One of my websites got some malicious code in its pages. A little investigation showed that the malicious code connects to a Russian website and downloads some dodgy stuff. lol. I checked the FTP logs and found these suspicious entries; the same activity seems to be repeated every second day, sometimes from the same IP, sometimes from a different one. I picked a small sample to post here. Can someone tell me what it actually means?

Mon Jun 23 05:29:25 2008 0 77.222.40.206 18889 /home/user123/public_html/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:26 2008 0 77.222.40.206 18865 /home/user123/public_html/index.html a _ i r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:27 2008 0 77.222.40.206 18890 /home/user123/public_html/inquiry/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:29 2008 0 77.222.40.206 18902 /home/user123/public_html/inquiry/index.html a _ i r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:30 2008 0 77.222.40.206 52894 /home/user123/public_html/orthopedic-instruments/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:33 2008 1 77.222.40.206 52897 /home/user123/public_html/orthopedic-instruments/index.html a _ i r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:34 2008 0 77.222.40.206 78482 /home/user123/public_html/tc-instruments/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:36 2008 1 77.222.40.206 78455 /home/user123/public_html/tc-instruments/index.html a _ i r user123@domain.com ftp 1 * c

Help will be greatly appreciated. PS. I changed the actual user and domain to dummy values.
I would recommend you hire a server management company to take care of your servers if you are not aware of how to protect them.
I would recommend you check all your file permissions, especially those with 777 permissions. Also change all your passwords, and run a system scan for viruses, rootkits, or again bad shells like c99 etc. If you need help managing your service, hit me back, I'm your man!
Those requests seem to be a hacking attempt trying to retrieve your FTP password. If such directories don't exist, nor any of them has an expressly set up FTP username/password, things will not go farther, but if either the directories or the users do exist, the server's security needs to be improved. However, is this your server or are you on a shared hosting account? If you don't own the server, there is not much to do on your end.
The username is quite non-generic, and is not the same as the domain name; that's why I don't think the guy only knows the username, he might also know the password. What does this bold thing mean?

18889 /home/user123/public_html/index.html a _ o r user123@domain.com ftp 1 * c
18865 /home/user123/public_html/index.html a _ i r user123@domain.com ftp 1 * c

What action does this perform? About the server, I am on shared hosting and pretty sure it's secure, since no other site seems to have any problem, only this one. I think the FTP account (user123) I generated for my programmer is compromised.
I'm not sure if that means the hacker is accessing your site from a university-related location, using a Mac for doing such a task, or a combination. As I said before, I have seen similar attempts on mine, but the target directories/usernames/passwords do not exist. Yours seems truly compromised, and maybe the source I found while trying to clarify my own issue might serve you: http://www.unix.com.ua/orelly/networking/puis/ch10_03.htm You will see the bold terms above explained under the xferlog log file.
Thank you very much buddy. Now it's 100% clear that an automated piece of software logged in using my programmer's FTP username, downloaded a file, added malicious content and uploaded it. For anyone who finds this thread in future, some info: I found some malicious code (encoded) in my static website, which connects to traffurl.ru (DO NOT VISIT) and downloads some trojan. While checking the FTP logs, I found this: It interprets as: courtesy: http://www.unix.com.ua/orelly/networking/puis/ch10_03.htm
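As an added example (not code from the thread or from the O'Reilly chapter linked above), the following Python script parses the xferlog fields the poster asked about (`a _ o r`, the size, the completion flag) and flags the pattern the thread ends up identifying: the same account, from the same IP, downloading a page and re-uploading it seconds later. The sample lines are the eight from the first post, which the poster had already dummied; the function names and the 60-second window are my own assumptions.

```python
"""Added example: parse wu-ftpd/proftpd-style xferlog records and flag the
download-then-re-upload pattern discussed in the thread."""
from datetime import datetime

# Constructed sample input: the eight xferlog lines from the first post
# (the poster already replaced the real account and domain with dummies).
SAMPLE_XFERLOG = """\
Mon Jun 23 05:29:25 2008 0 77.222.40.206 18889 /home/user123/public_html/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:26 2008 0 77.222.40.206 18865 /home/user123/public_html/index.html a _ i r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:27 2008 0 77.222.40.206 18890 /home/user123/public_html/inquiry/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:29 2008 0 77.222.40.206 18902 /home/user123/public_html/inquiry/index.html a _ i r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:30 2008 0 77.222.40.206 52894 /home/user123/public_html/orthopedic-instruments/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:33 2008 1 77.222.40.206 52897 /home/user123/public_html/orthopedic-instruments/index.html a _ i r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:34 2008 0 77.222.40.206 78482 /home/user123/public_html/tc-instruments/index.html a _ o r user123@domain.com ftp 1 * c
Mon Jun 23 05:29:36 2008 1 77.222.40.206 78455 /home/user123/public_html/tc-instruments/index.html a _ i r user123@domain.com ftp 1 * c
"""

XFERLOG_FIELDS = 18  # 5 timestamp tokens + 13 data fields


def parse_xferlog_line(line):
    """Split one xferlog record into a dict; returns None for malformed lines.

    xferlog writes spaces inside filenames as underscores, so splitting on
    whitespace is safe for this format.
    """
    f = line.split()
    if len(f) < XFERLOG_FIELDS:
        return None
    try:
        when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
        return {
            "time": when,
            "transfer_seconds": int(f[5]),
            "remote_host": f[6],
            "size": int(f[7]),
            "path": f[8],
            "transfer_type": f[9],    # a = ASCII, b = binary
            "special_action": f[10],  # _ = none (C/U/T = compressed/uncompressed/tar)
            "direction": f[11],       # o = outgoing (client downloaded), i = incoming (client uploaded)
            "access_mode": f[12],     # r = real (local) user, a = anonymous, g = guest
            "username": f[13],
            "service": f[14],
            "auth_method": f[15],     # 0 = none, 1 = RFC 931 ident
            "auth_user": f[16],       # '*' when no authenticated id is available
            "status": f[17],          # c = complete, i = incomplete
        }
    except ValueError:
        return None


def find_download_upload_pairs(records, window_seconds=60):
    """Pair each completed upload with the most recent completed download of the
    same path by the same host and account when the download happened at most
    window_seconds earlier: the fetch-modify-replace pattern from the thread.
    """
    last_download = {}
    pairs = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["status"] != "c":
            continue
        key = (rec["remote_host"], rec["username"], rec["path"])
        if rec["direction"] == "o":
            last_download[key] = rec
        elif rec["direction"] == "i":
            dl = last_download.get(key)
            if dl is not None:
                gap = (rec["time"] - dl["time"]).total_seconds()
                if 0 <= gap <= window_seconds:
                    pairs.append({
                        "remote_host": rec["remote_host"],
                        "username": rec["username"],
                        "path": rec["path"],
                        "seconds_between": gap,
                        "size_change": rec["size"] - dl["size"],
                        "downloaded_at": dl["time"],
                        "uploaded_at": rec["time"],
                    })
    return pairs


def analyze_xferlog(text, window_seconds=60):
    """Parse raw xferlog text and return the suspicious download/upload pairs."""
    records = [r for r in (parse_xferlog_line(l) for l in text.splitlines()) if r]
    return find_download_upload_pairs(records, window_seconds)


if __name__ == "__main__":
    for hit in analyze_xferlog(SAMPLE_XFERLOG):
        print(f"{hit['remote_host']} {hit['username']} re-uploaded {hit['path']} "
              f"{hit['seconds_between']:.0f}s after downloading it "
              f"(size change {hit['size_change']:+d} bytes)")
```

Run against the poster's sample it reports all four pages: each was downloaded (`o`) and uploaded back (`i`) by the same account from 77.222.40.206 within one to three seconds, with the size changing on every round trip, which is what a legitimate editing session almost never looks like. Pointing the same script at a full xferlog (`analyze_xferlog(open("/var/log/xferlog").read())`) is a cheap way to see how far back the activity goes and which other accounts on the host show the same pattern.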