Results 1 to 15 of 15
  1. #1
    Join Date
    Apr 2006
    Posts
    32

    Server Hacked / Weak Pass

    hello all
    I have a server with serverprono that was just compromised last week.
    When I found out about it from my client, I went to see what had happened.
    They first made a dir /.secure/form.html
    and the form.htm was a page they made from bank of america trying to collect cc info.
    I deleted that dir etc. and then I shut down the ftp account for this site.
    My server was unplugged at this point for aup violation and was told I needed to contact abuse threw email. They are telling me they will plug it back in and give me 24hrs to fix the problem.
    What do you guys sugest at this time.
    The clients password was a weak 6 letter common word could this been the problem?
    Thanks

  2. #2
    Join Date
    Jul 2006
    Location
    On top of the Servers
    Posts
    323
    If what you had mentioned here is only that happened, it does not seem that your server got hacked. But it could just be a website account that got compromised. Check the account activities to find out how the phishing files were uploaded. You will need to do a thorough checkup on the server and make sure that the server is safe. You may hire someone if you are not sure how to do it.
    || Techbrace :: 24 x 7 Outsourced Web Hosting Support since 2006
    || For Hosting Companies & Data Centres :: Helpdesk / Chat / Phone / Social Media :: cPanel / Plesk / DirectAdmin
    || Dedicated / VPS / Cloud Server Management :: Server Support On Demand :: Fully Managed Servers

  3. #3
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,588
    Sounds like an exploit in a script and a phishing site was put up from a hole through a script on a users site or from the user themself. I'm suprised they pulled the server first and ask questions later. Interesting

  4. #4
    Join Date
    Apr 2006
    Posts
    32
    what are the steps here to do the checkup, to make sure the server is secure?
    I know I have a lot to learn here.
    Thank you for helping me

  5. #5
    Join Date
    May 2006
    Posts
    244
    Lizard: what scripts (e.g. phpBB, Mambo, etc.) are installed on the client's account? It is likely there is a backdoor in one of them.

  6. #6
    Join Date
    Apr 2006
    Posts
    32
    tamar, I think just cgi-bin ?

    Thanks

  7. #7
    Hi Lizard,

    Phishing is extremely common today. Im surprised they pull the plugged on you instead of getting a quick resolution by you.

    Usually users with phpbb, mambo, or those upload scripts are most likely to have phishing pages uploaded by a phisher. If you look at the permission as well as the timestamp of the form I am sure you can dig it up through the logs of apache, ftp, and messages logs. But it doesnt look like a whole server will be compromised as phishers usually just find a weakness on customer account and upload their content.
    Psychz Networks - Dedicated Servers, Co-location | PhotonVPS - SSD Cloud | YardVPS - Storage VPS
    True Layer 7 DDoS Mitigation | BGP Optimized by Noction Intelligent Routing | Asia-Pacific Low Latency Routes
    Los Angeles, CA | Dallas, TX | Ashburn, VA | London, UK | Amsterdam, NL | Johannesburg, ZA

  8. #8
    Join Date
    May 2006
    Posts
    244
    cgi-bin is not an application. It is a folder that contains scripts (in most cases).

    But if the ENTIRE user's directory is empty with the exception of a cgi-bin folder (that was also empty) and the server was still compromised, then there's your answer very likely: the weak pass.

    Check the contents of the user's public_html (or www) directory and let us know what's there to verify.

    By the way, how did you determine that the client's password was a weak 6 letter word? Did he tell you?

  9. #9
    Join Date
    Apr 2006
    Posts
    32
    ok they just plugged it back in after a week of downtime.
    I made sure the ftp was disabled on the clients site that was doing the phishing.
    I have found many dirs on that clients site, with /.secure/
    with a form.html, 1 was bank of america 1 was paypal 1 was netzero
    they also put a script this clients /cgi-bin/ dir
    i have removed all this stuff
    any pointers and help would be great thank you

  10. #10
    Join Date
    Apr 2006
    Posts
    32
    tamar: yes my client told me the password when he called to tell me that he has been emailed about this phishing problem.

  11. #11
    Join Date
    May 2006
    Posts
    244
    Can you list the contents of his website directory for us?

