Web server protection
Here's what happened to me: while I was on holiday, Google found "some malware" on a site I run from my own server and immediately threw the site into quarantine. It told people I was infected, etc... Basically, somewhere on the site ("I don't know exactly where") an iframe with a URL to an "infected site" appeared, and that was it.
The problem is that I can't really tell whether the problem was on the web side or directly on the server. Right now I no longer have the malware. It could also have come from an SEO service, automaticbacklinks.com, but I'm still checking that with them.
Any advice on how to avoid similar attempts and beginner security mistakes? :)
The server runs at my place (a home server), I manage it myself, and getting at the logs is no problem. So which logs would be the interesting ones?
/log/apache2/access.log
/log/apache2/error.log
/log/apache2/other_vhost_access.log
/log/syslog
It probably also wouldn't hurt to check whether anyone logged in to the server (since for SSH I allowed connections from anywhere, because of the holiday), but I have no idea where to look for that.
2. Does root have the same password as your user?
3. A plugin could have been compromised.
4. I don't know what your site's traffic is like; I'd rather search the access log for something with upload.
2: no, mostly not, but I access it as root. I know, I'm making a mistake...
3: I have maybe 2-3 plugins, I try to keep that to a minimum
4: traffic is about 15-20 uniques, nothing much... just a hobby (I'm a beginner :)) ), and in which one? Shouldn't I also look at something like aptitude and apt-get?
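An added example, not posted in the thread, for the two open questions above: where SSH logins turn up, and how to pull the write requests out of access.log as the "upload" advice suggests. The log excerpts are constructed for the demo; on the real server the functions would be pointed at /var/log/auth.log (assumed Debian-style logging) and /var/log/apache2/access.log.

```shell
#!/bin/sh
# Added example, not from the thread: a first pass over the logs named above.
# Log excerpts are constructed for the demo; on the real server point the functions
# at /var/log/auth.log (SSH, Debian-style) and /var/log/apache2/access.log.

# Accepted SSH logins (who got in, from where) and failed attempts (brute force).
ssh_accepted() { grep -E 'sshd\[[0-9]+\]: Accepted ' "$1"; }
ssh_failed()   { grep -E 'sshd\[[0-9]+\]: Failed ' "$1"; }

# Source IPs behind the failed SSH logins, most attempts first.
ssh_failed_sources() {
    ssh_failed "$1" | sed -E 's/.* from ([0-9.]+) port .*/\1/' | sort | uniq -c | sort -rn
}

# Apache access.log: write requests (POST/PUT) plus anything mentioning "upload",
# the place to look on a low-traffic site for a file being planted.
apache_writes() { grep -Ei '"(POST|PUT) |upload' "$1"; }

# Constructed sample logs (RFC 5737 test addresses) for a stand-alone run.
write_samples() {
    cat > "$1/auth.log" <<'EOF'
Aug  2 03:12:01 srv sshd[2211]: Failed password for root from 198.51.100.7 port 51020 ssh2
Aug  2 03:12:04 srv sshd[2211]: Failed password for root from 198.51.100.7 port 51020 ssh2
Aug  2 03:12:09 srv sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Aug  2 08:40:13 srv sshd[2300]: Accepted publickey for root from 192.0.2.10 port 50233 ssh2
EOF
    cat > "$1/access.log" <<'EOF'
192.0.2.55 - - [02/Aug/2012:10:01:12 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Aug/2012:10:02:40 +0200] "POST /plugin/upload.php HTTP/1.1" 200 312 "-" "curl/7.21"
192.0.2.55 - - [02/Aug/2012:10:03:01 +0200] "GET /galeria/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: print the three views over the sample logs.
main() {
    tmp=$(mktemp -d) && write_samples "$tmp"
    echo "== accepted SSH logins";  ssh_accepted "$tmp/auth.log"
    echo "== failed SSH sources";   ssh_failed_sources "$tmp/auth.log"
    echo "== write requests";       apache_writes "$tmp/access.log"
    rm -r "$tmp"
}
case ${1:-} in run) main ;; esac
```

Run it as `sh triage.sh run`; an accepted login from an address you do not recognise, or a POST to a plugin upload script from the same address that was hammering SSH, is what to chase first.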
tar: Removing leading `/' from member names
/var/www/
In the crontab it looks like this:
mysqldump -u uzivatel -heslo --all-databases | gzip > /disk1/zaloha/database_`date '+%m-%d-%Y'`.sql.gz
mysqldump -u uzivatel -heslo webforgym | gzip > /disk1/zaloha/webforgym_`date '+%m-%d-%Y'`.sql.gz
tar -cvf /disk1/zaloha/`date '+%m-%d-%Y'`-zaloha_webu.gz /var/www
Is there some reason why I should be getting an e-mail about 10 times a day about something that is done once a day? :)
I have no problem pasting it, here too: www.forgym.eu, I suppose I have nothing to be ashamed of...:)
Hi
Unfortunately attackers managed to gain access to edit one of the files on our link server, injecting a common malware exploit via means of an iframe pointing to another site. As this happened outside of our normal working hours, with links still being served alongside this malicious content, we were not notified of the issue until a few hours later. This means that any requests for new links made during this time period brought with them this exploited code, which may have caused warnings on your site from some anti-virus systems. From our investigation there is nothing that indicates that the hackers have in any way been able to utilize our link display code to directly infect our users’ sites; our link server was pushing the iframe code directly to our users’ servers as if it were normal links.
We have since located and addressed the exploited code and we are working to locate the source of the attack and tighten security to ensure it does not happen again.
In the meantime, we recommend that you completely delete your cache folder to make certain that your site is no longer displaying the malware. Your link cache is typically a folder located in the root of your site and is called “automaticbacklinks_cache”. If your site uses additional caching systems, such as Wordpress, Joomla or Drupal built-in output caching, you will also need to purge this cache. We will additionally be refreshing all displayed links to purge out any remaining issues from our members sites.
If you were unfortunate enough to have had the malicious code displayed on your site and also to have had your site crawled by Google during this time you may need to consult this page for more information: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328
While we have yet to see any direct evidence of the attackers having accessed our databases, there is a possibility that the intruders gained access to our main database containing information such as user names, hashed and salted passwords and PayPal e-mail addresses.
As we do not store user passwords in plaintext or store any PayPal passwords or credit card details ourselves, there is little risk of authentication or financial data being misused; however, it is good practice to use long, strong passwords, change them frequently and not reuse the same password for several sites/services, and we recommend that you carry out this practice if you do not already.
The investigation into this issue is ongoing: we treat this incident very seriously and are currently investigating its origin and will hand any relevant information over to the authorities.
We are deeply sorry for any inconvenience this may have caused you and are doing everything in our power to guarantee that something like this will not happen again.
Regards
Helen
And one more little thing I need advice on:
I quite often get an e-mail with the content
tar: Removing leading `/' from member names
ever since I put this in cron:
*/30 */3 * * * root sh ~/backup.sh
and backup.sh is:
tar -cvf /disk1/zaloha/`date '+%m-%d-%Y'`-zaloha_webu.gz /var/www
Is there a way I could stop those e-mails? They're pretty annoying,... plus they eat into my SMTP limit :-/
Well, I'd rather cd into /var/www and back up everything from the current directory. So like this:
That message means tar drops the leading slash from the file paths in the archive. It's so you don't accidentally screw something up on another system where you unpack it into a different directory without using the -C parameter. You don't want to know how many people got screwed that way before eliminating that slip was made law as a safety measure.
tar: disk1/zaloha/08-02-2012-zaloha_webu.gz: Cannot open: No such file or directory
and the same thing even when I leave out the other folder that is supposed to be compressed.
So is there some other way to prevent those e-mails?
MAILTO=""
But I wouldn't delete that MAILTO. Some things need to get from the scheduler into mail.
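An added example, not the thread's own backup.sh: the backup rewritten so that it follows the "back up from inside /var/www" advice (via tar's -C, so no leading slash and no warning), actually gzips, and sends nothing to stdout or stderr unless it fails, so MAILTO can stay set and cron only mails on errors. The /var/www and /disk1/zaloha paths are the thread's; the log file path and the 03:00 schedule are assumptions. Note that the `*/30 */3` schedule in the thread fires twice in every third hour, which is where the many e-mails per day come from.

```shell
#!/bin/sh
# Added example, not the thread's own backup.sh: the same backup, written so that
# cron mails only on failure while MAILTO stays set. Paths /var/www and
# /disk1/zaloha come from the thread; the log file path is an assumption.
set -u

# Archive directory $1 into $2/<mm-dd-yyyy>-zaloha_webu.tar.gz, logging to $3.
# - "-C $src ." archives relative paths (the "cd into /var/www" advice above),
#   so tar has no leading "/" to strip and prints no warning.
# - -z really gzips; the original used -cvf with a .gz name, i.e. no compression.
# - no -v: the per-file listing was the bulk of the cron mail and is not needed.
backup_web() {
    src=$1; dest=$2; log=${3:-/var/log/backup_webu.log}
    out="$dest/$(date '+%m-%d-%Y')-zaloha_webu.tar.gz"
    [ -d "$dest" ] || mkdir -p "$dest" || return 1
    if tar -czf "$out" -C "$src" . 2>>"$log"; then
        echo "$(date '+%F %T') OK $out" >>"$log"
        return 0
    fi
    # Only on failure does anything reach stdout/stderr, and so cron's mail.
    echo "backup of $src to $out FAILED, see $log" >&2
    return 1
}

# Member listing of an archive, used to check that names are relative.
archive_members() { tar -tzf "$1"; }

# Stand-alone run with the thread's paths; cron line (assumed once daily at 03:00):
#   0 3 * * * root sh /root/backup.sh run
case ${1:-} in run) backup_web /var/www /disk1/zaloha ;; esac
```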