Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I have a CentOS server with about 10 virtual hosts configured with Apache.
A few days ago, I realised my server has been compromised and a phishing page had been hidden in some of the website root directories. I deleted them, updated Plesk, and changed all my passwords (SSH, FTP, ...). I do not have any WordPress or other scripts like this: the websites are plain HTML files or based on my own PHP framework. But the phishing scripts keep coming back, and I have no idea how to work out where they are coming from.
I can't even find my FTP log files, and when I check my Apache logs, there are so many lines that I don't really know what to look for...
Could you give me some guidance on what I should do? For the moment, I have configured a cron task to remove the files every minute, but of course that's not a long-term solution. I'd like to understand how those files keep being created. I'm also afraid that those hackers could eventually do far more damage than that.
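The original poster's cron job deletes the files every minute, which destroys the evidence needed to find out how they arrive. The following is an added example, not code from the thread: it keeps a checksum baseline of a web root (stored outside the document root) and reports files that are new or changed since the baseline, with their modification time, so the timestamp can be matched against the server logs. The directory and file names used are constructed for the demo; `stat -c` assumes GNU coreutils, as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): detect files that appear in or change
# under a web root by comparing against a saved sha256 manifest.
# Assumptions: GNU coreutils (sha256sum, stat -c); paths are constructed.

# build_baseline DOCROOT MANIFEST
# Records "sha256  ./path" for every regular file under DOCROOT, in a
# stable (byte-order) sort so the manifest can later be compared with comm.
build_baseline() {
    docroot=$1; manifest=$2
    ( cd "$docroot" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$manifest"
}

# find_unexpected DOCROOT MANIFEST
# Prints one relative path per file whose "hash  path" line is not in the
# manifest: that is, every new file and every file whose content changed.
find_unexpected() {
    docroot=$1; manifest=$2
    current=$(mktemp)
    ( cd "$docroot" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$current"
    # comm -13: lines only in the second (current) file.
    comm -13 "$manifest" "$current" | awk '{print $2}'
    rm -f "$current"
}

# describe_unexpected DOCROOT MANIFEST
# Same as find_unexpected but prefixes each path with its mtime and owner,
# the two values you will want to line up with /var/log/secure and the
# Apache/FTP logs. Evidence is reported, not deleted.
describe_unexpected() {
    docroot=$1; manifest=$2
    find_unexpected "$docroot" "$manifest" | while IFS= read -r rel; do
        stat -c '%y %U %n' "$docroot/$rel"
    done
}

# Demo on a constructed web root (only runs when the script is executed directly).
if [ "${DEMO:-0}" = 1 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/root/site1"
    echo '<html>ok</html>' > "$demo/root/site1/index.html"
    build_baseline "$demo/root" "$demo/manifest"
    echo '<form>constructed phishing page</form>' > "$demo/root/site1/login.php"
    describe_unexpected "$demo/root" "$demo/manifest"
    rm -rf "$demo"
fi
```

Run it with `DEMO=1 sh script.sh` to see the sample output; on a real host, call `build_baseline /var/www/vhosts/example /root/baseline-example.txt` right after cleaning a site and run `describe_unexpected` from cron instead of `rm`, so each reappearance is logged with a timestamp you can search for in the logs.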
Hi,
you can take a look at /var/log/secure.
There is a lot of information about access to your server in this file.
Virtual hosts? Can anybody access the virtual hosts remotely? Some virtual machines have this configuration option.
Every virtual host must be secured, not only the real server (passwords, etc.).
What software do you use? proftp?
Sorry, but I don't know of more options at this moment with this information.
Looking at /var/log/secure and /var/log/messages, I realised they were accessing my server via an old FTP account I had created months ago. I used it with the www.net2ftp.com web-based FTP service. They probably stole the credentials through it.
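The answer came from /var/log/secure, which on a CentOS/Plesk host receives the FTP daemon's login messages via syslog. The following is an added example, not code from the thread, showing how to reduce that file to a per-account, per-IP count of successful FTP logins and how to pull the lines for the minute in which a suspicious file was written. The log lines are constructed and follow the proftpd message format; the regular expressions are an assumption to adjust for whatever FTP daemon the host actually runs.

```shell
#!/bin/sh
# Added example (not from the thread): triage /var/log/secure for FTP logins.
# Assumption: proftpd logging "... - USER name: Login successful." lines.

# write_sample_log PATH
# Writes a constructed extract of /var/log/secure for the demo and the test.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 12 03:14:07 web1 proftpd[2201]: web1 (203.0.113.5[203.0.113.5]) - USER olduser: Login successful.
Jun 12 03:14:09 web1 proftpd[2201]: web1 (203.0.113.5[203.0.113.5]) - FTP session closed.
Jun 12 03:52:41 web1 proftpd[2377]: web1 (203.0.113.5[203.0.113.5]) - USER olduser: Login successful.
Jun 12 09:02:13 web1 sshd[2801]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
Jun 12 11:30:55 web1 proftpd[3102]: web1 (198.51.100.20[198.51.100.20]) - USER site2: Login successful.
Jun 12 13:14:02 web1 proftpd[3419]: web1 (203.0.113.5[203.0.113.5]) - USER olduser: Login successful.
EOF
}

# ftp_login_summary LOGFILE
# Prints "count user ip" for successful FTP logins, most frequent first.
# An account you no longer recognise, or one logging in from a single
# unfamiliar address at odd hours, is the thing to look for.
ftp_login_summary() {
    grep 'proftpd\[.*USER .*: Login successful' "$1" \
    | sed -n 's/.*(\([^[]*\)\[\([^]]*\)\]) - USER \([^:]*\): Login successful.*/\3 \2/p' \
    | LC_ALL=C sort | uniq -c | sort -rn \
    | awk '{print $1, $2, $3}'
}

# events_at_minute LOGFILE "Mon DD HH:MM"
# Prints every log line stamped within the given minute, i.e. the minute
# reported as mtime for a file that appeared in the web root.
events_at_minute() {
    grep "^$2" "$1"
}

# Demo (only when run directly with DEMO=1).
if [ "${DEMO:-0}" = 1 ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo '== successful FTP logins by account and source =='
    ftp_login_summary "$log"
    echo '== events in the minute a file was written =='
    events_at_minute "$log" 'Jun 12 03:14'
    rm -f "$log"
fi
```

On the real host, replace the sample file with `/var/log/secure` (and the rotated `/var/log/secure-*` files, since the first upload may predate the current file) and feed `events_at_minute` the mtime reported for each phishing file; a login for a forgotten account immediately before each file appears is exactly the pattern the original poster found.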
Only use that switch if you know that the utils are in a clean condition, and the only time that you know that is when the software has just been installed and no one has had a chance to introduce 'fixed-up' (hacked) versions (and many people don't absolutely know that, but in your particular case you have very, very good reasons for doubting it).
Well, unless you re-install, of course. Then you've got a clean situation.