    Go on the server, cd to his public_html directory, type ls, and paste the results here (or attach a screenshot).

  12. #12
    Join Date
    Apr 2006
    Posts
    32
    tamar:

    1.jpg
    10.jpg
    11.jpg
    12.jpg
    13.jpg
    14.jpg
    15.jpg
    16.jpg
    17.jpg
    18.jpg
    19.jpg
    2.jpg
    20.jpg
    21.jpg
    22.jpg
    3.jpg
    4.jpg
    5.jpg
    55A1a.jpg
    55B1a.jpg
    6.jpg
    7.jpg
    8.jpg
    9.jpg
    DSCF0001.jpg
    DSCF0003.jpg
    FORMgallery.htm
    FORMgallery2.htm
    SELL-BUY-U Cars
    ab_onlineform.htm
    about.htm
    auction.htm
    bidders.htm
    blockerror.js
    brochure.html
    brochure1.html
    broucher
    broucher.html
    cake.jpg
    careers.htm
    cgi-bin
    clients.htm
    consign vehicle pics.htm
    consign.htm
    contact.htm
    copyright-allwebco.js
    copyright.js
    copyrightbak.js
    corporatestyle.css
    corvair3.jpg
    dougs docs
    flash
    flash.txt
    form.htm
    gallery
    gallery.htm
    gallery2.htm
    graphic-logo-index.html
    graphic_logo-header.js
    header.js
    help.html
    hotel.htm
    hotel2.htm
    hotel_clip_image002.jpg
    hotel_clip_image003.jpg
    index.htm
    index.html
    index1.htm
    index1_files
    indexback.htm
    indexbak.htm
    indextest.html
    indextest1.html
    indoor.htm
    judgeform.htm
    lake
    links.htm
    logo
    logo.swf
    menu.js
    missing.html
    mouseover.js
    myform.htm
    new docs
    new pics
    news.htm
    nomination.htm
    onlineform.htm
    phone.js
    picts
    pop-closeup.js
    readme.txt
    rock_long_banner1.jpg
    search1.js
    search2.js
    search3.js
    search4.js
    search5.js
    search6.js
    sellers.htm
    service.htm
    show car pics
    showcar.htm
    showcar2.htm
    showcar3.htm
    showcar4.htm
    showcar5.htm
    showcarinfo.htm
    showcartest.html
    slide.htm
    slideshow
    slideshow.js
    slideshowauction.js
    slideshowcontact.js
    slideshowform.js
    slideshowindoor.js
    slideshowjudge.js
    slideshowshow.js
    slideshowthanks.js
    slideshowvendors.js
    testupload.htm
    thanks-payment.htm
    thanks.htm
    thanksupload.htm
    thatsanorder.htm
    ticker.swf
    ticker.xml
    under constrution
    upload

    thanks

    vendors.htm

  13. #13
    Join Date
    May 2006
    Posts
    244
    Your client is using Gallery. I'm not sure if that's Coppermine Gallery or Gallery from menalto, but that is VERY likely to be the problem (and the former has been an issue for me in the past, so I'd bet it's Coppermine). I suggest that you get the latest patches immediately and delete all the files.

  14. #14
    Join Date
    Apr 2006
    Posts
    32
    tamar:
    Not sure if I understand what you are saying abuot my client using a Gallery?
    coopermine or gallery from menalto?
    can you explain what patches I will need etc please?
    thanks

  15. #15
    Join Date
    May 2006
    Posts
    244
    Lizard:

    Go to your client's website:

    http://www.domain.com/gallery

    Determine what software it uses.

    Click on the link on the bottom (which should say "Powered by Coppermine" or "Powered by Gallery" which should take your to one of the links that I am about to provide).

    Then follow the instructions for patching the applications to the latest version.

    Coppermine: http://coppermine-gallery.net/index.php
    Gallery: http://gallery.menalto.com/

    By the way. I hate to be blunt, but as your role being a system administrator (as far as I can tell from what you've written so far), this stuff should be pretty easy to understand. If you are not sure -- even if there is a weak password -- you should enlist in the assistance of a company to secure your server for you. From your recent posts, it appears that the weak password was not the issue but rather that it was weak system administration on your part.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •