  1. #1
    SitePoint Enthusiast

    Website keeps being hacked - don't know what to do

    A website that I own keeps being hacked and a backdoor.R57Shell Trojan horse file is being added each time. It has happened 3 times in the past 10 days and I don't know what to do.

    Do you think an attack like this is done through some security loophole in the site itself, or is the hacker using FTP or something to place files on the server?

    Any advice greatly appreciated.

  2. #2
    ArunB (SitePoint Addict)
    Are you hosting your website using a Web hosting service provider or hosting it in your own system?

    Probably the virus is in your system, and your FTP software may be infected with it, and when you are uploading files (or after a particular interval) it is uploading the virus. This could be one of the possibilities. First scan your system for viruses.

  3. #3
    Crazybanana (SitePoint Wizard)
    What services do you run, and do you use some kind of CMS? If so, it can be a security hole that's being exploited.

    This trojan of yours is a Russian reverse shell script which has some interesting features like:

    1. file browser
    2. file search
    3. local and remote fileserver support
    4. file compression and unpacking
    5. mail sending
    6. database access
    7. execution of C and php code, SQL Queries and script code
    8. botnet features

    With the FTP it can send and receive files. It can download files and send text and files by mail, dump DB tables and run SQL queries, edit files, create, edit and delete files and directories, search for text in files; you can CHMOD, CHGRP and CHOWN from the interface... It will attempt to access and read /etc/passwd and it has an FTP bruteforce menu.

    It is quite advanced, but easy to operate.

    You will have to look for and scan your server for suspicious files and folders, as it can be reproduced to other directories. Also scan your local PC, just to be sure. Look for any suspicious file, not only .php but also .txt, .jpg etc., and files containing two extensions like e.g. "evil.jpg.php". Also look for hidden files and folders.

    When you have gone through your folders and files on your server and local computer, then change all your passwords and you should be OK. Make sure you look through all folders before changing usernames and passwords.

    And if you have any services, CMS etc. running, then see if there are some updates to it.

    Good luck
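The sweep Crazybanana describes (double extensions such as "evil.jpg.php", hidden files and folders, PHP code hiding inside .jpg or .txt files) can be scripted rather than done by eye. This is an added example, not code from the thread; the extension lists and the constructed web root in `demo()` are assumptions, and the `.htaccess`/`.htpasswd` exemption is the only hidden-file allow-list applied.

```python
import os, re, tempfile
from pathlib import Path

# File types that have no business containing PHP: a "<?php" tag inside a .jpg is the disguised-shell trick.
CONTENT_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".css", ".js"}
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5"}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
LEGITIMATE_HIDDEN = {".htaccess", ".htpasswd"}  # assumption: the only expected dot-files in a web root

def classify(path: Path) -> list:
    """Return the reasons a file or directory looks suspicious (empty list if none)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if path.name.startswith(".") and path.name not in LEGITIMATE_HIDDEN:
        reasons.append("hidden")
    # "evil.jpg.php": an executable extension stacked behind a harmless-looking one
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double-extension")
    if path.is_file() and suffixes and suffixes[-1] in CONTENT_EXTENSIONS:
        with path.open("rb") as fh:
            if PHP_TAG.search(fh.read(1 << 20)):
                reasons.append("php-code-in-non-php-file")
    return reasons

def scan(root) -> dict:
    """Walk the web root and map each suspicious relative path to its reasons."""
    root = Path(root)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

def demo() -> dict:
    """Build a constructed web root in a temp dir (sample data, not a real site) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / ".cache").mkdir()                                    # hidden directory
        (root / "index.php").write_bytes(b"<?php echo 'hi'; ?>")    # legitimate PHP file
        (root / ".htaccess").write_bytes(b"Options -Indexes\n")     # legitimate dot-file
        (root / "uploads" / "evil.jpg.php").write_bytes(b"<?php /* placeholder */ ?>")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")  # JPEG header, PHP body
        (root / "uploads" / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        return scan(root)
```

Run `scan("/path/to/webroot")` against the real site; anything flagged still needs a human look, since a legitimate build tool may create dot-directories.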

  4. #4
    SitePoint Enthusiast
    Thanks for the replies.

    The site is run on a hosting company's servers - we changed hosting companies about 1 month ago as we kept being hacked on the old host too, but they weren't helpful at all in telling us the problem.

    The site is a free CMS script so there are possibilities that there are issues with that.

    I'm going to do what you advised with scanning the local computers etc. and take it from there.

  5. #5
    Crazybanana (SitePoint Wizard)
    I would guess there is an issue with your CMS that has been exploited.

    Just remember to clean all your files and folders on the server and look for, and delete if you find any, hidden files and directories before you change your usernames and passwords.

    Check your local files as well, so you don't upload new infected files and folders.

    And update your CMS and any plugins to it with new fresh ones.

  6. #6
    Community Advisor
    Check your FTP/HTTP logs against the timestamps of any uploaded malicious or altered files to ascertain whether FTP or your CMS is the base point of entry.
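The log-versus-mtime check suggested above, worked as an added example (not code from the thread). The access-log lines, client addresses (RFC 5737 documentation ranges), the dropped file's path and its mtime are all constructed; the rule applied is that a POST/PUT to a CMS script seconds before the file's mtime points at the CMS, while no HTTP request near the mtime at all means the file arrived some other way and the FTP logs are the next place to look.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line: client, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not from the poster's server); 203.0.113.0/24 and 198.51.100.0/24 are test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:02:14:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2009:02:14:09 +0000] "POST /admin/upload.php HTTP/1.1" 200 311
203.0.113.5 - - [10/Oct/2009:02:14:12 +0000] "GET /uploads/pic.jpg.php HTTP/1.1" 200 8870
198.51.100.7 - - [10/Oct/2009:03:40:55 +0000] "GET /about.php HTTP/1.1" 200 2048
"""
# Modification time of the dropped shell as `stat` would report it on the server (constructed value).
DROPPED_PATH = "/uploads/pic.jpg.php"
DROPPED_MTIME = datetime(2009, 10, 10, 2, 14, 10, tzinfo=timezone.utc)

def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def requests_near(log_text: str, mtime: datetime, window=timedelta(minutes=5)) -> list:
    """Return parsed requests whose timestamp falls within `window` of the file's mtime, oldest first."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and abs(entry["ts"] - mtime) <= window:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["ts"])

def likely_entry_point(hits: list, mtime: datetime):
    """Path of the last state-changing (POST/PUT) request at or before the mtime, or None.

    A result names the CMS script to audit; None means no web request explains
    the file, so check the FTP logs (or a stolen FTP account) instead."""
    before = [e for e in hits if e["method"] in ("POST", "PUT") and e["ts"] <= mtime]
    return before[-1]["path"] if before else None
```

Also look at the first GET for the dropped path itself (here the same client at 02:14:12): that is the attacker returning to use the shell, and the address is worth keeping for the FTP-log comparison.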

  7. #7
    stonedeft (SitePoint Evangelist)
    I've been attacked twice with that script; it was disguised as a .jpg file and I missed it. I downloaded it and tried to review the script; too bad I can't run it on my localhost, Kaspersky says it's a trojan.

    Anyway it got uploaded via an upload script on my CMS program.

    As a security measure I check for MIME types before moving uploaded files from temp to destination. Also I rename uploaded files so the hacker can't use it even if he successfully uploaded it on the server, and as an added security I assign md5-ed IDs on my upload form which will check if the upload is in fact coming from my form.

    I no longer use PHP sessions for my CMS log-in; I use .htaccess to protect the whole directory. Though I'm pretty sure a good hacker can fish usernames and passwords.

    The best bet right now is to spend a couple more dollars for SSL certificates.

    Well, good luck, and one last thing: don't copy-paste scripts into your site if you don't know what the script does.
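The three upload checks stonedeft lists (type check before the file leaves temp, renaming on the server, a form-bound ID) as an added example, not the poster's code. It checks the file's leading bytes against the extension it claims instead of trusting the client-sent MIME type, rejects double extensions outright, and binds the form to the session with an HMAC token in place of the md5-ed IDs described; the allowed types, `SERVER_SECRET` and session IDs are assumptions.

```python
import hashlib, hmac, os, secrets

# Leading bytes an upload must start with for the extension it claims (assumed allow-list: images only).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}
# Constructed secret; in a real deployment load it from server-side config, never from the form.
SERVER_SECRET = b"replace-me-with-32-random-bytes"

def issue_form_token(session_id: str) -> str:
    """Token embedded as a hidden field in the upload form, bound to the visitor's session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_form_token(session_id: str, token: str) -> bool:
    """Constant-time check that the submitted token was issued for this session."""
    return hmac.compare_digest(issue_form_token(session_id), token)

def validate_upload(filename: str, data: bytes, session_id: str, token: str):
    """Return (True, safe_name) for an acceptable upload or (False, reason) otherwise."""
    if not verify_form_token(session_id, token):
        return False, "form token missing or invalid"
    parts = os.path.basename(filename).lower().split(".")
    # exactly one extension: this alone rejects "evil.jpg.php" and extension-less names
    if len(parts) != 2 or not parts[0]:
        return False, "file name must have exactly one extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    # the declared type must match the real content, not just the name or the client's MIME header
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared type"
    # a valid image header followed by a PHP open tag is a polyglot, not a picture
    if b"<?php" in data.lower() or b"<?=" in data:
        return False, "embedded PHP code"
    # random stored name: the attacker can neither predict it nor request the name they chose;
    # store it in a directory where PHP execution is disabled
    return True, f"{secrets.token_hex(16)}.{ext}"
```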

  8. #8
    reboltutorial (SitePoint Addict)
    Try to use SSH instead of FTP?

  9. #9
    SitePoint Member
    Use a web vulnerability scanner if you're worried about other issues, like Wikto or Paros.
