Paypal Phishing site keeps cropping up.

Discussion in 'Security' started by devkinetic, Jun 16, 2009.

  1. #1
    Hi guys,

    I've been battling with this issue for months now. My site was getting hacked pretty often. I was using HTML and a few PHP pages (only using PHP for includes). I got hacked by way of a phishing site under my root.

    Changed my cpanel/ftp passwords, wiped my site. Installed a CMS to manage everything rather than static files which stopped the hacks for a while.

    Yesterday my site got hacked by way of a PayPal phishing site which dumped users/passwords to a txt file which got emailed with mail().

    I cleaned up everything I could think of, changed all my passwords to 25 characters: numbers, letters, caps, symbols. Turned my site back on, hacked again an hour later. I started poring through my Apache access log. I compared the folder date to the logs and saw a few files being hit. It turns out the hacker tested the PayPal form, which I guess he didn't think about, as the form records his IP and dumps it to the text file.

    I pulled up the access log and marked all instances of that IP. I actually found the point where the sub-directory is created by way of his IP and watching the HTTP codes.

    Below you see the hacker 85.186.185.95 getting 404s. Then some weird ICE Browser user agent hits the site a few times. 30 seconds later, BINGO, he is getting 200s.

    My question: How is he doing this and how can I fix it? My hosting is with site5; they have been OK with this, but I'm sure they are going to crack down soon enough. I also found this while going through logs, maybe it will help: hxxp://www.phishtank.com/phish_detail.php?phish_id=730077&frame=details


    404s
    85.186.185.95 - - [16/Jun/2009:15:15:18 -0500] "GET /www.paypal.com/cc.txt HTTP/1.1" 301 456 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:19 -0500] "GET /www.paypal.com/cc.txt/ HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:19 -0500] "GET /www.paypal.com/cc.txt/ HTTP/1.1" 404 3504 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:20 -0500] "GET /workspace/css/styles.css HTTP/1.1" 200 4939 "http://devkinetic.com/www.paypal.com/cc.txt/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:20 -0500] "GET /workspace/js/mootools.js HTTP/1.1" 200 27820 "http://devkinetic.com/www.paypal.com/cc.txt/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:21 -0500] "GET /workspace/js/slideshow.js HTTP/1.1" 200 5312 "http://devkinetic.com/www.paypal.com/cc.txt/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:21 -0500] "GET /favicon.ico HTTP/1.1" 200 15086 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:25 -0500] "GET /www.paypal.com/ HTTP/1.1" 404 3504 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:26 -0500] "GET /workspace/css/styles.css HTTP/1.1" 200 4939 "http://devkinetic.com/www.paypal.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:26 -0500] "GET /workspace/js/mootools.js HTTP/1.1" 200 27820 "http://devkinetic.com/www.paypal.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:27 -0500] "GET /workspace/js/slideshow.js HTTP/1.1" 200 5312 "http://devkinetic.com/www.paypal.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:15:28 -0500] "GET /favicon.ico HTTP/1.1" 200 15086 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    66.113.100.51 - - [16/Jun/2009:15:20:08 -0500] "GET /paypal/webscr.php?cmd=_login-run&dispatch=cbe89b0a7b4183dde29006d762a9c281cbe89b0a7b4183dde29006d762a9c281 HTTP/1.1" 301 545 "-" "Mozilla/6.0 (compatible; MSIE 7.01; Windows NT)"
    66.113.100.51 - - [16/Jun/2009:15:20:08 -0500] "GET /paypal/webscr.php/?cmd=_login-run&dispatch=cbe89b0a7b4183dde29006d762a9c281cbe89b0a7b4183dde29006d762a9c281 HTTP/1.1" 301 - "-" "Mozilla/6.0 (compatible; MSIE 7.01; Windows NT)"
    66.113.100.51 - - [16/Jun/2009:15:20:09 -0500] "GET /paypal/webscr.php/?cmd=_login-run&dispatch=cbe89b0a7b4183dde29006d762a9c281cbe89b0a7b4183dde29006d762a9c281/ HTTP/1.1" 404 3504 "-" "Mozilla/6.0 (compatible; MSIE 7.01; Windows NT)"


    The weird mystery agent

    209.147.127.214 - - [16/Jun/2009:15:20:32 -0500] "GET /www.paypal.com HTTP/1.1" 301 475 "-" "ICE Browser/5.05 (Java 1.4.0; Windows 2000 5.0 x86)"
    209.147.127.214 - - [16/Jun/2009:15:20:32 -0500] "GET /www.paypal.com/ HTTP/1.1" 301 - "-" "ICE Browser/5.05 (Java 1.4.0; Windows 2000 5.0 x86)"
    209.147.127.214 - - [16/Jun/2009:15:20:32 -0500] "GET /www.paypal.com/ HTTP/1.1" 404 3504 "-" "ICE Browser/5.05 (Java 1.4.0; Windows 2000 5.0 x86)"
    209.147.127.214 - - [16/Jun/2009:15:21:04 -0500] "GET /www.paypal.com/ HTTP/1.1" 301 - "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/51 (like Gecko) Safari/51"
    209.147.127.214 - - [16/Jun/2009:15:21:04 -0500] "GET /www.paypal.com/ HTTP/1.1" 404 3504 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/51 (like Gecko) Safari/51"


    And now it works again

    85.186.185.95 - - [16/Jun/2009:15:21:37 -0500] "GET /www.paypal.com/ HTTP/1.1" 200 376 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:37 -0500] "GET /favicon.ico HTTP/1.1" 200 15086 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:37 -0500] "GET /www.paypal.com/webscr.php?cmd=_login-run&dispatch=e6b58e8a1144950f8e67a5da96938757e6b58e8a1144950f8e67a5da96938757 HTTP/1.1" 200 6959 "http://devkinetic.com/www.paypal.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:38 -0500] "GET /www.paypal.com/images/xpt.css HTTP/1.1" 200 138516 "http://devkinetic.com/www.paypal.com/webscr.php?cmd=_login-run&dispatch=e6b58e8a1144950f8e67a5da96938757e6b58e8a1144950f8e67a5da96938757" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:38 -0500] "GET /www.paypal.com/images/start.css HTTP/1.1" 200 543 "http://devkinetic.com/www.paypal.com/images/xpt.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:39 -0500] "GET /www.paypal.com/images/xptInvoice.css HTTP/1.1" 200 1196 "http://devkinetic.com/www.paypal.com/webscr.php?cmd=_login-run&dispatch=e6b58e8a1144950f8e67a5da96938757e6b58e8a1144950f8e67a5da96938757" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:39 -0500] "GET /www.paypal.com/images/xptObsolete.css HTTP/1.1" 200 2227 "http://devkinetic.com/www.paypal.com/webscr.php?cmd=_login-run&dispatch=e6b58e8a1144950f8e67a5da96938757e6b58e8a1144950f8e67a5da96938757" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:39 -0500] "GET /www.paypal.com/images/xptlive.css HTTP/1.1" 200 71 "http://devkinetic.com/www.paypal.com/webscr.php?cmd=_login-run&dispatch=e6b58e8a1144950f8e67a5da96938757e6b58e8a1144950f8e67a5da96938757" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
    85.186.185.95 - - [16/Jun/2009:15:21:39 -0500] "GET /www.paypal.com/images/default.css HTTP/1.1" 200 317 "http://devkinetic.com/www.paypal.com/webscr.php?cmd=_login-run&dispatch=e6b58e8a1144950f8e67a5da96938757e6b58e8a1144950f8e67a5da96938757" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"
     
    devkinetic, Jun 16, 2009 IP
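One way to do the log correlation described above in code, as an added example that is not from the thread: it parses Apache combined-format lines and flags any path that answered 404 and then 200 (something new appeared under the webroot), reporting who fetched it first once live and every IP/user-agent pair active in between. The log lines embedded in it are constructed with RFC 5737 test addresses, not the thread's real data.

```python
import re
from datetime import datetime

# Apache "combined" log format, the layout of the lines posted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (RFC 5737 test addresses); mirrors the 404 -> 200 pattern in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2009:15:15:25 -0500] "GET /www.paypal.com/ HTTP/1.1" 404 3504 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"',
    '203.0.113.5 - - [16/Jun/2009:15:15:28 -0500] "GET /favicon.ico HTTP/1.1" 200 15086 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"',
    '198.51.100.7 - - [16/Jun/2009:15:20:32 -0500] "GET /www.paypal.com/ HTTP/1.1" 404 3504 "-" "ICE Browser/5.05 (Java 1.4.0)"',
    '203.0.113.5 - - [16/Jun/2009:15:21:37 -0500] "GET /www.paypal.com/ HTTP/1.1" 200 376 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"',
    '203.0.113.5 - - [16/Jun/2009:15:21:37 -0500] "GET /www.paypal.com/webscr.php?cmd=_login-run HTTP/1.1" 200 6959 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"',
]

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Normalise "/x/", "/x" and "/x?..." to the same path key.
    rec["path"] = rec["url"].split("?", 1)[0].rstrip("/") or "/"
    return rec

def find_new_content(lines):
    """Paths that answered 404 and later 200: content was created under the webroot.

    For each hit, report the first IP to fetch it live, the seconds since the
    last 404, and every (ip, user-agent) active between first 404 and first 200."""
    recs = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    first_404, last_404, found = {}, {}, []
    for r in recs:
        p = r["path"]
        if r["status"] == 404:
            first_404.setdefault(p, r)
            last_404[p] = r
        elif r["status"] == 200 and p in last_404:
            lo, hi = first_404[p]["ts"], r["ts"]
            actors = sorted({(x["ip"], x["ua"]) for x in recs if lo <= x["ts"] < hi})
            found.append({"path": p, "live_at": hi.isoformat(), "first_200_ip": r["ip"],
                          "seconds_since_last_404": (hi - last_404[p]["ts"]).total_seconds(),
                          "actors_in_window": actors})
            del last_404[p]
            del first_404[p]
    return found

if __name__ == "__main__":
    for hit in find_new_content(SAMPLE_LOG):
        print(hit)
```

Run it over the real access log with `find_new_content(open("access_log"))` and compare each flagged path's `live_at` against the directory's creation time, which is the same correlation the post does by hand.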
  2. devkinetic

    #2
    I did an IP lookup for the odd user agent and it came up with www.internetidentity.com as the source (weird). Take a look:

    hxxp://ip-lookup.net/neighborhood.popup.php?ip=209.147.127.214

    The hacker's IP is from Romania. Most definitely the culprit. Can I do anything to report the attack to, say, his/her ISP?
     
    devkinetic, Jun 16, 2009 IP
  3. DoDo Me

    #3
    If your site gets hacked often, especially if it keeps getting hacked even after you changed the password on shared hosting, you may also need to check whether your PC is infected by Trojans.
     
    DoDo Me, Jun 20, 2009 IP
  4. devkinetic

    #4
    Thanks for the reply, but I can assure you, no trojans here. I actually just did a reformat a few days ago.

    By day I remove viruses and work on PCs for a living. If I had an infection I would be no good at my job.
     
    devkinetic, Jun 22, 2009 IP
  5. awcguy

    #5
    Are you sharing this information with site5?
     
    awcguy, Jun 22, 2009 IP
  6. RectangleMan

    #6
    I am a security expert. If you want to pay me something reasonable for my time I can get this resolved for you. It's likely an exploit in one of your scripts. PM me if interested.

    85.186.185.95 That's likely someone phished.

    209.147.127.214 That's most likely a proxy that the hacker is using.
     
    RectangleMan, Jun 26, 2009 IP