Tag: hacked

  • Fetch as Google with curl

    A web site got hacked. The site was listed on the Google SERP with the text “There are essentially two prescribed drugs which viagra 200mg”.

    Hacked site on google SERP

    When you visit the site in a browser and check the source, everything looks normal, with no text related to Viagra. This is because the malware on the site only shows that content to Googlebot.

    To see the malware-inserted text, you can use the Fetch as Google tool in your Google webmaster center. Before you can use the Fetch as Google tool, you need to verify ownership of the site.

    Another way is to change your browser's user agent to the same one Googlebot uses

    Googlebot/2.1 (+http://www.google.com/bot.html)

    You can see the list of user agents used by Google at

    https://support.google.com/webmasters/answer/1061943?hl=en

    To fetch a site as Google using curl, run

    curl --user-agent "Googlebot/2.1 (+http://www.google.com/bot.html)" https://your-site-here.extn
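
The comparison described above can be scripted. This is an added example, not code from the original post: it fetches the page once with a browser user agent and once with the Googlebot user agent, then reports lines that appear only in the Googlebot copy and match a spam keyword. The browser user agent string, the keyword list and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the post): compare the page served to a browser
# with the page served to Googlebot and flag spam found only in the latter.
BROWSER_UA="Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"  # assumed
GOOGLEBOT_UA="Googlebot/2.1 (+http://www.google.com/bot.html)"  # from the post
SPAM_WORDS='viagra|cialis|casino|payday loan'  # assumed keyword list, extend as needed

# fetch_as UA URL OUTFILE: save the body served to the given user agent.
fetch_as() {
    curl --silent --show-error --location --max-time 20 \
         --user-agent "$1" --output "$3" "$2"
}

# bot_only_lines BROWSER_FILE BOT_FILE: print lines that occur only in the
# Googlebot copy (leading/trailing whitespace trimmed, duplicates removed).
bot_only_lines() {
    local a b
    a=$(mktemp); b=$(mktemp)
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | LC_ALL=C sort -u > "$a"
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2" | LC_ALL=C sort -u > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# check_cloaking BROWSER_FILE BOT_FILE: return 1 and print the lines if
# Googlebot-only content matches a spam keyword, otherwise return 0.
# Keyword filtering avoids false alarms from nonces or timestamps that
# legitimately differ between two fetches of a dynamic page.
check_cloaking() {
    local hits
    hits=$(bot_only_lines "$1" "$2" | grep -Ei "$SPAM_WORDS" || true)
    if [ -n "$hits" ]; then
        printf 'CLOAKED: served only to Googlebot:\n%s\n' "$hits"
        return 1
    fi
    echo "OK: no spam keywords in Googlebot-only content"
}

# Live use: ./cloak-check.sh https://your-site-here.extn
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp -d)
    fetch_as "$BROWSER_UA" "$1" "$tmp/browser.html" &&
        fetch_as "$GOOGLEBOT_UA" "$1" "$tmp/bot.html" &&
        check_cloaking "$tmp/browser.html" "$tmp/bot.html"
    status=$?
    rm -rf "$tmp"
    exit "$status"
fi
```

A clean result does not rule out cloaking that keys on the client's IP address rather than the user agent; the Fetch as Google tool covers that case because the request comes from Google itself.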


  • VestaCP Zero-day exploit

    On 07 April 2018, many servers using VestaCP got hacked. The attacker was able to get root access on these servers.

    VestaCP Free Hosting Control Panel

    The attacker installed a trojan known as Chinese Chicken, which is used to DDoS other servers.

    To see if your server is hacked, check whether the file /etc/cron.hourly/gcc.sh is present on your server.

    ls -l /etc/cron.hourly/gcc.sh
    

    You can read more about this DDoS Trojan at

    https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

    If you are running VestaCP, stop it until a solution for this exploit is released.

    service vesta stop
    systemctl stop vesta
    

    You can find discussion of this exploit on the VestaCP forum

    https://forum.vestacp.com/viewtopic.php?f=10&t=16556

    Once a server is rooted, it is better to take a backup of all your data and restore the OS.