How Could This Happen

Worker Joined: Oct 26, 2004 Posts: 134 Location: Boston

Raven I need your help in trying to understand how some one could put a Bot on my site ? I just got home and for the past year I have tryed to keep the site locked down but when I went to the site tonight the hosting company deleted the whole site on me with no email beforehand just gone never to be seen again $#@$ the results of their scan is below

My site was up to date, patched . 7.8 Including the latest upgrades to v3.1x and phpBB 2.0.17 from chatserv the only thing i did not have was sentinal and i am kicking myself for not haveing it any way this is what the hosting company results of their scan is below?? Can you help me to understand what could of happend and how to stop this from ever going on again. I am just soooo peeed off right now one year of hard work on the site is now gone. What can I do so that I never have to go through this again... please any help on this

----------
SERVER LOG
----------
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 15297 cwd DIR 3,8 4096 13518449
/home/public_html/vwar/includes/language/bot
/home/public_html/vwar/includes/language/bot/LinkEvents
sh 15297 *** 1u IPv4 293748709 TCP
:****->London2.UK.EU.undernet.org:ircd

-----------------------------------------------------------

Site Admin Joined: Jun 04, 2004 Posts: 6432

I guess it doesn't matter now, but I'd recommend editing out your root path from future postings.

That said, 7.8, even patched, has security flaws even NukeSentinel can't protect / prevent / block. This has been widely discussed here.

I'd suggest using a patched 7.6 distribution - like the one Raven posted here - with NukeSentinel.

Be careful with upload or photo gallery scripts that allow uploading as these can also cause problems.

Posted: Mon Nov 28, 2005 8:05 pm

Seems to be a vulernability with vWar, not phpNuke itself. You'd need access logs to determine how they did it

Posted: Mon Nov 28, 2005 8:53 pm

I was going to get the logs but they did not email me they was going to delete the site so I could not.

I am just so pi$$ed off right now at the hosting company for not at lest trying to email me befor the did this. So i guess no coppermine and no vwar plus getting Ravens patched should stop this.

And I am sorry for not doing a search just too angry right now to read I would like to talk to the hosting people in person That might help also Wink

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Third party scripts that allow upload of any kind are always dangerous. Unfortunately, you had to learn the hard way. You might consider Raven Web Hosting. I would have at least warned you Smile

Posted: Mon Nov 28, 2005 9:02 pm

Now You Tell Me gezzzzzz Thanks Raven and will do that soon

Posted: Mon Nov 28, 2005 9:59 pm

Wow, I am astounded that your host deleted your account.
Most decent hosts would have simply suspended it so the problem could be verified, discussed and a possible solution drawn up.
Then if needed, it could of been activated again temporarily so you could at least have retrieved your files and DB.

Posted: Tue Nov 29, 2005 10:34 am

I agree with Gaurdian, that seems a bit harsh on the host's part.

New Member Joined: Aug 24, 2003 Posts: 11

Undernet is an IRC network. Maybe these guys uploaded eggdrop and were operating bots on your server. A couple months ago, outsiders uploaded eggdrop through a security hole in PostNuke on a few accounts at my host. They didn't go very far because our servers are scanned every few seconds, and oddball processes are immediately killed.

Although deleting an account is devastating to a customer, perhaps the host didn't catch them early enough and had no choice here. Their responsibility is to protect the server for all occupants. They should have at least notified you immediately afterwards.

Posted: Wed Nov 30, 2005 9:40 am

I do the same with my servers. Eggdrop is such a common one. They could have (should have imo) suspended the account and done what they needed to. That's the whole point, imo. Knee jerk reactions are silly.

Posted: Wed Nov 30, 2005 11:55 am

I do understand that they have to protect the hosting sys But could this bot do any thing to the msql data sys. I am still at a lost as to what could of been saved. The way I look at it what if I was some one like amazon or some thing like that do you then just go ahead and delete their whole site then they lost every thing ? We all put a lot of time and effort into the site with all the members and post now gone. I kind of want to think that the tables could of been saved ?

Also can any one let me know of some type of program that i can use to do my own scans on the site ? I do scan any thing that I upload to it here on my sys beforhand. I would like to try to stop this from ever getting to the point that they do a scan on their end and whoshhhhh GONE again.

Posted: Wed Nov 30, 2005 12:37 pm

They should still have a backup of all your stuff. I would try to get it.

Posted: Wed Nov 30, 2005 1:17 pm

It would not help me Raven This is what I got back from them so I could not use the backup to my nuke data base.

Unfortunately it appears your account may have been compromised. We found several hacking-related scripts under the ownership of your user account. These scripts when we locate them are usually found in the /tmp directory of the main server, but sometimes are located within the user account itself.

Please keep in mind that we do not explicitly go looking for these scripts, we merely suspend when we come across them and or we find them through investigation of high-resource usage stemming from your account (usually caused by those scripts themselves).

While we terminate any exploits found in /tmp upon discovery, this leads to an exploit or other abuse-related issue contained within your user accont.

As a result of this we will need to Terminate the account and reinstate it as a fresh brand new account to rid your account of the trailing abusive scripts that were installed to your site as a result of the exploit/hacking/abuse.

Please confirm this action by posting the last four digits of the Credit Card on file with the account and we will go ahead and regenerate this account for you.

Please note you will not be permitted to reload any backups dated from this suspension date or later to the server for risk of setting your account back up for exploitation again. Sad

Unfortunately security down to this account-level cannot be controlled by us, it is left up to you, the client, to maintain that level of security. We will continue to do our part with overall server security.

Upon reinstatement of your account it would be wise to change all account passwords as well as ensure you only install the latest and greatest versions of the scripts you employ.

Let us know if we can do anything further to assist.