cnymike
04-07-2007, 02:38 PM
First of all, I discovered this forum during my quest to unravel the mysteries of how my site was hacked. I hope this is an appropriate forum to discuss the issues even though I am not a web hosting provider, but merely a customer of a web hosting company, hostrocket.com.

I have an installation of WordPress 2.1. WordPress creates a couple of world-writable directories, such as Uploads and Cache, which are owned by nobody. Apparently (according to the tech support at hostrocket.com) someone was able to insert and execute a PHP script in my world-writable Uploads directory. Over 40MB of scripts, executables and files were uploaded. As best I can tell, my space was being used as some sort of link farm, or perhaps acting as a server in my webspace. I do not have much knowledge about these things and consequently can't talk very intelligently about them. But I am trying to grasp what little I am able to absorb about how this could have happened, and what I can do to mitigate it from recurring in the future.

Some of the stuff that was in the directory is as follows:

    2421  2421.1  99.php  CMD.php  TMT.htm  TTdummyfile  bind.pl  bindz  brk
    coredump  dc.pl  elfdump  gcc  gcc.1  h4ckerz  help.php  idf.php  index.html
    kmod2  krad3  list.txt  mass.pl  mybindshell  netcat  online  online.tar.gz
    prctl2  ptrace  ptrace-kmod  ptrace24  pwned  r0nin  raptor  uselib24

The "online" directory contained over 40MB of directories such as...

    abortion  accounting  accupril  acne  actonel  actos  acyclovir  adderall
    adipex  adventure-travel  adware  adware-spyware  affiliate-program
    air-travel  aldara  alprazolam  altace  amaryl  ambien  amitriptyline
    amoxicillin  amoxil  antivirus  atenolol  ativan  avandia  avapro  baclofen
    bankruptcy  bextra  biaxin  bingo  black-jack  blackjack  blackjack-game
    bontril  britney-spears  business  buspar  buspirone  butalbital
    buy-hardware  buy-phentermine  california-lottery  captopril  car
    car-insurance  carisoprodol  cars  cartia  cash-loan  casino  casino-games
    casino-las-vegas  celebrex  celebrex-online  celexa  celexa-online
    cephalexin  cialis  cigarette  cigarettes  cipro  claritin  clindamycin
    clonazepam  clonidine  codeine  consolidate-card  cozaar  credit
    credit-card  credit-card-debt  credit-card-debt-consolidation  creditcard
    cyclobenzaprine  darvocet  dating  debt-consolidation  debtcard  denavir
    diazepam  diclofenac  didrex  diet-pills  diethylpropion  diflucan  diovan
    distance-education  dospan  dovonex  doxycycline  drug  drug-rehab
    drug-test  dvd  e-pathto  effexor  elavil  enalapril  equity-loan
    estradiol  evista  fioricet  flexeril  flonase  florida-lottery
    fluoxetine  fosamax  free-poker  free-slots  free-spyware  furniture
    gambling  home-equity-loan  home-loan  hosting  hotel  hydrocodone  images
    imitrex  insurance-life  internet-betting  internet-gambling  loan  loans
    lortab  lottery  lotto  mesothelioma  mortgages  online-black-jack
    online-casino  online-gambling  online-loan  online-pharmacy  online-poker
    online-roulette  online-slot  payday-advances  phentermine  poker
    poker-chips  poker-game  poker-tables  refinance  refinance-house
    refinance-loan  refinancing  ringtones  roulette  slot-machine
    slot-machines  slots  steroids  structured-settlement  texas-holdem
    texas-holdem-poker  texas-holdem-rules  texas-lottery  tramadol  travel
    travel-insurance  ultram  valium  viagra  vicodin  video-poker  wagering
    xanax

As you can see, I was had in a BIG way.

So the first thing my webhost had me do was to change ownership of the directories owned by nobody to me. Then I was able to change permissions from 777 to 755. However, in so doing, I am no longer able to use the Dashboard of WordPress to upload images anymore, unless I temporarily change permissions back to 777. The other thing the tech support guy did is to create an .htaccess file with:

    php_flag engine off

I guess this basically renders PHP scripts impotent from running.

So without flaming me, can you help me understand how someone in a shared server environment is able to put a PHP script into one of my directories? What amazed me was this particular script, "99.php": when viewed in a browser window it was titled phpshell and was called "c99adult v. 1.0 pre-release build #16". It basically enabled whoever had access to the URL to view my webspace and do all sorts of nasty things. Talk about a wake-up call! Obviously this enabled the hacker to view my config.php file and ascertain my database password and everything else. Whether he did, or whether there is a logfile of that info that could enable him to hack the database at some time in the future, is unknown to me, but it's really freaking me out. Any help or guidance at this point would be appreciated.

First question is, should I be looking for a more "secure" web host other than HostRocket? I had a PHPwebsite CMS website hacked in a similar fashion that was being hosted on pair.com as well. They've got a good reputation, so I don't really know what I should be doing at this point.
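The conditions the post describes (a world-writable uploads directory, a PHP file dropped into it, and the host's two fixes of `php_flag engine off` plus 755 permissions owned by the account) can be checked and applied with a script like the one below. This is an added example, not code from the post, from WordPress or from the hosting company; the site path and file names are constructed for the demo, the .htaccess uses Apache 2.2 `Order`/`Deny` syntax, and `php_flag` only takes effect when PHP runs as an Apache module (mod_php), which is what files being created as `nobody` indicates. Under CGI-style PHP, Apache does not recognise `php_flag` and answers 500 for the whole directory, so the `FilesMatch` block is included as the part that works either way.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shared-hosting web root
# for the conditions described in the thread, then apply the host's fixes.
# All paths and file names below are constructed for the demo.
set -u

# World-writable directories: anything the web server's "nobody" user (or any
# other account on the same box) can drop a file into. -perm -0002 is POSIX.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# PHP sources inside directories that should only ever hold data (images,
# cached pages). A .php file under uploads/ is the indicator from the post.
find_php_in_data_dirs() {
    find "$1" -type f \
        \( -path '*/uploads/*' -o -path '*/cache/*' \) \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# .htaccess that turns the PHP engine off (the host's fix, mod_php only) and
# additionally refuses to serve PHP-looking files from the directory at all
# (Apache 2.2 syntax, assumed).
write_no_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
php_flag engine off
<FilesMatch "\.(php|phtml|php[0-9])$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Ownership and permissions as the host recommended: everything owned by the
# account user, directories 755, files 644. chown needs root or existing
# ownership, so it is attempted but not treated as fatal.
fix_perms() {
    root="$1"; owner="$2"
    chown -R "$owner" "$root" 2>/dev/null || true
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Build a constructed tree that looks like the compromised site and run the
# audit before and after the fix.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/cache"
    chmod 777 "$site/wp-content/uploads" "$site/wp-content/cache"
    # constructed stand-in for the dropped shell; only the name matters here
    echo '<?php /* constructed */ ?>' > "$site/wp-content/uploads/99.php"
    echo 'jpeg' > "$site/wp-content/uploads/photo.jpg"

    echo "== world-writable directories =="
    find_world_writable_dirs "$site"
    echo "== php files in data directories =="
    find_php_in_data_dirs "$site"

    write_no_php_htaccess "$site/wp-content/uploads"
    fix_perms "$site" "$(id -un)"
    echo "== world-writable directories after fix (should be empty) =="
    find_world_writable_dirs "$site"
    rm -rf "$site"
}

demo
```

The permission change breaks Dashboard uploads for the same reason it stops the attacker: PHP runs as `nobody`, not as the account, so once the directory is 755 and owned by the account, PHP cannot write there either. The way to keep uploads working without going back to 777 is to have the host run PHP as the account user (suPHP or a per-user FastCGI setup), so the uploads directory can stay 755 and owned by that user. Anything already in the uploads and cache directories that the site did not put there should be removed rather than just disabled, and the database password in the configuration file should be treated as disclosed and changed.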
