problem for master

New Member Joined: Jan 06, 2010 Posts: 7

hi all.sorry for bad english.i have a 7.6 3.1b patched 3.1b with sentinel 2.5.17, fortress, redirect of config, antispam, etc.it works fine with no security problem for 4 year, but tomorning ive found a direct access in the config folder that have changed one parameter of config.the site go offline for mysql message etc..... i've searched in the iptracking history module, in sentinel tracker, in storyhost module, but this ip never has present in all the tabel..... the question is:how is possible that he know the direct folder where is collocated the config with a direct access?a person that don't know your configuration file or ftp folder, see around before to found the exat folder/file..... thanks for reply.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

To be sure I'm understanding correctly, you're saying your nuke config.php file was changed. Is that correct?

Posted: Mon Feb 22, 2010 11:33 am

Raven wrote:

To be sure I'm understanding correctly, you're saying your nuke config.php file was changed. Is that correct?

yes.was changend one parameter(1970 to 1979) in the config. a friendly attack.... see the ftp log file:

Mon Feb 22 02:48:28 2010 0 81.72.118.167 4475 /home/mysite/public_html/folder/config.php
Mon Feb 22 02:48:52 2010 0 81.72.118.167 4379 /home/mysite/public_html/folder/config.php

thanks

Posted: Mon Feb 22, 2010 11:48 am

A friendly attack? Have you also examined your server error log to see how he got in? Or are those the only log entries for that IP?

Posted: Mon Feb 22, 2010 11:57 am

Raven wrote:

A friendly attack? Have you also examined your server error log to see how he got in? Or are those the only log entries for that IP?

hi raven.friendly because i think that he could make many damages if he want...... the problem is that the log file has tracked only this two trace:

Mon Feb 22 02:48:28 2010 0 81.72.118.167 4475 /home/mysite/public_html/folder/config.php
Mon Feb 22 02:48:52 2010 0 81.72.118.167 4379 /home/mysite/public_html/folder/config.php

how is possible to see without ftp password the exact folder where the config is located??

Posted: Mon Feb 22, 2010 12:34 pm

Do you have anonymous ftp ? If so check the settings for this maybe they have changed. I have been hacked through this and with the uploaded shell script its possible to read everything.

Posted: Mon Feb 22, 2010 4:58 pm

Susann wrote:

Do you have anonymous ftp ? If so check the settings for this maybe they have changed. I have been hacked through this and with the uploaded shell script its possible to read everything.

no susan.i haven't anonymous ftp.there are 3 user x 3 folder and one for all the space.the acces on the config folder is come from the user that have the access on all the ftp(only i have the username and pwd for access).you think that one of the 3 user has upload on ftp space some malicious file?now i have changed the password for all the ftp space and deleted the other 3, changed the name folder of config..... how can see if the shell script are working on my site??thanks for reply

Posted: Mon Feb 22, 2010 6:01 pm

You need to check your folders for new unknown files e.g. mshell.php.
However its good practice to change all passwords and have you site under control I mean check it daily also the logs if possible.
I don´t know if the problem was caused through one of your user because I believe there are different ways. My issue was a changed anonymous ftp access.

Worker Joined: Aug 26, 2007 Posts: 236

Earlier when I used SPChat hackers used it's smileyupload.php to upload new index.php and config.php to my site, so the front page was changed.

Posted: Tue Feb 23, 2010 8:32 am

thanks for support.in this hours i make a control on the folders for see last modified file.i have changed all password after deleted the other ftp accounts.... update from me in this days.... thanks

Posted: Wed Feb 24, 2010 4:53 am

hi.in this hour i've monitored the ftp logs and there aren't strange access.i think that the shell attack from one of the user that have the ftp access is the right reason, but there aren't file in the folder with strange name.is possible that the code is inside some common phpnuke file?thanks for reply

registered · Posted: Wed Feb 24, 2010 11:01 am

Could it be another site on a shared server being attacked by the shell script causing the problem?

Posted: Wed Feb 24, 2010 11:03 am

I´ve found this very helpful:

http://www.malwaredomainlist.com/forums/index.php?topic=3502.0

However, its good you didn´t find this file on your server. Check the logs in the next time too. Maybe you can find some other interesting things and make sure everything is up-to-date. Also with a Nuke site you should always be prepared to restore your site.

Posted: Fri Feb 26, 2010 3:03 pm

hi there's a problem.i've downloaded all the file in the folder of one of the ftp account.i've used depeche view for search in the file some words usually present in the shell attack.... results=0...... the problem is that the ip that have changed my config haven't make other action(deleted file etc....).....