PHP hacker

kkiely

someone hacked my site and got access to my /etc/passwd info. How can i fix this? I host my page on Powweb but i dont know how to change any info other than logging onto the Powweb control panel and changing my SQL and FTP passwords

swr

Is powweb a shared host site? If so, getting access to /etc/passwd is probably very simple for anyone with an account on that server, even without any hacking.

I wouldn't worry about it if that is the case. On most systems the /etc/passwd file doesn't even store the password hashes. The hashes themselves are usually in /etc/shadow (on Linux) or /etc/master.passwd (on FreeBSD), which are only readable by root.

How did you find out that someone got access to /etc/passwd?

Weedpacket

Sounds like it's time to find a new host....

kkiely

actually entered through a hole in my PHP script but i believe he did get access to etc/shadow through this command in my PHP form
<?php print "<PRE>".cat /etc/shadow."</PRE>"; ?>

How do i change these passwords?
If he got in could it be possible he put in a backdoor to get in all the time?
How do i change these "passwords"? I only know how to change my FTP, SQL passwords.

Weedpacket

Those passwords would refer to everyone hosted on that machine. You won't be able to change them; it's something your hosting provider ought to be able to do something, though.

swr

Originally posted by kkiely
<?php print "<PRE>".cat /etc/shadow."</PRE>"; ?>

Try that. I think you'll find it doesn't work.

/etc/shadow is normally only readable by root. The web server should not be running as root. Doing cat /etc/shadow from PHP should NOT work.

swr

How about starting from the beginning...

What makes you think someone has obtained /etc/shadow?