Server Hacked / Weak Pass

#1
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32

Hello all,
I have a server with serverprono that was just compromised last week.
When I found out about it from my client, I went to see what had happened.
They first made a dir /.secure/form.html,
and the form.htm was a page they made from Bank of America trying to collect CC info.
I deleted that dir etc. and then I shut down the FTP account for this site.
My server was unplugged at this point for an AUP violation, and I was told I needed to contact abuse through email. They are telling me they will plug it back in and give me 24 hrs to fix the problem.
What do you guys suggest at this time?
The client's password was a weak 6-letter common word; could this have been the problem?
Thanks



#2
Web Hosting Guru
 
Join Date: Jul 2006
Location: On top of the Servers
Posts: 320
If what you have mentioned here is all that happened, it does not seem that your server got hacked; it could just be a website account that got compromised. Check the account's activity to find out how the phishing files were uploaded. You will need to do a thorough checkup on the server and make sure that the server is safe. You may hire someone if you are not sure how to do it.

#3
Keep rockin' in the free world
 
Join Date: May 2002
Location: Kingston, Ontario
Posts: 1,573
Sounds like an exploit in a script: a phishing site was put up through a hole in a script on a user's site, or by the user themselves. I'm surprised they pulled the server first and asked questions later. Interesting.

#4
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32
What are the steps here to do the checkup, to make sure the server is secure?
I know I have a lot to learn here.
Thank you for helping me.

#5
Junior Guru
 
Join Date: May 2006
Posts: 232
Lizard: what scripts (e.g. phpBB, Mambo, etc.) are installed on the client's account? It is likely there is a backdoor in one of them.

#6
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32
tamar, I think just cgi-bin?

Thanks

#7
Web Hosting Master
 
Join Date: Jul 2004
Posts: 664
Hi Lizard,

Phishing is extremely common today. I'm surprised they pulled the plug on you instead of getting a quick resolution from you.

Usually users with phpBB, Mambo, or upload scripts are the most likely to have phishing pages uploaded by a phisher. If you look at the permissions as well as the timestamp of the form, I am sure you can dig it up through the Apache, FTP and messages logs. But it doesn't look like the whole server was compromised, as phishers usually just find a weakness in a customer account and upload their content.

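Posts #2 and #7 above say to check the account's activity and to correlate the timestamps of the planted files with the FTP and Apache logs. The shell script below is an added example of that first-pass triage; it is not code from the thread or from any poster. It builds a constructed docroot and a constructed xferlog in a temp directory (the account name client, the IPs, dates and file names are all made up), then lists hidden directories, files modified recently, and the FTP upload records for the account together with their source IPs.

```shell
#!/bin/sh
# Added example, not from the thread or from any poster: first-pass triage of a
# suspected phishing upload on one hosting account. Everything here is
# constructed for the demo (temp docroot, account name 'client', IPs, dates);
# on a real box point DOCROOT at the account's public_html and XFERLOG at the
# FTP transfer log (xferlog format, written by wu-ftpd, proftpd and pure-ftpd).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOCROOT="$WORK/home/client/public_html"
XFERLOG="$WORK/var/log/xferlog"
mkdir -p "$DOCROOT/.secure" "$DOCROOT/cgi-bin" "$WORK/var/log"

# Constructed site: one old legitimate page, plus a planted dot-directory with a
# phishing form and a dropped CGI collector, mirroring what the thread describes.
printf '<html>legit</html>\n' > "$DOCROOT/index.htm"
printf '<form action="/cgi-bin/collect.cgi">card number</form>\n' > "$DOCROOT/.secure/form.html"
printf '#!/usr/bin/perl\nopen(F, ">>log.txt");\n' > "$DOCROOT/cgi-bin/collect.cgi"
touch -t 200601010000 "$DOCROOT/index.htm"   # legit page gets an old mtime; planted files keep "now"

# Constructed xferlog: a normal download, then two uploads (direction field "i")
# by the 'client' account from an IP the customer would not recognise.
cat > "$XFERLOG" <<'EOF'
Mon Aug 14 09:12:01 2006 1 198.51.100.20 812 /home/client/public_html/index.htm a _ o r client ftp 0 * c
Tue Aug 15 03:41:17 2006 1 203.0.113.77 1190 /home/client/public_html/.secure/form.html b _ i r client ftp 0 * c
Tue Aug 15 03:41:52 2006 1 203.0.113.77 640 /home/client/public_html/cgi-bin/collect.cgi b _ i r client ftp 0 * c
EOF

# 1. Dot-directories under the docroot: phishing kits are commonly dropped in
#    names like /.secure/ so a casual "ls" does not show them.
find_hidden_dirs() {
    find "$1" -type d -name '.*' | sort
}

# 2. Files modified in the last $2 days: narrow the window to the notification
#    date; anything newer than the site's last legitimate edit is suspect.
recently_modified() {
    find "$1" -type f -mtime "-$2" | sort
}

# 3. xferlog upload records for an account. Field layout: 1-5 timestamp,
#    6 transfer time, 7 remote host, 8 bytes, 9 path, 10 type, 11 special flag,
#    12 direction (i = upload, o = download), 13 access mode, 14 username.
ftp_uploads_for_user() {
    awk -v user="$2" '$12 == "i" && $14 == user { print $7, $9 }' "$1"
}

# 4. Distinct source IPs that uploaded as that account. With a guessed weak
#    password, expect a foreign IP here rather than the customer's usual address.
upload_source_ips() {
    ftp_uploads_for_user "$1" "$2" | awk '{ print $1 }' | sort -u
}

echo "== hidden directories under $DOCROOT";        find_hidden_dirs "$DOCROOT"
echo "== files modified in the last 7 days";         recently_modified "$DOCROOT" 7
echo "== FTP uploads by account 'client' (ip path)"; ftp_uploads_for_user "$XFERLOG" client
echo "== upload source IPs for 'client'";            upload_source_ips "$XFERLOG" client
```

On a live server, replace the constructed paths with the account's real public_html and the daemon's transfer log (the file name and location vary by FTP server and distribution), and run the upload query for the compromised account. A successful upload from an IP the customer does not recognise, at the same time the /.secure/ files got their mtime, is the evidence you want before deciding between the weak FTP password and a web application hole. If nothing shows in the FTP log, the Apache access log is the next place to look, since an upload through a PHP or CGI script leaves POST requests there rather than xferlog entries.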

#8
Junior Guru
 
Join Date: May 2006
Posts: 232
cgi-bin is not an application. It is a folder that contains scripts (in most cases).

But if the ENTIRE user's directory is empty with the exception of a cgi-bin folder (that was also empty) and the server was still compromised, then there's your answer very likely: the weak pass.

Check the contents of the user's public_html (or www) directory and let us know what's there to verify.

By the way, how did you determine that the client's password was a weak 6 letter word? Did he tell you?

#9
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32
OK, they just plugged it back in after a week of downtime.
I made sure FTP was disabled on the client's site that was doing the phishing.
I have found many dirs on that client's site with /.secure/
with a form.html: one was Bank of America, one was PayPal, one was NetZero.
They also put a script in this client's /cgi-bin/ dir.
I have removed all this stuff.
Any pointers and help would be great, thank you.

#10
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32
tamar: yes, my client told me the password when he called to tell me that he had been emailed about this phishing problem.

#11
Junior Guru
 
Join Date: May 2006
Posts: 232
Can you list the contents of his website directory for us?

Go on the server, cd to his public_html directory, type ls, and paste the results here (or attach a screenshot).

#12
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32
tamar:

1.jpg
10.jpg
11.jpg
12.jpg
13.jpg
14.jpg
15.jpg
16.jpg
17.jpg
18.jpg
19.jpg
2.jpg
20.jpg
21.jpg
22.jpg
3.jpg
4.jpg
5.jpg
55A1a.jpg
55B1a.jpg
6.jpg
7.jpg
8.jpg
9.jpg
DSCF0001.jpg
DSCF0003.jpg
FORMgallery.htm
FORMgallery2.htm
SELL-BUY-U Cars
ab_onlineform.htm
about.htm
auction.htm
bidders.htm
blockerror.js
brochure.html
brochure1.html
broucher
broucher.html
cake.jpg
careers.htm
cgi-bin
clients.htm
consign vehicle pics.htm
consign.htm
contact.htm
copyright-allwebco.js
copyright.js
copyrightbak.js
corporatestyle.css
corvair3.jpg
dougs docs
flash
flash.txt
form.htm
gallery
gallery.htm
gallery2.htm
graphic-logo-index.html
graphic_logo-header.js
header.js
help.html
hotel.htm
hotel2.htm
hotel_clip_image002.jpg
hotel_clip_image003.jpg
index.htm
index.html
index1.htm
index1_files
indexback.htm
indexbak.htm
indextest.html
indextest1.html
indoor.htm
judgeform.htm
lake
links.htm
logo
logo.swf
menu.js
missing.html
mouseover.js
myform.htm
new docs
new pics
news.htm
nomination.htm
onlineform.htm
phone.js
picts
pop-closeup.js
readme.txt
rock_long_banner1.jpg
search1.js
search2.js
search3.js
search4.js
search5.js
search6.js
sellers.htm
service.htm
show car pics
showcar.htm
showcar2.htm
showcar3.htm
showcar4.htm
showcar5.htm
showcarinfo.htm
showcartest.html
slide.htm
slideshow
slideshow.js
slideshowauction.js
slideshowcontact.js
slideshowform.js
slideshowindoor.js
slideshowjudge.js
slideshowshow.js
slideshowthanks.js
slideshowvendors.js
testupload.htm
thanks-payment.htm
thanks.htm
thanksupload.htm
thatsanorder.htm
ticker.swf
ticker.xml
under constrution
upload
vendors.htm

thanks

#13
Junior Guru
 
Join Date: May 2006
Posts: 232
Your client is using Gallery. I'm not sure if that's Coppermine Gallery or Gallery from menalto, but that is VERY likely to be the problem (and the former has been an issue for me in the past, so I'd bet it's Coppermine). I suggest that you get the latest patches immediately and delete all the files.

#14
Junior Guru Wannabe
 
Join Date: Apr 2006
Posts: 32
tamar:
Not sure I understand what you are saying about my client using a Gallery?
Coppermine or Gallery from menalto?
Can you explain what patches I will need, etc., please?
Thanks

#15
Junior Guru
 
Join Date: May 2006
Posts: 232
Lizard:

Go to your client's website:

http://www.domain.com/gallery

Determine what software it uses.

Click on the link at the bottom (which should say "Powered by Coppermine" or "Powered by Gallery"), which should take you to one of the links that I am about to provide.

Then follow the instructions for patching the applications to the latest version.

Coppermine: http://coppermine-gallery.net/index.php
Gallery: http://gallery.menalto.com/

By the way, I hate to be blunt, but in your role as a system administrator (as far as I can tell from what you've written so far), this stuff should be pretty easy to understand. If you are not sure -- even if there is a weak password -- you should enlist the assistance of a company to secure your server for you. From your recent posts, it appears that the weak password was not the issue, but rather that it was weak system administration on your part.
