LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-22-2010, 11:15 AM   #1
ciberrust
server hacked...


I have a server hacked.
When I try to log in I type root but it won't let me type a passwd.

There are no services up, can't see page, mail, nothing...

Anyone?
 
Old 06-22-2010, 11:24 AM   #2
TB0ne
Quote:
Originally Posted by ciberrust
I have a server hacked.
When I try to log in I type root but it won't let me type a passwd.

There are no services up, can't see page, mail, nothing...

Anyone?
What do you expect anyone to be able to tell you from this??? You give NO details at all. Things like version/distro of Linux, your server or hosted server, what you've tried/done, etc. Only hint any of us can give you is to reboot it, and either boot to single-user mode, or via rescue CD, and change your password, if you've forgotten it. Then look at the logs from there.

Provide information, you might get help. Provide nothing, and you'll get just that.

Last edited by TB0ne; 06-22-2010 at 11:27 AM.
 
Old 06-22-2010, 11:25 AM   #3
Wim Sturkenboom
How do you mean, won't let me type password?

If you're in a console, you will not see the password when you type it (nor something else as in a GUI login).
 
Old 06-22-2010, 12:20 PM   #4
Hangdog42
If you really think this has been cracked, then pull the network plug on the thing so only you have access. I would not try to either power down or reboot the machine until you've had a chance to do some investigation into how the crack happened. If you must power down, the best way to preserve any incriminating evidence is to simply pull the power plug. If you do that, you'll need to boot from a clean and trusted CD distro.

If you can get information from the machine, log files are worth examining as are the output of some commands:
Code:
lsof -Pwn
ps -axfwwwe
netstat -anpe
There is also the CERT Checklist which is worth going through.

Quote:
Originally Posted by TB0ne
Only hint any of us can give you is to reboot it, and either boot to single-user mode, or via rescue CD, and change your password, if you've forgotten it.
I respectfully disagree. If the machine has been cracked, changing the root password is a pretty futile gesture and rebooting gives the crack the opportunity to cover its tracks.
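The collection step Hangdog42 describes, as an added example that is not code from the thread or from any of its posters: snapshot the three commands' output (plus a timestamp and kernel banner) onto media that is not the suspect disk, before the machine is unplugged or powered off. TRUSTED_BIN (a directory of clean static binaries, defaulting to an assumed /mnt/cdrom/bin), the output directory and the manifest format are assumptions.

```shell
#!/bin/sh
# Snapshot volatile state of a suspect host before it is unplugged or powered
# off. Run it with a trusted static-binary directory (TRUSTED_BIN, an assumed
# path) first in PATH, and point the output at media that is not the suspect
# disk. The three commands are the ones given in the post above.

run_capture() {
    # $1 = output file stem, remaining args = command to run. Missing tools and
    # non-zero exits are recorded in the manifest rather than aborting the run.
    stem=$1; shift
    out="$OUTDIR/$stem.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s MISSING tool=%s\n' "$stem" "$1" >> "$OUTDIR/manifest.txt"
        return 0
    fi
    "$@" > "$out" 2> "$OUTDIR/$stem.err" && status=0 || status=$?
    hash=$(sha256sum "$out" 2>/dev/null | cut -d' ' -f1) || hash=
    printf '%s exit=%s sha256=%s cmd=%s\n' "$stem" "$status" "${hash:-n/a}" "$*" \
        >> "$OUTDIR/manifest.txt"
}

collect_volatile() {
    # $1 = output directory on external media; returns 0 once the manifest exists.
    OUTDIR=$1
    PATH="${TRUSTED_BIN:-/mnt/cdrom/bin}:$PATH"   # prefer clean binaries, if present
    mkdir -p "$OUTDIR" || return 1
    : > "$OUTDIR/manifest.txt"
    # When the snapshot was taken and under which kernel.
    { date -u; uname -a; } > "$OUTDIR/context.txt" 2>&1 || :
    run_capture lsof    lsof -Pwn          # open files and sockets per process
    run_capture ps      ps -axfwwwe        # full process tree with environments
    run_capture netstat netstat -anpe      # sockets, their states and owning PIDs
    # Hash the manifest so later alteration of the copy can be detected.
    sha256sum "$OUTDIR/manifest.txt" > "$OUTDIR/manifest.sha256" 2>/dev/null || :
    return 0
}
```

Tools that are absent from the trusted directory and from the host are listed as MISSING in manifest.txt, so the gaps in the snapshot are recorded rather than silently skipped.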
 
Old 06-22-2010, 12:37 PM   #5
ciberrust
Quote:
Originally Posted by TB0ne
What do you expect anyone to be able to tell you from this??? You give NO details at all. Things like version/distro of Linux, your server or hosted server, what you've tried/done, etc. Only hint any of us can give you is to reboot it, and either boot to single-user mode, or via rescue CD, and change your password, if you've forgotten it. Then look at the logs from there.

Provide information, you might get help. Provide nothing, and you'll get just that.
Sorry, my bad... don't get too stressed.
OK,
the distro is Fedora 6 or so, this was not set up by me and it's a server in front of me...
The server has Virtuozzo from Parallels; some of the clients can't access their websites and mail accounts...
I did not change the password, the server got hacked by sarbot511 or some guy like that...

The first time I got to the server it had no video, so I had to restart it.
In the boot process you see errors about log files, fw and so on...
Then it fails to start X, after that I'm able to see the login prompt with no GUI, so when I type root and press enter it won't recognize the user... Just asks for username.
I can boot to single and see the fs, I did a fs check and also set some services to start up automatically, after that it just goes to the process described above and won't let me log in.


Quote:
Originally Posted by Wim Sturkenboom
How do you mean, won't let me type password?

If you're in a console, you will not see the password when you type it (nor something else as in a GUI login).
When I type in root and hit enter it goes back to user, not to type a password.

Quote:
Originally Posted by Hangdog42
If you really think this has been cracked, then pull the network plug on the thing so only you have access. I would not try to either power down or reboot the machine until you've had a chance to do some investigation into how the crack happened. If you must power down, the best way to preserve any incriminating evidence is to simply pull the power plug. If you do that, you'll need to boot from a clean and trusted CD distro.

If you can get information from the machine, log files are worth examining as are the output of some commands:
Code:
lsof -Pwn
ps -axfwwwe
netstat -anpe
There is also the CERT Checklist which is worth going through.

I respectfully disagree. If the machine has been cracked, changing the root password is a pretty futile gesture and rebooting gives the crack the opportunity to cover its tracks.
I did not change the password but I did have to restart it since it had no video, no network, nothing at all...

Last edited by ciberrust; 06-22-2010 at 12:48 PM.
 
Old 06-22-2010, 12:51 PM   #6
TB0ne
Quote:
Originally Posted by ciberrust
Sorry, my bad... don't get too stressed.
OK,
the distro is Fedora 6 or so, this was not set up by me and it's a server in front of me...
The server has Virtuozzo from Parallels; some of the clients can't access their websites and mail accounts...
I did not change the password, the server got hacked by sarbot511 or some guy like that...
Not stressed at all, but puzzled as to how you think ANYONE can answer your question, when you don't bother to provide any details. First, FC6 is ANCIENT. If it's been 'hacked' at all, it's a perfect time to reload it from scratch, and upgrade. Chances are, FC6 is the *REASON* it got hacked, since there have been so many security patches/upgrades. And how do you know the guy's name? What gives you ANY indication that the server has been cracked?? Did you check the system logs? Anything??
Quote:
The first time I got to the server it had no video, so I had to restart it. In the boot process you see errors about log files, fw and so on... Then it fails to start X, after that I'm able to log in with no GUI, so when I type root and press enter it won't recognize the user... Just asks for username. I can boot to single and see the fs, I did a fs check and also set some services to start up automatically, after that it just goes to the process described above and won't let me log in.
So, did you check the errors in the logs? What did they say?? Again, if you want help, PROVIDE DETAILS. And first you say you CAN log in, then you say you can't...which is it??? Do you mean you can log in as a regular user, but not SU? And since you took the server over from someone else, how do you know the password just hasn't been changed by someone?

Do you see any messages about failing hardware in your system logs? At boot time?? Anything happen recently?
 
Old 06-22-2010, 01:03 PM   #7
ciberrust
Quote:
Originally Posted by TB0ne
Not stressed at all, but puzzled as to how you think ANYONE can answer your question, when you don't bother to provide any details. First, FC6 is ANCIENT. If it's been 'hacked' at all, it's a perfect time to reload it from scratch, and upgrade. Chances are, FC6 is the *REASON* it got hacked, since there have been so many security patches/upgrades. And how do you know the guy's name? What gives you ANY indication that the server has been cracked?? Did you check the system logs? Anything??

So, did you check the errors in the logs? What did they say?? Again, if you want help, PROVIDE DETAILS. And first you say you CAN log in, then you say you can't...which is it??? Do you mean you can log in as a regular user, but not SU? And since you took the server over from someone else, how do you know the password just hasn't been changed by someone?

Do you see any messages about failing hardware in your system logs? At boot time?? Anything happen recently?
As I mentioned before, it was my mistake...
Now, here the servers are not fixed or updated or anything until they break...

When I type in root and hit enter it goes back to user, not to type a password.
The index.html, .htm, .php etc. were all changed... by that name.
I can't see the log files because there are none...
I'm only able to "log in" in single mode, that's where I saw the files.
When you are about to log in you type root (or the user name), press enter and then the password, right?
Well, I type in root, hit enter and it goes back to type the user... it won't let me type the password...
 
Old 06-22-2010, 01:42 PM   #8
Hangdog42
Quote:
When I type in root and hit enter it goes back to user, not to type a password.
The index.html, .htm, .php etc. were all changed... by that name.
I can't see the log files because there are none...
I'm only able to "log in" in single mode, that's where I saw the files.
When you are about to log in you type root (or the user name), press enter and then the password, right?
Well, I type in root, hit enter and it goes back to type the user... it won't let me type the password...
OK, so you can boot into single user mode. Does that allow you to log in as root? And for Pete's sake, tell me that this thing no longer has any network access.

If you can, post the results from the commands I gave you in my earlier post. If you want to diagnose what happened, those are a starting point. If you can't get results from those, that may mean resorting to a live CD to diagnose.
 
Old 06-22-2010, 04:13 PM   #9
TB0ne
Quote:
Originally Posted by Hangdog42
I respectfully disagree. If the machine has been cracked, changing the root password is a pretty futile gesture and rebooting gives the crack the opportunity to cover its tracks.
I agree with you, but the only reason I'd do this, is so I could get into the box to assess the damage. And what you say about unplugging the box is great advice too, and I neglected to mention it.
 
Old 06-22-2010, 04:17 PM   #10
TB0ne
Quote:
Originally Posted by ciberrust
As I mentioned before, it was my mistake...
Now, here the servers are not fixed or updated or anything until they break...

When I type in root and hit enter it goes back to user, not to type a password. The index.html, .htm, .php etc. were all changed... by that name.
I can't see the log files because there are none...
I'm only able to "log in" in single mode, that's where I saw the files.
So you can get into the box in single-user? And there are NO log files anywhere? Do you see that user registered in the system (/etc/passwd)? Do you know who it is?
Quote:
When you are about to log in you type root (or the user name), press enter and then the password, right?
Well, I type in root, hit enter and it goes back to type the user... it won't let me type the password...
Again, are you sure you don't have broken hardware? What message(s) come up when the thing is booting? Since it's FC6, it's old, and so then is the hardware. You say the files are 'changed'....how? Defaced? Deleted? Or modified, somehow. Since you took the server over, do you KNOW that someone else isn't also an administrator on the box? That these changes weren't on purpose???
 
Old 06-22-2010, 05:21 PM   #11
unSpawn
To add to what's been said already:
Quote:
Originally Posted by ciberrust
the server got hacked by sarbot511 or some guy like that...
Google for its name and you'll find accounts of break-ins all over the place. Inj3ct0r lists at least one PHP-related web stack vuln it exploited.


Quote:
Originally Posted by ciberrust
The first time I got to the server it had no video, so I had to restart it.
That was a bad move as rebooting removes information one would want.


Quote:
Originally Posted by ciberrust
In the boot process you see errors about log files, fw and so on...
Please be specific about things. A description of errors is not the same as posting exact error messages. The first does not help us help you, the latter might.


Quote:
Originally Posted by ciberrust
Then it fails to start X, after that I'm able to see the login prompt with no GUI, so when I type root and press enter it won't recognize the user... Just asks for username. I can boot to single and see the fs, I did a fs check and also set some services to start up automatically, after that it just goes to the process described above and won't let me log in.
Boot your distribution's installer CD in rescue mode or boot a Live CD like KNOPPIX or HELIX. This will allow you to mount the system read-only, peruse the filesystem and retrieve all system and daemon logs for checking. Do not alter things further by writing to the filesystem.

And please don't mark threads "SOLVED" unless they are. If you solved this all by yourself please add a short account of things.

Last edited by unSpawn; 06-22-2010 at 05:22 PM.
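One way to carry out two of the checks raised above from a rescue or live CD, TB0ne's question whether the unknown user is registered in /etc/passwd and unSpawn's advice to inspect the disk from a read-only mount: an offline audit of the mounted filesystem's account database. This is an added example, not code from the thread or any of its posters; the mount point, the planted passwd and shells contents and the suspect account name are constructed assumptions.

```shell
#!/bin/sh
# Offline audit of etc/passwd on a compromised disk mounted read-only under a
# rescue or live CD (e.g. at an assumed /mnt/sysimage). The audit only reads
# from the mount; it never writes to it.

build_sample_mount() {
    # Constructed stand-in for the read-only mount (not from the thread), with
    # planted entries: a second UID-0 account, an empty password field and a
    # truncated line. Prints the directory it created.
    m=$(mktemp -d)
    mkdir -p "$m/etc"
    cat > "$m/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sarbot511:x:0:0::/tmp:/bin/bash
webadmin::501:501::/home/webadmin:/bin/sh
mysql:x:27:27:MySQL Server:/var/lib/mysql
EOF
    printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$m/etc/shells"
    echo "$m"
}

audit_passwd() {
    # $1 = mount point, $2 = account name to look for. Prints one finding per
    # line: the suspect account, UID-0 accounts other than root, empty password
    # fields, shells absent from etc/shells, malformed lines, a missing root.
    awk -F: -v suspect="$2" -v shellsfile="$1/etc/shells" '
    BEGIN { while ((getline l < shellsfile) > 0) if (l != "" && l !~ /^#/) ok[l] = 1 }
    NF != 7 || $3 !~ /^[0-9]+$/ { print "malformed-line " $0; next }
    $1 == "root"                { seen_root = 1 }
    $1 == suspect               { print "suspect-account " $1 }
    $3 == 0 && $1 != "root"     { print "extra-uid0 " $1 }
    $2 == ""                    { print "empty-password " $1 }
    !($7 in ok)                 { print "unknown-shell " $1 ":" $7 }
    END { if (!seen_root) print "missing-root" }
    ' "$1/etc/passwd"
}
```

On a real rescue-CD session replace the constructed directory with the read-only mount point and compare the findings against what the previous administrator says the box should contain.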
 
Old 07-07-2010, 11:21 AM   #12
abefroman
Did the main server get hacked, or just your VPS?

If it's just your VPS you probably can't unplug it or look at it from a live CD.

You probably want to have Parallels make a clone of your VPS and have them send that to you for analysis, or pay them to analyse it.

If the hacker changed your root password he had root access, so you need to find how he got in, i.e. through a PHP exploit, and then another exploit to get root.

Find out how to correct that, then have Parallels recreate a fresh VPS for you and restore user level data, ensuring you are not restoring any compromised files or the files exploited in the attack.