
Sites hacked
03-13-2012, 11:33 PM (This post was last modified: 03-13-2012 11:53 PM by sXi.)
Post: #281
RE: Sites hacked
Using things like find . -iname "*utf*.php" is a terrible solution.

Did you back up your original website files before deleting them?


(03-13-2012 11:10 PM)Spasso Wrote:  In my MySQL database under information_schema in processlist I found but cannot delete:
ID# USERNAME humandisorder.com:47496 information_schema Query 0 executing SELECT * FROM `PROCESSLIST`LIMIT 0, 30

I think you'll find that the domain listed there is hosted with DH and that PROCESSLIST is actually reporting on your own perusal of the information_schema. If you're auditing information_schema then look at USER_PRIVILEGES.

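To make the point about name-based searches concrete, here is an added example (my own code, not sXi's scanner or anything posted in this thread) that runs a `find`-style match on the file name next to a content-based scan over a constructed sample site. The indicator list, the sample files, the theme path and the dummy base64 blob are all assumptions made for the demo, not signatures from any real scanner.

```python
import os
import re
import tempfile

# Constructed indicator list (an assumption, not an exhaustive signature set):
# eval/assert fed a decoded or decompressed blob or raw request input, and
# preg_replace() with the /e modifier, which evaluates its replacement as PHP.
INDICATORS = re.compile(
    rb"(?:eval|assert)\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13"
    rb"|\$_(?:POST|GET|REQUEST|COOKIE))"
    rb"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"
)
PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def php_files(root):
    """Every PHP-like file under root, whatever it is called."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXT):
                yield os.path.join(dirpath, name)


def name_based_scan(root):
    """The approach the post calls terrible: decide by file name alone."""
    return sorted(os.path.relpath(p, root) for p in php_files(root)
                  if "utf" in os.path.basename(p).lower())


def content_scan(root):
    """Decide by what the code does: flag files whose body matches INDICATORS."""
    hits = []
    for path in php_files(root):
        with open(path, "rb") as fh:
            if INDICATORS.search(fh.read()):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


# Constructed sample site: a legitimate helper whose name contains "utf" and
# which uses base64 harmlessly, a theme file with an injected
# eval(gzinflate(base64_decode(...))) line (the blob is an opaque dummy), and a
# request-driven shell under an unremarkable name.
SAMPLE_SITE = {
    "wp-includes/utf8-helpers.php": (
        b"<?php\n"
        b"function to_utf8($s) { return mb_convert_encoding($s, 'UTF-8'); }\n"
        b"$logo = base64_encode(file_get_contents(__DIR__ . '/logo.png'));\n"
    ),
    "wp-content/themes/twentyten/functions.php": (
        b"<?php\n"
        b"add_action('init', 'theme_setup');\n"
        b"/* injected */ eval(gzinflate(base64_decode('eJwrSU3OBgAEXgG8')));\n"
    ),
    "r.php": b"<?php @eval($_POST[\"c\"]);\n",
}


def build_sample_site(root):
    """Write SAMPLE_SITE under root."""
    for rel, body in SAMPLE_SITE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def run_demo():
    """Build the sample site in a temp dir and return both scans' results."""
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        return name_based_scan(site), content_scan(site)


if __name__ == "__main__":
    by_name, by_content = run_demo()
    print("name-based    :", by_name)      # only the harmless utf8 helper
    print("content-based :", by_content)   # the injected theme file and r.php
```

The name-based search flags exactly the one file that is clean and misses both backdoors; the content scan does the reverse. Plain `base64_encode`/`base64_decode` on its own is not flagged, which is the "my own r.php uses base64" case sXi raises later in the thread. On the database side, the pointer in the post is a real table: `SELECT GRANTEE, PRIVILEGE_TYPE FROM information_schema.USER_PRIVILEGES;` lists who holds which global privilege.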
03-14-2012, 12:38 AM
Post: #282
RE: Sites hacked
(03-13-2012 10:56 PM)sXi Wrote:  I seriously doubt "DH were unable to delete the files", and the only thing that could stop you deleting them yourself is if they have been set to a different owner. The files you mention are common names for remote shells, so it would seem whoever used it against you didn't even take the time to edit the bot config before running it.

Example: http://www.3desa.ru/content/resource_icons_file/

If you want someone else to take a look send me an email. I'll be happy to help.

Hi sXi,

I sent you an email but I can't get the forum to confirm that it has been sent. There are no sent messages in my sent box. The system confirmed that I'm registered to send emails. It's one of those days......

Kerry
03-14-2012, 12:44 AM (This post was last modified: 03-14-2012 12:57 AM by sXi.)
Post: #283
RE: Sites hacked
Hi Kerry,

Just noticed that I received your mails about 25 minutes ago. Reading them now.


--- begin edit

The email you received from DH is full of really good advice and it's apparent that the coders who wrote the preliminary scanner have their finger on the pulse. I'd hazard a guess that they are not automatically removing flagged files because if any automatic editing process left a website in ruin then that would allow a user to claim that DH are at fault for "something". For example, I might have some base64 stuff in a file called r.php that is my own custom code and some Happy Dreamhost Delete Everything robot might wreck everything if it removed it.

After which I'd storm over to this forum and post in ALL CAPS about "LOOSING THOUSANDSSS".

imho their method is correct in every sense.

--- end edit

03-15-2012, 10:52 AM
Post: #284
RE: Sites hacked
Just finishing up cleaning up after this fun.

All sites check clean with the two web site checkers that were in this thread.
All sites check clean with the script given in this thread.

Sites split into multiple users now.
All passwords changed (database, FTP/account, root account).
User accounts that were compromised have had all sites pulled from them.

But when I log in under the old users (they're not listed as having access to the domains now), they still show the folders for the domains even though they've been moved to new users.

Also I'm seeing directories from Old sites (no longer hosted / used) and I can't delete them with the Ajax FTP Browser. I'm also running across "Empty" (I don't see anything in them) directories that I can't delete. Do I have to go in via a shell account to delete these directories?
03-15-2012, 12:07 PM (This post was last modified: 03-15-2012 12:47 PM by stephensmith.)
Post: #285
RE: Sites hacked
I'm working my way through all 29 pages of this thread. I see some posts on the rr.nn hack, but I don't think this situation has been specifically addressed:

A number of my websites were hit with this hack, which creates a .logs folder in my root directory. Within the folder is a single text file, in my case log1.txt. The text file is simply a listing of a dozen or so URLs that the hacker is trying to get my website to redirect to (I assume).

When I delete the file and the folder, they are recreated -- sometimes within minutes. I have tried to find other files that might be doing this, but so far no luck.

Elsewhere, someone described this same hack happening to him. He said that deleting all of the non-used Wordpress themes stopped the folder/file from being re-created. I tried this, too, but it didn't work.

Does anyone have a clue as to where I should look for the file(s) that is re-creating the .logs folder and the log1.txt file? I assume that this same file or another one is attempting to redirect my site as well.

Thanks,
Steve

P.S: I have also updated all my plug-ins, and deleted those I am not using.
03-15-2012, 12:45 PM
Post: #286
RE: Sites hacked
I keep finding this added to the beginning of my php files:

Code:
<?php /**/?>


what does this do?

I also find a folder titled ".logs" with a text file list of spam sites. I delete them and they return a day or so later.
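For the `.logs` folder that keeps coming back (the question in the two posts above), a plain grep for ".logs" across the webroot often finds nothing because the dropper builds the path from an encoded string. This added example (my own code, not from the thread or from DreamHost's scanner) searches for the artifact name literally, hex-escaped, and as base64 fragments at all three byte alignments, and also checks the user's crontab, since a cron job is the other common way a deleted file reappears on a schedule. The sample site, the inactive theme path and the dropper code are constructed for the demo.

```python
import base64
import os
import subprocess
import tempfile


def base64_fragments(needle):
    """Base64 substrings produced by `needle` at each of the three byte
    alignments. Leading and trailing characters that also depend on the
    neighbouring bytes are dropped, so each fragment is a substring of the
    encoding of any string containing the needle at that alignment."""
    frags = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + needle).decode().rstrip("=")
        start = (0, 2, 3)[k]                                    # chars mixing pad and needle bits
        end = len(enc) - (1 if (k + len(needle)) % 3 else 0)    # char mixing needle and successor
        frags.append(enc[start:end].encode())
    return frags


def fragments_selfcheck(needle, prefix=b"ab", suffix=b"tail"):
    """Each fragment must appear when the needle is preceded by k bytes."""
    return all(frag in base64.b64encode(prefix[:k] + needle + suffix)
               for k, frag in enumerate(base64_fragments(needle)))


def search_patterns(needle):
    """Literal name, PHP hex-escaped form ("\\x2e\\x6c...") and base64 fragments."""
    hexed = "".join("\\x%02x" % b for b in needle).encode()
    return [needle, hexed] + base64_fragments(needle)


def find_references(root, needles, encoded=True):
    """Files under root mentioning any needle; with encoded=False, literal only."""
    patterns = [p for n in needles for p in (search_patterns(n) if encoded else [n])]
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if any(p in data for p in patterns):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def cron_references(needles):
    """Crontab lines mentioning a needle; empty when crontab is unavailable."""
    try:
        out = subprocess.run(["crontab", "-l"], capture_output=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return []
    return [line for line in out.splitlines() if any(n in line for n in needles)]


ARTIFACT = b".logs/log1.txt"


def build_sample_site(root):
    """Constructed site: the dropper sits in an inactive theme and decodes the
    path from base64 behind a 4-byte prefix, so a literal grep never sees it."""
    blob = base64.b64encode(b"dir=" + ARTIFACT).decode()
    dropper = (
        "<?php $p = substr(base64_decode('" + blob + "'), 4);\n"
        "@mkdir(dirname($p)); file_put_contents($p, implode(\"\\n\", $GLOBALS['u']));\n"
    ).encode()
    files = {
        "wp-content/themes/unused-theme/header.php": dropper,
        "wp-content/themes/active/functions.php": b"<?php add_action('init', 'theme_setup');\n",
        ".logs/log1.txt": b"http://example.invalid/a\nhttp://example.invalid/b\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def run_demo():
    """Return (literal-only hits, hits including encoded forms) for the sample."""
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        return (find_references(site, [ARTIFACT], encoded=False),
                find_references(site, [ARTIFACT]))


if __name__ == "__main__":
    literal, encoded = run_demo()
    print("literal grep :", literal)     # nothing
    print("with encodings:", encoded)    # the inactive theme's header.php
    print("crontab      :", cron_references([b".logs", b"log1.txt"]))
```

Search for the full path rather than just `.logs`: a short needle gives short base64 fragments and more chance hits. When a file is found this way, its contents still need reading; the search only tells you where the string lives, not that the file is malicious.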
03-15-2012, 12:55 PM
Post: #287
RE: Sites hacked
My sites were hacked a couple of weeks back and injected with Google UA pharma code. The clean-up process included:
- deleted all non-critical content from the server;
- deleted all non-critical databases;
- upgraded all software;
- deleted all hacker shells and malicious scripts that I could find;
- changed my passwords;
- disabled FTP access to my account;
- removed all 777 and 666 permissions;
- manually combed remaining database for suspicious activity.

After all this, DH scan and sucuri.net confirmed my remaining site was clean. For about a week.

As of last weekend the malicious code re-appeared and I'm completely lost as to where from. To add insult to injury, DH has not responded to any of my support tickets or Twitter reminders in the last 4 days!!!

I've already wasted days on this. I've taken desperate measures like removing content I didn't really want to. I've completed all the steps DH suggested as well as other solutions I've researched on my own.
Throughout this ordeal I have to say I've been completely unimpressed with DH's level of involvement and assistance.

At this point I am really starting to believe that the intrusion has absolutely nothing to do with the settings on my account, but with the security of the server in general.

I've been a DH client for 7 years but this is really the last drop.
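One step in the list above, removing all 777 and 666 permissions, is easy to get wrong with a recursive `chmod`, which sets files and directories to the same mode. This added example (my own code, not part of the post or of any DreamHost tool) walks a tree, reports what is world-writable, and resets files to 644 and directories to 755, with a dry-run mode so the list can be reviewed first. The sample tree and the 644/755 targets are assumptions for the demo.

```python
import os
import stat
import tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755   # assumed shared-hosting defaults


def world_writable(root):
    """Yield (relative path, is_dir, mode) for every world-writable entry under
    root. Symlinks are skipped: chmod would change the target, not the link."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                yield (os.path.relpath(path, root), stat.S_ISDIR(st.st_mode),
                       stat.S_IMODE(st.st_mode))


def fix_world_writable(root, dry_run=False):
    """Reset world-writable files to 644 and directories to 755 (this also
    clears setuid/setgid/sticky bits). Returns (path, old, new) per entry;
    with dry_run=True nothing is changed."""
    changes = []
    for rel, is_dir, mode in sorted(world_writable(root)):
        target = DIR_MODE if is_dir else FILE_MODE
        if not dry_run:
            os.chmod(os.path.join(root, rel), target)
        changes.append((rel, oct(mode), oct(target)))
    return changes


def build_sample_site(root):
    """Constructed tree: the loose permissions a panel or tutorial often leaves
    behind, next to correctly set entries."""
    layout = {
        "index.php": (b"<?php // ok\n", 0o644),
        "wp-config.php": (b"<?php define('DB_PASSWORD', 'x');\n", 0o666),
        "wp-content/uploads/.htaccess": (b"Options -Indexes\n", 0o644),
    }
    for rel, (body, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "wp-content/cache"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)          # explicit: umask-independent
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)
    os.chmod(os.path.join(root, "wp-content/cache"), 0o777)


def run_demo():
    """Return (planned changes, applied changes, what is still world-writable)."""
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        planned = fix_world_writable(site, dry_run=True)
        applied = fix_world_writable(site)
        return planned, applied, list(world_writable(site))


if __name__ == "__main__":
    planned, applied, remaining = run_demo()
    for rel, old, new in applied:
        print("%-32s %s -> %s" % (rel, old, new))
    print("still world-writable:", remaining)
```

Run it with `dry_run=True` on the real webroot first; an upload directory that a plugin genuinely needs writable by the web server should be handled by ownership or suEXEC-style setups, not by leaving it 777.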
03-15-2012, 01:09 PM
Post: #288
RE: Sites hacked
(03-15-2012 10:52 AM)pgp_protector Wrote:  But when I log in under the Old Users (They're not listed as having access to the domains now) but they still show the folders for the domains even though they've been moved to new users. :confused:
The panel language is confusing: it specifically says "Move the files to the new user" where it means to say "Copy the files to the new user". After you make sure everything works and you no longer need the directories under the old user, you have to delete the directories from the old user.
Quote:Also I'm seeing directories from Old sites (no longer hosted / used) and I can't delete them with the Ajax FTP Browser. I'm also running across "Empty" (I don't see anything in them) directories that I can't delete. Do I have to go in via a shell account to delete these directories?
Probably. Ajaxexplorer is not friendly, you may have better luck with a real FTP client. rm -rf works wonders via the shell.


(03-15-2012 12:55 PM)bb6600 Wrote:  My sites were hacked a couple of weeks back and injected with Google UA pharma code. The clean-up process included:

Jump over to this post in another thread and give SXI's new scanner a shot, he seems to have developed a more complete tool.
03-15-2012, 01:29 PM
Post: #289
RE: Sites hacked
(03-15-2012 12:55 PM)bb6600 Wrote:  I've been a DH client for 7 years but this is really the last drop.

yep, I've been a satisfied customer for about the same, but this incident has really thrown my confidence in DH. I finally had to move one of my more important sites to another host. I don't have the time, money or expertise to thwart these attacks. I too, have my suspicions about the origin of these attacks, it appears as if they have carte blanche control of all my remaining web sites.
03-15-2012, 02:15 PM
Post: #290
RE: Sites hacked
(03-15-2012 01:09 PM)LakeRat Wrote:  The panel language is confusing it specifically says "Move the files to the new user" where it means to say "Copy the files to the new user". After you make sure everything works and you no longer need the directories under the old user, you have to delete the directories from the old user.
probably. Ajaxexplorer is not friendly, you may have better luck with a real FTP client. rm -rf works wonders via the shell.
Thanks, that helped clarify the issues.
Did a full site backup first, then purged the compromised users directories.

Only been with DreamHost for about 5 years now. A few hiccups, but I've been much happier with them than my old host (they decided to modify the default 404 pages to generate ads for them, and got heavy with the ban hammer when people complained about it).