Security and Cryptography
#1
May 4th, 2008, 07:11 AM
IgotHacked
I got hacked! what next?

Today I found a PHP file in my website root dir called 0.php.
I copied it to my computer and deleted it off my server.
These are all the details I could find on the file: NetworkFileManagerPHP (© #hack.ru) Version: 1.7.private ([final_english_release])

The web site is still running, I can't find any other files, and the databases all seem OK. So what is my next step? What should I check and do now?

Thanks,

#2
May 4th, 2008, 03:51 PM
B-Con
You'll want to figure out how the attacker got in. Check FTP logs, etc., for unaccounted-for successful logins. Check your server/server software for critical security updates.
#3
May 4th, 2008, 04:01 PM
fishtoprecords
Actually, I would just reformat the hard disk, reinstall the OS, and restore the html/php from your last good backup. Then make sure you have all the latest security patches.

Once a bad guy gets in, you can't trust that he didn't change your kernel to allow later attacks.

There are different tools for different OSes/distros that do things like run md5sum on every file in the system and look for changes. But you have to set that up before you get attacked.
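
As an added example (not code from the thread or any of the posters), here is the "hash every file, compare later" workflow the post above describes, written as a small Python tool. It uses SHA-256 in place of md5sum; the procedure is identical. The web root it builds in demo() is constructed purely to exercise the comparison, and in real use the baseline file would live off the server, since an attacker who can rewrite your files can rewrite the baseline too.

```python
"""Added example, not code from the thread: a file-integrity baseline of
the kind described above.  Hash every regular file under a root while the
system is known-good, store the result where the server cannot write to
it, and diff a later run against it.  SHA-256 is used in place of
md5sum; the workflow is the same.  The demo() tree is constructed here
purely to exercise the comparison."""
import hashlib
import json
import os
import shutil
import tempfile


def hash_tree(root, chunk=1 << 16):
    """Return {relative path: sha256 hex} for every regular file under root.
    Symlinks are skipped: following them would let a planted link redirect
    the walk or mix another file's digest into the baseline."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for block in iter(lambda: f.read(chunk), b""):
                    h.update(block)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def save_baseline(digests, path):
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (modified, missing, new) as sorted lists of relative paths.
    'new' is the case a dropped webshell falls into, and the one a plain
    'md5sum -c' against the old list can never report."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return modified, missing, new


def demo():
    """Build a small constructed web root, baseline it, tamper with it the
    way the thread describes (a new 0.php, an edited page, a deleted
    file), and return compare()'s verdict."""
    root = tempfile.mkdtemp()
    try:
        site = os.path.join(root, "httpdocs")
        os.makedirs(os.path.join(site, "img"))
        for rel, body in {"index.php": "<?php echo 'hello'; ?>\n",
                          "style.css": "body { margin: 0 }\n",
                          "img/logo.png": "not really a png\n"}.items():
            with open(os.path.join(site, rel), "w") as f:
                f.write(body)
        base_file = os.path.join(root, "baseline.json")   # in real use: off-box
        save_baseline(hash_tree(site), base_file)

        # Tamper: edit a page, drop a new file, delete one.
        with open(os.path.join(site, "index.php"), "a") as f:
            f.write("<!-- edited -->\n")
        with open(os.path.join(site, "0.php"), "w") as f:
            f.write("<?php /* dropped file */ ?>\n")
        os.remove(os.path.join(site, "style.css"))

        return compare(load_baseline(base_file), hash_tree(site))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    modified, missing, new = demo()
    print("modified:", modified)
    print("missing: ", missing)
    print("new:     ", new)
```

When checking a machine you suspect, run the comparison from a rescue boot or with binaries you brought along, not with the sha256sum or python on the box itself; the same argument the post makes about the kernel applies to every tool installed on it.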
#4
May 5th, 2008, 05:07 AM
IgotHacked
After looking at the log files I could, it seems the hacker uploaded the file via FTP, from looking at the FTP log. The password was 12 letters; did the hacker guess it or find it out some other way?
Code:
Wed Apr 30 22:48:05 2008 1 80.76.176.239 127439 /var/www/vhosts/mydomain.com/httpdocs/0.php b _ i r mydomain ftp 0 * c


I've changed all FTP users/passwords.
I could not find anything in the access_log, but in the error_log I found lots of errors from the uploaded script (below). So I know what didn't work, but I have no idea what did work. Also, the script was uploaded on the 30th of Apr and the server is still alive?.. That worries me more. How can I check if the server is being used as a spammer?
Are there any other log files I should be looking at? My Linux knowledge is limited.
Code:
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Warning:  Call-time pass-by-reference has been deprecated - argument passed by value;  If you would like to pass it by reference, modify the declaration of fsockopen().  If you would like to enable call-time pass-by-reference, you can set allow_call_time_pass_reference to true in your INI file.  However, future versions may not support this any longer.  in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 4138
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Warning:  Call-time pass-by-reference has been deprecated - argument passed by value;  If you would like to pass it by reference, modify the declaration of fsockopen().  If you would like to enable call-time pass-by-reference, you can set allow_call_time_pass_reference to true in your INI file.  However, future versions may not support this any longer.  in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 4138
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: action in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 34
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: action in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 34
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: pass in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1185
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Warning:  set_time_limit() [<a href='function.set-time-limit'>function.set-time-limit</a>]: Cannot set time limit in safe mode in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 5198
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  0 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1407
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  0 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1409
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  1 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1403
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1403
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  3 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1403
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  4 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1403
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined offset:  5 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1403
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: HTTP_X_FORWARDED_FOR in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1436
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Warning:  is_file() [<a href='function.is-file'>function.is-file</a>]: open_basedir restriction in effect. File(/var/www/vhosts/mydomain.com/httpdocs/..) is not within the allowed path(s): (/var/www/vhosts/mydomain.com/httpdocs:/tmp) in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1507
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Warning:  is_dir() [<a href='function.is-dir'>function.is-dir</a>]: open_basedir restriction in effect. File(/var/www/vhosts/mydomain.com/httpdocs/..) is not within the allowed path(s): (/var/www/vhosts/mydomain.com/httpdocs:/tmp) in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1525
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579
[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: style2 in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1579

[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Warning:  Call-time pass-by-reference has been deprecated - argument passed by value;  If you would like to pass it by reference, modify the declaration of fsockopen().  If you would like to enable call-time pass-by-reference, you can set allow_call_time_pass_reference to true in your INI file.  However, future versions may not support this any longer.  in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 4138, referer: http://mydomain.com/0.php
[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Warning:  Call-time pass-by-reference has been deprecated - argument passed by value;  If you would like to pass it by reference, modify the declaration of fsockopen().  If you would like to enable call-time pass-by-reference, you can set allow_call_time_pass_reference to true in your INI file.  However, future versions may not support this any longer.  in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 4138, referer: http://mydomain.com/0.php
[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: action in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 34, referer: http://mydomain.com/0.php
[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: action in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 34, referer: http://mydomain.com/0.php
[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: pass in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 1185, referer: http://mydomain.com/0.php
[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Warning:  set_time_limit() [<a href='function.set-time-limit'>function.set-time-limit</a>]: Cannot set time limit in safe mode in /var/www/vhosts/mydomain.com/httpdocs/0.php on line 5198, referer: http://mydomain.com/0.php
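
As an added example (not code from the thread or any of the posters), here is the log triage B-Con suggested in post #2 and that the poster carried out by hand above, done mechanically: parse the FTP transfer log (the line quoted above is in the standard xferlog format used by wu-ftpd and ProFTPD), flag completed inbound transfers that dropped an executable file under the web root, then match each flagged upload against Apache error_log entries from the same client IP to see when the file was first executed. The sample lines are constructed for this example; the middle xferlog line and the first two error_log lines reproduce entries quoted in the thread, and the rest are benign filler using documentation IP ranges. mydomain.com and the httpdocs path are the thread's own placeholders.

```python
"""Added example, not code from the thread: triage the two logs the
poster quoted.  Parse the FTP transfer log (xferlog format), flag
completed inbound transfers that dropped an executable file under the
web root, then correlate each flagged upload with Apache error_log
entries from the same client IP to establish when the file was first
executed.  Sample lines below are constructed for this example, modelled
on the ones in the thread (mydomain.com is the thread's placeholder)."""
import re
from datetime import datetime

WEBROOT = "/var/www/vhosts/mydomain.com/httpdocs"

# Extensions the web server will execute: an upload of one of these into
# the document root is the classic webshell drop.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".cgi", ".pl"}


def parse_xferlog_line(line):
    """xferlog field order (wu-ftpd / ProFTPD): five date tokens, then
    transfer-time, remote-host, file-size, filename, transfer-type,
    special-action-flag, direction (i = incoming upload, o = outgoing
    download), access-mode, username, service-name, authentication-method,
    authenticated-user-id, completion-status (c = complete).  Spaces in
    filenames are written as underscores, so whitespace splitting is safe."""
    tok = line.split()
    if len(tok) != 18:
        return None
    return {
        "time": datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y"),
        "remote_host": tok[6],
        "size": int(tok[7]),
        "filename": tok[8],
        "direction": tok[11],
        "username": tok[13],
        "completed": tok[17] == "c",
    }


def suspicious_uploads(xferlog_lines, webroot=WEBROOT):
    """Completed inbound transfers of an executable file under webroot."""
    hits = []
    for line in xferlog_lines:
        rec = parse_xferlog_line(line)
        if rec is None or rec["direction"] != "i" or not rec["completed"]:
            continue
        name = rec["filename"]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if name.startswith(webroot + "/") and ext in EXECUTABLE_EXTS:
            hits.append(rec)
    return hits


# Apache 1.3/2.0 error_log prefix: "[date] [level] [client IP] message"
ERROR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")


def parse_error_log_line(line):
    m = ERROR_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "client": m.group("ip"), "msg": m.group("msg")}


def correlate(uploads, error_log_lines):
    """For each flagged upload, find error_log entries from the same IP
    that name the uploaded file.  The earliest one is the first evidence
    the shell was executed; the delay from upload to first hit is a
    useful tell (a human at a keyboard versus an automated dropper)."""
    errors = [e for e in map(parse_error_log_line, error_log_lines) if e]
    out = []
    for up in uploads:
        related = sorted(
            (e for e in errors
             if e["client"] == up["remote_host"] and up["filename"] in e["msg"]),
            key=lambda e: e["time"])
        first = related[0]["time"] if related else None
        out.append({
            "upload": up,
            "hits": len(related),
            "first_exec": first,
            "delay_s": (first - up["time"]).total_seconds() if first else None,
        })
    return out


# Constructed sample logs: the middle xferlog line and the first two
# error_log lines reproduce the thread's entries, the rest are benign.
XFERLOG = [
    "Tue Apr 29 10:02:11 2008 2 192.0.2.10 5120 " + WEBROOT + "/index.php b _ o r mydomain ftp 0 * c",
    "Wed Apr 30 22:48:05 2008 1 80.76.176.239 127439 " + WEBROOT + "/0.php b _ i r mydomain ftp 0 * c",
    "Thu May  1 09:15:40 2008 1 192.0.2.10 20480 " + WEBROOT + "/img/logo.png b _ i r mydomain ftp 0 * c",
]
ERROR_LOG = [
    "[Wed Apr 30 22:48:27 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: action in " + WEBROOT + "/0.php on line 34",
    "[Wed Apr 30 22:48:31 2008] [error] [client 80.76.176.239] PHP Notice:  Undefined variable: pass in " + WEBROOT + "/0.php on line 1185, referer: http://mydomain.com/0.php",
    "[Thu May  1 09:20:00 2008] [error] [client 192.0.2.10] File does not exist: " + WEBROOT + "/favicon.ico",
]

if __name__ == "__main__":
    for r in correlate(suspicious_uploads(XFERLOG), ERROR_LOG):
        up = r["upload"]
        print(f"{up['time']}  {up['remote_host']} uploaded {up['filename']} "
              f"({up['size']} bytes) as user {up['username']}")
        print(f"  error_log hits from same IP: {r['hits']}, first at "
              f"{r['first_exec']} ({r['delay_s']} s after upload)")
```

Run against the real files, feed the script the full xferlog and error_log rather than the excerpts; the same IP filter also answers the question about the access_log, since a request to 0.php that produced an error_log entry must have an access_log entry from the same client at the same second unless logging was misconfigured or the log was edited.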
#5
May 8th, 2008, 06:13 PM
AstroTux
Hi,

You could type netstat at a command prompt to see what connections exist, but it could have been modified not to show connections to remote servers used by the hackers.

You can't take the risk that you haven't been r00ted, either. It could have simply been a test file. The damage could already be severe.

If they figured your FTP password(s), could they have figured your root password?

As of now, you can't trust that install. Period.

Have you run through the script to see if anything pops out, like an attempt to copy more files to your server? You might be able to figure out a bit more about what they were trying to do from that file, and figure out if you're likely to be hit again.

Best regards,
AstroTux.

Last edited by AstroTux : May 8th, 2008 at 06:17 PM.
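
As an added example (not code from the thread or any of the posters), here is one way to act on the warning above that netstat itself may have been modified: decode the kernel's own socket table from /proc/net/tcp and list any established connection that netstat failed to report. A trojaned netstat binary has to read that same table, so a discrepancy is a strong signal. The caveat in the post still stands, though: a kernel-level rootkit can filter /proc as well, which is why the box has to be rebuilt regardless. The /proc/net/tcp contents and the netstat result below are constructed for this example using documentation IP ranges; on a real machine you would read open("/proc/net/tcp").read() and scrape netstat -ant yourself.

```python
"""Added example, not code from the thread: cross-check what netstat shows
against the kernel's own socket table in /proc/net/tcp.  A trojaned
netstat binary filters its output, but it has to read this same table,
so a connection that appears here and not in netstat is a red flag.
A kernel-level rootkit can filter /proc too, which is why the box still
has to be rebuilt.  The table contents and the netstat result below are
constructed for this example, using documentation IP ranges."""
import socket
import struct

# /proc/net/tcp state codes (include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hexaddr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).  The IPv4 address is the
    kernel's in-memory 32-bit word (little-endian on x86) printed in hex,
    so it has to be byte-swapped before the usual dotted-quad conversion."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:        # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        conns.append({"local": (lip, lport), "remote": (rip, rport),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def hidden_connections(kernel_conns, netstat_conns):
    """Established connections the kernel reports that netstat did not.
    netstat_conns is a set of (local_ip, local_port, remote_ip, remote_port)
    tuples scraped from netstat's own output."""
    return [c for c in kernel_conns
            if c["state"] == "ESTABLISHED"
            and (c["local"] + c["remote"]) not in netstat_conns]


# Constructed /proc/net/tcp: MySQL listening on loopback, an inbound HTTP
# connection from 192.0.2.10, and an outbound connection from the web
# server's uid (33) to 203.0.113.7:6667 of the kind a backdoor might open.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 146433C6:0050 0A0200C0:C822 01 00000000:00000000 00:00000000 00000000    33        0 9002 1 0000000000000000 20 4 30 10 -1
   2: 146433C6:B040 077100CB:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 9003 1 0000000000000000 20 4 30 10 -1
"""

# Constructed: what a tampered netstat reported.  The 6667 connection is missing.
NETSTAT_SAW = {
    ("198.51.100.20", 80, "192.0.2.10", 51234),
}

if __name__ == "__main__":
    conns = parse_proc_net_tcp(PROC_NET_TCP)
    for c in conns:
        print(f"{c['local'][0]}:{c['local'][1]:<5} -> {c['remote'][0]}:{c['remote'][1]:<5} "
              f"{c['state']:<12} uid={c['uid']} inode={c['inode']}")
    for c in hidden_connections(conns, NETSTAT_SAW):
        print("NOT shown by netstat:", c["local"], "->", c["remote"])
```

The inode column is the link to the owning process: searching /proc/*/fd for a symlink target of socket:[9003] names the PID holding the hidden connection, which in turn tells you which binary to look at.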
© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway