Hey guys, I'm very concerned right now. I'm not sure what's going on, but it's not good. Someone (or something) is hacking into my server space and installing phishing scams into inconspicuous folders, and then emailing the schemed link to my site... I've found 3 folders already... The folders have been named 'ws', 'ok' and 'ads'. It has been going on for several days, and every time I delete the folder, it's back within the day. Preventative measures I have taken include changing my password and updating my phpBB forums to the latest version. My host has been very uncooperative in helping identify how this is happening. Has this ever happened to you guys? Any ideas on what else I can do? The URL is www dot knowledgebed dot com. Please help! Thanks, Sanzbar
See what timestamp those folders had and check for that date/time in all your logs (apache and all the other logs you can access) to see if you can identify what caused this so you can close it down.
Shared hosting. They're back again today... this is driving me nuts!! "What do the logs say?" What do you mean by this?
Well... they certainly don't seem to give a rat's ass for security. It's running an old version of Apache, hasn't had the ServerTokens removed, has FrontPage extensions and what not. Anyways, it's a shared host; I assume you have changed your password, and it's the provider's responsibility to secure the machine.
That's what I told them, but they didn't seem to care... I'll never host with this again. I just found this patch... I'm hoping it works... http://infosyssec.com/forum/viewtopic.php?t=1935
What many of these crackers tend to do once they've cracked a system is to install a web interface through which they can upload files. I suggest you have a good look at everything on the system and at your logs (presuming you have access to them) to see if you can find one. If one is installed, changing your password or anything else you do will have no effect, as they've already got a direct route in. Also look at the ownership of the files being created; it could be that they've compromised the whole system and aren't getting in through your account at all. In any case, I think you need to change host...
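The two suggestions in this thread (note the folder's timestamp, then read the access log around that time looking for an upload interface) can be combined into a small triage script. This is an added example, not code from any poster; the log lines, IPs, timestamps and the `/images/up.php` script are constructed, and on a real shared host the folder time would come from `stat` on the recreated directory.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log layout; referer and user-agent are optional.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: an attacker fetches an uploader, POSTs to it, the
# phishing folder appears, then the attacker checks the folder is live.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2007:14:20:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2007:14:25:44 +0000] "GET /images/up.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2007:14:31:02 +0000] "POST /images/up.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2007:14:31:30 +0000] "POST /forum/posting.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2007:15:05:12 +0000] "GET /ws/ HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""
# Constructed: mtime of the recreated 'ws' folder (would come from `stat -c %y ws`).
FOLDER_CREATED = datetime(2007, 3, 12, 14, 32, 10, tzinfo=timezone.utc)
# Scripts the site owner knows legitimately accept POSTs (phpBB here).
KNOWN_POST_SCRIPTS = {"/forum/posting.php", "/forum/login.php"}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(log_text, created_at, window_minutes=10):
    """Requests that arrived in the window just before the folder appeared."""
    start = created_at - timedelta(minutes=window_minutes)
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [r for r in recs if start <= r["ts"] <= created_at]

def likely_upload_requests(records, known_scripts):
    """POSTs to scripts you never installed are the classic upload-shell sign."""
    return [r for r in records
            if r["method"] == "POST" and r["path"].split("?")[0] not in known_scripts]

def find_uploader(log_text=SAMPLE_LOG, created_at=FOLDER_CREATED):
    """Return (path, client ip) pairs worth inspecting, then removing and log-searching."""
    hits = likely_upload_requests(requests_near(log_text, created_at), KNOWN_POST_SCRIPTS)
    return sorted({(r["path"], r["ip"]) for r in hits})

if __name__ == "__main__":
    for path, ip in find_uploader():
        print(f"suspect upload script {path} used from {ip}")
```

Once a script like `/images/up.php` is identified, grep the full log history for every request to it: the first hit usually shows how it was planted, and the source IPs give the host something concrete to act on.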
If your host doesn't seem to care about your problem, then just dump them & find another one. I'm sure they may take a different stance once they find out that you would get rid of them. Legends