Web Hosting Talk

Site Hacked via php script placed in WordPress Uploads directory


cnymike
04-07-2007, 02:38 PM
First of all, I discovered this forum during my quest to unravel the mysteries of how my site was hacked. I hope this is an appropriate forum to discuss the issues even though I am not a web hosting provider, but merely a customer of a web hosting company, hostrocket.com.

I have an installation of WordPress 2.1. WordPress creates a couple of world writable directories such as Uploads and Cache which are owned by nobody. Apparently (according to the tech support at hostrocket.com) someone was able to insert and execute a php script in my world writable Uploads directory. Over 40MB of scripts, executables and files were uploaded. As best I can tell, my space was being used as some sort of link farm or perhaps acting as a server in my webspace. I do not have much knowledge about these things and consequently can't talk very intelligently about them. But I am trying to grasp what little I am able to absorb about how this could have happened, and what I can do to mitigate it from recurring in the future.

Some of the stuff that was in the directory is as follows...

2421
bindz
h4ckerz
mass.pl p
trace-kmod
2421.1
brk
help.php
mybindshell
ptrace24
99.php
coredump
idf.php
netcat
pwned
CMD.php
dc.pl
index.html
online
r0nin
TMT.htm
elfdump
kmod2
online.tar.gz
raptor
TTdummyfile
gcc
krad3
prctl2
uselib24
bind.pl g
cc.1
list.txt
ptrace

The "online" directory contained over 40MB of directories such as...

abortion
accounting
accupril
acne
actonel
actos
acyclovir
adderall
adipex
adventure-travel
adware
adware-spyware
affiliate-program
air-travel
aldara
alprazolam
altace
amaryl
ambien
amitriptyline
amoxicillin
amoxil
antivirus
atenolol
ativan
avandia
avapro
baclofen
bankruptcy
bextra
biaxin
bingo
black-jack
blackjack
blackjack-game
bontril
britney-spears
business
buspar
buspirone
butalbital
buy-hardware
buy-phentermine
california-lottery
captopril
car
car-insurance
carisoprodol
cars
cartia
cash-loan
casino
casino-games
casino-las-vegas
celebrex
celebrex-online
celexa
celexa-online
cephalexin
cialis
cigarette
cigarettes
cipro
claritin
clindamycin
clonazepam
clonidine
codeine
consolidate-card
cozaar
credit
credit-card
credit-card-debt
credit-card-debt-consolidation
creditcard
cyclobenzaprine
darvocet
dating
debt-consolidation
debtcard
denavir
diazepam
diclofenac
didrex
diet-pills
diethylpropion
diflucan
diovan
distance-education
dospan
dovonex
doxycycline
drug
drug-rehab
drug-test
dvd
e-pathto
effexor
elavil
enalapril
equity-loan
estradiol
evista
fioricet
flexeril
flonase
florida-lottery
fluoxetine
fosamax
free-poker
free-slots
free-spyware
furniture
gambling
home-equity-loan
home-loan
hosting
hotel
hydrocodone
images
imitrex
insurance-life
internet-betting
internet-gambling
loan
loans
lortab
lottery
lotto
mesothelioma
mortgages
online-black-jack
online-casino
online-gambling
online-loan
online-pharmacy
online-poker
online-roulette
online-slot
payday-advances
phentermine
poker
poker-chips
poker-game
poker-tables
refinance
refinance-house
refinance-loan
refinancing
ringtones
roulette
slot-machine
slot-machines
slots
steroids
structured-settlement
texas-holdem
texas-holdem-poker
texas-holdem-rules
texas-lottery
tramadol
travel
travel-insurance
ultram
valium
viagra
vicodin
video-poker
wagering
xanax

As you can see, I was had in a BIG way.

So the first thing my webhost had me do was to change ownership of the directories owned by nobody to me. Then I was able to change permissions from 777 to 755. However, in so doing, I am no longer able to use the Dashboard of WordPress to upload images anymore, unless I temporarily change permissions back to 777.

The other thing the tech support guy did was to create an .htaccess file with:
php_flag engine off
I guess this basically renders php scripts impotent and stops them from running.

So without flaming me, can you help me understand how someone in a shared server environment is able to put a php script into one of my directories?

What amazed me was that this particular script, "99.php", when viewed in a browser window titled phpshell, was actually called "c99adult v. 1.0 pre-release build #16". It basically enabled whoever had access to the URL to view my webspace and do all sorts of nasty things. Talk about a wake-up call!

Obviously this enabled the hacker to view my config.php file and ascertain my database password and everything else. Whether he did, or whether there is a logfile of that info that could enable him to hack the database at some time in the future is unknown to me but it's really freaking me out.

Any help or guidance at this point would be appreciated.

First question is, should I be looking for a more "secure" web host other than HostRocket? I had a PHPwebsite CMS website hacked in a similar fashion that was being hosted on pair.com as well. They've got a good reputation so I don't really know what I should be doing at this point.
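The clean-up described in this post (take back ownership of the upload tree, drop 777 to 755, and put a `php_flag engine off` .htaccess in it) can be scripted and, more importantly, checked. The script below is an added example and is not from the thread, from WordPress or from the host; it assumes a POSIX shell with `find`, `od` and `head`, an Apache server with mod_php (the `<IfModule mod_php5.c>` guard keeps the directive from causing a 500 error where mod_php is absent), and that `$1` is the path of `wp-content/uploads`. It lists files that look like code hiding in an uploads tree (by extension, or by a `<?php`, `#!` or ELF header behind a harmless-looking name), lists world-writable directories, rewrites permissions, and writes the .htaccess with the same directive the host used plus a deny rule as a fallback.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden a WordPress uploads tree.
# Assumes POSIX sh, find/od/head, Apache + mod_php. Path in $1 is wp-content/uploads.

# Print files under "$1" that look like code rather than media: script extensions,
# or a first-four-bytes signature of "<?ph" (3c3f7068), ELF (7f454c46) or "#!" (2321).
find_suspicious_uploads() {
    find "$1" -type f | while read -r f; do
        case "$f" in
            *.php|*.phtml|*.php3|*.pl|*.sh|*.cgi) echo "$f"; continue ;;
        esac
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        case "$magic" in
            7f454c46|3c3f7068|2321*) echo "$f" ;;
        esac
    done
}

# Print directories under "$1" that anyone on the box can write to (mode o+w).
find_world_writable_dirs() {
    find "$1" -type d -perm -002 -print
}

# Directories 755, files 644: nothing under uploads needs to be world-writable
# or executable. (If PHP runs as "nobody" this blocks the Dashboard uploader, as the
# post notes; the durable fix is the host running PHP as your own user.)
tighten_upload_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Write the .htaccess: disable the PHP engine (mod_php), and refuse to serve
# script-like files at all, which also covers FastCGI setups that ignore php_flag.
# Apache 2.2 syntax; on 2.4 replace the Order/Deny pair with "Require all denied".
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php3|php5|pl|cgi|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Usage: sh audit-uploads.sh /home/you/public_html/wp-content/uploads
if [ -n "$1" ] && [ -d "$1" ]; then
    echo "== files that look like code =="; find_suspicious_uploads "$1"
    echo "== world-writable directories =="; find_world_writable_dirs "$1"
    tighten_upload_perms "$1"
    write_uploads_htaccess "$1"
fi
```

Run it before deleting anything, so the first list doubles as an inventory of what was dropped in; the signature check matters because a backdoor saved as `image.jpg` passes an extension-only scan but not a content one.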

Woooo
04-07-2007, 03:03 PM
Hi,
The WordPress version 2.1.1 release was hacked by some hacking group and all downloads of this release contained some code by hackers.

As soon as WordPress got to know, they instantly released a new release.
Several of my blogs got hacked as well because of this version; I deleted them with all data as soon as I got to see them.

This is nothing wrong with the host, but the hacked version can create this same problem at the safest and costliest host.

Engelmacher
04-07-2007, 05:44 PM
Your host has absolutely nothing to do with the terrible software you choose to install on your web space. That's like getting mad at city hall when your house falls down after you buy a plot of land and build a straw shack on it.

cnymike
04-07-2007, 06:29 PM
I didn't say I was mad at my webhost. If I'm mad at anybody it would be the hacker. I was inquiring about whether the webhost had anything to do with the security of my WordPress installation and whether I should -consider- another host. And I'm not so sure that WordPress is "terrible software." In my research it happened to be one of the most respected blogs out there, which is why I chose it. They seem to issue frequent updates, so that indicates they are responsive developers. Your reply didn't really help me much.

Ultrab
04-07-2007, 06:41 PM
If you can send me those directories I might be able to run through them to maybe find a site or something..

maybe even a fingerprint..

Well known hacker:

R0nin Raptor.
He uses trace and krad3.
Happened to me..

cnymike
04-07-2007, 11:23 PM
That's cool. The entire thing is over 40MB. You don't want it all do you? I could zip it which would save a huge amount since it's mostly text stuff. Where would you like me to send it?

bear
04-08-2007, 07:25 AM
cnymike, If you send these files, you would be sending a complete set of hacking tools. Yes they are all available on the net, but do you really want to be sending this to people?

zsuatt
04-08-2007, 09:27 AM
Well, based on the list of commands you have provided, I can identify several of them:

mass.pl - udp flooder
mybindshell - binds a shell to a certain port
ptrace24 - local kernel root exploit against 2.2.x and 2.4.x kernel versions
99.php - c99 php backdoor
netcat - utility used to connect/listen to tcp/udp ports (usually compiled with insecure features like -e that allows bind shells)
dc.pl - IRAN HACKERS SABOTAGE connect back shell
kmod2 - another version of krad
raptor - local root exploit for kernels 2.6.13-2.6.17.4 (other version for prctl)
krad3 - <=linux 2.6.11 CPL 0 kernel exploit
prctl2 - prctl core dump handling exploit for again kernels 2.6.13-2.6.17.4
uselib24 - uselib() privilege escalation local root exploit for kernels version 2.4.x
bind.pl - another bind shell in perl
ptrace - same as ptrace24

These are pretty widely available tools, and it looks like the scriptkiddie who uploaded these didn't know a lot about it, because he tried to root your web host's box with exploits for both 2.6 and 2.4 kernel versions.

cnymike
04-08-2007, 09:38 AM
cnymike, If you send these files, you would be sending a complete set of hacking tools. Yes they are all available on the net, but do you really want to be sending this to people?

That's a good point. I hadn't really considered that. I guess it's best that I just secure the hatches and toss the stuff out. A better defense should help to prevent future intrusions.

At this point I'm mostly concerned about a recurrence, since they got in the first time, they probably figure they can try again.

A really negative side effect of this is that I have completely lost my ranking in Google. I can't even find my site unless I literally search for my name or business name specifically. That irritates me as much as getting hacked, because I don't know if or when Google will restore my ranking.