|how to find where hack started|
First of all my apologies if posted in wrong section, I didn't see a security/recovery section.
Premise: I am not a coder, or network guy, nevertheless I "manage" about 15 sites (friends, non-profit, and a couple of mine)
For convenience instead of single accounts, I got a reseller account from a host (which is not very helpful in this case).
As per the subject the sites have been hacked.
From googling and reading I gathered I have to see access logs to understand where they got in from.
As you can guess I am not able to do this, I mean I think I get what each field is about, but how to use it is all another story.
I read thru this site, but the more I read the more I get confused ...
Apparently the hack affected only the home index page, the first round only the php ones, and after 3 days***, also one that had an html one.
I downloaded the sites, and compared with original files on local, and they are fine (save the home index ones).
So I reloaded the original index files on three of them, and deleted, and replaced with a place holder index.html on the others, I monitored the three sites, for a couple days, and they seemd fine, save that ***the immune html homepage showed the hack page.
At this point I deleted as many accounts, as I could, and left only 6 up, and renamed public_html, and created new ones for the remaining; recreated a couple, and am reloading the scripts, but I saw the favicon.ico appear again (not on the two newly recreated accounts though), host says they are created with the new public_html, but it doesn't happen within a few seconds from my view; I used on online file scanner, and says the file is clean.
On one of the sites (one of deleted/recreated accounts) there were a couple more files, and a couple of folders that obviously were not part of the site; one of the files is a php (120KB), which does seem to be one of the components, here is an excerpt (start, mid, end):
<?php /* Cod3d by Mr.Alsa3ek and Al-Swisre */$OOO000000=urldecode('%66%67%36%73%62% [... cut by me ...] E8wKTs='));return;?>~Dkr9NHe [... cut by me ...] 4YtI0hNt9Pfo1SNI0hkzS=alVnRPIq
Also on the main account there was a 1.3GB file with permissions set 000, I changed it, and deleted it.
Now by apologizing for the long post I ask for your advise, suggestions, and help.
This is a symlink shell hack from muslimshackers..search for "Cod3d by Mr.Alsa3ek and Al-Swisre" ( without the quotes will get you to the same information ) that will tell you more about it..
A little more research shows it is a rewrite / adaptation used by them of something from 2005..
Remove it, and anything associated with it ( same time stamps* etc, look in all domains )..it is designed to give the script owner access to all domains on the same account / or server..
Make sure that if you have "back ups" that it, and any associated files ( see * ) is / are not also present in them..
The first time that a "probe" was done in order to place this, will show up in your log files as a request for information about "domain/scripts"..suggest your host looks for that..and then they / you work from there..If they search for what i have suggested..they will find out how it was done, when, and what they and you can do to remove it and avoid it happening again..
Going into detail here, would give too many ideas as to how other might find it and how to use it..
[edited by: Leosghost at 2:57 pm (utc) on Sep 23, 2012]
Wow, that was quick ;)
Thank you. I'll be looking into it more, from a first quick search I just see the code posted, but not solutions, I know I have to search more ... but if you have a quicker link, I'd greatly appreciate.
Solutions..are best done by your host..for a link to the latest version of how it was adapted and implemented, and thus your host will be able to work out how to deal with it..please read your sticky mail..link to sticky mail is at the top of the page .."marked you have mail"..next to the WebmasterWorld logo and the "welcome your nick"..
Thank you, I hope they'll be willing to help, they haven't been much of assistance so far; makes me wonder if it was only my sites, or more involved in the attack.
Please say that the very first thing you did was change your ftp-or-equivalent password. I don't find it mentioned in your post.
The hack doesn't involve FTP..it is an injection based attack..
Changing passwords won't stop it happening again while the control files are still in place and the server is vulnerable..servers do have a terrible tendency to "spill the beans" to a carefully worded question or two..Hosts really should set them up better hardened..
But as a general rule changing passwords is a very good idea..after "clean up"...
I had changed al passwords; and right now I have deleted all accounts, but 3, and maybe I'll delete those too, and start over ... like I didn't have anything better to do ;)
I read the thread you sent me, and please help me understand this:
According to host I am responsible for the security of my site/s, and that's fair enough; but from reading that post my understanding is they might have accessed one of my sites, but got the scripts list from the server.
What am I missing?
I was out ..just saw your post..will get back to you later..more things to do..
But ..they could have got into any site/ account ( because of a hole in the server config ), a request for "/********/scripts" should not reply, other than "cannot read"..the fact that the probe worked ( the hacker got a reply telling them what "scripts" were running, which then allows them to identify which of those are vulnerable, is your hosts responsibility, not yours ) ..the actual injection is then done via MySQL..and securing your database from injection ( sanitising input is your responsibility )..But if your host had done their job, and not allowed anyone to be able to interrogate the server to find out what scripts run on domains, neither you nor anyone else would have a problem with this particular hack..
The interrogate server to find out what scripts domains are running is a security vulnerability which is at least 7 years old..
In other words your host has a security hole which you cannot fix ( only they can ) which has been known about since 2005..a correctly set up non vulnerable server should result in "the probe" receiving "can't read /etc/named.conf" which as the originator of the adapted hack method says ..means that particular server is not vulnerable ..but there are many other servers which are..the part of the hack which depends on the server replying..is the part which has been around for a long time..server config is not your responsibility..unless you are renting an unmanaged server and you did the "install"..
If they don't accept that the problem is of their making..IIWY ..I'd change hosts..
Thank you very much, I appreciate your help, and kindness.
Now I have something authorative to debate with them.