
Smart hackers on my server! Help!

  • 17-09-2007 7:02pm
    #1
    Registered Users, Registered Users 2 Posts: 103 ✭✭


    So I don't know how they did it, or what they were trying to do.

    I checked my server logs and saw that somebody tried to trick my server into port scanning my IP using PHProxy.

    I went on to figure out who this was and it was my server's IP address.

    I'm on a shared server with shared IP addresses.

    I contacted the admin of the server about this.

    My question is: how did they use my own server IP to connect to a proxy on that server, then use that proxy to port scan my IP, and where did they get my IP?

    thanks


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's a serious question. :)

    The answer is: There are a hundred ways to do it. Your server's IP may be shared among many websites, for example. The server admin should be much better able to track down how this happened.


  • Registered Users, Registered Users 2 Posts: 103 ✭✭tjsniper


    Ya, I know how they got the server's IP, but they used my own site to port scan my home PC!

    The guy who owns the server is a friend of mine.

    I informed him and he doesn't know what to do.

    He's just told everybody to change the passwords.

    I took down the CGI proxy and configured my server so that whenever there's a connection it runs a script that will email me the IP, whois and tracert at the time, as much info as I can get.

    It seems crazy, hackers using your own site to port scan you.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's an easy one....he would have gotten your home IP from the server logs. You log into the server from your home IP, that IP is logged, anyone with root access on the box can then see that IP.

    I presume the server box is Linux or some other Unix?

    Changing your passwords is probably not gonna cut it tbh.


  • Registered Users, Registered Users 2 Posts: 7,541 ✭✭✭irlrobins


    Agreed. I'd take the server offline, back up data and wipe. Then reinstall and ensure all patches are installed. You'd have to be careful that when you reimport the data you're not reintroducing anything bad (such as viruses, scripts, etc.) created by the hack.


  • Registered Users, Registered Users 2 Posts: 103 ✭✭tjsniper


    Admin reformatted, and got a lot of complaints from customers!

    But hackers attack again, here's a log:

    Host: 69.61.33.250

    * /proxy/connect.php?address=66.249.72.43&port=80
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=2350
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=3124
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=2301
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=2344
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=2621
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=50050&debug=1
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=3128
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=8000
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=6588
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=66.249.72.43&port=8080
      Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=86.40.203.97&port=80
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=8080
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=50050
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=3124
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=2344
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=3128
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=2350&debug=1
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=6588
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=8000
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=2301
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

    * /proxy/connect.php?address=<my ip removed>&port=2621
      Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
      Referer: -
      Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)



    /proxy is removed by me!
    But the host is still my server's IP.

    Any help or ideas??
    Anybody have a clue how they got into the server?

    thanks a million!


  • Registered Users, Registered Users 2 Posts: 103 ✭✭tjsniper


    UPDATE!

    They've now started attacking my users' IPs.
    I just noticed when I posted the log!
    In the log they're attacking me and Googlebot!

    OK, this is turning out bad, I need help very bad!

    This hacker is serious.
    Is there anybody I can turn to for hack attempts? Like a PC garda, if you know what I mean.

    thanks


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    .....

    Just a quick note: the IP listed in the logs is from Google...

    crawl-66-249-72-43.googlebot.com [66.249.72.43]

    Try adding a robots.txt file.

    http://www.searchtools.com/robots/robots-txt.html
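The log posted earlier in the thread can be triaged by grouping the relay attempts per target address. This is an added example, not code from any poster in the thread; it assumes the two-line record layout shown in that log, and `PROXY_PORTS` and the 203.0.113.7 placeholder address are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the two-line record format of the log posted above.
# 203.0.113.7 is a documentation address standing in for the redacted home IP.
SAMPLE_LOG = """\
/proxy/connect.php?address=66.249.72.43&port=3128
Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
/proxy/connect.php?address=66.249.72.43&port=50050&debug=1
Http Code: 404 Date: Sep 19 12:19:51 Http Version: HTTP/1.0 Size in Bytes: -
/proxy/connect.php?address=203.0.113.7&port=8080
Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
/proxy/connect.php?address=203.0.113.7&port=6588
Http Code: 404 Date: Sep 19 13:11:01 Http Version: HTTP/1.0 Size in Bytes: -
"""

STATUS_RE = re.compile(r"Http Code: (\d{3}) Date: (\w{3} +\d+ [\d:]+)")
# Assumption: ports that open HTTP proxies commonly listen on.
PROXY_PORTS = {80, 3128, 6588, 8000, 8080}

def parse_records(text):
    """Yield (target, port, status, timestamp) for each relay attempt."""
    pending = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/proxy/connect.php?"):
            q = parse_qs(urlsplit(line).query)
            port = q.get("port", [""])[0]
            pending = (q.get("address", ["?"])[0], int(port)) if port.isdigit() else None
        elif pending and (m := STATUS_RE.search(line)):
            yield (*pending, int(m.group(1)), m.group(2))
            pending = None

def summarize(text, min_ports=2):
    """Per target: ports tried, same-second burst flag, relayed (status < 400 seen)."""
    seen = defaultdict(lambda: {"ports": set(), "codes": set(), "times": set()})
    for target, port, code, ts in parse_records(text):
        for key, value in (("ports", port), ("codes", code), ("times", ts)):
            seen[target][key].add(value)
    return {
        target: {
            "ports": sorted(d["ports"]),
            "proxy_ports": sorted(d["ports"] & PROXY_PORTS),
            "burst": len(d["ports"]) >= min_ports and len(d["times"]) == 1,
            "relayed": any(c < 400 for c in d["codes"]),
        }
        for target, d in seen.items()
    }

print(summarize(SAMPLE_LOG))
```

When `relayed` is False for every target, as with the all-404 records here, connect.php was not found and the web server did not run it for those requests.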

