I did, I found some traces of the hacker's activity on the server.
So that guy had been trying for some time before he defaced my site.
BUT the script I believe he used was not present.

I bet at this point some of you wanted to see the defaced site.
WARNING: This is not going to be pretty.

http://www.alphaillusion.com/test/Mu...%20_______.htm

If you read the lines below, it said: "If you want hack this server, please go to http://www.cpanelskindepot.com/~demo/.admin.php
Dear CpanelSkindepot del it quickly"

I didn't see the .admin.php in the /home/demo/ directory, so I suppose they had not figured out the admin.php by that time. I am just banking on this fact.
Anyway, why did they lead me to the script they used to hack my site and were kind enough to advise me to delete it, instead of saying "Your server is lame, we hacked in because your security sucks!!!!"
The only thing I can think of is they actually employed another way to hack in but tried to lead me to the wrong script.
I might be thinking too much about all these conspiracy theories though.

I doubt those Turkish script kiddies bothered to find a proxy. It is not as if there's Bill Gates' bank account password in there. Yes, I sell software on my site, but my licensing server is somewhere else so they get nothing out of it.

By the way, what is a honeypot? What is a deadzone?
I have no idea what these are as I am really a Linux newbie but they sound pretty good.
I will employ any tactics to get Bozos out of my server.


unSpawn 06-30-2004 01:46 AM

IMNSHO this thread has been going on too long, with too much advice. Not that I want to hold back any, but you should focus on system restoration, making sure the system is in working order and under your control, and hardening. Honeypots and such are fine, but won't do you any good as they will not enhance security.

Maybe start with these:
Did you update all software?
What services do you run?
What measures did you take to log access?
What measures did you take to shield access?

cpanelskindepot 06-30-2004 01:53 AM

1. Yes all updated
3. I rely on AWstats for log analysis.
4. So far I only used IPtables to block the whole of Turkey from accessing my site.

And I only need advice on ONE THING now.

How can a hacker compromise security and access other accounts in the /home/ directory if he was ONLY given the permission to upload a phpMyshell file?
I hope by understanding this I will be able to learn from this mistake.

My server was restored from backup so I guess I am going to be OK.
And I hope others will learn from this too!

Quote:

Originally posted by unSpawn

Maybe start with these:
1.Did you update all software?
2.What services do you run?
3.What measures did you take to log access?
4.What measures did you take to shield access?


fotoguy 06-30-2004 05:57 AM

What is a honeypot? Check out this site: http://www.tracking-hackers.com/papers/honeypots.html

cpanelskindepot 06-30-2004 06:01 AM

That stuff is hurting my brain so bad.... :(

Quote:

Originally posted by fotoguy
What is a honeypot? Check out this site: http://www.tracking-hackers.com/papers/honeypots.html

HadesThunder 06-30-2004 05:32 PM

As suggested earlier, go get yourself a decent router. Set it up and it will do most of the work that Tripwire and honeypots can do for you. Back up your critical data, reinstall and study Tripwire and other security software, safe in the hands of the router, which will slap 90% of crackers.

unSpawn 07-01-2004 03:38 PM

2. What services do you run?
You don't know?


What measures did you take to log access?
3. I rely on AWstats for log analysis.

No, that's webstats only AFAIK. You need to watch syslog and (Chkrootkit, Rootkit Hunter, Tiger, server, IDS, filesystem integrity) application logs for anomalies, set yourself up with a remote email account you check regularly and have something like Logwatch report to you.


What measures did you take to shield access?
4. So far I only used IPtables to block the whole of Turkey from accessing my site.

Start by running everything (except high volume services like HTTP(S)) through LOG target rules. Logging rules major. It also helps you debug rules. On a public webserver the only "established, related" outbound connections are return traffic for the services you run. Initialising (that's SYN for TCP) outbound are DNS queries (TCP and UDP) for resolving and SMTP for sending email, so they need "established,related" inbound. Note some SMTP hosts require you to allow them access to "ident" service (or at least not DROPping them). The only initialising inbound you get are ident for SMTP, (SSH for your remote management caps if necessary (don't log in as root)), and the services you run (hopefully only HTTP(S)). If you're behind a shared firewall your colo ppl might be able to assist by only allowing traffic in and out for the services you need to run.


And I only need advice on ONE THING now. How can a hacker compromise security and access other accounts in the /home/ directory if he was ONLY given the permission to upload a phpMyshell file? I hope by understanding this I will be able to learn from this mistake.
Upload and run more likely, eh? Remote shell access for unprivileged users in general is BAD NEWS. By allowing PHP to be a GUI for shell commands it's only making it easier. PHP's safe mode would have killed PHP.*shell exec's. Don't trust users to upload, make, modify and run binaries you haven't tested yourself. Don't allow users write access to public (tmp) dirs to create setuid (root) binaries. Don't allow users to execute anything outside the $PATH. Don't trust users (period)


Please read the LQ FAQ: Security references and forget about Honeypots. It ain't helping you secure your box, no matter who mentions it for whatever compelling reason (with all due respect etc, etc).
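The two concrete points in unSpawn's reply above (an iptables policy that logs everything it drops except HTTP(S), with only the return traffic, DNS/SMTP outbound and ident/SSH/HTTP(S) inbound the box actually needs, and not letting an uploaded PHP file act as a shell or a public tmp dir hold executables) can be turned into a small checkable script. The following is an added example written for this edit, not code from the thread or from any of the posters; the interface name, the management network (an RFC 5737 documentation range) and the php.ini/mounts paths are assumptions, and the firewall rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): a defender's baseline for a public
# webserver following the advice in this thread. Assumptions: WAN_IF is the
# public interface, ADMIN_NET is a placeholder management network, and the
# php.ini / mounts paths passed to the check functions are placeholders.

WAN_IF="${WAN_IF:-eth0}"                   # assumption: public interface
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # placeholder management network

# Print (or, with APPLY=1, apply) the ruleset. Every drop except for HTTP(S)
# traffic is logged first: that is what gives syslog something to watch and
# what lets you debug the rules.
gen_fw_rules() {
    if [ "${APPLY:-0}" = "1" ]; then r() { iptables "$@"; }; else r() { echo "iptables $*"; }; fi

    r -F; r -X
    r -P INPUT DROP; r -P FORWARD DROP; r -P OUTPUT DROP
    r -A INPUT -i lo -j ACCEPT
    r -A OUTPUT -o lo -j ACCEPT

    # Return traffic for the services we serve and the connections we open.
    r -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    r -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Initialising inbound: only the services we run (HTTP/HTTPS), ident for
    # SMTP peers (answered with a reset rather than silently dropped, so their
    # MTAs don't stall), and SSH from the management network, logged.
    r -A INPUT -i "$WAN_IF" -p tcp --dport 80  -m state --state NEW -j ACCEPT
    r -A INPUT -i "$WAN_IF" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    r -A INPUT -i "$WAN_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    r -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j LOG --log-prefix "FW ssh-new: "
    r -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT

    # Initialising outbound: DNS (UDP and TCP) for resolving, SMTP for mail.
    r -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    r -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    r -A OUTPUT -o "$WAN_IF" -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "FW smtp-out: "
    r -A OUTPUT -o "$WAN_IF" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Everything else is logged (rate limited) and then hits the DROP policy.
    # An unexpected outbound NEW connection is the trojan/callback case
    # tekhead2 describes, so the OUTPUT log line matters as much as INPUT.
    r -A INPUT  -m limit --limit 10/min -j LOG --log-prefix "FW in-drop: "
    r -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "FW out-drop: "
}

# Return 0 if the given php.ini disables the functions that turn an uploaded
# PHP file into a shell, 1 (and print the missing ones) otherwise.
check_php_ini() {
    ini="$1"
    missing=""
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tr -d ' ')
    for f in exec shell_exec system passthru popen proc_open; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "php.ini leaves shell functions enabled:$missing"
        return 1
    fi
    return 0
}

# Return 0 if /tmp is mounted nosuid,noexec in a /proc/mounts style listing
# (so nothing written there can run or be setuid), 1 otherwise.
check_tmp_mount() {
    opts=$(awk '$2 == "/tmp" { print $4 }' "$1")
    case ",$opts," in *,noexec,*) ;; *) echo "/tmp is not noexec"; return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) echo "/tmp is not nosuid"; return 1 ;; esac
    return 0
}

# Stand-alone use: RUN_CHECKS=1 sh baseline.sh (paths are assumptions).
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    gen_fw_rules
    check_php_ini /etc/php.ini
    check_tmp_mount /proc/mounts
fi
```

Running it with APPLY unset prints the rules so they can be reviewed before being loaded; once loaded, the "FW in-drop:" and "FW out-drop:" prefixes are what to grep for in syslog (or feed to Logwatch) for the anomalies unSpawn mentions. The php.ini and mount checks only read files, so they are safe to run on a restored box as part of a post-reinstall checklist.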

