Hi all, I've been testing FlashChat out for about a week just to see how the server copes with it - unfortunately it wasn't the latest version so was vulnerable to exploits I hadn't realised at the time. I've now sorted this, but it's obviously a bit late. Today the server became slow due to the processor being at 100% usage all the time. I got some stats and rebooted and it's all back to normal again. From my logs, I can see the sites the hacker was using to exploit the chat prog were: http://www.resimdunyam.com/lol1.txt http://albapower.by.ru/lal.txt http://fotologmty.com/khg/lal.txt http://www.trang2.go.th/aoc/classes/adodbt/mail.txt http://www.ortaksohbet.com/lol1.txt Some time out for me, but others look like they try and download some perl scripts and stuff onto the server. However, I don't know perl at all, and was wondering if anyone would be kind enough to have a quick look at the content in the files above to see if there's anywhere I need to check to remove files? I've cleared out the /tmp dir and changed all my admin/root passwords, so just want to make sure I've done all I can! Thanks to anyone who can help.
To find uploaded files (a year ago I had a similar situation) you need to:
- know your own site and all its files
- know what type of files belong in which folders
- look at the date stamps of files / folders and see if some of these dates mismatch your publishing dates
For the future, have a backup of the whole site on your local system. Using (Linux) rsync -ax --delete --progress .... (and here the usual folder from / to structure) you can recover the online version, and the option --delete will delete anything you don't have in your clean backup.
The same syntax as above is also used to make daily backups to your local system in addition to your remote full backup. With the option --progress it will list in detail anything NEW that you back up, hence looking at this backup listing may take a full ONE minute each time, but it will instantly show you if any strange file appears!
On your already hacked system, just invest the time to visually check all file dates and make sure you KNOW whether a file was at a particular location or NOT.
In my case a number of php files were uploaded into a folder without any php at all ... and a few of the files were disguised with filenames that are common on systems but UNcommon in those folders:
- files like index.php but with different php code
- files like php-info.php but with hacker content instead of the common php-info.php code
KNOWING and learning to know your site very substantially helps you to visually and instantly identify hacker files when combined with the date stamps of files.
If you want to make life easy, you may update all time stamps of files to make future visual instant recognition easy for you. The Linux tool touch will update the time stamp to the current time: just cd to the directory you want to update, then in bash enter touch * and all files will have a new timestamp without any changes to content. You may also do selective time stamp modifications for certain types of files only, like touch *.htm. Best you FIRST run a test on your offline local file system in a test folder to get familiar with "touch" syntax and usage.
Maybe he accessed your control panel and uploaded, or maybe uploaded via web applications. For security: 1. Change all your passwords: hosting, email, domain... 2. Delete all files and re-upload your source code, because a backdoor may have been uploaded.
I hope I'm not out of line with this forum. I'm new here and I have a situation. Someone, not sure how many are involved, is going into my "Tell a friend" page and keeps sending the page from themselves to themselves, and doing it 5 to 10 times at a time. What are they doing??? It all seems to involve hotmail addresses. We are very confused.
I would wipe all the files and restore a backup. If you have a dedicated Linux server you should install tripwire. It's a security program which allows you to monitor files changing on your system.
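Added example (not part of any post in this thread): the clean-backup comparison and the file-change monitoring suggested above, sketched as a shell script that hashes a known-clean copy and the live web root and reports added, changed and missing files. The function names and the demo tree are constructed for illustration; because it compares content hashes rather than dates, it also flags a replaced index.php that kept its name.

```shell
#!/bin/sh
# Added example; function names and the demo tree are constructed for illustration.

# manifest DIR: print "<sha256>  ./relative/path" for every regular file under DIR.
manifest() { ( cd "$1" && find . -type f -exec sha256sum {} + ); }

# audit_tree CLEAN LIVE: compare LIVE against the known-clean copy by content hash
# and print one sorted line per ADDED, CHANGED or MISSING file.
audit_tree() (
    tmp=$(mktemp) || exit 1
    manifest "$1" > "$tmp"
    manifest "$2" | awk -v cleanfile="$tmp" '
        BEGIN { # load the clean manifest: 64 hex chars, two separator chars, path
            while ((getline line < cleanfile) > 0)
                clean[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            hash = substr($0, 1, 64); path = substr($0, 67); seen[path] = 1
            if (!(path in clean))         print "ADDED   " path
            else if (clean[path] != hash) print "CHANGED " path
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING " p }
    ' | sort
    rm -f "$tmp"
)

# demo: build a constructed clean tree and a tampered copy, then audit them.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/clean/images" "$d/live"
    echo '<?php echo "home"; ?>' > "$d/clean/index.php"
    echo 'body{}'                > "$d/clean/style.css"
    echo 'logo'                  > "$d/clean/images/logo.txt"
    cp -r "$d/clean/." "$d/live/"
    echo '<?php /* altered */ ?>' > "$d/live/index.php"            # same name, new content
    echo '<?php /* planted */ ?>' > "$d/live/images/php-info.php"  # PHP in an image folder
    rm "$d/live/style.css"                                         # deleted on the live side
    audit_tree "$d/clean" "$d/live"
    rm -rf "$d"
)

demo
```

On a real server the call would be audit_tree followed by the clean backup directory and the live web root, run from a copy of the script kept off the affected machine.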