March 26th, 2012, 12:37 AM
Is this evidence of a hack? HELP!
I am running Apache 2.2.4 on a computer in my home and hosting sites for a variety of people. Tonight I did a search for one domain, just to see what kind of search engine results it was getting, and I found something very odd. I have a secure virtual on my server and some shopping carts. Searching for a couple of domains that I own but which have no connection to the secure virtual server, I found Google had links to those sites and the virtual server - and they resolved but with the warning that the server certificate did not match the name on the site. In other words, I own a domain called guymerritt.net - just my name. Google says there is a page at https://www.guymerritt.net/netkwikos2/catalog connected to that site. There shouldn't be - the "netkwikos2" directory is the name of a virtual, secure directory on a site called lowestcostmattressdirect.com. I can't find any weird files in my server, no PHP files with weird code injected...
I'm not sure if I explained this very well, but, does this sound like some kind of hack? I've turned everything off and my butt is in a crack as I've got businesses running from this.
UPDATE: I DID find one oddball file in my Apache conf folder. It was just called "lo" - no file extension. If this had been there, I'd never seen it before. This is about 50% of it - everything ended with a .pem file:
Any thoughts/ideas would be appreciated.
Last edited by 88guy; March 26th, 2012 at 01:00 AM.
March 26th, 2012, 04:36 PM
Seeing a different domain name than you expect probably is a result of running multiple domains from the same IP address. Is guymerritt.net the default virtual host by any chance?
P.S. What is the upload speed of your Internet connection? If it's anything below 1.5 Mbits, you might want to think about the potential loss of revenue for your clients from slow-loading e-commerce sites.
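
The fall-through the reply above points to, as an added example that is not part of the original thread: when several domains share one IP, a hostname with no matching vhost on port 443 is answered by the first vhost defined for that port, with that vhost's certificate. The config is a constructed sample, and `parse_vhosts`, `resolve` and `fallthrough_report` are hypothetical helper names; the parser reads only `<VirtualHost>`, `ServerName` and `ServerAlias` lines.

```python
import fnmatch

# Constructed sample, not the poster's real httpd.conf: one IP, one SSL vhost.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.guymerritt.net
    ServerAlias guymerritt.net
</VirtualHost>
<VirtualHost *:443>
    ServerName www.lowestcostmattressdirect.com
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return vhosts in file order as {'addr': ..., 'names': [...]} dicts."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        words = raw.split()
        key = words[0].lower() if words else ""
        if key == "<virtualhost" and len(words) > 1:
            current = {"addr": words[1].rstrip(">"), "names": []}
            vhosts.append(current)
        elif key == "</virtualhost>":
            current = None
        elif current is not None and key in ("servername", "serveralias"):
            current["names"] += [w.lower() for w in words[1:]]
    return vhosts

def resolve(vhosts, host, port):
    """Name match wins; otherwise the first vhost on that port is the default."""
    pool = [v for v in vhosts if v["addr"].endswith(":%d" % port)]
    for v in pool:
        if any(fnmatch.fnmatch(host.lower(), n) for n in v["names"]):
            return v, True
    return (pool[0], False) if pool else (None, False)

def fallthrough_report(conf, port=443):
    """Map each configured name to the default vhost that answers it on `port`."""
    vhosts = parse_vhosts(conf)
    report = {}
    for name in sorted({n for v in vhosts for n in v["names"]}):
        vhost, matched = resolve(vhosts, name, port)
        if vhost is not None and not matched:
            report[name] = (vhost["names"] or ["(unnamed)"])[0]
    return report

if __name__ == "__main__":
    for name, default in fallthrough_report(SAMPLE_CONF).items():
        print("https://%s/ is answered by %s" % (name, default))
```

On a live server, `httpd -S` (or `apachectl -S`) prints the parsed vhost list and marks the default server for each address and port, which answers the reply's question directly.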