Welcome to WebmasterWorld Guest from 34.225.194.144
Forum Moderators: bakedjake
help - site was hacked :(
Full Member
joined:Feb 19, 2003
posts:227
votes: 0
Hi,
Today I found one of my sites hacked - someone managed to upload some file 'c99shell' to a directory - I have no idea how.
I managed to restored the hacked page - but I have many sites hosted on the server and I'm worried thay have planted more of these scripts.
I would be grateful if anyone can tell me how to do a search to find any files modified/created today - is there a command I can run (Im using Linux fedora)?
Would also be interested to find out how to prevent this from happening again.
Any help would be great.
Administrator
joined:July 24, 2001
posts:15756
votes: 0
from everything I am looking at it seems to be a shell written in php
you may have more serious problems but I am sure you know that
[isc.sans.org...]
I would guess an upload script somewhere of being the exploited culprit
I am sure someone can offer a grep that would work to find files created today
Junior Member
joined:Dec 20, 2002
posts:123
votes: 0
find / -mtime -1 should do the job. You could direct the results into a file with:
find / -mtime -l > files.txt
However, its unlikely that all of the changed files in an exploit will be found so easily. You face having find out how you were hacked (so it won't happen again), scrubbing your machine and re-installing. Hope you have clean backups of your data (if any).
Bob
Senior Member
joined:Apr 20, 2004
posts:1477
votes: 0
Ouch. Once the server has been hacked, every file on it becomes suspect. If they planted one file in your system, you can expect that there are many more and that your system files have been replaced with bad-guy files that contain stuff like hidden backdoors, keyloggers, detection scripts, etc.etc. Most likely your log files have been altered, as well.
The only sure way to recover from a hack as you describe is to wipe the machine and reinstall the OS, then reinstall your user files from a known-clean backup, from prior to the break-in.
Once you do the OS reinstall, be sure to (a) "harden" the system with a tool like Bastille or similar, (b) install a few IDS (Intrusion Detection System) programs to continually monitor your system for attack attempts and (c) instigate a full backup procedure that dumps the data to a secondary drive that is not normally accessible (i.e. mount it, do the backup, unmount it).
It's a pain, that's for sure.
Join The Conversation
- Register For Free! - Become a Pro Member!
- See forum categories - Enter the Forum
Moderators and Top Contributors
- Moderator List | Top Contributors:This Week, This Month, Nov, Oct, Archive, Top 100 All Time, Top Voted Members
Hot Threads This Week
- Google Updates and SERP Changes - December 2019
- December 2019 AdSense Earnings & Observations
- Google Updates and SERP Changes - November 2019
- UK Search Engine, Mojeek Invests in New Servers
- Sundar Pichai Appointed Alphabet CEO
- RIPE NCC Runs Out of IPv4 Addresses: Calls For Faster Progress on IPv6
- .Org Registry Acquired By Private Equity Company
- Google Spam & Hacked Machines
- Sir Tim Berners-Lee: "Contract for the Web" With Backing From Over 80 Organisations
- Changed Website platform HTML to WordPress then Website Ranking Drop
Featured Threads
- Google Updates and SERP Changes - December 2019
- UK Search Engine, Mojeek Invests in New Servers
- Sundar Pichai Appointed Alphabet CEO
- RIPE NCC Runs Out of IPv4 Addresses: Calls For Faster Progress on IPv6
- Sir Tim Berners-Lee: "Contract for the Web" With Backing From Over 80 Organisations
- Twitter Adds 2FA With No Need For A Phone Number
- .Org Registry Acquired By Private Equity Company
- Return of CPU Vulnerability: ZombieLoad Attack
- Google Updates and SERP Changes - November 2019
- Google Rolls Out Search Console Speed Report