Hacked and now I can't delete the file... Operation not permitted :(

ttmw

Member
Mar 30, 2011
I've just noticed someone hacked my site and placed files on the server (.xcache folder full of links etc.). Now I know this isn't a cPanel or WHM issue and is a back door in my site somewhere, but now the file is there, they have changed something so I cannot change its permissions or delete the file; the only thing I can do via either FTP or the file manager in cPanel is rename it, I think.

I have control of my WHM too; how can I delete the file if it tells me 'Operation not permitted' in the file manager and similar on FTP? Can I do anything via WHM? :(

Any information on how hackers manage this would be great too, if anyone happens to know the basics of it.
 

fearmydesign

Well-Known Member
Aug 24, 2009
This same thing happened to me about two weeks ago. I don't have an answer for you, but in my case it happened to a site that had an osCommerce installation; nothing else happened to any other sites, so I am 'guessing' they broke in through the website itself, maybe through the database... don't know enough to determine.
Because this was a site that was not being used yet, I was able to delete all the files via FTP and delete the databases created for the site... but I could not delete that .xcache folder you are talking about, so it would be good to know!!! I tried several times to delete it through FTP and at first it looked as if it was, but then it showed right back up... weird.
 

ttmw

Member
Mar 30, 2011
It's such a pain! My site is also osCommerce based, but with a load of changes here and there. It's a common osCommerce hack apparently; I'm not sure how they get in yet, but if I find anything I'll let you know.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
You can check the file and ownership permissions as well as if the file is set to immutable with these commands in root SSH:

Code:
ls -lah /home/username/public_html/pathtofile
lsattr /home/username/public_html/pathtofile
Here username would be the cPanel username and pathtofile would be the path to the set file. The first command will show the file and ownership permissions. If they are 000 or root:root, the root user should still be able to remove the file regardless with this command:

Code:
cd /home/username/public_html/pathtofolder
rm filename
Above username is again the cPanel username, pathtofolder is any subfolder where the file exists, and filename is the name of the file. You will be prompted to remove the file when typing the rm command as I do not like to put the -f flag to force without prompting a y/n response. I also have you changing to the directory (cd portion) to ensure you aren't removing any file at the / or any higher level. People can really get into trouble by running rm commands without ensuring they are at the correct directory path for the removal.

Next, the "lsattr" command above, the second one, will show if there are any attributes set on the file. If you see a -i on the lsattr command, then run this command to unset that attribute:

Code:
chattr -i /home/username/public_html/pathtofile
This will remove that immutable file attribute. What immutable does is prevent a file from being changed or removed. If the file has that set on it, even the root user cannot remove the file, and this is my suspicion on what might be happening if you haven't been able to remove it even as the root user in root SSH.

If you only have cPanel and WHM but do not have root SSH, then please ask your hosting provider to look into the file permissions, ownership permissions and attributes on the file. They should be able to remove it for you.
 

fearmydesign

Well-Known Member
Aug 24, 2009
Thank you... I'll do the same. Question for you: how did you get your site back up and running? Did you restore from an earlier backup on the server, or did you keep a backup of the files and database on your local computer? ... because now I am worried; I have other osCommerce sites.

btw cPanelTristan, thank you.
 

ttmw

Member
Mar 30, 2011
The hack hasn't completely removed my site or even stopped it functioning yet at all... I don't know how long the files have been there... there are others I have found just today as well. There are some great contributions for the eCommerce sites that I have just modified and put up today... you can find them here: How to secure your osCommerce 2.2 site. - osCommerce Support Forum
 

ttmw

Member
Mar 30, 2011
I've been searching all over but can't find how to access SSH and where to put these commands in... could you point me in the right direction? I'm on a Mac, if that matters for any clients or whatever else I need?
 

fearmydesign

Well-Known Member
Aug 24, 2009
On your Mac go to Applications and then you will see the "Utilities" folder; click on that... it will open all your utilities, and in there you should see an icon labeled "Terminal"... you can use that to connect via shell (SSH)... you have root access, correct?
 

ttmw

Member
Mar 30, 2011
I have access to WHM; I'm guessing that's root? What do I use to log in before the code cPanelTristan suggested above? Thanks
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
Are you logging into WHM as the root user? If you are not, then you do not have root level access to the machine but reseller access. WHM is not the same as root SSH. If you do have root user WHM access (logging into WHM as root username), then you should also have root SSH access.

Please confirm the username you are logging into WHM as. If it is root user, then go to Finder on your Mac and type in Terminal to open up an SSH prompt window, then run the following to log into SSH:

Code:
Here IP# is the IP number of your machine. If you aren't certain of the IP number, you can use the machine's hostname or a main domain on the machine instead of the IP number. At the prompt for the password, enter the root password.
 

ttmw

Member
Mar 30, 2011
OK, here's the first few lines of what it returns... cutting the long list of similar files off.

Code:
drwxr-xr-x 11 myusername myusername  52K Mar 30 20:49 ./
drwxr-x--- 35 myusername nobody    12K Mar 30 17:22 ../
drwxr-xr-x  2 nobody   nobody   4.0K Mar 28 09:53 12/
-rw-r--r--  1 myusername myusername 3.4K Feb 15 02:17 account_notifications.gif
-rw-r--r--  1 myusername myusername 3.5K Feb 15 02:16 account_orders.gif
-rw-r--r--  1 myusername myusername 3.5K Feb 15 02:17 account_personal.gif
How do I tell the permissions? Thanks :) ... getting there slowly :)
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
The permissions are 644 for the files and myusername:myusername for the owner. You can actually get a graphical listing of the file permissions if you run this command instead:

Code:
stat -c '%a %n' /home/myusername/public_html/pathtofile
Above myusername would be the cPanel username and pathtofile the path to the set file you are trying to get the permissions for. If you are getting 644 and myusername:myusername for the file that is an exploit file mentioned previously, then the file permissions and ownership are not the issue. At that point, check the attributes using that lsattr command previously provided instead.

Also, if you want to understand how to count the file permissions, this is how it works:

r = 4 (r is read)
w = 2 (w is write)
x = 1 (x is execute)

You count up the permissions for each section for the files you've listed:

rw- = 4 + 2 + 0
r-- = 4 + 0 + 0
r-- = 4 + 0 + 0
total = 644

If any of this is confusing, please let me know.

Thanks!
 

ttmw

Member
Mar 30, 2011
I just ran the lsattr command and it just outputs the list of the file paths of the .xcache and contents of the file; I can't see any '-i' anywhere on any files.

Can I try and use the:

Code:
cd /home/username/public_html/pathtofolder
rm filename
like previously mentioned? I don't want to try unless I'm told, because I know I have the potential to screw things over big style here if I type the wrong thing, lol

Also, when I run:

Code:
stat -c '%a %n' /home/myusername/public_html/pathtofile
it returns '750'.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
For the previously provided commands to remove the file, please, please ensure you do this first:

Code:
cd /home/username/public_html/pathtofolder
Then ensure you are in the right folder:

Code:
pwd
This command shows the current working directory (it means specifically print working directory). At that point, you can try to remove the file:

Code:
rm .xcache
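The checks from cPanelTristan's two posts above (owner and mode, the lsattr immutable flag, and being sure of the directory before any rm) put into one script. This is an added example, not code from the thread or from cPanel; it assumes a Linux host with GNU coreutils stat and e2fsprogs lsattr, and the docroot pattern /home/*/public_html/* is an assumption that a box with a different layout would need to change.

```shell
#!/bin/sh
# Added example: the pre-removal triage cPanelTristan describes, in fixed order.
# Assumes GNU stat and e2fsprogs lsattr (a typical Linux cPanel server).
DOCROOT_PATTERN=${DOCROOT_PATTERN:-/home/*/public_html/*}   # assumed layout

# inspect_path PATH: prints "owner group octal-mode immutable=yes|no".
# Returns 0 if root's plain rm should work, 1 if the +i attribute is set
# (clear it with chattr -i first), 2 if the path does not exist.
inspect_path() {
    p=$1
    [ -e "$p" ] || { echo "missing: $p" >&2; return 2; }
    owner=$(stat -c '%U' "$p")
    group=$(stat -c '%G' "$p")
    mode=$(stat -c '%a' "$p")
    # lsattr only answers on filesystems with attribute support; an error
    # (or a missing lsattr) is treated as "no attributes", not as a failure.
    flags=$(lsattr -d "$p" 2>/dev/null | cut -d' ' -f1)
    immutable=no
    case $flags in *i*) immutable=yes ;; esac   # lowercase i = immutable
    echo "$owner $group $mode immutable=$immutable"
    [ "$immutable" = no ]
}

# safe_remove_dir DIR: the cd / pwd / rm -rf sequence from the thread, with
# the "are you in the right place" check made mechanical: the directory must
# sit under a docroot and must not be immutable before rm -rf is attempted.
# Returns 3 if outside the docroot, 2 if not a directory, 1 if immutable.
safe_remove_dir() {
    d=$1
    case $d in
        $DOCROOT_PATTERN) ;;
        *) echo "refusing: $d is outside $DOCROOT_PATTERN" >&2; return 3 ;;
    esac
    [ -d "$d" ] || { echo "refusing: $d is not a directory" >&2; return 2; }
    if ! inspect_path "$d"; then
        echo "refusing: run chattr -i on $d first" >&2
        return 1
    fi
    rm -rf -- "$d"
}

# usage: inspect_path /home/myusername/public_html/images/.xcache
#        safe_remove_dir /home/myusername/public_html/images/.xcache
```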
 

ttmw

Member
Mar 30, 2011
It says "rm: cannot remove directory `trashxcache': Is a directory". I have thousands of files within that folder; I won't be able to go through them all. How do I remove the lot? Thanks :)
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
So this is a folder not a file? I thought it was a file for some reason. That's problematic as you are going to have to use the -rf flags, which I really hate to use. You are certain this is an exploit directory, right? If you aren't, it's better to move it instead:

Code:
mv .xcache /root
The prior files you pasted from the folder were all gif files and wouldn't be exploits at all, so that's why I'm a bit concerned you are removing something that you might not want to be removing that's needed for this site to work.

Before removing the folder, please run the following and paste the output here:

Code:
ls -ld .xcache
The command to remove the folder would be (ensure again you are in the right directory before running this):

Code:
rm -rf .xcache
Of note, the rm -rf will remove the directory and its contents.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
This explains why you couldn't remove it using cPanel, since it is owned by nobody:nobody and I am still wondering if this is truly an exploit. What are the entire contents of that folder? If all happen to be .gif files, then it cannot be an exploit as those are image files.

Do you happen to run XCache for OPCode caching for PHP on the machine? If so, this might be what is happening.
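The permission arithmetic from cPanelTristan's earlier post and the ownership point from this one, as an added example that is not from the thread or from cPanel: mode_to_octal does the r=4/w=2/x=1 count from an ls -l mode string (and also the setuid/setgid/sticky bits, which the post does not cover), and flag_foreign_owners lists the entries in an ls -lah listing that are not owned by the account user. The listing is constructed to look like the thread's output, and "nobody" being the web server user is assumed from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). mode_to_octal turns the symbolic mode
# from ls -l into the octal number the thread counts by hand.
mode_to_octal() {
    perms=$(printf %s "${1#?}" | cut -c1-9)   # drop type char and any ACL marker
    octal=""
    for triad in "$(printf %s "$perms" | cut -c1-3)" \
                 "$(printf %s "$perms" | cut -c4-6)" \
                 "$(printf %s "$perms" | cut -c7-9)"; do
        n=0
        case $triad in r??) n=$((n + 4)) ;; esac      # r = 4
        case $triad in ?w?) n=$((n + 2)) ;; esac      # w = 2
        case $triad in ??[xst]) n=$((n + 1)) ;; esac  # x = 1 (s/t imply x)
        octal="$octal$n"
    done
    special=0                                         # leading digit, if any
    case $perms in ??[sS]??????) special=$((special + 4)) ;; esac   # setuid
    case $perms in ?????[sS]???) special=$((special + 2)) ;; esac   # setgid
    case $perms in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
    [ "$special" -eq 0 ] && echo "$octal" || echo "$special$octal"
}

# flag_foreign_owners USER < ls-output: prints every entry not owned by USER.
# Files under an account's docroot owned by the web server user (assumed to
# be nobody, as in the thread) were written by a web process, not via FTP or
# cPanel, which is why cPanel's file manager cannot remove them and why they
# deserve a look.
flag_foreign_owners() {
    expected=$1
    while read -r mode links owner group size mon day time name; do
        case $mode in [-dl]?????????*) ;; *) continue ;; esac   # skip "total"
        case $name in ./|../) continue ;; esac
        [ "$owner" = "$expected" ] && continue
        printf '%s %s:%s %s\n' "$(mode_to_octal "$mode")" "$owner" "$group" "$name"
    done
}

# Constructed listing in the shape of the thread's ls -lah output.
SAMPLE_LISTING='drwxr-xr-x 11 myusername myusername  52K Mar 30 20:49 ./
drwxr-x---  2 nobody   nobody   364K Mar 16 10:58 .xcache/
-rw-r--r--  1 myusername myusername 3.4K Feb 15 02:17 account_orders.gif
-rw-r--r--  1 nobody   nobody    26K Mar  4 14:12 100-reagent-alcohol.htm'

printf '%s\n' "$SAMPLE_LISTING" | flag_foreign_owners myusername
# prints "750 nobody:nobody .xcache/" and "644 nobody:nobody 100-reagent-alcohol.htm"
```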
 

ttmw

Member
Mar 30, 2011
I think I may have got the wrong dir in that previous reply...

ls -lah /home/myusername/public_html/images/.xcache returns

Code:
drwxr-x---  2 nobody   nobody   364K Mar 16 10:58 ./
drwxr-xr-x 11 myusernme myusername  52K Mar 30 20:49 ../
-rw-r--r--  1 nobody   nobody    26K Mar  4 14:12 100-methyl-alcohol-reagent-acs-grade.htm
-rw-r--r--  1 nobody   nobody    19K Mar  1 20:17 100-reagent-alcohol.htm
-rw-r--r--  1 nobody   nobody    24K Mar  6 06:25 1980s-new-wave-artists.htm
-rw-r--r--  1 nobody   nobody    24K Mar  6 06:10 1980s-new-wave-hits.htm
Sorry about that! I must have got the dir below with all the images. All files are similar spam .htm files. Sorry for the mistake! :eek:
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
Ah, then simply run:

Code:
cd /home/myusername/public_html/images
rm -rf .xcache
If that is indeed the folder with the spam contents.