Below is the security information for the script I had running on my site.
[securitytracker.com...]
I removed the entire isearch directory from my site (even though a newer version took care of the problem). The folder went to trash; however, the one exploitable script won't dump from .trash. Even though folder permissions are set for my user name, the file says I don't have permission to delete it.
I've informed my host of all my findings. I haven't gotten a response from them and I'm concerned over security and exposing client sites to these hackers. Their lack of response is telling me that either they're busy monitoring the server and checking things out OR they're hoping I go away, OR they don't know how to fix it.
The hackers already defaced one of my pages on my site. This particular page they defaced was NOT visible to the outside world - it was a test area for a blog. The only way anyone would know about this particular directory is if they had access to my control panel or were able to telnet a directory listing.
The more pieces of the puzzle I put together through monitoring and research, the more it appears that the hackers had/have access to the root - usernames, etc. Is there anything else I can do on my end to monitor things or feel comfortable that the server is "locked down"?
[edited by: jdMorgan at 12:53 am (utc) on Sep. 27, 2004]
[edit reason] Fixed spelling [/edit]
Make sure your site's "stats" and server logs are password protected, and that there are no off-site links from your "secret" pages. If your stats/logs are visible, or if your page has links to external sites, then it's likely that its URL *is* visible on the web in your log files (as a requested URL) or in other sites' log files (as a referrer).
Jim
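Jim's point about how a "secret" URL leaks can be checked against the raw access logs you can download from cpanel. The following is an added example, not code from this thread: it parses Apache combined-format log lines, lists every request for the unlinked directory together with the referer that led there, and flags stats URLs that were served with a 2xx status (i.e. not password protected). The directory names (/pmachine/, /awstats/, /stats/, /logs/) and the log lines are constructed assumptions for the demo.

```python
"""Scan an Apache combined access log for two things Jim describes: hits on a
directory that was never linked anywhere, and stats pages served without a
password. Added example for this thread, not code from the original posts;
the paths and the log lines are constructed for the demo."""
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
HIDDEN_PREFIX = "/pmachine/"                         # test install nobody was linked to
STATS_PREFIXES = ("/awstats/", "/stats/", "/logs/")  # should not answer 200 to strangers

# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2004:02:14:07 +0000] "GET /awstats/awstats.pl?config=example HTTP/1.1" 200 18422 "-" "Mozilla/4.0"
192.0.2.10 - - [25/Sep/2004:02:14:31 +0000] "GET /pmachine/index.php HTTP/1.1" 200 1177 "http://www.example.com/awstats/awstats.pl?config=example" "Mozilla/4.0"
198.51.100.7 - - [25/Sep/2004:09:30:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
203.0.113.5 - - [26/Sep/2004:14:02:50 +0000] "GET /pmachine/index.php HTTP/1.1" 200 1177 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text):
    """Return (hidden_hits, exposed_stats).
    hidden_hits: list of (ip, referer, user_agent) for requests under HIDDEN_PREFIX;
    the referer shows where the visitor learned the URL (here: the stats page).
    exposed_stats: Counter of stats URLs served with a 2xx, i.e. not password protected."""
    hidden_hits, exposed = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"].startswith(HIDDEN_PREFIX):
            hidden_hits.append((rec["ip"], rec["referer"], rec["ua"]))
        if rec["path"].startswith(STATS_PREFIXES) and rec["status"].startswith("2"):
            exposed[rec["path"]] += 1
    return hidden_hits, exposed

if __name__ == "__main__":
    hits, exposed = analyse(SAMPLE_LOG)
    for path, n in exposed.items():
        print(f"stats page served without auth ({n}x): {path}")
    for ip, ref, ua in hits:
        print(f"hidden dir requested by {ip} via referer {ref!r} ({ua})")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a hit whose referer points at your own stats page is exactly the leak Jim describes.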
The directory in question was a Pmachine installation that I started to play with. I installed it on my server, tested it for what I wanted to do, and decided I'd use it down the road when I got that far. It was isolated: no content, just a blank installation. The page that got defaced was the index page of the pmachine directory. I realize that sometimes if you view a page with the Google Toolbar installed, the page may get crawled. But with no links to it, I don't think it would have stayed in the index. I installed this last December.
I removed the offending directory, then recreated a file folder by the same name and uploaded a blank page with third-party tracking code in it (live stats). I know it's not much, but I can at least compare the third-party code with my raw logs and AWStats.
I've been clicking around in cpanel, looking for raw logs and stats. The only files that I see that are accessible are past months in zipped format. They're not treated as regular files and don't appear through the file manager. I can download current raw logs through the 'raw access logs' icon in cpanel. It only allows download - no upload or editing. So I think I'm safe there. Unless, of course, the hackers have access to the server root.
I've sent you a PM showing you the log file entries of how they were exploiting the script to change permissions on something - the other server? my server? Feel free to post it if you think it would help other people - the good guys - NOT the bad guys...
I noticed in my user root a file called .bash_history. Permissions are 600 and appear to be modifiable through cpanel. I found these entries that I don't remember making. Would you know if they're doing anything funny? I know I would NEVER have installed "Pine." I did see a pine file in my root and deleted it.
/bin/pico
cd/
dir
shell chsh
quit
exit
lynx
pine
tin
ls
ls -1
cd public_html
dir
ls
ls -1
cd /usr/bin/perl
cd usr/bin/perl
cd
ls
pwd
pwd
I wrote my hosting provider and requested a response to my findings - any kind of response - including an "I don't know" or "we're working on it" answer would be better than no response at all. I'll give it another day or two.