Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Trubador
Regular
Regular


Joined: Dec 28, 2004
Posts: 94

PostPosted: Sat Oct 20, 2007 6:01 pm Reply with quote

Hi all.

Just wondered if anyone could shed light on these script files that were running processes on my server?

fb/ftp_scanner.c
fb/run
fb/ftp_scanner
hantu.tgz
fb.tar.gz
udp.tar.gz
udp.pl

and of course if anyone has found these before. My host deleted them all so I dont even know the contents.

Sadly I've no idea on how they got there but have changed all passwords to EVERYTHING.

Can anyone shed any light?

Cheers Trub
 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Sat Oct 20, 2007 6:42 pm Reply with quote

Do a search for 1. hantu.tgz 2. the rest of the files and you´ll find the answer.
I have not seen these files before. Guess someone hacked the server.
 
View user's profile Send private message
Trubador
PostPosted: Sat Oct 20, 2007 7:01 pm Reply with quote

lol..... just been doing just that and on udp.tar.gz.

My server hosts suspended my account for 8 hours with:-

"Account suspended. Please contact billing" for all my users to see for 6 hours. Oh..... and "The domain *************.com has been suspended following an abuse report. It seems that you account is hacked and malicious scripts have been uploaded to the site. We have informed you earlier also, but it seems that you have not checked your account and have not secured it. We have found the following malicious files:-

fb/ftp_scanner.c
fb/run
fb/ftp_scanner
hantu.tgz
fb.tar.gz
udp.tar.gz
udp.pl

We are awaiting an explanation."

I love that last bit.

I've sat here for hours trusting that fact that my hosts were experienced and that I'd done wrong. After a bit of invest I think it may be an SSH port 22 problem...... (a little past my limited knowledge) Smile

Anyone fancy helping me write an "explanation"? LMAO

Trub
 
Trubador
PostPosted: Sat Oct 20, 2007 7:03 pm Reply with quote

P.s. My default email is on that account....... lol....... so how do I check it...... lol
 
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Sat Oct 20, 2007 9:27 pm Reply with quote

Well, here's some wisdom...

You should always have the email associated with your website on a different server. I think 'why' should be obvious!

A busy shared server leaves your web hosting company an impossible situation to monitor all activity. It is your responsibility to keep your web space secured. This is to YOUR advantage, because when a web host starts creating an environment that's 'idiot proof' for hacking, YOU start losing services and abilities. Variables that are VERY NICE to have in PHP and MySQL start getting locked down, etc. If you don't manage your own stuff and they are forced to, typically you will end up with a lot less useful things. It's just the way the world works....

Although my feeling might not be shared by all web hosting outfits, I do believe they are responsible at this point for telling you how you got hacked (they have access to far more detailed log records than you...). They have identified the malicious scripts that were eventually uploaded and executed, but they need to tell you HOW they got there. Was an insecure script of yours used to compromise your file sytem? Was a SSH session used to upload the initial files?

They don't have many choices available except to suspend the site. I don't know why they are asking you to explain? They should TELL you how it happened

_________________
PHP - Breaking your legacy scripts one build at a time. 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sat Oct 20, 2007 11:12 pm Reply with quote

Most of the times its a PHP remote file inclusion exploit. Many bots are designed to automate this process and handle all kinds of exploits against your website scripts. hantu.tgz seems to be part of a modified c99shell to compromise your server

You'll need to get to your access logs and see how they got in. Your host probably doesn't want to spent the time to do that... more likely that they put the blame on your shoulders.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©