
01-02-2012, 11:49 AM
Newbie
Join Date: Aug 2011
Posts: 25
Hi,
I'm helping clean my friend's site which was hacked by Hmei7.
He has cleaned the files he knows were added by the attacker.
Are there other specific files known to be created by this hacker, or other possible malware? And what other security measures can we take to prevent this?
Thanks!

01-02-2012, 11:53 AM
Stairway To Hosting
Join Date: Mar 2003
Location: Canada
Posts: 7,958
Do you have shell access? It might be easier to run the find command and look for any files modified within the last seven days, or on the day the attack occurred. Something like this:
find . -mtime -7 -type f
What software was the website running? WordPress?
__________________
SYN Hosting - Affordable, Reliable & Secure Web Hosting - Proudly In Business Since 2006!
Host Unlimited Websites -/ - cPanel -/ - Softaculous -/ - CloudFlare -/ - SSH Access -/ - 24/7 Tech Support
http://www.synhosting.com - Need a Canadian budget managed dedicated server? Click here for details.

01-02-2012, 12:07 PM
Newbie
Join Date: Aug 2011
Posts: 25
Thanks for the response Parick,
Unfortunately we don't have shell access.
But thanks for the suggestion; we'll try to do that via the cPanel file manager.
There's just a basic HTML page and the latest WHMCS.

01-02-2012, 12:15 PM
Temporarily Suspended
Join Date: Jan 2012
Posts: 13
Quote:
Originally Posted by neo-
Thanks for the response Parick,
Unfortunately we don't have shell access.
But thanks for the suggestion; we'll try to do that via the cPanel file manager.
There's just a basic HTML page and the latest WHMCS.

You need to upgrade your WHMCS to the latest version and make sure you have a licensed copy.

01-02-2012, 12:25 PM
Newbie
Join Date: Aug 2011
Posts: 25
@John Oates
Yes the latest licensed WHMCS is the one installed.
Is anyone familiar with how Hmei7 hacks sites and how to clean them? In the news he has attacked IBM, Siemens, Microsoft and auto companies.

01-02-2012, 03:21 PM
Junior Guru
Join Date: Apr 2008
Location: UK
Posts: 231
By any chance is the server cPanel based? I would find another host, to be honest; it may be the server. He's just a zone-h script kiddie who likes to attack vulnerable Exim systems.
Within your web root you need to find modified files or any PHP shells lying around, particularly within WHMCS; make sure those downloads, template_c and attachment folders are placed outside the web root.
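The two pieces of triage advice in this thread, the find-by-modification-time command from the earlier reply and the "look for PHP shells in the web root, and keep the WHMCS data folders out of it" advice just above, combined into one POSIX shell script. This is an added example and not code posted by anyone in the thread; the web-root path, the seven-day window, the directory names and the pattern list are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: triage a web root for recently modified
# files and for PHP files that look like web shells. The path, the day window
# and the pattern list are assumptions for illustration.
set -eu

# Regular files under $1 whose mtime is within the last $2 days (default 7).
# Attackers often reset mtime with touch, so an empty result only means
# "nothing found by this method", not "clean". ctime is harder to forge.
recent_files() {
    root=$1
    days=${2:-7}
    find "$root" -type f -mtime "-$days"
}

# PHP files under $1 containing constructs typical of web shells and
# obfuscated droppers. Constructed starter list, not a full signature set;
# expect some false positives in legitimate frameworks, so read the hits.
suspicious_php() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
        -exec grep -lE \
        'eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|preg_replace[^)]*/e|passthru|shell_exec|proc_open|popen[[:space:]]*\(|system[[:space:]]*\(|assert[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        {} + 2>/dev/null || true
}

# PHP files inside directories that should only hold data. For WHMCS these
# are downloads, templates_c and attachments; any *.php* there (including
# double extensions like x.php.jpg) is either an upload that slipped through
# or a planted shell. These folders belong outside the web root entirely.
php_in_data_dirs() {
    root=$1
    find "$root" -type d \( -name downloads -o -name templates_c -o -name attachments \) \
        -exec find {} -type f -name '*.php*' \; 2>/dev/null || true
}

# Usage: sh triage.sh /home/user/public_html [days]   (path is an assumption)
if [ $# -ge 1 ]; then
    echo "== files modified in the last ${2:-7} days"
    recent_files "$1" "${2:-7}"
    echo "== php files with shell-like constructs"
    suspicious_php "$1"
    echo "== php files inside data directories"
    php_in_data_dirs "$1"
fi
```

Run it against a copy of the web root rather than cleaning in place, and keep the hits: a file that matches the second or third check is the thing to diff against a known-good backup, not just delete. Without shell access the first check degrades to sorting by modified date in a file manager, but the content checks need grep.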

01-02-2012, 03:58 PM
Web Hosting Master
Join Date: Nov 2004
Location: Australia
Posts: 1,440
Quote:
Originally Posted by neo-
@John Oates
Yes the latest licensed WHMCS is the one installed.

Did you install the patch released in early December? If not, odds are that you were hacked via that.

01-02-2012, 05:25 PM
Web Hosting Master
Join Date: Jun 2007
Posts: 911
Seems to be a big issue not related to WHMCS.
zone-h.com/archive/notifier=Hmei7
@op: what version of cPanel do you have?
__________________
█ PlotHost - Cheap Web Hosting - Visit Our Website
█ 24/7 Support | 99.9% Real Uptime | 15 Days Money Back
█ Secure and Reliable Shared Hosting & Reseller Hosting

01-03-2012, 08:41 AM
Stairway To Hosting
Join Date: Mar 2003
Location: Canada
Posts: 7,958
Looks like most of the hosts that user has compromised were running Exim 4.69 which is vulnerable to attack... not good.

01-03-2012, 11:10 PM
Newbie
Join Date: Aug 2011
Posts: 25
Thanks for the responses guys,
Here's the version info...
WHM/cPanel Version 11.30.5 (build 3)
exim-4.69-30_cpanel_maildir
Now tell me, are we really vulnerable? If so, I should raise this with InnoHosting; their abuse department takes days to respond and 24/7 tech support will just categorize the issue as abuse.
@SafeSr
We did remove/restore a backup of the modified files; how do I identify these PHP shells? That was our failure, with the downloads, template_c and attachment folders not being removed from the root. Moved them now and upgraded to the latest WHMCS version.

01-04-2012, 01:25 AM
Join Date: Sep 2003
Posts: 3,526
Quote:
Originally Posted by neo-
Thanks for the responses guys,
Here's the version info...
WHM/cPanel Version 11.30.5 (build 3)
exim-4.69-30_cpanel_maildir
Now tell me, are we really vulnerable? If so, I should raise this with InnoHosting; their abuse department takes days to respond and 24/7 tech support will just categorize the issue as abuse.
@SafeSr
We did remove/restore a backup of the modified files; how do I identify these PHP shells? That was our failure, with the downloads, template_c and attachment folders not being removed from the root. Moved them now and upgraded to the latest WHMCS version.

Open a ticket and mark the issue as FAO: Chris/Rameen and one of us will have a close look at your site for you. Open it with General.
__________________
█ InnoHosting Ltd || US: 1-888-522-INNO UK: 0800 612 8075
█ UK and USA Reseller Hosting & Managed VPS | High Spec Dedicated Servers
█ WHMCS | Preloaded KB Articles | Domain+SSL Reseller| RapidSSL | Legal Document Templates
█ Reliable Sales/Billing/Tech End-user Support - We can provide support to your customers!

01-04-2012, 02:05 AM
Newbie
Join Date: Aug 2011
Posts: 25
Done Rameen!
Ticket ID: FRO-547700
As mentioned in the previous abuse ticket, we're willing to pay for the service to secure my account, but didn't get a response after days.