Private server hacked


#1

Someone with an exploit has hacked my PS and uploaded the web shell c99madshell.

How can I know what operations were done on my PS and probably on my database server? I wrote to support but they don’t help me; they only explain to me how to restore the DB and file server, and that’s it.

But aren’t there some logs to know what operations were done on my private server?


#2

There are the Apache http logs. Dig through those. And start searching the Internet for what exploit(s) may exist in your software.

Support isn’t going to do a security audit of your site.

-Scott


#3

Yes, I’m trying to check it but I don’t find any strange URL.

Is it possible the web shell deleted it?


#4

And what about the MySQL log?


#5

[quote]Yes, I’m trying to check it but I don’t find any strange URL.

Is it possible the web shell deleted it?[/quote]
It probably won’t be a strange URL. Does anything on your site allow visitors to upload files?

Also don’t forget to check to see if the timestamp on the web shell script indicates when the attack occurred. Do you even have logs that go back that far?

If it got installed by a file upload, then you will be looking for POST entries.

:cool: openvein.org -//-
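An added example, not code from the thread or from DreamHost: a small POSIX shell script that applies this reply's advice to constructed Apache combined-format log lines. It lists the POST entries, follows one client IP through the log, and picks out the first GET that client made after its POST (which is often the freshly uploaded script being opened). The IPs, paths and timestamps are made-up sample data.

```shell
#!/bin/sh
# Added example: triage of Apache access logs for file-upload POSTs.
# The log lines below are constructed sample data, not a real server's log.

# Write a small combined-format access log to the path given as $1.
make_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [31/Jan/2009:22:14:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2009:22:14:09 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 312 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2009:02:03:41 +0000] "POST /wp-content/plugins/uploader/upload.php HTTP/1.1" 200 87 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Feb/2009:02:03:55 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 200 14020 "-" "Mozilla/4.0"
192.0.2.10 - - [02/Feb/2009:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Print every POST request as: timestamp, client IP, request path.
# In combined format field 4 is "[dd/Mon/yyyy:HH:MM:SS", field 6 is
# the quoted method ("POST) and field 7 the request path.
post_requests() {
  awk '$6 == "\"POST" { print substr($4, 2), $1, $7 }' "$1"
}

# Every request from one client IP, so a suspicious POST can be followed
# forwards and backwards: what did that client fetch before and after it?
# Output: timestamp, method, path, status code.
requests_from_ip() {
  awk -v ip="$1" '$1 == ip { print substr($4, 2), substr($6, 2), $7, $9 }' "$2"
}

# The first GET a client made after one of its POSTs: if the path is a
# script inside an upload directory, that is the file to inspect first.
first_get_after_post() {
  awk -v ip="$1" '
    $1 == ip && $6 == "\"POST" { seen = 1; next }
    seen && $1 == ip && $6 == "\"GET" { print substr($4, 2), $7; exit }
  ' "$2"
}

# Stand-alone demo on the constructed log.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "== POST requests =="
post_requests "$LOG"
echo "== activity of 198.51.100.7 =="
requests_from_ip 198.51.100.7 "$LOG"
echo "== first GET after its POST =="
first_get_after_post 198.51.100.7 "$LOG"
rm -f "$LOG"
```

On a real server, point the functions at the access log for the day the shell's timestamp indicates, then widen the window if the first POST from that client is not the earliest one; the same awk field positions apply to any combined-format log.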


#6

I’m not sure what you mean by the web shell deleting it. And I can’t think of what SQL logs will get you that Apache logs won’t. The database can’t be accessed from outside DreamHost servers unless you explicitly allow it. I’d expect that the exploit was initiated by a website request.

Or they just managed to get your password somehow. You’ve changed them all, right?

-Scott


#7

There is a page where the cracker can authenticate to the web shell; yesterday I visited it and now the Apache log has tracked it… so it’s strange I don’t find any other request.

All the PHP files of my site have changed with the date 02/01/2009 and include (base64 encoded) another .php file from the webshell folder.

But the site was inaccessible… so I uncovered the problem.

Why did the crackers modify all my PHP files with that encoded include? I don’t understand.


#8

[quote]There is a page where the cracker can authenticate to the web shell; yesterday I visited it and now the Apache log has tracked it… so it’s strange I don’t find any other request.

All the PHP files of my site have changed with the date 02/01/2009 and include (base64 encoded) another .php file from the webshell folder.

But the site was inaccessible… so I uncovered the problem.

Why did the crackers modify all my PHP files with that encoded include? I don’t understand.[/quote]
Well, learn quickly. You definitely want to learn all you can about not only how to keep your Internet accounts secure but also what the crackers are capable of doing so you know what to expect. Doesn’t hurt to use Google once in a while and read about this stuff!

For instance, the first hit on c99madshell is this article, Derek Fountain: c99madshell Security Review, and if you read it, he goes over not only what can be done with it, but why it is encoded in base64.

Also change the passwords on the databases too. The web shell lets the cracker read all your files, including the script files that you have to store your database passwords in. (Again, this is in the article I linked to.)

As far as how they cracked your site, you don’t sound like you have any sort of “intrusion detection” going on, much less know what to do after the fact. Every single piece of software that accepts input from the Internet is suspect, especially the popular applications. Not only that, every system you use to access your DreamHost account is suspect too (they could have obtained your passwords from your own computer).

Keep in mind your web site is running 24/7 - would you only run your surveillance/security cameras on your store when you do inventory? You need to keep an eye on it “under the hood” 24/7 too because crackers aren’t always going to be obvious by doing something silly like “defacing” the home page.

:cool: openvein.org -//-


#9

Yes, I had just read that article.

But I don’t understand why the crackers damaged all my files so that my site was inaccessible. I don’t find spam in my pages… so I don’t understand what he did :?

I see the Apache log and I see only my IP visiting the homepage of c99madshell, so he didn’t enter the webshell.


#10

In the folder of c99madshell I find a lot of files with names like “0106288e616a134dda6df81a92756b11”, created at different times and on different days. Some of the content of these files is this:

POKER ONLINE FREEROLL TOURNAMENTS

They are links to other WordPress blogs, probably hacked.


#11

[quote]In the folder of c99madshell I find a lot of files with names like “0106288e616a134dda6df81a92756b11”, created at different times and on different days. Some of the content of these files is this:

POKER ONLINE FREEROLL TOURNAMENTS

They are links to other WordPress blogs, probably hacked.[/quote]
Sounds like he was adding spam to your pages to attempt to get them into search engines (no one would see the spam with coordinates like that), and possibly to spread this webshell to other sites as well.

Definitely want to make sure you upgrade WordPress to the latest version, and it might be a good idea to disable or uninstall any plugins that let people upload files. You can also try using your own php.ini file to disable functions that such scripts use or exploit, as suggested in that article.

Also DreamHost only keeps the past 3 days or so of server logs so you definitely want a cron job to copy the logs so you can archive them yourself.

:cool: openvein.org -//-
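An added example, not from the thread or from DreamHost, of the log-copying cron job suggested above. The script archives a log file with a date stamp, compresses it, and prunes copies older than a given number of days; the log path and archive directory in the crontab comment are assumptions, since the thread gives none.

```shell
#!/bin/sh
# Added example: keep your own copy of the access log before the host
# rotates it away. Paths in the crontab comment are assumptions.

# Copy log $1 into directory $2 under a date-stamped name, gzip it, and
# print the archive path. Returns 1 (prints nothing) if the log is absent.
archive_log() {
  src="$1"; dest="$2"
  [ -f "$src" ] || return 1
  mkdir -p "$dest"
  out="$dest/$(basename "$src").$(date +%Y%m%d-%H%M%S)"
  cp "$src" "$out"
  gzip -f "$out"
  echo "$out.gz"
}

# Delete archives in $1 older than $2 days and print how many were removed.
# Uses -exec rm rather than -delete so it also works with non-GNU find.
prune_archives() {
  find "$1" -type f -name '*.gz' -mtime "+$2" -exec rm -f {} \; -print | wc -l | tr -d ' '
}

# Assumed crontab entry (paths are placeholders): archive daily at 00:05,
# keep 90 days. The host's real log location is not given in the thread.
#   5 0 * * * /home/user/bin/archive_log.sh /home/user/logs/example.com/http/access.log /home/user/log-archive

# Stand-alone demo on a constructed log file.
D=$(mktemp -d)
printf 'constructed log line 1\nconstructed log line 2\n' > "$D/access.log"
echo "archived to: $(archive_log "$D/access.log" "$D/archive")"
echo "pruned: $(prune_archives "$D/archive" 90)"
rm -rf "$D"
```

Run it more often than the host's retention window (the reply above says about three days), and store the archive outside the webroot so a future intruder with shell access cannot trivially edit the evidence alongside the live log.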


#12

Yes, but probably the cracker did something wrong, because my site got inaccessible; he added an include in all the PHP files of the entire webroot, and it overwrote some part of essential code so the functions stopped working.

I see the other hacked WordPress blogs, and they have spam pages in a totally new template… how can the cracker add them? Does it create a new database?


#13

Someone using the webshell would have total control over everything that your shell user has. They could do whatever they like, including changing WP themes, adding includes, etc.

Restore your sites from backups if you have them. Failing that, you’ll need to list files by date to help find those that have been edited and manually check each one, removing the edited content.

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost
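An added example, not from the thread or from DreamHost, of the "list files by date" procedure in the reply above, combined with a scan for the base64-encoded include the original poster described. The webroot it builds is constructed sample data; the injected line decodes to a plain include() of a file under wp-content/uploads and exists only so the scan has something to find.

```shell
#!/bin/sh
# Added example: find recently edited files and flag obfuscated includes.
# The webroot built here is constructed sample data, not the poster's site.

# Build a tiny webroot under $1: one untouched file and one file carrying an
# injected, base64-obfuscated include of the kind the thread describes.
make_sample_webroot() {
  root="$1"
  mkdir -p "$root/wp-content/uploads"
  printf '<?php\necho "about";\n' > "$root/about.php"
  # Clean file, dated well before the incident window.
  touch -t 200812150000 "$root/about.php"
  # Constructed payload: base64 of include("wp-content/uploads/c99/x.php");
  printf '<?php\neval(base64_decode("aW5jbHVkZSgid3AtY29udGVudC91cGxvYWRzL2M5OS94LnBocCIpOw=="));\necho "home";\n' > "$root/index.php"
  touch -t 200902010300 "$root/index.php"
}

# Files under $1 modified after timestamp $2 (YYYYMMDDhhmm). A reference
# file plus POSIX 'find -newer' works where GNU 'find -newermt' is absent.
modified_since() {
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}

# PHP files under $1 containing obfuscation primitives typical of injected
# code. A hit is a candidate for manual review, not proof of compromise.
suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -l -E 'base64_decode|eval\(|gzinflate' {} \; | sort
}

# Files that are both recently modified and carry such primitives: the
# short list to review first when a backup restore is not an option.
review_first() {
  modified_since "$1" "$2" | while IFS= read -r f; do
    case "$f" in
      *.php) grep -l -E 'base64_decode|eval\(|gzinflate' "$f" || true ;;
    esac
  done
}

# Stand-alone demo on the constructed webroot.
W=$(mktemp -d)
make_sample_webroot "$W"
echo "== modified since 31 Jan 2009 =="
modified_since "$W" 200901310000
echo "== suspicious PHP =="
suspicious_php "$W"
echo "== review first =="
review_first "$W" 200901310000
rm -rf "$W"
```

Timestamps are only a first filter: a shell user can set any mtime with touch, so a file that looks old is not cleared by its date. The content scan is the second filter, and a clean copy from backup or the original WordPress release is the final check.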