izone
Involved
Joined: Sep 07, 2004
Posts: 354
Location: Sweden
Posted: Fri Jul 07, 2006 8:06 am
Hello.
My friend's site got hacked today by a group unknown (to me).
They have left a script on the server and have changed permissions for many directories and files on the server.
I have this script now and I just wanted some help to know if they came in by hacking Nuke or the server.
For security reasons I will just send this file to Raven or some of the Admins here. It is a .php file on the server and I copied and pasted it into a new document in DreamWeaver, but when I save this file on my computer, the AntiVirus removes it and shows me info that this file is a trojan by the name phpbackdoor!
I can send you a text version of it by email if you give me your email please.
Best Regards
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
Posted: Fri Jul 07, 2006 8:43 am
izone
Posted: Fri Jul 07, 2006 9:08 am
Susann wrote:
> http://www.ravenphpscripts.com/postx10264-0-0.html
> Many hacker groups work this way, I believe it isn't new. Did you already delete all files?

Susann, thank you. No, there is no way to delete it.
They have deleted the .trash dir. and somehow the account is over quota, so I have no chance to make another one.
Disk usage 214.17 Megabytes
SQL Disk usage 13.70 Megabytes
Disk space available -14.17 Megabytes
Bandwidth usage (current month) 85.05 Megabytes
When I look under Disk usage in Cpanel there is no large file or directory and everything seems to be right. The biggest directory he has is about 16.40 MB and the total is about 100 MB, so I can't delete or make another file or dir.
Susann
Posted: Fri Jul 07, 2006 9:32 am
Wait for what Raven or his moderators suggest.
izone
Posted: Fri Jul 07, 2006 10:55 am
I am waiting for them so I can send the script to one of them.
I solved the problem by changing the name of one directory to .trash; then I could delete the unwanted files and upload my backup files. Now the site is back. Thank you for your help.
izone
Posted: Fri Jul 07, 2006 10:56 am
By the way, is the name "RootShell Security Group" known to you or anyone? The script is written by them.
Susann
Posted: Fri Jul 07, 2006 11:21 am
I've never heard about this group.
But there are many entries at secunia.com.
From Wikipedia:
Quote:
> "Root@Shell~# Security Group, RS is an acronym for Root@Shell~# Security Group. A Grey Hat Hacking group, popular in discovering exploits in software and websites. Founded by Preddy and SilentNuke. Listed as one of the top 10 Security groups in the world."
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Fri Jul 07, 2006 11:45 am
Funny... Listed by whom as one of the top 10 security groups in the world?
_________________
I search, therefore I exist...
Susann
Posted: Fri Jul 07, 2006 11:53 am
Kguske, there are possibly two different groups with a similar name.
kguske
Posted: Fri Jul 07, 2006 12:20 pm
OK. I was just commenting on the top 10 claim. Who maintains this list? On what criteria is it based? It seems Wikipedia needs to do better with editing...
izone
Posted: Fri Jul 07, 2006 2:25 pm
kguske, do you want me to send the script to you? If yes, please PM me your email. Thanks.
kguske
Posted: Fri Jul 07, 2006 2:29 pm
No need to send the script, thanks.
My guess is that they used a common exploit to load it on the server. Check in the website logs for attempts to access /modules/Forums/admin. Tell your friend to upgrade to the latest version of NukeSentinel and put HTTP admin auth on both admin.php and on the /modules/Forums/admin directory. Also, check for scripts that allow uploads (e.g. a gallery). These can allow bad files to be uploaded.
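One way to do the log check kguske describes, as an added example that is not part of the thread: it parses Apache combined-format access log lines and flags requests to /modules/Forums/admin and POSTs to upload scripts, then tallies them per client address. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not a real log).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2006:03:12:01 +0000] "GET /modules.php?name=News HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Jul/2006:03:12:44 +0000] "GET /modules/Forums/admin/index.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.9 - - [07/Jul/2006:03:15:10 +0000] "POST /modules/Gallery/upload.php HTTP/1.1" 200 233 "-" "Mozilla/4.0"
192.0.2.77 - - [07/Jul/2006:03:20:02 +0000] "GET /admin.php HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths the thread says to watch: the phpBB admin dir inside PHP-Nuke,
# plus anything that looks like an upload handler (e.g. a gallery module).
WATCH_PREFIXES = ("/modules/Forums/admin",)
UPLOAD_HINT = "upload"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_hits(log_text):
    """Return (ip, method, path, status, reason) for every line worth a look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        reason = None
        if path.startswith(WATCH_PREFIXES):
            reason = "forum-admin"
        elif rec["method"] == "POST" and UPLOAD_HINT in path.lower():
            reason = "upload-post"
        if reason:
            # The status matters: a 200 on the admin dir means the request got through.
            hits.append((rec["ip"], rec["method"], path, rec["status"], reason))
    return hits


def hits_by_ip(log_text):
    """Count flagged requests per client address, to spot the source quickly."""
    return dict(Counter(ip for ip, *_ in suspicious_hits(log_text)))
```

Run it against the real access_log (`cat access_log` piped into `suspicious_hits`) and compare the timestamps of any 200 responses on the admin directory with the time the backdoor file appeared.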
izone
Posted: Fri Jul 07, 2006 3:03 pm
kguske, thank you for your advice. But a question here: I know how to put HTTP admin auth on admin.php, but not how to do this in Sentinel for the /modules/Forums/admin directory. Or do you mean doing the second one in Cpanel?
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Fri Jul 07, 2006 3:20 pm
Hi,
kguske means:
In your forum/admin/ folder put a .htaccess with this in it (easy sample):

# Never serve the password file itself over the web
<Files .staccess>
deny from all
</Files>
# Ask for Basic auth on every request to this directory. No <Limit GET POST PUT>
# wrapper: that would leave other HTTP methods (HEAD, OPTIONS, ...) unprotected.
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /your-whatever-site-root/modules/Forums/admin/.staccess
require valid-user

Then create a .staccess file and put your name with the password encrypted in it, and also put that in the forum admin folder.
kguske
Posted: Fri Jul 07, 2006 3:28 pm
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Fri Jul 07, 2006 10:33 pm
This option from hitwalker/Raven is probably best, but I have also seen success with using cPanel's protection of the directory. It might be HTTPAuth. You could try it and see if you can access that directory directly.
izone
Posted: Sat Jul 08, 2006 9:17 am
Thank you all.
Hello montego, long time no see! (actually we haven't met yet)
We are all waiting for your new version of HTML Newsletter. Good luck.
montego
Posted: Sun Jul 09, 2006 7:38 am
Quote:
> We are all waiting for your new ver. of HTML Newsletter

Me too! I've been a bit busy since the last release. But I've been thinking about it a ton... just need to figure out how to set aside the time. Regards!