[quote]There is a page where the cracker can authenticate to the web shell. Yesterday I visited it and now the Apache log has tracked it… so it’s strange I don’t find any other request.
All the PHP files of my site have changed with the date 02/01/2009 and include (base64 encoded) another .php file of the webshell folder.
But the site was inaccessible… so I uncovered the problem.
Why do the crackers modify all my PHP files with that encoded include? I don’t understand[/quote]
Well, learn quickly. You definitely want to learn all you can about not only how to keep your Internet accounts secure but also what the crackers are capable of doing so you know what to expect. Doesn’t hurt to use Google once in a while and read about this stuff!
For instance, the first hit on c99madshell is this article, “Derek Fountain: c99madshell Security Review”, and if you read it, he goes over not only what can be done with it, but why it is encoded in base64.
Also change the passwords on the databases too. The web shell lets the cracker read all your files, including the script files that you have to store your database passwords in. (Again, this is in the article I linked to.)
As for how they cracked your site, you don’t sound like you have any sort of “intrusion detection” going on, much less know what to do after the fact. Every single piece of software that accepts input from the Internet is suspect, especially the popular applications. Not only that, every system you use to access your DreamHost account is suspect too (they could have obtained your passwords from your own computer).
Keep in mind your web site is running 24/7 - would you run your surveillance/security cameras on your store only when you do inventory? You need to keep an eye on it “under the hood” 24/7 too because crackers aren’t always going to be obvious by doing something silly like “defacing” the home page.
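
As an added example (not part of the original post), here is a small Python scanner for the symptom described in the quote: PHP files that include or eval a base64-encoded string. The function names, the regular expression and the sample web root with its path are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# include/require/eval whose argument is base64_decode() of a string literal.
INJECT_RE = re.compile(
    r"\b(include|include_once|require|require_once|eval)\s*\(?\s*"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)",
    re.IGNORECASE,
)

def scan_php_source(text):
    """Return (construct, decoded_argument) for each encoded include/eval found."""
    hits = []
    for construct, blob in INJECT_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = "<undecodable>"  # still reported: the construct itself is suspicious
        hits.append((construct.lower(), decoded))
    return hits

def scan_tree(root):
    """Map each .php file under root to its findings; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Build a constructed sample web root (placeholder path) and scan it."""
    injected = base64.b64encode(b"/home/example/webshell/inc.php").decode()
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(
            "<?php include(base64_decode('%s')); ?>\n<?php echo 'home'; ?>\n" % injected)
        Path(root, "clean.php").write_text("<?php include('header.php'); ?>\n")
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        for construct, decoded in hits:
            print(f"{name}: {construct} -> {decoded}")
```

Run on a schedule against the web root, a non-empty report is a signal to compare the flagged files with a known-good copy.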