I recently noticed that my sites and forums were running slow. I contacted my hosts, who said they were unable to replicate the problem. However, they did tell me that my server is compromised. I'm at a loss for what to do as I do not understand servers.
Any help would be appreciated. This is the email they have sent me:
A support ticket: 2501522 has been created in response to your query
Please login to your online account at
https://my.ukfast.co.uk/pss/view.php?id=2501522 to respond to your support ticket.
Hello Glenn,
Ticket reference 2501522
Thank you for contacting technical support.
Great to speak to you today. As discussed, the websites appear to be loading successfully and at some speed. I cannot replicate the issues you are experiencing.
With regards to the potential server compromise, I found the following line, located in the file /etc/passwd:
Marwanz666:x:0:0::/home/Marwanz666:/bin/bash
I have used the command, 'userdel' to remove/delete the user. It is not immediately clear how they have managed to access the server, however, I recommend that you investigate this accordingly. I suggest a further investigation, because it appears that the server remains compromised even after my deletion of the user. I see this because when I type the command, 'w', it shows that no users are connected to the server:
[root@94 ~]# w
16:04:08 up 4 days, 5:27, 0 users, load average: 1.84, 2.37, 2.17
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
This is strange because it should say at least 1 user is connected to the server since I am currently logged into the server via SSH.
I would recommend that you check the /var/log/messages and also other files within /var/log/.
As always, if you have any further questions or concerns regarding this, please don't hesitate to contact me. Have an awesome week!
For future issues you may wish to visit our comprehensive online frequently asked questions (FAQ) at
https://my.ukfast.co.uk/faq/index.php
Best regards,
Dan Howard
Linux Engineer
+44 800 542 2702
http://www.cloudhosts.co.uk
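As an added example (not part of the original post or the host's email), here is a shell check for the condition the engineer found: an account other than root with UID 0 in a passwd-format file. The function names are hypothetical, and every sample line except the Marwanz666 entry is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for rogue superuser entries.

# uid0_accounts FILE: print "name shell" for every UID-0 entry not named root.
uid0_accounts() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1, $7 }' "$1"
}

# duplicate_uids FILE: print each UID that is shared by more than one entry.
duplicate_uids() {
    awk -F: 'NF == 7 { n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# malformed_lines FILE: print line numbers of non-blank lines that do not
# have exactly 7 colon-separated fields (hand-edited files often show this).
malformed_lines() {
    awk -F: 'NF == 0 { next } NF != 7 { print NR }' "$1"
}

# Constructed sample; only the Marwanz666 line comes from the email above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
Marwanz666:x:0:0::/home/Marwanz666:/bin/bash
EOF
}

# With no argument, audit the constructed sample; pass /etc/passwd to audit a host.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    sample_passwd > "$target"
fi
echo "UID 0 accounts other than root:"; uid0_accounts "$target"
echo "Duplicate UIDs:"; duplicate_uids "$target"
echo "Malformed lines:"; malformed_lines "$target"
```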