Hacking attempt - how to check no files left?

Discussion in 'Security' started by aleco, Dec 8, 2006.

  1. #1
    Hi all,

    I've been testing FlashChat out for about a week just to see how the server copes with it - unfortunately it wasn't the latest version so was vulnerable to exploits I hadn't realised at the time. I've now sorted this, but it's obviously a bit late :rolleyes:

    Today the server became slow due to the processor being at 100% usage all the time. I got some stats and rebooted and it's all back to normal again.

    From my logs, I can see the sites the hacker was using to exploit the chat prog were:
    http://www.resimdunyam.com/lol1.txt
    http://albapower.by.ru/lal.txt
    http://fotologmty.com/khg/lal.txt
    http://www.trang2.go.th/aoc/classes/adodbt/mail.txt
    http://www.ortaksohbet.com/lol1.txt

    Some time out for me, but others look like they try and download some perl scripts and stuff onto the server.

    However, I don't know perl at all, and was wondering if anyone would be kind enough to have a quick look at the content in the files above to see if there's anywhere I need to check to remove files? I've cleared out the /tmp dir and changed all my admin/root passwords, so just want to make sure I've done all I can! :eek:

    Thanks to anyone who can help :)
     
    aleco, Dec 8, 2006 IP
  2. hans

    hans Well-Known Member

    #2
    to find uploaded files (a year ago I had a similar situation) you need to
    - know your own site and all its files
    - know what type of files do belong into which folders
    - look at date stamp of files / folders and see if some of these dates mismatch your publishing dates

    for future

    have backup on your local system of all site
    using
    (Linux)
    rsync -ax --delete --progress .... ( and here to usual folder from to structure )

    you can recover the online version and the option --delete will delete anything you don't have in your clean backup

    same as above syntax also is used to make daily backups into your local system in addition to your remote full backup

    when having option --progress
    it will list in details anything NEW that you backup

    hence looking at this backup listing may take a full ONE minute each time - but will instantly show you if any strange file appears !

    on your already hacked system - just invest the time to visually check all file dates and make sure you KNOW if a file was at a particular location or NOT

    in my case a number of php files were uploaded into a folder without any php at all ...
    and a few of the files have been disguised as filenames that are common on systems but UNcommon in those folders
    files like
    index.php
    but with a different php code
    files like
    php-info.php
    but with hacker content instead of the common php-info.php code

    KNOWING and learning to know your site very substantially helps you to visually and instantly identify hacker-files if combined with date stamps of files.

    if you want to make life easy
    you may update all time stamps of files to make future visual instant recognition easy for you

    the Linux tool touch will update time stamp to current time

    just cd to the directory you want to update, then - in bash enter

    touch *

    and all files will have new timestamp without any changes to content
    you may also do selective time stamp modifications for certain types of files only
    like

    touch *.htm

    best you FIRST run a test on your offline local file system on a test folder to get familiar with "touch" - syntax and usage
     
    hans, Dec 9, 2006 IP
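The "compare the live site against a clean backup" idea from the post above, as an added example that is not from the thread or from any poster: instead of rsync --delete overwriting the live tree, this script builds a sha256 manifest of the clean copy and the live copy and only reports what is new, changed or missing, so nothing the intruder left is destroyed before you have looked at it. The directory layout and file contents in demo() are constructed for illustration; the script assumes GNU coreutils sha256sum (or shasum) and a POSIX awk.

```shell
#!/bin/sh
# Added example (not from the thread): report files that differ between a
# known-clean copy of the site and the live tree, without touching either.
set -eu

# Hash one file. Assumes sha256sum (GNU coreutils); falls back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "hash<TAB>relative path" for every regular file under directory $1.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
    done )
}

# Compare clean tree $1 with live tree $2. One sorted line per difference:
#   NEW <path>      only in the live tree (the kind of file an intruder drops)
#   CHANGED <path>  content differs from the clean copy (e.g. a swapped index.php)
#   MISSING <path>  in the clean copy but gone from the live tree
compare_trees() {
    cm=$(mktemp); lm=$(mktemp)
    make_manifest "$1" > "$cm"; make_manifest "$2" > "$lm"
    awk -F'\t' '
        NR == FNR { clean[$2] = $1; next }
        { live[$2] = $1 }
        END {
            for (p in live)  if (!(p in clean)) print "NEW\t" p
            for (p in live)  if ((p in clean) && clean[p] != live[p]) print "CHANGED\t" p
            for (p in clean) if (!(p in live)) print "MISSING\t" p
        }' "$cm" "$lm" | sort
    rm -f "$cm" "$lm"
}

# Constructed demo: index.php was replaced on the live site, and a stray
# index.php appeared in images/, a folder that should contain no PHP at all.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/images"
    printf '<?php /* original site code */ ?>\n' > "$root/clean/index.php"
    printf 'logo bytes\n' > "$root/clean/images/logo.png"
    cp -R "$root/clean" "$root/live"
    printf '<?php /* content differs from clean copy */ ?>\n' > "$root/live/index.php"
    printf '<?php /* dropped into a folder with no php */ ?>\n' > "$root/live/images/index.php"
    compare_trees "$root/clean" "$root/live"
    rm -rf "$root"
}

demo
```

Run it from cron against a read-only mount of the site and mail the output; an empty report means the tree still matches the backup.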
  3. thuonghieu

    thuonghieu Peon

    #3
    Maybe he accessed your control panel and uploaded, or maybe uploaded via web applications.
    For security:
    1. Change all your password: hosting, email, domain...
    2. Delete all files and re-upload your source code because a backdoor may have been uploaded.
     
    thuonghieu, Dec 11, 2006 IP
  4. Yuma Cricket

    Yuma Cricket Peon

    #4
    I hope I'm not out of line with this forum. I'm new here and I have a situation. Someone, not sure how many involved, is going into my "Tell a friend" page and keeps sending the page from themselves to themselves, and doing it 5 to 10 times at a time. What are they doing??? It all seems to involve hotmail addresses. We are very confused.
     
    Yuma Cricket, Dec 11, 2006 IP
  5. amnezia

    amnezia Peon

    #5
    I would wipe all the files and restore a backup.

    If you have a dedicated Linux server you should install Tripwire. It's a security program which allows you to monitor files changing on your system.
     
    amnezia, Dec 12, 2006 IP