GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   If a managed server is hacked ... who's at fault? (https://gfy.com/showthread.php?t=647668)

Big John 08-24-2006 10:12 AM

Quote:

Originally Posted by Chris
yeah i thought i was paying to
guess not my backups are gone

also it seems that another box on the same range from them was hacked as well

flaw in their security

so is that still my fault that they didn't patch a managed box?

Where was the flaw in their security? It's quite possible, even probable, that the other hacked site/server was also running a dodgy script. Without details of how the hack happened you can't attribute blame. It remains quite possibly your fault.

Even the backup thing you cannot blame the host for as you get what you pay for. A server with decent backup usually costs just a few more bucks and oddly few people want to pay it.

borked 08-24-2006 10:58 AM

Quote:

Originally Posted by Big John
Where was the flaw in their security? It's quite possible, even probable, that the other hacked site/server was also running a dodgy script. Without details of how the hack happened you can't attribute blame. It remains quite possibly your fault.

Even the backup thing you cannot blame the host for as you get what you pay for. A server with decent backup usually costs just a few more bucks and oddly few people want to pay it.

However, there is a major caveat to the sense of security backups give you - if you don't know where the exploit came from, and when, restoring from backup to a fresh install could leave you wide open again!

Let's say it's some cgi script with a dodgy bit of coding - if you restore to a fresh system, that dodgy cgi script is still there, leaving you wide open to another hacked session.
Also, let's say the hack occurred 2 weeks ago, but the hacked system was only exploited yesterday - there are lots of hackers that lie dormant for a good few weeks/months, so that when you restore from your backup a week ago, you are effectively restoring the backdoor.....

It is absolutely essential that you know how the system was exploited, so that it won't happen again....
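
The point above (a restored backup can carry the dropped script back with it) is easy to check before the restored tree goes live. The script below is an added example, not something from the thread or borked's HowTos: it walks a restored site and flags files that contain constructs typical of dropped web shells, and files modified after a date you are sure the box was clean. The regex, the sample site it builds and the file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a restored web tree before putting it back online.

# Constructs that rarely appear in a static site but are common in dropped
# backdoors (assumed list; extend it for your own stack).
SUSPICIOUS_RE='eval *\(|base64_decode|system *\(|passthru|shell_exec|exec *\(|/bin/sh|/tmp/'

# find_suspicious_scripts DIR
# Print every regular file under DIR matching SUSPICIOUS_RE. Every file is
# checked, not just *.cgi/*.php, because a shell renamed to .gif still runs
# if the server is told to parse it.
find_suspicious_scripts() {
    find "$1" -type f -exec grep -l -E "$SUSPICIOUS_RE" {} + 2>/dev/null | sort
}

# find_newer_than DIR STAMPFILE
# Print files under DIR modified more recently than STAMPFILE, e.g. a file
# touched to the last date you know the box was clean (touch -t YYYYMMDDhhmm).
find_newer_than() {
    find "$1" -type f -newer "$2" | sort
}

# make_sample_tree DIR
# Build a constructed sample site: one clean page, one legitimate counter
# script (both dated July 2006) and one dropped backdoor written "now".
make_sample_tree() {
    mkdir -p "$1/cgi-bin" "$1/images"
    printf '<html><body>hello</body></html>\n' > "$1/index.html"
    printf '#!/usr/bin/perl\nprint "Content-type: text/html\\n\\nok\\n";\n' > "$1/cgi-bin/counter.cgi"
    touch -t 200607010000 "$1/index.html" "$1/cgi-bin/counter.cgi"
    # The backdoor: runs whatever arrives in the query string.
    printf '#!/usr/bin/perl\nsystem("/bin/sh -c $ENV{QUERY_STRING}");\n' > "$1/cgi-bin/cache.cgi"
}

# Stand-alone usage: sh audit.sh /path/to/restored/site [/path/to/clean-stamp]
if [ $# -ge 1 ]; then
    echo "== files containing backdoor-like constructs under $1"
    find_suspicious_scripts "$1"
    if [ $# -ge 2 ]; then
        echo "== files modified after $2"
        find_newer_than "$1" "$2"
    fi
fi
```

Anything the two lists agree on should be treated as the thing that gets restored with the backup; anything only the mtime check finds still deserves a look, since a dormant dropper does not have to contain the strings above.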

MyNameIsNobody 08-24-2006 11:03 AM

Quote:

Originally Posted by betabomb
hacker's fault

what he said

borked 08-24-2006 11:06 AM

-deleted: double post

borked 08-24-2006 11:06 AM

No matter what, restoring a server to how it was is a right royal pain in the arse. It's not just your data, but all the system tweaks, custom kernels, configs etc etc that you've been adding over the years that need replacing. A right royal arse - Chris, it isn't your provider that's at fault. There is not a single provider that would guarantee you a hack-free system. If there was, stay well away from them, because they can't.

Chris 08-24-2006 11:08 AM

Quote:

Originally Posted by borked
-deleted: double post

i am not wanting a full 100% restore
i want one domain's files restored
the domain had no scripts
just a few html pages and about 200 images

that's it
nothing major...fuck all my other sites ... i was getting tired of baby sitting em just one site i want back

m3nyc 08-24-2006 11:09 AM

the funkin hacker's fault!

prodiac 08-24-2006 11:24 AM

On any given day there is a whole slew of bots running scans on random sites/ip ranges accessing known urls to find an array of exploitable scripts. Once it finds one, it then attempts to exploit the script, usually writing files to /tmp, and then executing them. These files they write and execute are usually back doors to the server.

The best way to protect against that is to set your /tmp dir to be noexec, and link your other tmp directories there as well.

But then they occasionally go and find other writable directories. If you find a hacker's script in your domain's files, then your directory is probably set writable for the apache web service to write to it.

So not only do you always want to make sure you have the latest updates of all scripts you are running, but you want to make sure your directory permissions are also secure, don't allow writing if it doesn't need to be. Be careful with setting stuff to 777, etc.
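
The permission check prodiac recommends is quick to script. The following is an added example, not from the thread: it lists everything under a document root that is writable by everyone (the 777/666 case), lists files owned by the web server account itself (on a static-only site there should be none), and strips only the "other write" bit rather than flattening every mode. The web server user name and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example: find the writable spots a script exploited through Apache
# could have dropped a file into.

# Assumed account the web server runs as; on cPanel-era boxes usually "nobody".
WEB_USER="${WEB_USER:-nobody}"

# world_writable DIR
# Print directories and regular files under DIR that have the "other write" bit.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# owned_by_web_user DIR
# Print files under DIR owned by WEB_USER. Static sites should print nothing;
# anything here was created by the web server, not by you over FTP.
owned_by_web_user() {
    find "$1" -type f -user "$WEB_USER" -print 2>/dev/null | sort
}

# strip_other_write DIR
# Remove only the "other write" bit from world-writable entries. Deliberately
# not "chmod -R 644": that would also strip the exec bit from CGI scripts.
strip_other_write() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} +
}

# Stand-alone usage: sh permcheck.sh /home/site/public_html
if [ $# -ge 1 ]; then
    echo "== world-writable under $1"
    world_writable "$1"
    echo "== owned by $WEB_USER under $1"
    owned_by_web_user "$1"
fi
```

Run the two listing functions first and decide what is legitimate (an upload directory that a script must write to) before calling strip_other_write; a directory the web server genuinely needs to write to should be owned by the web server user with mode 755, not left at 777 for the world.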

borked 08-24-2006 11:24 AM

Quote:

Originally Posted by Chris
i am not wanting a full 100% restore
i want one domain's files restored
the domain had no scripts
just a few html pages and about 200 images

that's it
nothing major...fuck all my other sites ... i was getting tired of baby sitting em just one site i want back

I feel for ya - a simple gzip and ftp to your home puter would have saved a lot of heartache. I use rsync to back up monthly to my home, in conjunction with dailies to the backup server (the backup server is currently in the same DC as the server, so it's essential to make offsite backups).

Sorry, but it's simply "live and learn"

prodiac 08-24-2006 11:28 AM

Quote:

Originally Posted by Chris
i am not wanting a full 100% restore
i want one domain's files restored
the domain had no scripts
just a few html pages and about 200 images

that's it
nothing major...fuck all my other sites ... i was getting tired of baby sitting em just one site i want back

If you are not running any scripts at all on your sites on the server, then it definitely sounds like something was insecure on the box.

Most hacks these days are due to exploits in scripts, you don't see security issues as often.

Do you have any information on what was found on the server? What was running, etc? I'd be really curious to know.

Peaches 08-24-2006 11:33 AM

Hacker's fault.

borked 08-24-2006 11:34 AM

Quote:

Originally Posted by prodiac
The best way to protect against that is to set your /tmp dir to be noexec, and link your other tmp directories there as well.

So not only do you always want to make sure you have the latest updates of all scripts you are running, but you want to make sure your directory permissions are also secure, don't allow writing if it doesn't need to be. Be careful with setting stuff to 777, etc.

Just to clarify this point - securing /tmp with noexec is not simply a chmod permissions command - /tmp needs to be chmod 0777 or things'll start going wacky. You need to mount /tmp with
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

or something similar and have it constantly mounted with noexec from fstab.
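
To go with the mount command above, here is an added example (not from borked's HowTos) that checks whether a mount point actually carries noexec/nosuid by reading a /proc/mounts-style file, probes it by trying to execute a file there, and keeps the loop-file recipe plus the fstab line that makes it persistent. The loop-file size, the 1777 mode (0777 plus the sticky bit, so users cannot delete each other's files) and the sample mounts content are this example's assumptions.

```shell
#!/bin/sh
# Added example: verify and persist a noexec,nosuid /tmp.

# mount_opts MOUNTPOINT [MOUNTS_FILE]
# Print the option field for MOUNTPOINT from a /proc/mounts-style file
# (default /proc/mounts). Prints nothing if the path is not a mount point.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }' "${2:-/proc/mounts}"
}

# has_opt MOUNTPOINT OPT [MOUNTS_FILE]
# Return 0 when OPT is one of the mount options, 1 otherwise.
has_opt() {
    case ",$(mount_opts "$1" "$3")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# exec_refused DIR
# Drop a trivial script into DIR, chmod it executable and try to run it.
# Returns 0 when the kernel refuses (what noexec is supposed to do).
exec_refused() {
    f="$1/noexec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$f" && chmod 0755 "$f"
    if "$f" 2>/dev/null; then
        rm -f "$f"; return 1
    fi
    rm -f "$f"; return 0
}

# make_loop_tmp
# borked's loop-file approach, run once as root on a box where /tmp is not
# its own partition. 512 MB is an assumed size.
make_loop_tmp() {
    dd if=/dev/zero of=/dev/tmpMnt bs=1M count=512
    mke2fs -F /dev/tmpMnt
    mount -o loop,noexec,nosuid,nodev,rw /dev/tmpMnt /tmp
    chmod 1777 /tmp
    # Persist it; without this line a reboot gives you back an exec-able /tmp.
    echo '/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,nodev,rw 0 0' >> /etc/fstab
}

# Stand-alone usage: sh tmpcheck.sh /tmp /var/tmp
for mp in "$@"; do
    if has_opt "$mp" noexec && has_opt "$mp" nosuid; then
        echo "$mp: noexec,nosuid OK"
    else
        echo "$mp: missing noexec/nosuid (opts: $(mount_opts "$mp"))"
    fi
done
```

One caveat that belongs next to this: noexec stops a dropped file from being run directly, but it does not stop "perl /tmp/x" or "sh /tmp/x", since the interpreter, not the kernel, reads the file. It raises the bar for the fire-and-forget bots prodiac describes; it is not a substitute for fixing the script they came in through.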

the alchemist 08-24-2006 11:34 AM

Quote:

Originally Posted by Peaches
Hacker's fault.

lol classic... but really, the answer is in the question, whoever's "managing" the server is at fault...

borked 08-24-2006 11:37 AM

Quote:

Originally Posted by the alchemist
lol classic... but really, the answer is in the question, whoever's "managing" the server is at fault...

How so????
Like scannerX said - there is not a single server out there that is unhackable. The only ones which are unhackable from external sources are the ones unplugged from the internet.

DamageX 08-24-2006 12:17 PM

Quote:

Originally Posted by Chris
i am not wanting a full 100% restore
i want one domain's files restored
the domain had no scripts
just a few html pages and about 200 images

that's it
nothing major...fuck all my other sites ... i was getting tired of baby sitting em just one site i want back

archive.org

borked 09-02-2006 11:31 AM

I've written a few HOWTOs over at SplitInfinity on a few "absolute musts" to securing your server....
nothing there on firewalls, since everyone has their own flavour (you are running a firewall, aren't you?)


http://forums.splitinfinity.com/forumdisplay.php?f=7

Even if your server is managed, have a looksie at the HowTo's and if there's something in them that isn't implemented, ask your managed provider to get it sorted.

This list is non-exhaustive and I'll be adding to the HowTo's, esp for security as and when, so check there regularly.

Any questions, post in the forum, or hit me up on ICQ.

I also do one-off hardening configs for $100 - if interested hit me up (this includes much more extensive hardening than those HowTo's, but over time, I'll be posting pretty much all the HowTo's so you can do it yourself if you're savvy enough!)

ladida 09-02-2006 12:12 PM

There's so much more than what you wrote there.
Quote:

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-
curl/fetch/wget
That's all? I can think of at least 5 more commands that would upload things, plus some 10 more ways to add it without uploading...

Chris 09-02-2006 12:14 PM

Quote:

Originally Posted by borked
I've written a few HOWTOs over at SplitInfinity on a few "absolute musts" to securing your server....
nothing there on firewalls, since everyone has their own flavour (you are running a firewall, aren't you?)


http://forums.splitinfinity.com/forumdisplay.php?f=7

Even if your server is managed, have a looksie at the HowTo's and if there's something in them that isn't implemented, ask your managed provider to get it sorted.

This list is non-exhaustive and I'll be adding to the HowTo's, esp for security as and when, so check there regularly.

Any questions, post in the forum, or hit me up on ICQ.

I also do one-off hardening configs for $100 - if interested hit me up (this includes much more extensive hardening than those HowTo's, but over time, I'll be posting pretty much all the HowTo's so you can do it yourself if you're savvy enough!)


thanks for bumping this
now i am going to get 100 more icq from hosting companys wanting to sell me shit


fuck.

borked 09-02-2006 12:43 PM

Quote:

Originally Posted by Chris
thanks for bumping this
now i am going to get 100 more icq from hosting companys wanting to sell me shit


fuck.

lol - sorry!

borked 09-02-2006 12:46 PM

Quote:

Originally Posted by ladida
There's so much more then what you wrote there.

curl/fetch/wget
That's all? I can think of at least 5 more commands that would upload things, plus some 10 more ways to add it without uploading...

As it says - it HELPS
Adult websites are the most targetted sector. This was just a start to get a comprehensive security list together to help others.
So, hey, do us all a favour and add things to the threads I created

johnny o 09-02-2006 01:29 PM

i'm actually responsible, i'll try not to let it happen again. :(

GrouchyAdmin 09-02-2006 01:35 PM

It depends on your level of management, but really, it's usually not directly applicable to the host.

For instance, if you are paying for a colocated server - most sites will install the basic OS, give you your IP list, and your root password. From there, it's all yours.

However, if you are paying for a managed host, you really need to see what their level of support is. Most 'managed' will monitor HTTP and do basic support, but not that many offer upgrades or updates beyond your initial install - some of them aren't even aware that they should update the OS, being that DirectAdmin/CPanel have the ability to update their specific Apache 1.3/PHP/etc support tools.

The closest experience to a fully managed system I've actually had was through a non-adult service, ICDSoft. They actually scanned all clients, and alerted those with phpBB2 to ensure they ran updates. It was surprising, being how cheap their services were. However, they DO NOT do adult, and I don't believe that they offer anything other than shared accounts at this time.

Sorry to hear you got hacked. It'd be interesting to know how they got in.

ladida 09-02-2006 02:12 PM

Quote:

Originally Posted by borked
As it says - it HELPS
Adult websites are the most targetted sector. This was just a start to get a comprehensive security list together to help others.
So, hey, do us all a favour and add things to the threads I created

Um, i was more pointing to the fact that you did a "half job", and when security is the concern, that does more harm than helps. If you're gonna cover one subject, cover it completely, don't write half of it, because i can assure you, 70% of webmasters are gonna read that, do what you said and think "okay, i disabled uploads, how in the hell did he get that exploit on server", and they'll lose time searching in the wrong direction.

borked 09-02-2006 03:20 PM

Quote:

Originally Posted by ladida
Um, i was more pointing to the fact that you did a "half job", and when security is the concern, that does more harm than helps. If you're gonna cover one subject, cover it completely, don't write half of it, because i can assure you, 70% of webmasters are gonna read that, do what you said and think "okay, i disabled uploads, how in the hell did he get that exploit on server", and they'll lose time searching in the wrong direction.


rcp, lynx, links, scp, nc, elinks, proxy, vbox, lwp, GET will all be added to the HowTO in due time.

It's not a half-assed job. It's work in progress, fuckwit.
Now, if you want to help others to help themselves, add to the thread goddammit. 99% of the people who have servers here wouldn't know what to do. It's not easy putting up easy-to-follow instructions. So I did the basics and will update as and when I have the time.
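
The exchange above (chmod 0750 on curl/fetch/wget, and ladida's objection that plenty of other programs can pull a file down) is easy to turn into a check. This is an added example, not borked's HowTo: it takes the tool names the thread lists (curl, fetch, wget, rcp, lynx, links, elinks, scp, nc, GET, lwp-request) and reports which are still executable by everyone. Adding the interpreters to the list is this example's own extension, since perl, python or php can fetch a URL with no external tool at all; the fake binaries in the test are constructed.

```shell
#!/bin/sh
# Added example: which download-capable programs can the web server account
# still run? Locking three of them is the "half job" from the thread.

# Tools named in the thread (lwp-request/lwp-download are the LWP/GET scripts).
FETCH_TOOLS="curl fetch wget rcp lynx links elinks scp nc ncat GET lwp-request lwp-download"
# Assumed extension: interpreters that fetch without any of the above.
INTERPRETERS="perl python python2 python3 php ruby"

# other_can_exec FILE
# Return 0 when the "other" class has the execute bit (i.e. the web server
# account, which is normally not in root's group, can run it).
other_can_exec() {
    [ -n "$(find "$1" -prune -perm -0001 -print 2>/dev/null)" ]
}

# audit_tools [DIR ...]
# For each tool name, look in the given directories (default: the usual bin
# dirs) and print "name path" for every one still executable by everyone.
audit_tools() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="/bin /usr/bin /usr/local/bin /sbin /usr/sbin"
    for t in $FETCH_TOOLS $INTERPRETERS; do
        for d in $dirs; do
            p="$d/$t"
            [ -f "$p" ] || continue
            if other_can_exec "$p"; then
                printf '%s %s\n' "$t" "$p"
            fi
            break
        done
    done
}

# restrict_tools [DIR ...]
# Apply the thread's fix (no access for "other") to everything audit_tools
# reports. Interpreters are included on purpose: decide per box whether the
# web server needs one of them before running this blindly.
restrict_tools() {
    audit_tools "$@" | while read -r name path; do
        chmod o-rx "$path"
    done
}

# Stand-alone usage: sh fetchaudit.sh            (scan the standard bin dirs)
#                    sh fetchaudit.sh /opt/bin   (scan a specific directory)
if [ "${FETCHAUDIT_RUN:-0}" = 1 ]; then
    audit_tools "$@"
fi
```

The audit is only a list; it does nothing on its own. Note that on a box where PHP itself fetches URLs (allow_url_fopen, the curl extension), restricting the command-line tools changes nothing for a script exploited through the web server, which is the direction ladida says webmasters end up not looking in.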

Ange 02-04-2007 12:42 PM

it's the script's fault

