Possible solutions of your questions

hosting
The site does not work

Question: Good day, https://*.*.* stopped working. Please urgently fix the problem.
Answer:

Hello,

Your server is seriously compromised. An attack with a volume of more than *** MB was carried out from your server. Please specify whom you gave access to your server. Have you created a backup to FTP or to the cloud? You will probably have to move the website to a new server.

Question: Please provide the server logs, etc. Access was provided to us, and we did work on the software part of the website, but yesterday it still worked. Today the site is not working. We need to sort out this problem together!
Question: Start the server.
Answer:

Please specify which logs you need. Who besides you had access to the server? You had a virus running processes, and an attack of more than *** MB was carried out from the server. If we turn the server on and the attack resumes, the data centre will block the IP and access will be lost completely. Have you created a backup to FTP or to the cloud?

Question: Unfortunately, no, there are no backups. We can send requests: the server runs a parser, and yesterday it was fixed and launched. Perhaps the number of requests per second is too large? Please start the server so that we can disable the parser and reduce the number of requests. We assume this is the cause. We assume it is not malicious code or hacking, but you need to check.
Answer:

*** MB!!! Those are not GET requests.

Many processes with names like gfgftf, tdrydrtftf and similar were running on the server as root. The server was virtually inaccessible because of the outgoing attack. This is a serious violation. We are now trying to bring the server up without network access so that at least something can be done. If we turn the server on and the attack resumes, that is it: the IP will be blocked.

In the meantime, generate an SSH key and check your computer for viruses. Did you have simple passwords?

Answer:

We understand the seriousness of the problem and are handling your case so as to restore the site as quickly as possible. But the situation is very serious. The best solution would be to move the site to a new, clean server.

Question: The password was the one provided by the customer; we cannot generate a new one * because the server is now completely switched off. There are no viruses on our computers, since we maintain hundreds of sites and none of them has any problems. We also use licensed antivirus and check the computers weekly for viruses, etc.
Answer:

Here are the processes on your server:


PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
**** root ** * ***** *** *** S ***.* *.* *:**.** mvmqcqkibk
**** root ** * ***** *** *** S *.* *.* *:**.** vzctl
**** root ** * ***** **** *** S *.* *.* *:**.** ioxfpkpdmq
* root ** * ***** **** **** S *.* *.* *:**.** init
* root ** * * * * S *.* *.* *:**.** ****
* root ** * * * * S *.* *.* *:**.** ****
*** root ** -* ***** *** *** S *.* *.* *:**.** udevd
*** root ** * ***m **** **** S *.* *.* *:**.** rsyslogd
*** dbus ** * ***** *** *** S *.* *.* *:**.** dbus-daemon
*** root ** * ***** **** *** S *.* *.* *:**.** sshd
*** root ** * ***** *** *** S *.* *.* *:**.** xinetd
*** root ** * ***** **** **** S *.* *.* *:**.** mysqld_safe
**** mysql ** * ****m ***m **** S *.* *.* *:**.** mysqld
**** root ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** **** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** bitrix ** * ***m **** *** S *.* *.* *:**.** nginx
**** root ** * ***** **** *** S *.* *.* *:**.** crond
**** root ** * ****m **m **m S *.* *.* *:**.** httpd
**** bitrix ** * ****m **m **m S *.* *.* *:**.** httpd
**** bitrix ** * ****m **m **m S *.* *.* *:**.** httpd
**** bitrix ** * ****m **m **m S *.* *.* *:**.** httpd
**** bitrix ** * ****m **m **m S *.* *.* *:**.** httpd
**** bitrix ** * ****m **m **m S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** bitrix ** * ****m **** *** S *.* *.* *:**.** httpd
**** root ** * **** *** *** S *.* *.* *:**.** mingetty
**** root ** * **** *** *** S *.* *.* *:**.** mingetty
**** root ** * ***** **** **** S *.* *.* *:**.** bash
**** root ** * ***** **** **** S *.* *.* *:**.** mc
**** root ** * ***** **** **** S *.* *.* *:**.** bash
**** root ** * ***** *** *** S *.* *.* *:**.** ooqicjtkj
**** root ** * ***** **** **** R *.* *.* *:**.** top
**** root ** * **** *** *** S *.* *.* *:**.** ochthzrxas
**** root ** * **** *** *** S *.* *.* *:**.** ochthzrxas
**** root ** * **** *** *** S *.* *.* *:**.** ochthzrxas
**** root ** * **** *** *** S *.* *.* *:**.** ochthzrxas
**** root ** * **** *** *** S *.* *.* *:**.** ochthzrxas
**** root ** * **** *** *** S *.* *.* *:**.** qykpxwtnjhgnm

 

And here is what is enabled at startup:

# /*chkconfig --list
bvat *:off *:off *:on *:on *:on *:on *:off
crond *:off *:off *:on *:on *:on *:on *:off
httpd *:off *:off *:on *:on *:on *:on *:off
iptables *:off *:off *:on *:on *:on *:on *:off
jktjciqoo *:off *:on *:on *:on *:on *:on *:off
messagebus *:off *:off *:on *:on *:on *:on *:off
modules_dep *:off *:off *:on *:on *:on *:on *:off
munin-node *:off *:off *:off *:off *:off *:off *:off
mvmqcqkibk *:off *:on *:on *:on *:on *:on *:off
mysqld *:off *:off *:on *:on *:on *:on *:off
netconsole *:off *:off *:off *:off *:off *:off *:off
netfs *:off *:off *:off *:off *:on *:on *:off
network *:off *:off *:on *:on *:on *:on *:off
nginx *:off *:off *:on *:on *:on *:on *:off
ntpd *:off *:off *:on *:on *:on *:on *:off
ntpdate *:off *:off *:off *:off *:off *:off *:off
qmdpkpfxoi *:off *:on *:on *:on *:on *:on *:off
quota_nld *:off *:off *:off *:off *:off *:off *:off
rdisc *:off *:off *:off *:off *:off *:off *:off
restorecond *:off *:off *:off *:off *:off *:off *:off
rsyslog *:off *:off *:on *:on *:on *:on *:off
sshd *:off *:off *:on *:on *:on *:on *:off
stunnel *:off *:off *:on *:on *:on *:on *:off
sysstat *:off *:on *:on *:on *:on *:on *:off
udev-post *:off *:on *:on *:off *:on *:on *:off
xinetd *:off *:off *:off *:on *:on *:on *:off

There is a virus on the server. The network must not be enabled under any circumstances!

We can back up the files and the database and create a new server where you can restore them. If Bitrix has a console command to create a backup, we can run it to save time on the transfer. But this server is very badly infected.
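The listings above show the two indicators the support engineer relied on: root processes with random-looking names, and init scripts with those same names switched on from runlevel 1 upward. As an added example that is not part of the original ticket, the Python script below parses pasted top and chkconfig --list output and flags root processes and boot-time services that fall outside an assumed baseline for this kind of Bitrix host. The baseline sets, the sample listings (constructed, with made-up PIDs and numbers) and the random-name heuristic are assumptions for illustration; the heuristic only annotates names that are already outside the baseline, since legitimate names such as rsyslogd would match it too.

```python
import re

# Assumed baseline of daemons expected on a CentOS-style Bitrix web host
# (nginx in front of httpd, MySQL, cron, sshd, xinetd). Anything else
# running as root is worth a look. These sets are illustrative, not
# taken from the ticket.
BASELINE_PROCS = {
    "init", "udevd", "rsyslogd", "dbus-daemon", "sshd", "xinetd", "mysqld_safe",
    "mysqld", "nginx", "crond", "httpd", "mingetty", "bash", "mc", "top", "vzctl",
}
BASELINE_SERVICES = {
    "bvat", "crond", "httpd", "iptables", "messagebus", "modules_dep",
    "munin-node", "mysqld", "netconsole", "netfs", "network", "nginx", "ntpd",
    "ntpdate", "quota_nld", "rdisc", "restorecond", "rsyslog", "sshd",
    "stunnel", "sysstat", "udev-post", "xinetd",
}

_CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def looks_random(name):
    """Heuristic for machine-generated names: 8+ lowercase letters, no
    separators, with a run of four or more consonants. Only used to
    annotate names that are already outside the baseline; a legitimate
    name such as 'rsyslogd' would match as well."""
    return (len(name) >= 8 and name.isalpha() and name.islower()
            and _CONSONANT_RUN.search(name) is not None)


def parse_top(text):
    """Return (pid, user, state, command) tuples from a pasted 'top' table.
    Header and summary lines are skipped because their first field is not a PID."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 12 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[7], parts[11]))
    return rows


def suspicious_processes(text, baseline=BASELINE_PROCS):
    """Root processes whose command name is not in the baseline."""
    return [
        {"pid": pid, "cmd": cmd, "state": state, "random_name": looks_random(cmd)}
        for pid, user, state, cmd in parse_top(text)
        if user == "root" and cmd not in baseline
    ]


def parse_chkconfig(text):
    """Return {service: set of runlevels in which it is 'on'}."""
    services = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        services[parts[0]] = {int(p[0]) for p in parts[1:] if p.endswith(":on")}
    return services


def suspicious_services(text, baseline=BASELINE_SERVICES):
    """Boot-time services not in the baseline that are enabled in any runlevel."""
    return [
        {"service": name, "runlevels": sorted(levels), "random_name": looks_random(name)}
        for name, levels in parse_chkconfig(text).items()
        if name not in baseline and levels
    ]


# Constructed sample listings in the same layout as the ticket; PIDs and
# numbers are made up, the command and service names mirror the ticket.
SAMPLE_TOP = """\
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 1827 root      20   0 13140  924  708 S 98.5  0.1   3:41.02 mvmqcqkibk
 2034 root      20   0 11400 1120  836 S  0.0  0.1   0:00.03 ioxfpkpdmq
    1 root      20   0 19232 1468 1196 S  0.0  0.1   0:01.10 init
  612 root      20   0 66592 1204  620 S  0.0  0.1   0:00.12 sshd
  980 bitrix    20   0  112m 4180 1448 S  0.0  0.4   0:00.80 nginx
 2210 root      20   0  5572  640  512 S  0.0  0.0   0:00.00 ochthzrxas
 2301 root      20   0 15032 1188  884 R  0.3  0.1   0:00.05 top
"""

SAMPLE_CHKCONFIG = """\
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
jktjciqoo      0:off 1:on  2:on  3:on  4:on  5:on  6:off
munin-node     0:off 1:off 2:off 3:off 4:off 5:off 6:off
mvmqcqkibk     0:off 1:on  2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
"""

if __name__ == "__main__":
    for p in suspicious_processes(SAMPLE_TOP):
        print("process", p)
    for s in suspicious_services(SAMPLE_CHKCONFIG):
        print("service", s)
```

Run stand-alone it prints the three random-named root processes and the two unknown init scripts from the sample. On a real host the next step is to resolve each flagged PID to its binary through /proc/<pid>/exe and each flagged service to /etc/init.d/<name>, and to preserve both before anything is removed; as the engineer in the ticket did, that is best done with the machine off the network.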

 

 

Question: Why have all the files in the domain folder been deleted!*?
Answer:

Please clarify which "domain folder" you mean.

Question: Let's drop the parser topic; it is on another server entirely. Sorry. But the site still does not work, no changes. We only started connecting today.
Answer:

We can now provide you with the files and the database and set up a new server. Your server is still being examined, but it is very heavily infected and not worth the risk of using.

Answer:

Is your website on Bitrix?

Answer:

Unfortunately, we do not see any backups on the site. Please clarify where you make backups: to FTP or to the cloud?

Question: Yes, the website is on Bitrix. Please provide a backup of the entire site now, the files and the database, everything that is there, so that we can go through all the files. We also need absolutely all server logs for the last couple of days, at least three days, and preferably more. And also, if possible, which IP the infection came from and when it started, for certain.
Answer:

Please wait, the question has been sent to the administrator.

Answer:

We will do the following: we will create a new server for you. You install a blank site on it. Then we will copy your site's files and a database dump. Also, please specify which logs are required. We can copy the whole /*log folder for you.

We want to restrict access to the server immediately, so that access is by key only and on a non-standard SSH port. Either you generate a new key yourself, or tell us and we will set up access for you.

Question: Where do I generate the key?
Answer:

In a Linux terminal the key is generated with:

ssh-keygen -t rsa

cat ~/*id_rsa.pub

 

If you connect using PuTTY:

*******/ how to create a key 

Select RSA
Question: OK, waiting for the new server. And it would probably be better to install a control panel too, ISPmanager I think, preferably version *.
Answer:

Do you want a panel on the server? But you will need to prioritise: the server is optimised for Bitrix, and no panel gives that kind of performance. We have already set up a new server with the Bitrix environment and are transferring the backups. But if you want a panel, we will have to start over. Your website is large, more than ** GB for the site alone.

New IP: **.**.***.**

Waiting for the key.

Question: Then let's restore it, get it up, and decide what to do from there.
Answer:

The fastest way to get the site running on the new server is in the Bitrix environment rather than on a panel. Afterwards you can take a test server and migrate the site to it; that new server you can take with a panel. This seems to us the fastest option, since restoring the site is critical, as we understand.

 

Question: You understood correctly.
Answer:

You can now proceed with installing the site. It is just a setup so that the folders and the database get created. And we are waiting for your key.

Answer:

But wait, don't start the installation. We have almost finished uploading the backups.

Question: Did it work?
Answer:

The files are being copied. The database has been transferred. Waiting for your key.

Question: Just a couple of minutes and we'll send it. Thank you.
Answer:

OK. The files are still being copied.

Question: It is also extremely important to determine the source of the infection: IP addresses, etc., and when. Can you help on your side?
Question: And how do I attach a file here?
Answer:

Send it as text, as output by the program or the terminal.

 

Question: ssh**********/***********************************************************************************************-********
Question: Should I send the username and password here?
Answer:

Please wait, your question is being handled.

Answer:

The username and password have not changed.

The key has been added. SSH port: ***

Question: Have you transferred everything?
Answer:

Almost.

But it is coming to life:

https://**.**.***.**/

Question: It is also extremely important to determine the source of the infection: IP addresses, etc., and when. Can you help on your side? Please provide the full logs for at least * days, and if possible for *.
Answer:

Which "log" are you talking about? We can upload the whole /** folder for you.

Question: /** - please upload it.
Question: Here's what we found: yesterday there was a strange search phrase, https://clip**.*/****, and after it there are no further hits. That looks like the last request, and perhaps the infection came through the search component then.
Answer:

Tell me, did you have a simple password on the bitrix user?

Here is the login log:

root ** 79.***.***.*.ipv Wed Jun * **:** - **:** (**:**)
root ** 79.***.***.*.ipv Tue Jun * **:** - **:** (**:**)
root ** ************.dyn Sat Jun * **:** - **:** (**:**)
root ** ************.dyn Sat Jun * **:** - **:** (**:**)
root ** ************.dyn Thu May ** **:** - **:** (**:**)
root ** ************.dyn Thu May ** **:** - **:** (**:**)
root ** 79.***.***.*.ipv Wed May ** **:** - **:** (**:**)
root ** 79.***.***.*.ipv Tue May ** **:** - **:** (**:**)
bitrix ** 79.***.***.*.ipv Tue May ** **:** - **:** (**:**)

Question: Did you remove the last entries below the * which could have been infected?
Answer:

We gave you the information for analysis. Now we are just setting up the certificates and transferring the domain to the new * . Did you have a good password on the bitrix user, not something like qwerty?

Question: A backup of the site for what?
Answer:

This is not a backup; these are the files and the database of your production site.

Question: When do you plan to complete the transfer? Can we continue checking the website and, if necessary, cleaning and "patching" it?
Answer:

The website has already been copied. What else do you want to transfer?

Question: I mean, when will the website work on the https://*.*.*/ domain? Or do we change the IP address in the domain's DNS?
Answer:

If you point the domain via DNS, specify these nameservers:

ns*.vps-dns.info
ns*.vps-dns.info

If by IP, specify your server's IP:

***.***.***.***

Question: "....*we gave you the information for analysis. now we are just setting up the certificates and transferring the domain to the new * ....." You mean that when this work is finished the website will be available? "Did you have a good password on the bitrix user, not something like qwerty?" Sorry, we only just took over this project for maintenance, and then this happened to the site. So we cannot yet say which passwords were in use before, etc.
Question: So the server's IP address is already the new one, **.**.***.**, isn't it?
Answer:

Sorry, yes, that's right, the new IP is **.**.***.**

Question: Changed http://*.******
Question: Why has http://*.****** now started showing red? Is this normal? If not, please correct it.
Answer:

Don't pay attention to it, it will be corrected soon.

Question: The website still does not respond, even though we have already changed the IP address on the domain https://*.*.*
Answer:

Please run a trace to your domain: Start - Run - enter cmd - in the black window enter tracert YOUR DOMAIN - then click to highlight the output - press Enter - paste it here in the ticket.

If you have difficulty, see the video instructions: http://ded****tracert.htm

Question: http://*.***
Question:

Microsoft Windows [Version *.*.****]
(c) Microsoft Corporation, ****. All rights reserved.

C:\Users\Diana>tracert autoparts.net.ua

Tracing route to autoparts.net.ua [***.***.***.***]
over a maximum of ** hops:

  *     * ms     * ms     * ms  ***.***.*.*
  *     * ms     * ms     * ms  ***.***.*.*
  *     * ms     * ms     * ms  ns.dks.com.ua [***.***.***.*]
  *     * ms     * ms     * ms  bgp-rt.dks.com.ua [***.***.***.*]
  *     * ms     * ms     * ms  **.***.***.***
  *    ** ms    ** ms    ** ms  decix*-gw.hetzner.de [**.**.***.***]
  *    ** ms    ** ms    ** ms  core**.fsn*.hetzner.com [***.***.***.***]
  *    ** ms    ** ms    ** ms  *k*.dc*.fsn*.hetzner.com [***.***.***.***]
  *    ** ms    ** ms    ** ms  static.226.***.***.***.clients.your-server.de [***.***.***.***]
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.
 **     *        *        *     Request timed out.

Trace complete.

C:\Users\Diana>
Answer:

DNS has not updated yet.

Do you have access to the server logs?

Answer:

We noticed that you are not using our DNS.

Then please point the domain to the IP **.**.***.** on your registrar's website.

Question: Access to the server: yes. Please send the link to the old logs. Thank you.
Answer:

All the logs have been uploaded to the folder /*logs

Question: Good day, the DNS for https://*.*.* has been changed. Now it shows "This website cannot provide a secure connection: *.*.* does not meet security standards." Please install the certificate that was on the old server. Thank you.
Answer:

Hello. We are installing the certificate now.

Question: Please install it and notify us when done, so that we can continue working.
Answer:

Have you checked the logs? Did you manage to find anything out?

Answer:

Your root password was hardly guessed, but the bitrix password, if it was similar to the billing password, then yes.

Question: To be honest, all the passwords here were handed over to us, and it is not known what they were. At the moment we have taken over maintenance of the website, and together with the website owner we will take measures regarding password security and the site code. Thank you also for your help in solving this problem. Please install the SSL certificate as soon as possible so that we can finish the work to launch the website and continue with the security analysis.
Answer:

Yes, we just need to take it from the infected machine, very carefully so that the attack does not start again. We have not deleted it, just in case.

Question: Did you manage it?
Question: Maybe it is easier to install a new certificate?
Question: We are willing to pay for a new SSL certificate if it speeds up the restoration of the site.
Answer:

Ready.

*

 

Question: Thank you. We're working on it. We will contact you.
Answer:


Thank you for contacting our support team.
