How were you hacked?
Who is your host?
Ask for definitive proof – I doubt you will get it.
Thread Starter
kapsat
(@kapsat)
Well… see, that is part of the problem.
I am getting conflicting information. First they told me it was the xmlrpc.php on my XOOPS site, and when I asked for the part of the log file that shows that info they sent me a part of the log that showed a WordPress site xmlrpc file.
Then they say that the times match the hack times. So I have reminded them about the original statement they made about the XOOPS site and I am waiting on their response.
The host is Servint, and for the past few weeks this has been going on. The hacker uploads files and does a DoS attack on other sites. Well, since this has started I have been patching some things up.
Today I was watching my root temp closely and noticed a huge number of files come from nowhere. I called the host and they stopped it, and that is when they started looking at log files.
I use mod_security to block xmlrpc.php requests by default, and only allow access using a bypass ruleset after a request is made, specific to the user’s site. I use it to audit (in real time) blocked xmlrpc.php requests to gather live data: the actual request, which may contain clues as to the type of strings that are being piped to it, and/or how often and where the requests are coming from. It helps quite a bit, but then again, not all hosts want to use mod_security or even consider it.
Why should I allow the file to be exploited in the open when I can force a “412: Precondition Failed” HTTP response?
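The block-by-default scheme described in the post above, written out as an added example for Apache with ModSecurity 2.x. This is not the poster's own ruleset; the rule id (1000100), the allow-listed client address (203.0.113.10) and the customer hostname are constructed placeholders, and the per-site bypass is done with SecRuleRemoveById inside that site's VirtualHost.

```apache
# Added example, not from the thread. Requires Apache httpd with mod_security 2.x.
SecRuleEngine On
# Needed so the audit log can capture the XML-RPC POST body.
SecRequestBodyAccess On

# Audit only requests that were actually blocked with 412, and include the
# request body (part C) so the XML-RPC method names being sent are visible.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^412$"
SecAuditLogParts ABCFHZ
SecAuditLog /var/log/modsec_audit.log

# Default policy: any request for xmlrpc.php gets "412 Precondition Failed"
# unless it comes from an allow-listed client. In a chain, the deny action of
# the first rule only fires when every chained rule also matches, so the
# negated ipMatch below is the exemption.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1000100,\
    phase:1,\
    deny,\
    status:412,\
    log,\
    msg:'xmlrpc.php blocked by default',\
    tag:'xmlrpc',\
    chain"
    SecRule REMOTE_ADDR "!@ipMatch 203.0.113.10"

# Per-site bypass: a customer who actually needs XML-RPC gets the block rule
# removed only inside their own VirtualHost. The hostname is a placeholder.
<VirtualHost *:80>
    ServerName example-customer.invalid
    DocumentRoot /var/www/example-customer
    SecRuleRemoveById 1000100
</VirtualHost>
```

Requests for xmlrpc.php on every other site are refused before any script runs, while the 412 entries in the audit log give the per-source-address volume and the request bodies that the poster describes using to see what is being piped to the file.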
“Today I was watching my root temp closely and noticed a huge number of files come from nowhere. I called the host and they stopped it, and that is when they started looking at log files.”
Sounds like an attack from WITHIN the server, which should be the job of your host to guard against, not just stop, and certainly not blame on an innocent script simply because their tech support don’t have a clue between them.
I would start looking for a host that knows the meaning of the word ‘security’.
Thread Starter
kapsat
(@kapsat)
Yeah, I was thinking the same thing… Today I brought that up… I asked them if I could talk to their security team and they told me they don’t have one.
I am very disappointed; I thought I was happy with this host.
BTW: I just received a reply back and now they are saying it is the “xoops site that has xmlrpc files which were used for the hack”. But again, I don’t think they have a clue.
I am checking into mod_security, but it is a little over my head… So I will need to find some help for that… I don’t think my “current” host will be much help at all.
Any suggestions on a “GOOD, reliable and security-supportive” host? I don’t look for cheap… been down that road before.