hacked this morning: is there a procedure to follow?


  • hacked this morning: is there a procedure to follow?

    It's been a long time coming! I built a site for our school using e107 about three years ago, and haven't kept the scripts updated. I don't intend to now, because I'm going to be replacing it with a new drupal site in the next few weeks anyway.

    Basically, what happened this morning at 10am is that our office got a bounced email reading: 'domain ourdomain.com has exceeded the max emails per hour (100) allowed'. They only told me about it at 5pm though, because the email functioned ok after that one bounce.

    So, what I found out when I got home and looked at it is that an r57 shell (index2.php) was placed in the website's folder at 9am. There were also two 'kissmeunix' scripts, 'mail.php' and 'cp.php', uploaded. Then the mail script used sendmail to try to send out 4000 'Halifax' phishing spams using the [cpanel name]@[serverHostName].com account email address. Only a hundred were successfully sent though; the rest were prevented by WHM firewall settings.

    So, I've:
      • deleted the r57 shell (index2.php), cp.php and mail.php;
      • looked around to see if I could identify any other scripts and found nothing;
      • uninstalled the e107 scripts that contained form fields (contact form and newsletter subscribe). Login still works though;
      • set up an email forward so that I'll be alerted if that email address is used again;
      • changed my passwords for the site admin and SQL database, just in case a human was emailed details.

    I've got a gut feeling that all this was done by a bot, and that I've managed to get to it before a human was able to log in to the shell script and do some real damage.

    What do you guys think? Am I probably right? Have I done enough cleaning up?
    Do I need to do anything else to protect the server? Am I being too complacent?

    Thanks for any thoughts or advice.
    Last edited by -Anti-; 13-10-2010, 20:44.

  • #2
    Originally posted by -Anti-:
    It's been a long time coming! I built a site for our school using e107 about three years ago, and haven't kept the scripts updated. I don't intend to now, because I'm going to be replacing it with a new drupal site in the next few weeks anyway.

    Basically, what happened this morning at 10am is that our office got a bounced email reading: 'domain ourdomain.com has exceeded the max emails per hour (100) allowed'. They only told me about it at 5pm though, because the email functioned ok after that one bounce.

    So, what I found out when I got home and looked at it is that an r57 shell (index2.php) was placed in the website's folder at 9am. There were also two 'kissmeunix' scripts, 'mail' and 'cp', uploaded. Then the mail script used sendmail to send out 4000 'Halifax' phishing spams using the [cpanel name]@[serverHostName].com email address. Only a hundred were successfully sent though; the rest were prevented by WHM settings.

    So, I've:
      • deleted the r57 shell (index2.php), cp.php and mail.php;
      • looked around to see if I could identify any other shell scripts and found nothing;
      • uninstalled the e107 scripts that contained form fields (contact form and newsletter subscribe). Login still works though;
      • set up an email forward so that I'll be alerted if that email address is used again;
      • changed my passwords for the site admin and SQL database, just in case a human was emailed some details.

    I've got a gut feeling that all this was done by a bot, and that I've managed to get to it before a human was able to log in to the shell and do some real damage.

    What do you guys think? Am I probably right? Have I done enough?
    Do I need to do anything else to protect the server?

    Thanks for any thoughts or advice.
    Hi Philip,

    The steps you've followed are good, but not secure enough for the site. I'd recommend you contact our VPS Support Dept immediately to get the username/pw of the account changed and also to check the exact reason for such a file (r57 shell) to be uploaded, whether it was the old scripts which went bananas or whether the FTP account was compromised. There are numerous reasons for this hack, and getting to the root of it is the best option to encounter them in the future; getting the server secured is another good deal.
    Rock _a.k.a._ Jack Daniel

    Follow eUKhost on Twitter || Join eUKhost Community on Facebook
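    The two things the thread leaves to eyeballing are the sweep for other dropped scripts (the poster's second step) and the root-cause question in reply #2 (old scripts versus a compromised FTP account). The script below is an added example, not code from the thread, from -Anti- or from eUKhost. Part 1 walks a web root for PHP files modified within the last N hours and flags the ones carrying strings typical of r57-style shells or of request-driven mass mailers; anything recently modified but without a known string is still listed, because the modification time is the real lead. Part 2 reads an Apache-style access log, finds which client first requested a dropped file and lists that client's earlier requests, which is the quickest way to tell whether the file arrived through a web form in the old scripts or by some other route (nothing in the log would point to FTP). Assumptions: the signature strings are a small constructed set and not a complete r57 signature; `index2.php`, `mail.php` and `cp.php` mirror the thread, while `contact.php`, the IP addresses and every log line are constructed placeholders; the log is in Apache combined format; `find -mmin` is GNU/BSD find rather than strict POSIX.

```shell
#!/bin/sh
# Added example (not the thread's or eUKhost's code): defender-side triage
# for a dropped-webshell-plus-spam incident. All file names other than the
# thread's index2.php/mail.php/cp.php, and all log data, are constructed.

# scan_webroot DIR HOURS : print "FLAG<TAB>path" for PHP files modified
# within HOURS. SHELL = shell indicators, MAILER = mail()/sendmail driven by
# request parameters, RECENT = recently modified but no known string.
# The signature list is a constructed sample, not a full r57 signature.
scan_webroot() {
  dir="$1"; hours="${2:-24}"
  find "$dir" -type f \( -name '*.php' -o -name '*.phtml' \) -mmin "-$((hours * 60))" |
  while IFS= read -r f; do
    if grep -Eiq 'r57shell|c99shell|eval\(base64_decode|shell_exec\(|passthru\(|system\(\$_(GET|POST|REQUEST)' "$f"; then
      printf 'SHELL\t%s\n' "$f"
    elif grep -Eiq '(^|[^a-z_])mail\(|sendmail' "$f" && grep -Eq '\$_(GET|POST|REQUEST)' "$f"; then
      printf 'MAILER\t%s\n' "$f"
    else
      printf 'RECENT\t%s\n' "$f"
    fi
  done
}

# count_flag DIR HOURS FLAG : how many files received FLAG (prints 0 when none).
count_flag() {
  scan_webroot "$1" "$2" | grep -c "^$3" || true
}

# make_sample_webroot : constructed web root mirroring the thread; prints its path.
# index2.php carries a shell marker, mail.php a request-driven mailer, cp.php
# has no known string (only its mtime gives it away), index.php is old and benign.
make_sample_webroot() {
  d=$(mktemp -d)
  printf '<?php /* r57shell */ if(isset($_POST["cmd"])) passthru($_POST["cmd"]); ?>\n' > "$d/index2.php"
  printf '<?php $to=$_POST["to"]; mail($to, "Halifax", $_POST["body"]); ?>\n' > "$d/mail.php"
  printf '<?php copy($_GET["s"], $_GET["d"]); ?>\n' > "$d/cp.php"
  printf '<?php echo "school site"; ?>\n' > "$d/index.php"
  touch -t 200701010000 "$d/index.php"   # legitimately old, outside the window
  echo "$d"
}

# first_client LOG NAME : client IP of the first request mentioning NAME.
first_client() {
  grep -F -- "$2" "$1" | head -n 1 | awk '{ print $1 }'
}

# client_requests LOG IP : "time<TAB>method<TAB>path<TAB>status" for every
# request from IP, in log order. Apache combined log format assumed.
client_requests() {
  awk -v ip="$2" '$1 == ip { t=$4; sub(/^\[/, "", t); printf "%s\t%s\t%s\t%s\n", t, substr($6, 2), $7, $9 }' "$1"
}

# make_sample_log : constructed access-log excerpt; prints its path.
# /contact.php stands in for the old form script (placeholder path).
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
192.0.2.10 - - [13/Oct/2010:08:58:41 +0100] "GET /contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Oct/2010:08:59:02 +0100] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Oct/2010:09:00:15 +0100] "GET /index2.php HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Oct/2010:09:01:40 +0100] "POST /mail.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Oct/2010:09:30:00 +0100] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
  echo "$f"
}

# Stand-alone run on the constructed data: sh triage.sh demo  (hypothetical file name)
if [ "${1:-}" = "demo" ]; then
  root=$(make_sample_webroot); log=$(make_sample_log)
  scan_webroot "$root" 24
  ip=$(first_client "$log" index2.php)
  echo "index2.php was first requested by $ip; that client's requests in order:"
  client_requests "$log" "$ip"
  rm -rf "$root" "$log"
fi
```

    On a real server you would point `scan_webroot` at the account's document root with the window set from the known 9am timestamp, and feed `first_client` the path of the first dropped file together with the access log for that domain. A RECENT hit deserves a manual look just as much as a SHELL hit. If the client that fetched the shell only ever spoke to a form script before it appeared, the entry point is that script; if the file's first request is its own, look at the FTP and control-panel logs instead, which is the distinction reply #2 asks about.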



    • #3
      Thanks for the reply.



      • #4
        Originally posted by -Anti-:
        Thanks for the reply.
        You're welcome, Philip
        Rock _a.k.a._ Jack Daniel

        Follow eUKhost on Twitter || Join eUKhost Community on Facebook
