Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Server hacked : how can I find out how they are uploading files to my server?

[listenmirndt]

I am being hacked & I don't know how they are getting files on my server. They are doing it on two of my domains, I suspended one and then they got it on the other. My FTP access log does not show anything suspicious..

How can I find their doorway?

Thanks for any help.

[macooper]

As you say it's your server, I assume you know which files they are uploading. Look through your webserver logs for all occurances of the filename. They may well be using a web based form rather than FTP to upload the files. Also, check the permissions on the wget command, as they may be using that (which should show in your logs).

[listenmirndt]

Would it be possible to say : only allow files to be uploaded from a certain IP? (regardless of the method of upload)...

[macooper]

It is possible to do that in php. If your using apache, it's also probably possible to do something like that with mod_security. But you can't do it at a filesystem level, so the world writable directory (if your webhost runs php as a module) would still be there and susceptible to XSS attacks if you have a vulnerable script on another domain and they can figure out the full path to your directory. To use mod_security, you would have to ask for assistance from your webhost.

[tsj5j]

You can configure a firewall to only allow FTP (port 21) from a certain IP.
After that, you should wait and see if there are any more attacks.

If there are, rule out FTP.
Proceed to disable web form uploading/limit it via PHP.
Wait again to see if there are further attacks.

The next, and probably the worst level, would be that SSH is hacked.
I would then suggest you wipe your server, since rootkits/malicious software can be easily installed.