The Community Forums

Interact with an entire community of cPanel & WHM users!

hacked... Please help

Discussion in 'General Discussion' started by oprock, Apr 23, 2007.

  1. oprock

    oprock Member

    Joined:
    Mar 26, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    This issue jumped from domain to domain on the server, changing the index page to look like:



    hacked cetin------------- - - - TurkHackBirligi.Org



    Then, after deleting the index file and replacing it with the original index.htm, the site works fine again.

    Any idea what this is and how to fix and prevent it? Please help.

    Thank you
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    There are many users like you who had the same problem. The best way is to harden and secure your server. These threads discuss this problem:

    http://forums.cpanel.net/showthread.php?t=62821
    http://forums.cpanel.net/showthread.php?t=65013
    http://forums.cpanel.net/showthread.php?t=51664&highlight=php+inject
     
  3. oprock

    oprock Member

    Joined:
    Mar 26, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Server hacked !!! Please help

    Hello,

    The weird thing is that almost all of my servers got infected like this suddenly.

    Thanks for the links, I am checking them now, but if anyone has more ideas please post them here.


    Thanks
     
  4. oprock

    oprock Member

    Joined:
    Mar 26, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Server hacked !!! Please help

    Hello,

    I have detected Trojan.PHP.C99SHELL. I guess this is the cause.

    Is deleting this trojan enough? I mean deleting it and hardening the server as well.

    Or maybe, once I am hit by this, do I need a reload of the server?

    Thanks
     
  5. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    I wonder how they exploited your server to put that trojan there.
     
  6. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Once they get that shell on there they can do a lot, including read files and directories. I would at least reset all account passwords (including FTP) once you've cleaned things up.
     
  7. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    They take advantage of a poorly written upload routine by uploading an image file that contains PHP code, and once it's read, the PHP code executes.
     
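As an added example of the upload weakness mctDarren describes (this is illustrative Python written for this page, not code from the thread or from cPanel), the block below builds a constructed GIF that also carries PHP, shows that a check which only looks at the magic bytes and the client-supplied name lets it through, and puts a hardened check beside it. The `AddHandler` behaviour it relies on is Apache's: with `AddHandler application/x-httpd-php .php`, every dotted suffix of a name counts as an extension, so `shell.php.gif` is handed to PHP.

```python
"""Added example (not code from the thread or from cPanel): how an image
upload check gets bypassed by an image that also contains PHP, and what a
hardened check looks like. All sample bytes below are constructed."""
import os
import re
import uuid

# Constructed "image": a valid GIF89a header followed by PHP code. A check
# that only looks at the magic bytes, or at the client-supplied name, passes it.
POLYGLOT_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                b"\n<?php system($_GET['c']); ?>\n")
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"

ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}
# Magic bytes -> canonical extension the stored file will get.
MAGIC = {
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}
# PHP open tags; "<script language=php>" was also honoured by PHP of that era.
PHP_TAG = re.compile(rb"<\?(php\b|=)|<script[^>]*language\s*=\s*['\"]?php", re.I)


def naive_accepts(filename: str, data: bytes) -> bool:
    """Models the weak routine: accepts if the name looks like an image
    somewhere and the bytes start like an image, then keeps the client's
    filename. 'shell.php.gif' passes, and with Apache's AddHandler for .php
    every dotted suffix is an extension, so the file runs as PHP."""
    name = filename.lower()
    looks_like_image_name = any(ext in name for ext in ALLOWED_EXT)
    looks_like_image_bytes = any(data.startswith(m) for m in MAGIC)
    return looks_like_image_name and looks_like_image_bytes


def hardened_accepts(filename: str, data: bytes):
    """Returns the server-chosen name to store the file under, or None to reject.
    Only the last extension counts, it must be in the allowlist, the magic
    bytes must agree with it, the body must not contain a PHP open tag, and
    the stored name is generated by the server (random + canonical extension)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    canonical = next((c for m, c in MAGIC.items() if data.startswith(m)), None)
    if canonical is None:
        return None
    if canonical != (".jpg" if ext == ".jpeg" else ext):
        return None          # extension and content disagree
    if PHP_TAG.search(data):
        return None          # image/PHP polyglot
    return uuid.uuid4().hex + canonical


if __name__ == "__main__":
    samples = (("shell.php.gif", POLYGLOT_GIF), ("avatar.gif", POLYGLOT_GIF),
               ("avatar.gif", CLEAN_GIF))
    for name, blob in samples:
        print(f"{name:15} naive={naive_accepts(name, blob)!s:5} "
              f"hardened={hardened_accepts(name, blob)}")
```

The stronger fix sits outside the check: store uploads under a server-generated name in a directory that the web server does not hand to PHP at all. Note that in this thread the attacker did not need an upload bug, since oprock later finds the file arrived over FTP with a valid account password.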
  8. oprock

    oprock Member

    Joined:
    Mar 26, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Server hacked !!! Please help

    Hello,

    The source was Turkish IP addresses and the file was uploaded via Pure-FTPd. They really got into a client's account and uploaded it using FTP.

    The whole server has been scanned and all the trojans are deleted.

    Now changing the account passwords.

    Thanks
     
  9. oprock

    oprock Member

    Joined:
    Mar 26, 2006
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hacked !!! Please help

    Hello,

    Do the lines below from /var/log/messages really show that the hacker knows the user's password?


    Apr 24 00:19:12 srv4 pure-ftpd: (?@85.102.216.102) [INFO] New connection from 85.102.216.102
    Apr 24 00:19:20 srv4 last message repeated 2 times
    Apr 24 00:19:21 srv4 pure-ftpd: (?@85.102.216.102) [INFO] local@ghjhg.com is now logged in
    Apr 24 00:19:37 srv4 pure-ftpd: (local@gjhhgj.com@85.102.216.102) [NOTICE] /home/ghjhg/public_html//deneme.php uploaded (163249 bytes, 25.31KB/sec)
    Apr 24 00:21:27 srv4 pure-ftpd: (local@hgjhg.com@85.102.216.102) [INFO] Logout.


    deneme.php was the infected file.

    thanks
     
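To turn log lines like the ones oprock posted into something you can act on, here is an added Python example (not from the thread, not a cPanel tool) that parses the default Pure-FTPd syslog format, flags uploads of script-like files, and groups logins and uploads per source IP. The first five sample lines are the ones quoted above; the last two are constructed for the example (one benign upload and one double-extension name that Apache's `AddHandler` would still run as PHP).

```python
"""Added example (not from the thread): parse pure-ftpd syslog lines and flag
uploads of script files by source IP. Lines 1-5 of SAMPLE_LOG are the ones
quoted in the post; the last two are constructed for this example."""
import os
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 24 00:19:12 srv4 pure-ftpd: (?@85.102.216.102) [INFO] New connection from 85.102.216.102
Apr 24 00:19:20 srv4 last message repeated 2 times
Apr 24 00:19:21 srv4 pure-ftpd: (?@85.102.216.102) [INFO] local@ghjhg.com is now logged in
Apr 24 00:19:37 srv4 pure-ftpd: (local@gjhhgj.com@85.102.216.102) [NOTICE] /home/ghjhg/public_html//deneme.php uploaded (163249 bytes, 25.31KB/sec)
Apr 24 00:21:27 srv4 pure-ftpd: (local@hgjhg.com@85.102.216.102) [INFO] Logout.
Apr 24 09:02:11 srv4 pure-ftpd: (local@example.com@192.0.2.10) [NOTICE] /home/example/public_html/photo.jpg uploaded (20480 bytes, 10.00KB/sec)
Apr 24 09:03:40 srv4 pure-ftpd: (local@example.com@192.0.2.10) [NOTICE] /home/example/public_html/images/avatar.php.jpg uploaded (4096 bytes, 4.00KB/sec)
"""

# "(user@ip)" - the user part may itself contain '@' (virtual FTP accounts),
# so match greedily and let the trailing dotted-quad anchor the split.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pure-ftpd: "
    r"\((?P<user>.*)@(?P<ip>\d+\.\d+\.\d+\.\d+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
UPLOAD_RE = re.compile(r"^(?P<path>.+?) uploaded \((?P<size>\d+) bytes")
LOGIN_RE = re.compile(r"^(?P<account>\S+) is now logged in$")
SCRIPT_EXT = {"php", "php3", "php4", "php5", "phtml", "phps", "pl", "cgi", "sh", "py"}


def parse_pure_ftpd(lines):
    """Yield one dict per pure-ftpd line; lines from other daemons are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["event"] = "other"
        up = UPLOAD_RE.match(ev["msg"])
        login = LOGIN_RE.match(ev["msg"])
        if up:
            ev.update(event="upload", path=up["path"], size=int(up["size"]))
        elif login:
            ev.update(event="login", account=login["account"])
        elif ev["msg"].startswith("Logout"):
            ev["event"] = "logout"
        yield ev


def is_script_name(path):
    """True if any dotted suffix of the basename is a script extension, so
    'deneme.php' and 'avatar.php.jpg' both count."""
    parts = os.path.basename(path).lower().split(".")[1:]
    return any(p in SCRIPT_EXT for p in parts)


def suspicious_uploads(lines):
    """Uploads of script-like files, in log order."""
    return [ev for ev in parse_pure_ftpd(lines)
            if ev["event"] == "upload" and is_script_name(ev["path"])]


def sessions_by_ip(lines):
    """Group logins and uploads per source IP: the list of addresses (and
    accounts) to chase through the other log directories afterwards."""
    out = defaultdict(lambda: {"logins": [], "uploads": []})
    for ev in parse_pure_ftpd(lines):
        if ev["event"] == "login":
            out[ev["ip"]]["logins"].append(ev["account"])
        elif ev["event"] == "upload":
            out[ev["ip"]]["uploads"].append(ev["path"])
    return dict(out)


if __name__ == "__main__":
    for ev in suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(f"{ev['ts']} {ev['ip']:15} {ev['user']:20} {ev['path']} ({ev['size']} bytes)")
```

Run it against `/var/log/messages` (or wherever syslog sends the ftp facility) with `parse_pure_ftpd(open(path))`; a successful `is now logged in` followed by an upload, with no failed-authentication noise in between, is what a valid password looks like in this log.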
  10. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    There are several phishing tools including c99shell.php, r57shell, and PhpShell. Although these scripts do not allow direct access to the server, they can be dangerous tools. We have seen hackers download and install these scripts directly on the server. Other hackers can even insert the code of one of these scripts into a vulnerable PHP script residing on your server. Scan your server very well and get rid of these malicious scripts.
     
  11. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Yes, did changing the password stop uploads? And can you grep a few spots for that IP address and see what you come up with for me?

    grep -R "85.102.216.102" /var/log/*
    grep -R "85.102.216.102" /usr/local/apache/logs/*
    grep -R "85.102.216.102" /usr/local/cpanel/logs/*
    grep -R "85.102.216.102" /usr/local/apache/domlogs/*

    Thanks! D
     