Account hacked many times. Help urgent!

filth80

Well-Known Member
Dec 11, 2009
89
0
56
Hello, the account of one client is hacked many times in a day. He is running the latest version of PHP-Fusion. The attacker replaces the index.php with an index.html. I tried changing the passwords for FTP, cPanel, etc., but no chance. What can I do to help him? Please help, I need it urgently.
 

ModServ

Well-Known Member
Oct 17, 2006
337
5
168
Egypt
cPanel Access Level
Root Administrator
Install maldet and scan with it:

For installing:
Code:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz; tar -xzf maldetect-current.tar.gz; cd maldetect-*; ./install.sh
For scanning:
Code:
maldet --scan-all /home?/USER/public_html
Replace USER with the account's username, or replace the whole path with the path to his files.
 

filth80

Thanks for this, great tool, but sadly it didn't help. Didn't find anything on the scan.
 

crazyaboutlinux

Well-Known Member
Nov 3, 2007
939
1
66
Make sure that you scanned properly. We had the same problem; since we started using it, everything has been working fine. Our DC installed it and scanned the entire server and found some suspected files, which we had removed from the server; thereafter everything has been working fine.
 

Cindu

Well-Known Member
Feb 7, 2011
46
0
56
Hello,

Yes, you need to scan the entire server. Also please check whether your /tmp partition is secured and whether there are any scripts running in it.
It would also be good if you enable open_basedir protection on the server.
 

filth80

maldet --scan-all /home?/?/public_html is the command I used to scan the entire server, and it found nothing. Is this command not good? open_basedir protection is enabled.
 

Cindu

Hello,

I can see that the command is correct. Don't you get a log file or hits for the infected files? If so, it seems there are no vulnerable files on the server. You also need to check the logs of the services to see how this was done!
 

filth80

I rescanned and found 2 infected files. I removed them and for now everything seems OK. I'll keep you informed. Thanks for your great help, I appreciate it.
 

Cindu

Hello,

You are entirely welcome, and it is good to hear that now everything seems to be okay! Keep us informed! Cheers!
 

filth80

The hacker attacked again. He is using a c99 shell. How can I protect against it? Please help! I'm desperate.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Have you reviewed the domlogs for the domain to see how this attacker keeps accessing the account? Check the timestamps of the uploaded files, then go through the domlogs at /usr/local/apache/domlogs/domain.com to see what command was passed to which script to get onto the account. Disable that script or have the user update it to a secure version.

Next, are you allowing register_globals to be on? If so, switch this to off in the php.ini file.

Finally, the next time you see processes running for that user, do not kill them (if you have been doing that); first run lsof -p on the process and also cat the environment details to find which script they attacked, where they uploaded files and what they are doing:

Code:
lsof -p PID#
Where PID# is the PID of the process for that user that is running perl or whatever script. This will show the libraries and what the script is doing.

Code:
cat /proc/PID#/environ
Again, PID# is the PID of that user's perl process. This will show the environment data for the process, which shows which script they passed commands into to upload file(s) onto the account.

If you cannot get the account secured, you probably simply need to have them entirely wipe their account and start fresh, or suspend their account.

Thanks.
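The lsof and /proc/PID/environ steps above are the part most people skip because the shell is usually gone by the time they look. The following added example (mine, not cPanel's or the thread's) packages them so they can be left running or scripted: it lists every process owned by the compromised account and, for each, reads /proc/PID/environ and the working directory. The point it relies on is that when PHP runs as CGI/suPHP, as cPanel does by default, the interpreter runs as the account user and inherits the CGI variables of the request that started it, so REMOTE_ADDR, SCRIPT_FILENAME and QUERY_STRING name the attacker, the script that was hit and the command passed to it. Under mod_php the worker belongs to Apache and those variables will not be there; that is an assumption the script states in its comments. It must run as root to read another user's environ. The SAMPLE_ENVIRON bytes are constructed so the parsing can be checked offline; note that environ is NUL-separated, which is why `cat` prints it as one run-together line.

```python
import os
import pwd

# CGI variables that identify the request behind a running script. Assumed to
# be present when PHP runs as CGI/suPHP (as on cPanel by default); a mod_php
# worker belongs to Apache and will not carry them.
KEYS = ("REMOTE_ADDR", "REQUEST_METHOD", "REQUEST_URI", "SCRIPT_FILENAME",
        "QUERY_STRING", "HTTP_USER_AGENT")


def parse_environ(data):
    """/proc/<pid>/environ is NUL-separated KEY=VALUE pairs; return a dict."""
    env = {}
    for item in data.split(b"\0"):
        if item:
            key, _, value = item.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def request_context(env):
    """Keep only the variables that say which script was hit and by whom."""
    return {k: env[k] for k in KEYS if k in env}


def read_proc(pid, name):
    with open("/proc/%d/%s" % (pid, name), "rb") as fh:
        return fh.read()


def user_processes(username):
    """Yield (pid, cmdline, context, cwd) for each process owned by username,
    i.e. `ps aux | grep username` followed by `cat /proc/PID/environ`.
    Run as root: another user's environ is not readable otherwise."""
    uid = pwd.getpwnam(username).pw_uid
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            if os.stat("/proc/%d" % pid).st_uid != uid:
                continue
            cmdline = read_proc(pid, "cmdline").replace(b"\0", b" ").decode("utf-8", "replace").strip()
            ctx = request_context(parse_environ(read_proc(pid, "environ")))
            cwd = os.readlink("/proc/%d/cwd" % pid)
        except OSError:
            continue  # process already exited, or we lack permission
        yield pid, cmdline, ctx, cwd


# Constructed sample of a suPHP-spawned shell's environment, for the offline
# check; real values come from /proc/<pid>/environ.
SAMPLE_ENVIRON = (
    b"REMOTE_ADDR=203.0.113.7\0REQUEST_METHOD=GET\0"
    b"SCRIPT_FILENAME=/home/example/public_html/themes/c99.php\0"
    b"REQUEST_URI=/themes/c99.php?act=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F\0"
    b"QUERY_STRING=act=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F\0"
    b"HTTP_USER_AGENT=Mozilla/5.0 (constructed)\0PATH=/usr/local/bin:/usr/bin\0"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for pid, cmdline, ctx, cwd in user_processes(sys.argv[1]):
            print(pid, cwd, cmdline)
            for k, v in ctx.items():
                print("   ", k, "=", v)
    else:
        print(request_context(parse_environ(SAMPLE_ENVIRON)))
```

Run `python3 proctriage.py USERNAME` as root while the attacker is active (a cron entry every minute that appends the output to a file is the usual workaround for not being online at the time). The cwd is worth keeping: a PHP CGI process's working directory is the directory of the script that was executed, which points straight at the dropped file even when the environ has been cleared.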
 

filth80

register_globals is off. The thing is, I'm not online when the attacker is doing it. I can access the logs but I can't understand them; I mean, everything seems OK. Would it help if I install mod_security? And how do I install the rules for mod_security? Thank you.

LE: I found some lines in the logs with the attacker's IP, but I don't understand how he did the attack. I found a "c99.php" file in the logs. If anyone can help me, I'll PM the log to him. Please help.
 

cPanelTristan

Are you killing the processes, or checking the processes for that user to see if any are running? When the account is hacked, the very first thing that should be done is to check for suspicious processes by that user:

Code:
ps aux | grep username
Then run the lsof and cat commands I noted to get the details on the process and which script was hit. You also need to view the timestamps of the uploaded file(s) and go through the domlogs for those specific times.

As for not understanding the logs, what specifically is not understood about them? They normally look like this and are pretty straightforward:

12.12.12.12 - - [16/Feb/2011:13:01:00 -0500] "GET /scriptname.php?spgmGal=someword%20another%20another&spgmPic=5 HTTP/1.1" 200 14423 "http://www.domain.com/scriptname.php?spgmGal=someword%20another%20another&spgmPic=4" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 SearchToolbar/1.2"
The 12.12.12.12 is the IP, the date is the date, the GET part is the action and the script that had the action performed on it, along with the protocol being HTTP/1.1; the 200 is the status code (200 is success; you can see a list of codes at this location), the 14423 is the size, the http portion is the referring URL that called the GET action, and the Mozilla portion contains the browser and operating system details.

Finally, mod_security is installable in EasyApache (Apache Update) in WHM, or using /scripts/easyapache as root over SSH, with the default rulesets we provide.
 

filth80

This is the part of the logs from when the attacker appeared yesterday:

62.42.192.56 - - [16/Feb/2011:15:11:05 +0200] "GET / HTTP/1.1" 200 19744 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:11 +0200] "GET /news HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:11 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:11 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:12 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover/styles.css HTTP/1.1" 200 6863 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /images/favicon.ico HTTP/1.1" 200 1598 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /infusions/user_info_panel/uip_css.css HTTP/1.1" 200 123 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:15 +0200] "GET /news.php HTTP/1.1" 200 20734 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover/images/bullet.png HTTP/1.1" 200 4016 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover//fader.js HTTP/1.1" 200 5229 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /includes/lib_ignas2526.js HTTP/1.1" 404 - "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:16 +0200] "GET /includes/jquery.js HTTP/1.1" 200 72173 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /includes/jscript.js HTTP/1.1" 200 5843 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /includes/lib_ignas2526.js HTTP/1.1" 404 - "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/printer.gif HTTP/1.1" 200 83 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/2.gif HTTP/1.1" 200 241 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/3.gif HTTP/1.1" 200 292 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/panel_on.gif HTTP/1.1" 200 355 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/bullet.gif HTTP/1.1" 200 296 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /images/smiley/smile.gif HTTP/1.1" 200 854 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /images/hi5.jpg HTTP/1.1" 200 11099 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/nav-bg.png HTTP/1.1" 200 585 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/nav-up.png HTTP/1.1" 200 1663 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /images/facebook.jpg HTTP/1.1" 200 5003 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/side_left.png HTTP/1.1" 200 278 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /infusions/user_info_panel/images/welcome.gif HTTP/1.1" 200 42409 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/stiri.png HTTP/1.1" 200 95 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/meniu.png HTTP/1.1" 200 16029 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /images/news/top.jpg HTTP/1.1" 200 59610 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/capmain.png HTTP/1.1" 200 1893 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /images/youtube.jpg HTTP/1.1" 200 9870 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /asculta.m3u HTTP/1.1" 200 100 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/stiri.jpg HTTP/1.1" 200 10694 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/header.swf HTTP/1.1" 200 277994 "http://orbitalfm.ro/news.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/button.png HTTP/1.1" 200 9092 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:18 +0200] "GET /themes/UnderCover/images/side_right.png HTTP/1.1" 200 278 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:19 +0200] "GET /themes/UnderCover/images/backgroundfooter.png HTTP/1.1" 200 2270 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:11:17 +0200] "GET /themes/UnderCover/images/fundal.jpg HTTP/1.1" 200 2192757 "http://orbitalfm.ro/themes/UnderCover/styles.css" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

And this is the part where "c99" appears:


62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php HTTP/1.1" 200 6286 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=home HTTP/1.1" 200 209 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=search HTTP/1.1" 200 250 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=forward HTTP/1.1" 200 119 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=refresh HTTP/1.1" 200 200 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=back HTTP/1.1" 200 119 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=up HTTP/1.1" 200 199 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=buffer HTTP/1.1" 200 163 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=sort_asc HTTP/1.1" 200 85 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=ext_lnk HTTP/1.1" 200 572 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=ext_diz HTTP/1.1" 200 1027 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=ext_php HTTP/1.1" 200 79 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=small_dir HTTP/1.1" 200 164 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=download HTTP/1.1" 404 - "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=change HTTP/1.1" 200 290 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php?act=img&img=arrow_ltr HTTP/1.1" 200 88 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:42 +0200] "GET /themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 7014 "http://orbitalfm.ro/themes/c99.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_htaccess HTTP/1.1" 200 117 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=download HTTP/1.1" 200 161 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_jpg HTTP/1.1" 200 175 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_pls HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_m3u HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_gif HTTP/1.1" 200 175 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_html HTTP/1.1" 200 230 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_swf HTTP/1.1" 200 254 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_eml HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
62.42.192.56 - - [16/Feb/2011:15:32:43 +0200] "GET /themes/c99.php?act=img&img=ext_error_log HTTP/1.1" 200 1034 "http://orbitalfm.ro/themes/c99.php?act=ls&d=%2Fhome%2Ftygerone%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"

Any suggestions? Might it be from some sort of uploading application in PHP-Fusion which my client is using? And another question: could this be done if the attacker knew the admin password for PHP-Fusion? Because the FTP and cPanel passwords were changed several times using the password generator in WHM, but without success.
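The domlog excerpt above shows the shell being driven (a request for /themes/c99.php followed by c99's own image fetches and an act=ls listing of the document root) but not how the file got there, which is the question the earlier advice about matching file timestamps against the domlogs was meant to answer. The script below is an added example, written for this thread rather than taken from it or from cPanel, that does both jobs over Apache combined-format lines like the ones posted: `requests_near()` lists the requests that arrived within a window around a file's mtime with any POST first, which is where an upload vector normally shows up, and `shell_indicators()` flags requests that look like a shell in use (a .php file executed from a directory that should only serve static content, a shell-like filename, and an absolute path in parameters such as d= or cmd=). The sample log, the IPs, the mtime and the upload script path /infusions/hypothetical_upload/upload.php are all constructed for the example; no particular PHP-Fusion component is being accused.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format, as written to /usr/local/apache/domlogs/<domain>.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Directories that should serve static files only (constructed; adjust per CMS).
STATIC_DIRS = {"themes", "images", "uploads", "cache", "tmp", "css", "js"}
SHELL_NAMES = re.compile(r"(c99|c100|r57|shell|cmd)\w*\.php$", re.I)


def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    url = urlsplit(e["target"])
    e["path"], e["query"] = url.path, parse_qs(url.query)
    return e


def parse_log(text):
    return [e for e in (parse_log_line(ln) for ln in text.splitlines()) if e]


def requests_near(entries, when, window_seconds):
    """Requests within +/- window of a file's mtime; POSTs first, then by time."""
    delta = timedelta(seconds=window_seconds)
    hits = [e for e in entries if abs(e["time"] - when) <= delta]
    return sorted(hits, key=lambda e: (e["method"] == "GET", e["time"]))


def shell_indicators(e):
    """Reasons a single request looks like a PHP shell being driven."""
    reasons = []
    segs = [s for s in e["path"].split("/") if s]
    if e["path"].lower().endswith(".php") and any(s in STATIC_DIRS for s in segs[:-1]):
        reasons.append("php executed from static dir")
    if SHELL_NAMES.search(e["path"]):
        reasons.append("shell-like filename")
    for key in ("d", "dir", "cmd", "c", "f"):  # c99-style parameter names
        if any(unquote(v).startswith("/") for v in e["query"].get(key, [])):
            reasons.append("absolute path in %s=" % key)
    return reasons


def summarize_by_ip(entries):
    """Per-IP request count, flagged count, first/last seen and flagged paths."""
    out = {}
    for e in entries:
        s = out.setdefault(e["ip"], {"requests": 0, "flagged": 0, "first": e["time"],
                                     "last": e["time"], "flagged_paths": set()})
        s["requests"] += 1
        s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
        if shell_indicators(e):
            s["flagged"] += 1
            s["flagged_paths"].add(e["path"])
    return out


# Constructed sample: a visitor, a POST to a hypothetical upload script, and
# the shell being used a few minutes later. Not taken from the real domlog.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2011:15:11:15 +0200] "GET /news.php HTTP/1.1" 200 20734 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [16/Feb/2011:15:11:16 +0200] "GET /themes/UnderCover/styles.css HTTP/1.1" 200 6863 "http://example.com/news.php" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [16/Feb/2011:15:20:30 +0200] "POST /infusions/hypothetical_upload/upload.php HTTP/1.1" 200 512 "http://example.com/news.php" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [16/Feb/2011:15:20:31 +0200] "GET /images/favicon.ico HTTP/1.1" 200 1598 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [16/Feb/2011:15:32:40 +0200] "GET /themes/c99.php HTTP/1.1" 200 6286 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [16/Feb/2011:15:32:42 +0200] "GET /themes/c99.php?act=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 7014 "http://example.com/themes/c99.php" "Mozilla/5.0 (constructed)"
"""
# Constructed mtime of the planted themes/c99.php (what `stat` would report).
FILE_MTIME = datetime(2011, 2, 16, 15, 20, 31, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("requests around the file's mtime:")
    for e in requests_near(entries, FILE_MTIME, 120):
        print("  ", e["time"].isoformat(), e["method"], e["target"])
    for ip, s in summarize_by_ip(entries).items():
        print(ip, s["requests"], "requests,", s["flagged"], "flagged:", sorted(s["flagged_paths"]))
```

To use it on the real domlog, read /usr/local/apache/domlogs/domain.com into `parse_log()`, take the mtime of the dropped c99.php from `stat` (in the same timezone the log uses) and widen the window until a POST, or a GET with an unusual query string, turns up; that request names the script to disable or update. Keep in mind that a shell can also be written through a second, already-planted shell, or through FTP, in which case the domlog will show nothing at the mtime and the FTP logs are the next place to look.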
 

LinuxTechie

Well-Known Member
Jan 22, 2011
502
10
68
cPanel Access Level
Root Administrator
Hello,

Please block the IP ASAP. Did you install mod_security on the server? As it is a web-based firewall, it will help to resolve this issue.
 

filth80

I blocked the IP, but he could use a proxy, I guess. I installed mod_security, but how do I configure it? I have it under Plugins in WHM, but how do I add the rules? What do I need to add to httpd.conf, and where?
 

filth80

Yes, this is what I'm trying to do. I installed mod_security, but how can I configure it, and how do I add rules?