Can someone advise what has happened and possible outcomes of breach?

Discussion in 'Security' started by Sean Ross, Sep 14, 2012.

  1. #1
    Hi,
    One of my vBulletin sites notified me today of a file in my pub html that should not be there. It was an htm file pointing to an online pharmacy. I of course did not put this there. So far nothing else has happened to the site. Site is running normally. I have the host doing a maldet scan and waiting for them to get back to me. Is it possible this is something minor that can be squashed or is my whole world about to come crashing down over this? I can't help but think if I was severely compromised that my site would be defaced by now and who knows what else. A lot of the finer points of security are over my head which is why I have a managed server. Hopefully they can give me some good info and direction but I also appreciate the thoughts here at digitalpoint.
     
    Sean Ross, Sep 14, 2012 IP
  2. Sean Ross

    Sean Ross Active Member

    #2
    Ok, well, after a lot of looking, that single file was the only one added to the server as far as I can tell. I was able to see my last rsync and rsync log had no other files update off site other than that one along with typical updates. Host says only my IP has accessed ssh or ftp last few days, no system files seem to have been touched, logs are fine etc. Maldet scan found no hits. I removed two domains off my server running lesser known php/mysql scripts. I updated any vBulletin addons I could find. I'm not sure what else I can do. Everything has been running fine so I guess I just play it by ear.
     
    Sean Ross, Sep 15, 2012 IP
  3. Brandon Sheley

    Brandon Sheley Illustrious Member

    #3
    Is this a shared hosting account? Have you changed your passwords since finding the rogue file?
     
    Brandon Sheley, Sep 16, 2012 IP
  4. Sean Ross

    Sean Ross Active Member

    #4
    It's a dedicated server with 2 forums running on it, just 2 domains. I've changed all passwords, set the server to allow ftp & ssh only from my IP address. I have also spent 3 days clearing off old plugins and scripts that accumulated over the last 10 years (which I am ashamed to say is A LOT of crud). I've updated several plugins such as tapatalk and vbseo. The forum is already up to date. You know how it is, just keeps getting put on the back burner because you are too busy running things and trying to stay afloat. Since the incident nothing else has "happened", it was just the one file that appeared in public_html. My other forum site is pretty standard and up to date and runs under a different user. Since the rogue file that appeared was owned by my primary user account for that site, it seems to be some sort of breach on that particular account. I have thoroughly cleaned out public_html and /forums, now continuing my clean through includes folder etc as well as manually deleting any old forum plugins. I do keep a full off-site rsync backup at home with database backups so if something major does go down I can rebuild fresh. At this point I am kind of hoping it was a one off and a cleanout, new password, etc will be fine. I simply don't have the time and resources to nuke my server and rebuild everything from scratch.
     
    Sean Ross, Sep 16, 2012 IP
  5. samirj09

    samirj09 Well-Known Member

    #5
    The main thing is finding the source of the file. Compare the timestamps and check multiple places, including website access logs, bash history files, ftp transfer logs, and also any control panel access logs such as cPanel. If you utilize all of these logs you should be able to find what, if anything, was compromised to find the source of this file.
     
    samirj09, Sep 16, 2012 IP
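
The timestamp correlation suggested in post #5, as an added example that is not part of the thread: it takes the rogue file's modification time and pulls write-style HTTP requests and FTP uploads that fall within a few minutes of it. The log lines, IPs, paths, user name and the `ROGUE_MTIME` value are constructed for illustration; the formats assumed are Apache's common/combined access log and the standard xferlog layout, and xferlog times are assumed to be UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from the thread (documentation IP ranges).
# In practice take the time from stat(); mtime can be reset by whoever wrote
# the file, ctime (inode change time) cannot be set directly, so check both.
ROGUE_MTIME = datetime(2012, 9, 14, 3, 15, 0, tzinfo=timezone.utc)
ACCESS_LOG = '''\
203.0.113.7 - - [14/Sep/2012:03:12:40 +0000] "GET /forums/index.php HTTP/1.1" 200 5120
198.51.100.23 - - [14/Sep/2012:03:14:58 +0000] "POST /forums/old_plugin.php HTTP/1.1" 200 312
203.0.113.7 - - [14/Sep/2012:09:30:00 +0000] "POST /forums/login.php HTTP/1.1" 200 900
'''
XFERLOG = '''\
Fri Sep 14 01:00:00 2012 1 192.0.2.10 2048 /home/siteuser/public_html/style.css b _ i r siteuser ftp 0 * c
Fri Sep 14 03:14:30 2012 1 192.0.2.10 4096 /home/siteuser/backup.tar b _ o r siteuser ftp 0 * c
Fri Sep 14 03:14:59 2012 1 192.0.2.10 512 /home/siteuser/public_html/page.htm b _ i r siteuser ftp 0 * c
'''
ACCESS_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_access(text):
    """Yield (time, source, ip, detail) for requests that can write data."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) in ("POST", "PUT"):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, "http", m.group(1), f"{m.group(3)} {m.group(4)} -> {m.group(5)}"

def parse_xferlog(text, tz=timezone.utc):
    """Yield uploads only; xferlog times carry no zone, so tz is an assumption."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 14 and f[11] == "i":  # direction field: i = incoming
            ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            yield ts.replace(tzinfo=tz), "ftp", f[6], f"upload {f[8]} by {f[13]}"

def events_near(mtime, window=timedelta(minutes=5)):
    """Merge both logs and keep events within +/- window of the file time."""
    events = list(parse_access(ACCESS_LOG)) + list(parse_xferlog(XFERLOG))
    return sorted(e for e in events if abs(e[0] - mtime) <= window)

if __name__ == "__main__":
    for ts, source, ip, detail in events_near(ROGUE_MTIME):
        print(ts.isoformat(), source, ip, detail)
```

An empty result for both sources points the search at the other places the post lists (shell history, control panel logs).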