#1
    Is this evidence of a hack? HELP!


    I am running apache 2.2.4 on a computer in my home and hosting sites for a variety of people. Tonight I did a search for one domain, just to see what kind of search engine results it was getting, and I found something very odd. I have a secure virtual on my server and some shopping carts. Searching for a couple of domains that I own but which have no connection to the secure virtual server, I found Google had links to those sites and the virtual server - and they resolved but with the warning that the server certificate did not match the name on the site. In other words, I own a domain called guymerritt.net - just my name. Google says there is a page at https://www.guymerritt.net/netkwikos2/catalog connected to that site. There shouldn't be - the "netkwikos2" directory is the name of a virtual, secure directory on a site called lowestcostmattressdirect.com. I can't find any weird files in my server, no php files with weird code injected....

    I'm not sure if I explained this very well, but does this sound like some kind of hack? I've turned everything off and my butt is in a crack as I've got businesses running from this.


    UPDATE: I DID find one oddball file in my apache conf folder. It was just called "lo", with no file extension. If this had been there before, I'd never seen it. This is about 50% of it; every line ended with a .pem file:



    PHP Code:
    /usr/share/doc/m2crypto-0.16/tests/dhparams.pem
    /usr/share/doc/m2crypto-0.16/tests/dsa.param.pem
    /usr/share/doc/m2crypto-0.16/tests/dsa.priv.pem
    /usr/share/doc/m2crypto-0.16/tests/dsa.pub.pem
    /usr/share/doc/m2crypto-0.16/tests/ec.priv.pem
    /usr/share/doc/m2crypto-0.16/tests/ec.pub.pem
    /usr/share/doc/m2crypto-0.16/tests/recipient.pem
    /usr/share/doc/m2crypto-0.16/tests/recipient_key.pem
    /usr/share/doc/m2crypto-0.16/tests/rsa.priv.pem
    /usr/share/doc/m2crypto-0.16/tests/rsa.priv2.pem
    /usr/share/doc/m2crypto-0.16/tests/rsa.pub.pem
    /usr/share/doc/m2crypto-0.16/tests/server.pem
    /usr/share/doc/m2crypto-0.16/tests/signer.pem
    /usr/share/doc/m2crypto-0.16/tests/signer_key.pem
    /usr/share/doc/m2crypto-0.16/tests/x509.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/client-cert.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/client-key.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/my-ca.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/server-cert.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/server-key.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/server-rsa384-dh.pem
    /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/test-ca.pem
    /usr/share/doc/perl-Net-SSLeay-1.30/examples/server_key.pem
    /usr/share/purple/ca-certs/AOL_Member_CA.pem
    /usr/share/purple/ca-certs/America_Online_Root_Certification_Authority_1.pem
    /usr/share/purple/ca-certs/CAcert_Class3.pem
    /usr/share/purple/ca-certs/CAcert_Root.pem
    /usr/share/purple/ca-certs/Entrust.net_Secure_Server_CA.pem
    /usr/share/purple/ca-certs/Equifax_Secure_CA.pem
    /usr/share/purple/ca-certs/Equifax_Secure_Global_eBusiness_CA-1.pem
    /usr/share/purple/ca-certs/GTE_CyberTrust_Global_Root.pem
    /usr/share/purple/ca-certs/Microsoft_Internet_Authority.pem
    /usr/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem
    /usr/share/purple/ca-certs/StartCom_Certification_Authority.pem
    /usr/share/purple/ca-certs/StartCom_Free_SSL_CA.pem
    /usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
    /usr/share/purple/ca-certs/VeriSign_Class3_Extended_Validation_CA.pem
    /usr/share/purple/ca-certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
    /usr/share/purple/ca-certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5_2.pem
    /usr/share/purple/ca-certs/VeriSign_International_Server_Class_3_CA.pem
    /usr/share/purple/ca-certs/Verisign_Class3_Primary_CA.pem
    /usr/share/purple/ca-certs/Verisign_RSA_Secure_Server_CA.pem

    Any thoughts/ideas would be appreciated.
    Last edited by 88guy; March 26th, 2012 at 12:00 AM.
  2. #2
    Seeing a different domain name than you expect probably is a result of running multiple domains from the same IP address. Is guymerritt.net the default virtual host by any chance?

    P.S. What is the upload speed of your Internet connection? If it's anything below 1.5 Mbits, you might want to think about the potential loss of revenue for your clients from slow loading e-commerce sites.
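To illustrate the default-vhost point made in post #2, here is an added example (not from the thread) that mimics Apache's name-based virtual host selection on a constructed config in which the mattress shop is the first vhost on *:443: a request for https://www.guymerritt.net/... matches no other *:443 vhost, so it falls through to that default, whose certificate then fails to match the hostname, which is exactly the warning described in post #1. Assumed: the sample config and /srv/* paths are invented, and port 443 is name-based (NameVirtualHost *:443, as Apache 2.2 requires).

```python
import re
from fnmatch import fnmatchcase

# Constructed httpd.conf fragment (an assumption, not the poster's real config).
# The mattress shop is the FIRST vhost on *:443, so it is the default for that port.
SAMPLE_CONF = """
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.lowestcostmattressdirect.com
    ServerAlias lowestcostmattressdirect.com
    DocumentRoot /srv/mattress
</VirtualHost>
<VirtualHost *:80>
    ServerName www.guymerritt.net
    ServerAlias guymerritt.net *.guymerritt.net
    DocumentRoot /srv/guy
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return vhosts in file order as {'port', 'names', 'docroot'} dicts."""
    vhosts = []
    for addr_spec, body in VHOST_RE.findall(conf):
        _addr, _, port = addr_spec.strip().rpartition(":")
        names, docroot = [], None
        for parts in (line.split() for line in body.splitlines()):
            if not parts:
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names.extend(p.lower() for p in parts[1:])  # aliases may use * and ?
            elif key == "documentroot":
                docroot = parts[1]
        vhosts.append({"port": int(port), "names": names, "docroot": docroot})
    return vhosts

def select_vhost(conf, port, host):
    """First vhost on the port whose ServerName/ServerAlias matches the Host
    header wins; if none matches, the first vhost listed for that port is used.
    Returns (vhost, is_default)."""
    candidates = [v for v in parse_vhosts(conf) if v["port"] == port]
    host = host.lower().split(":")[0]  # strip any :port suffix from the Host header
    for v in candidates:
        if any(fnmatchcase(host, pattern) for pattern in v["names"]):
            return v, False
    return (candidates[0], True) if candidates else (None, False)
```

On the real server, `apachectl -S` prints the parsed vhost table and names the default vhost for each port, which is the quickest way to confirm which site answers for an unmatched HTTPS hostname.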
