Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Server Hacked / Weak Pass

[Lizard_king825]

hello all
I have a server with serverprono that was just compromised last week.
When I found out about it from my client, I went to see what had happened.
They first made a dir /.secure/form.html
and the form.htm was a page they made from bank of america trying to collect cc info.
I deleted that dir etc. and then I shut down the ftp account for this site.
My server was unplugged at this point for aup violation and was told I needed to contact abuse threw email. They are telling me they will plug it back in and give me 24hrs to fix the problem.
What do you guys sugest at this time.
The clients password was a weak 6 letter common word could this been the problem?
Thanks

[TechBrein]

If what you had mentioned here is only that happened, it does not seem that your server got hacked. But it could just be a website account that got compromised. Check the account activities to find out how the phishing files were uploaded. You will need to do a thorough checkup on the server and make sure that the server is safe. You may hire someone if you are not sure how to do it.

[Ramprage]

Sounds like an exploit in a script and a phishing site was put up from a hole through a script on a users site or from the user themself. I'm suprised they pulled the server first and ask questions later. Interesting

[Lizard_king825]

what are the steps here to do the checkup, to make sure the server is secure?
I know I have a lot to learn here.
Thank you for helping me

[tamar]

Lizard: what scripts (e.g. phpBB, Mambo, etc.) are installed on the client's account? It is likely there is a backdoor in one of them.

[Lizard_king825]

tamar, I think just cgi-bin ?

Thanks

[clanosiris]

Hi Lizard,

Phishing is extremely common today. Im surprised they pull the plugged on you instead of getting a quick resolution by you.

Usually users with phpbb, mambo, or those upload scripts are most likely to have phishing pages uploaded by a phisher. If you look at the permission as well as the timestamp of the form I am sure you can dig it up through the logs of apache, ftp, and messages logs. But it doesnt look like a whole server will be compromised as phishers usually just find a weakness on customer account and upload their content.

[tamar]

cgi-bin is not an application. It is a folder that contains scripts (in most cases).

But if the ENTIRE user's directory is empty with the exception of a cgi-bin folder (that was also empty) and the server was still compromised, then there's your answer very likely: the weak pass.

Check the contents of the user's public_html (or www) directory and let us know what's there to verify.

By the way, how did you determine that the client's password was a weak 6 letter word? Did he tell you?

[Lizard_king825]

ok they just plugged it back in after a week of downtime.
I made sure the ftp was disabled on the clients site that was doing the phishing.
I have found many dirs on that clients site, with /.secure/
with a form.html, 1 was bank of america 1 was paypal 1 was netzero
they also put a script this clients /cgi-bin/ dir
i have removed all this stuff
any pointers and help would be great thank you

[Lizard_king825]

tamar: yes my client told me the password when he called to tell me that he has been emailed about this phishing problem.

[tamar]

Can you list the contents of his website directory for us?

Go on the server, cd to his public_html directory, type ls, and paste the results here (or attach a screenshot).

[Lizard_king825]

tamar:

1.jpg
10.jpg
11.jpg
12.jpg
13.jpg
14.jpg
15.jpg
16.jpg
17.jpg
18.jpg
19.jpg
2.jpg
20.jpg
21.jpg
22.jpg
3.jpg
4.jpg
5.jpg
55A1a.jpg
55B1a.jpg
6.jpg
7.jpg
8.jpg
9.jpg
DSCF0001.jpg
DSCF0003.jpg
FORMgallery.htm
FORMgallery2.htm
SELL-BUY-U Cars
ab_onlineform.htm
about.htm
auction.htm
bidders.htm
blockerror.js
brochure.html
brochure1.html
broucher
broucher.html
cake.jpg
careers.htm
cgi-bin
clients.htm
consign vehicle pics.htm
consign.htm
contact.htm
copyright-allwebco.js
copyright.js
copyrightbak.js
corporatestyle.css
corvair3.jpg
dougs docs
flash
flash.txt
form.htm
gallery
gallery.htm
gallery2.htm
graphic-logo-index.html
graphic_logo-header.js
header.js
help.html
hotel.htm
hotel2.htm
hotel_clip_image002.jpg
hotel_clip_image003.jpg
index.htm
index.html
index1.htm
index1_files
indexback.htm
indexbak.htm
indextest.html
indextest1.html
indoor.htm
judgeform.htm
lake
links.htm
logo
logo.swf
menu.js
missing.html
mouseover.js
myform.htm
new docs
new pics
news.htm
nomination.htm
onlineform.htm
phone.js
picts
pop-closeup.js
readme.txt
rock_long_banner1.jpg
search1.js
search2.js
search3.js
search4.js
search5.js
search6.js
sellers.htm
service.htm
show car pics
showcar.htm
showcar2.htm
showcar3.htm
showcar4.htm
showcar5.htm
showcarinfo.htm
showcartest.html
slide.htm
slideshow
slideshow.js
slideshowauction.js
slideshowcontact.js
slideshowform.js
slideshowindoor.js
slideshowjudge.js
slideshowshow.js
slideshowthanks.js
slideshowvendors.js
testupload.htm
thanks-payment.htm
thanks.htm
thanksupload.htm
thatsanorder.htm
ticker.swf
ticker.xml
under constrution
upload

thanks

vendors.htm

[tamar]

Your client is using Gallery. I'm not sure if that's Coppermine Gallery or Gallery from menalto, but that is VERY likely to be the problem (and the former has been an issue for me in the past, so I'd bet it's Coppermine). I suggest that you get the latest patches immediately and delete all the files.

[Lizard_king825]

tamar:
Not sure if I understand what you are saying abuot my client using a Gallery?
coopermine or gallery from menalto?
can you explain what patches I will need etc please?
thanks

[tamar]

Lizard:

Go to your client's website:

http://www.domain.com/gallery

Determine what software it uses.

Click on the link on the bottom (which should say "Powered by Coppermine" or "Powered by Gallery" which should take your to one of the links that I am about to provide).

Then follow the instructions for patching the applications to the latest version.

Coppermine: http://coppermine-gallery.net/index.php
Gallery: http://gallery.menalto.com/

By the way. I hate to be blunt, but as your role being a system administrator (as far as I can tell from what you've written so far), this stuff should be pretty easy to understand. If you are not sure -- even if there is a weak password -- you should enlist in the assistance of a company to secure your server for you. From your recent posts, it appears that the weak password was not the issue but rather that it was weak system administration on your part.