
Intrusion in my webhotel


All times are UTC - 5 hours [ DST ]


 [ 7 posts ] 
Posted: Tue Mar 23, 2010 9:51 am
Spam Observer
Joined: Tue Oct 14, 2008 8:20 pm
Posts: 72
I don't know where to ask this, so I'll try here.
I am the webmaster of ellebaek1.dk, and yesterday, when I was going to update the site, I found two folders that I didn't know of, so I deleted them. I searched for them: tatsk gave nothing, but faczw did. Can somebody tell me what this is?
I have changed my password, but is that enough?

Posted: Tue Mar 23, 2010 10:00 am
Spammers' Nightmare
Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
I will PM you some more info instead of posting it all here.

The one thing that comes to mind is that your website is probably on a shared web server with other domains (customers), so I would report the findings to your webhost, because the shared web server itself could be compromised and not just your website. Definitely change all your FTP / administrator passwords now if you have not yet. I hope this helps you.

EDIT:
From a cursory search of the file names, I think this is SEO (search engine optimization) poisoning, where a spammer places links to his products to boost his search rankings. There is probably more to this.

Posted: Tue Mar 23, 2010 12:49 pm
Spam Observer
Joined: Tue Oct 14, 2008 8:20 pm
Posts: 72
Thanks, Meep.
I looked again today, and now there were some new files: .bash_logout, .bash_profile, .bashre, .wsre. They seem to be related to some Linux code.
On the other hand, I could now delete the empty folder faczw, which I could not yesterday, when I could only delete its contents.
I have changed my password, but it has not yet taken effect, and I was not allowed to use anything but letters and numbers.
I have also notified my webhost and await an answer.

Posted: Tue Mar 23, 2010 3:41 pm
You are kiillllling-a my bizinisss!
Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
There are also some trojans that alter websites by infecting the webmaster's PC and using stored passwords to log in and update the site every night, no matter how many times the webmaster tries to fix it. How many people have passwords to log in, and from how many computers have you/they accessed the website control panel? Any computer that has been used is suspect.

Posted: Tue Mar 23, 2010 6:53 pm
Spam Observer
Joined: Tue Oct 14, 2008 8:20 pm
Posts: 72
I am the only one who has access to my machine and has the password to this website. That is, there must be another one whom I have not invited. If I have a trojan, then it must be thoroughly buried as a rootkit. I use Mailwasher, just to be sure that malware sent to me never comes near my machine. And I do not use MSN, Facebook or Twitter.
I have an answer from my webhost. He thinks I might have been infected through the contact form. It is a CGI script and only plain text is allowed.

Posted: Tue Mar 23, 2010 9:56 pm
Spammers' Nightmare
Joined: Thu Apr 05, 2007 4:10 pm
Posts: 2777
Quote:
I have an answer from my webhost. He thinks I might have been infected through the contact form. It is a CGI script and only plain text is allowed.


Thanks for the update on that issue. I am glad to hear your own PC does not appear to have been infected; good news, Knitter! At least your host gave you a detailed response; many times they stay rather vague if their servers get infected.

Posted: Wed Mar 24, 2010 11:39 am
Spammers' Nightmare
Joined: Thu Apr 12, 2007 6:55 pm
Posts: 2549
Knitter wrote:
Thanks, Meep.
I looked again today, and now there were some new files: .bash_logout, .bash_profile, .bashre, .wsre. They seem to be related to some Linux code.
On the other hand, I could now delete the empty folder faczw, which I could not yesterday, when I could only delete its contents.
I have changed my password, but it has not yet taken effect, and I was not allowed to use anything but letters and numbers.
I have also notified my webhost and await an answer.

Those dot-bash files were created when someone accessed the server using SSH. If they were not there before, that means SSH was never used previously to access the server with a userid whose home directory is at the location where you found those files. This could have been your hosting provider checking things out, or it could have been the person who put those other folders in your site's directory. You may also simply not have noticed these files before, and they were there all along. Check the date and time on those files to see when they were created in comparison to those other folders. You might want to ask your hosting provider whether they SSH'ed into your website at that time too. If neither you nor your hosting provider has used SSH, then the userid and password for SSH access need to be changed immediately; otherwise you will be continually removing unwanted files and folders. I say both the userid and password because, by only changing the password, the hacker still has half of the login and may regain access in a short period of time.

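The last post suggests comparing the timestamps of the shell dotfiles with those of the unknown folders to see whether they appeared in the same session. The script below is an added example of how to do that check from a shell on the host; it is not code from the thread or from any of its posters. It assumes a POSIX sh with `find`, `sort` and either GNU or BSD `stat`, and the account paths in the usage line at the bottom are hypothetical.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a small timeline of a web
# account after unknown folders and shell dotfiles turn up. It lists every
# entry under the account directory whose modification time falls within a
# chosen window of a reference entry (for instance the unknown folder), so
# the dotfiles and the folders can be checked for appearing together.
# Assumptions: POSIX sh; GNU or BSD `stat`; the paths given on the command
# line are hypothetical and belong to the reader's own account.

# Modification time of a path as seconds since the epoch
# (GNU `stat -c %Y` first, BSD `stat -f %m` as the fallback).
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# near_in_time ROOT REF WINDOW_SECONDS
# Print "<epoch>\t<path>" for every entry under ROOT (ROOT itself excluded)
# whose mtime is within WINDOW_SECONDS of REF's mtime, oldest first.
near_in_time() {
    root=$1
    ref_ts=$(mtime_of "$2")
    window=$3
    find "$root" -mindepth 1 -print | while IFS= read -r p; do
        ts=$(mtime_of "$p")
        delta=$((ts - ref_ts))
        [ "$delta" -lt 0 ] && delta=$((0 - delta))
        if [ "$delta" -le "$window" ]; then
            printf '%s\t%s\n' "$ts" "$p"
        fi
    done | sort -n
}

# shell_dotfiles ROOT
# Print the shell start-up files and the .ssh directory directly under ROOT,
# the kind of entries a first interactive SSH login leaves behind, sorted.
shell_dotfiles() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -name '.bash*' -o -name '.profile' -o -name '.ssh' \) -print | sort
}

# Usage (hypothetical paths): everything in the account modified within one
# hour of the unknown folder, followed by the shell dotfiles present.
#   sh timeline.sh /home/account/public_html /home/account/public_html/faczw
if [ -n "$1" ] && [ -n "$2" ]; then
    near_in_time "$1" "$2" "${3:-3600}"
    shell_dotfiles "$1"
fi
```

Read the output against what the host says about their own access: entries clustered around the unknown folder's timestamp that nobody legitimate accounts for are the ones to report. If a `.ssh` directory is listed, look inside it for an `authorized_keys` file you did not create, since a planted key survives a password change.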