Thread: Attacking problem
10-04-2001, 03:09 AM #1 Web Hosting Master (Join Date: May 2001; Posts: 1,041)
Attacking problem
Hello,
I am hosting an account for someone, and he emailed me this.
=========
Yesterday, I finally found this guy targeting a file named
"~httpdocs/BBS/junshi/gbsvtmp.txt"
so that this file can't be deleted or rewritten.
If he renames this file, a new file will be generated
automatically. The result is that my forum's main
page becomes blank. Obviously, it is done by a virus
kind of program.
After I modified my program to avoid using that file,
this guy changed the virus program to constantly
delete a file named
"~httpdocs/BBS/junshi/gbcurrent.html"
so that my forum page becomes "not exist".
==========
How do I track/trace the attack and delete the "virus" program?
10-04-2001, 03:27 AM #2 Web Hosting Master (Join Date: May 2001; Posts: 1,041)
I have an RH 7.1 server running PLESK.
I used this command line to view the access_log of the account.
more access_log
and I found many of these in the account's access_log
35c../winnt/system32/cmd.exe?/c+dir
Is this the problem?
If so, how can I fix it?
How did it get into the account in the first place, and how can I block the attacker from doing it again?
10-04-2001, 12:34 PM #3 Web Hosting Master (Join Date: Nov 2000; Location: Boston, MA (USA); Posts: 773)
The CMD.exe thingy and the thing about your forum problem are 2 different things.
The CMD.exe can have 2 possibilities.
NIMDA Worm
CodeRed Worm
Both don't affect you since you are running linux and not win servers, but they do slow down the performance of your servers such as slowing it down.
There isn't much that you can do about the scan for cmd.exe because the worm attacks a 64 or 66.*.*.* subnet (I may be wrong since I'm not a techie or junkie).
As for the file problem that you have: are you trying to remove it via FTP? If you have root on the server, you can simply log in as root with ssh (do not use telnet) and
rm /httpdocs/blah/junsi/whatever.txt
(I don't have experience with Plesk and the way they set up their directories... if it were cPanel it would be rm /home/user/public_html/folder/whatever.txt)
I hope this helps....
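As an added example (not from anyone in this thread), here is a small shell snippet for the "more access_log" step in post #2: it pulls out the Code Red / Nimda probe requests that post #3 describes, labels them, and counts them per source address so you can see how much of the log is worm noise. The log lines are constructed, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Constructed sample of an Apache access_log (common log format).
# Addresses are documentation-range placeholders, not real scanners.
SAMPLE_LOG='192.0.2.10 - - [04/Oct/2001:01:02:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [04/Oct/2001:01:02:04 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
198.51.100.7 - - [04/Oct/2001:01:05:10 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 271
203.0.113.5 - - [04/Oct/2001:01:06:00 -0400] "GET /BBS/junshi/gbcurrent.html HTTP/1.0" 200 5123
192.0.2.10 - - [04/Oct/2001:01:07:30 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283'

# Keep only requests for the well-known worm probe targets (case-insensitive).
# Reads the log on stdin, e.g.:  worm_probe_lines < access_log
worm_probe_lines() {
    grep -E -i 'cmd\.exe|root\.exe|default\.ida'
}

# Print "count ip" for every probing source, most active first.
probes_per_ip() {
    worm_probe_lines | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Label each probe line: default.ida is the Code Red signature,
# cmd.exe / root.exe requests are the Nimda style.
classify_probes() {
    worm_probe_lines | awk '{
        label = ($0 ~ /default\.ida/) ? "CodeRed" : "Nimda"
        print label, $1
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | probes_per_ip
```

Against a real file, replace the printf with `probes_per_ip < /path/to/access_log`; a 404 on every one of these lines is what you expect on a Linux box, since the requested Windows paths do not exist there.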