May have been hacked


#1

Hi,
I think I may have been hacked. I ran a scan across my space and discovered the following:

-rw-r--r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/insta2.php

-rw-r--r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/private/insta2.php

-rw-r--r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/plugins/insta2.php

-rw-r--r-- 1 dezcombz pg1577697 1593 2012-02-19 00:22 ./Elearningconsultancy.com/comics/storage/templates/insta2.php

-rw-r--r-- 1 dezcombz pg1577697 1593 2012-02-21 00:08 ./theirtake.com/gallery2/g2data/insta2.php

You can see that these files (all with the same name and filesize) are owned by somebody called ‘dezcombz’, and have a file date in February 2012. I think that’s when the big hacking attack was made on Dreamhost.

They have ‘read/write’ permissions for the owner (‘dezcombz’) and read permissions for other users.

I can’t do anything with those files, because they aren’t owned by my username. So I can’t remove their permissions or delete them.

Can someone at Dreamhost delete or disable them (remove their permissions), assuming you agree they are probably part of a hacking attempt?

Looking at the code in the file, it looks like it might be pulling something in from another IP address.

Many thanks,

Nick


#2

Open up a ticket with Dreamhost to have them kill those if you cannot change their ownership and get rid of them yourself.

Also, read up on the info at http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites to get some ideas about how to get rid of the compromised files on your server.