  1. #1

    Attacking problem

    Hello,

    I am hosting an account for someone, and he emailed me this.

    =========
    Yesterday, I finally found this guy targeting a file named
    "~httpdocs/BBS/junshi/gbsvtmp.txt"
    so that this file can't be deleted or rewritten.
    If he renames this file, a new file will be generated
    automatically. The result is that my forum's main
    page becomes blank. Obviously, it is done by a virus
    kind of program.

    After I modified my program to avoid using that file,
    this guy changed the virus program to constantly
    delete a file named
    "~httpdocs/BBS/junshi/gbcurrent.html"
    so that my forum page becomes "not exist".
    ==========

    How do I track/trace the attack and delete the "virus" program?

  2. #2
    I have an RH 7.1 server running PLESK.

    I used this command line to view the access_log of the account.

    more access_log

    and I found many of these in the account's access_log

    35c../winnt/system32/cmd.exe?/c+dir


    Is this the problem?
    If so, how can I fix it?

    How did it get in the account in the first place, and how can I block the attacker from doing it again?

  3. #3
    The CMD.exe thingy and the thing about your forum problem are two different things.


    The CMD.exe can have 2 possibilities.

    NIMDA Worm
    CodeRed Worm

    Both don't affect you since you are running Linux and not Windows servers, but they do slow down the performance of your servers.
    There isn't much that you can do about the scan for cmd.exe because the worm attacks a 64 or 66.*.*.* subnet (I may be wrong since I'm not a techie or junkie).

    As for the file problem that you have: are you trying to remove it via FTP? If you have root on the server, you can simply log in as root with ssh (do not use telnet) and

    rm /httpdocs/blah/junsi/whatever.txt
    (I don't have experience in Plesk and the way they set up their directories... if it was cPanel it would be rm /home/user/public_html/folder/whatever.txt)

    I hope this helps....
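As an added example (not from any poster in this thread), here is a small Python scanner that pulls worm probe requests like the cmd.exe line quoted in post #2 out of an Apache access_log and counts them per source IP. The log lines, IPs and paths inside it are constructed for the example; on a Linux/Apache host every such probe should come back with a 404, so the only ones worth a second look are those that do not.

```python
import re
from collections import Counter, defaultdict
# Constructed sample access_log lines in Apache combined format; the IPs,
# timestamps and paths are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2001:10:02:11 +0000] "GET /index.html HTTP/1.0" 200 5123 "-" "Mozilla/4.0"
192.0.2.44 - - [21/Sep/2001:10:03:40 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [21/Sep/2001:10:03:41 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [21/Sep/2001:10:03:42 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [21/Sep/2001:10:05:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [21/Sep/2001:10:06:13 +0000] "GET /BBS/junshi/gbcurrent.html HTTP/1.0" 200 8042 "-" "Mozilla/4.0"
"""

# Request-path signatures of the IIS worms named in post #3. They only ever
# succeed against IIS; on Apache they should always show up with a 404.
WORM_SIGNATURES = {
    "cmd_exe_probe": re.compile(r"/(cmd|root)\.exe", re.I),   # Nimda, Code Red II
    "default_ida_probe": re.compile(r"/default\.ida", re.I),  # Code Red
}

# Common/combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_line(line):
    """Return (ip, signature, status) if the request matches a worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, pattern in WORM_SIGNATURES.items():
        if pattern.search(m["path"]):
            return m["ip"], name, int(m["status"])
    return None

def summarize_probes(log_text):
    """Count worm probes per source IP, e.g. {'192.0.2.44': {'cmd_exe_probe': 3}}."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            per_ip[hit[0]][hit[1]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}

def probes_not_rejected(log_text):
    """Probe requests that did not get a 404; on Apache these deserve a closer look."""
    rows = [(line, classify_line(line)) for line in log_text.splitlines()]
    return [line for line, hit in rows if hit and hit[2] != 404]
```

Run it over a real access_log by reading the file into `summarize_probes`; a source IP with dozens of probes but nothing else is the worm noise post #3 describes, and an empty `probes_not_rejected` result confirms Apache refused all of them.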
