Somebody tries to HACK my site

notset

Hello,

today when i had connected to my website via FTP i saw file s.php which was created a few hours ago. It's content [URL="http://***.net/hack.txt"]here[/URL].

I guess that somebody tries to hack because my project is connected with e-commercial.

What i need to know, it's how someone put the file into my server? There is no upload function in my site. What others gaps can be?

Thank you.

[Edit: We've seen the attack file, no need to leave it up for others to download, now 🙂, Your neighbourhood moderator]

MarkR

I have successfully decoded the file. I will not provide a decoded version for obvious security reasons. It's obviously a "Remote access trojan". I believe it is a remote access trojan called "r57shell.php".

Your application or server has been compromised.

Take the server down and notify the systems administrator immediately!

Take the server offline straight away and leave it offline
Rebuild the server from your existing deployment plan, or your sysadmin's (on another physical box, or switch HDs)
Restore all source code from a backup on another machine (e.g. your last code deployment), restore all data from a clean backup before the compromise
DO not allow the server to be put back online until you've identified the vulnerable application / facility.
Before putting it back online, ensure that all passwords on anything related to the machine are changed. Audit all legitimate users' PCs.

Under no circumstances restore a backup of any code from the compromised box, you might be letting the intruder straight back in.

Mark

notset

Thank you.

What i did:

Checked database (everything was ok)
Checked script files (no modifications were made)
Set new cPanel password

What else i could do?

The most important for me is how to prevent from such injections.

scrupul0us

check your server logs... thatd be one of my first checks... see what ip and how it was uploaded

scrupul0us

http://www.sarc.com/avcenter/venc/data/php.rstbackdoor.html

MarkR

You absolutely must contact the host and have them take the server down with immediate priority.

To leave an obviously compromised machine connected to the internet without a complete reinstall is irresponsible to the wider community. You're providing nefarious people with a useful resource.

There is no guarantee that they haven't used this powerful backdoor program to compromise the entire server, and are continuing to collect private data, passwords etc using some other route in, even if you removed their original method of entry.

Mark

Kudose

Oh yeah, you got hacked.

Mark is absolutely right. You could even be held legally responsible for negligence for not reporting it if something disastrous does happen.

notset

I reported about that to hosting administrator. He promised to do a full security scan to ensure the server is clear.

But maybe somebody could answer me how this trojan was putted in my server?

MarkR

Doing "a full security scan" is insufficient.

A reinstall and restore from clean backups is the minimum acceptable response.

No scan can necessarily detect any potentially installed "rootkits", which are designed to hide their own presence.

I would severely recommend that you question your administrator's capability / trustworthiness.

I wouldn't get hosting from someone who would allow a compromised machine to continue to operate.

Mark

stolzyboy

on that note... who is the host so i don't ever use them?

notset

stolzyboy wrote:
on that note... who is the host so i don't ever use them?

http://bytestech.com/

I haven't had any problems with it yet.

bradgrafelman

notset wrote:
I haven't had any problems with it yet.

Based upon the first post of this thread, I must disagree. 😉

EDIT: Also, without posting your entire code in a forum like Code Critique and actively seeking flaws in your script, you can't rule out the possibility that the exploit used a hole in the security of your code.