Intrusion in my webhotel

Postby Knitter » Tue Mar 23, 2010 9:51 am

I don't know where to ask this, so I am trying here.
I am webmaster of ellebaek1.dk, and yesterday, when I was going to update the site, I found two folders that I didn't know of, so I deleted them. I searched for them; tatsk gave nothing, but faczw did. Can somebody tell me what this is?
I have changed my password, but is that enough?
Knitter
Spam Observer
 
Posts: 75
Joined: Tue Oct 14, 2008 8:20 pm

Re: Intrusion in my webhotel

Postby meep » Tue Mar 23, 2010 10:00 am

I will PM you some more info, instead of posting it all here.

The one thing that comes to mind is your website is probably on a shared webserver with other domains (customers), so I would report the findings to your webhost, because the shared webserver itself could be compromised and not just your website. Definitely change all your FTP / administrator passwords now if you have not yet. I hope this helps you.

EDIT:
From the cursory search of the file names, I think this is SEO poisoning where a spammer provides links to his products to boost his search results. SEO (Search engine optimization). There is probably more to this.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Intrusion in my webhotel

Postby Knitter » Tue Mar 23, 2010 12:49 pm

Thanks, Meep.
I looked again today, and now there were some new files: .bash_logout, .bash_profile, .bashre, .wsre. They seem to be related to some Linux code.
On the other hand, I could now delete the empty folder faczw, which I could not yesterday, when I could only delete its contents.
I have changed my password, but it has not yet taken effect, and I was not allowed to use anything but letters and numbers.
I have also notified my webhost and await an answer.
Knitter
Spam Observer
 
Posts: 75
Joined: Tue Oct 14, 2008 8:20 pm

Re: Intrusion in my webhotel

Postby AlphaCentauri » Tue Mar 23, 2010 3:41 pm

There are also some trojans that alter websites by infecting the PC belonging to the webmaster and using stored passwords to log in and update the site every night, no matter how many times the webmaster tries to fix it. How many people have passwords to log in, and from how many computers have you/they accessed the website control panel? Any computer that has been used is suspect.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Intrusion in my webhotel

Postby Knitter » Tue Mar 23, 2010 6:53 pm

I am the only one who has access to my machine and has the password to this website. That is, there must be another one whom I have not invited. If I have a trojan, then it must be thoroughly buried as a rootkit. I use Mailwasher, just to be sure that malware sent to me never comes near my machine. And I do not use MSN, Facebook or Twitter.
I have an answer from my webhost. He thinks I might have been infected through the contact form. It is in a CGI script, and only plain text is allowed.
Knitter
Spam Observer
 
Posts: 75
Joined: Tue Oct 14, 2008 8:20 pm

Re: Intrusion in my webhotel

Postby meep » Tue Mar 23, 2010 9:56 pm

Knitter wrote:I have an answer from my webhost. He thinks I might have been infected through the contact form. It is in a CGI script, and only plain text is allowed.

Thanks for the update on that issue. I am glad to hear your own PC does not appear to have been infected, good news, Knitter! At least your host gave you a detailed response, many times they stay rather vague if their servers get infected.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Intrusion in my webhotel

Postby trobbins » Wed Mar 24, 2010 11:39 am

Knitter wrote:Thanks, Meep.
I looked again today, and now there were some new files: .bash_logout, .bash_profile, .bashre, .wsre. They seem to be related to some Linux code.
On the other hand, I could now delete the empty folder faczw, which I could not yesterday, when I could only delete its contents.
I have changed my password, but it has not yet taken effect, and I was not allowed to use anything but letters and numbers.
I have also notified my webhost and await an answer.

Those dot bash files were created when someone accessed the server using SSH. If they were not there before, that means SSH was never used previously to access the server with a userid that has a starting directory at the location where you found those files. This could have been your hosting provider checking things out, or it could have been the person who put those other folders in your site's directory. You just may not have noticed these files before, and they were there all along. Check the date and time for those files to see when they were created in comparison to those other folders. You might want to ask your hosting provider if they SSH'ed into your website at that time too. If neither you nor your hosting provider has used SSH, then the userid and password for SSH access need to be changed immediately; otherwise you will be continually removing unwanted files and folders. I say both the userid and password because by only changing the password, the hacker still has half of the login and may regain access in a short period of time.
trobbins
Spammers' Nightmare
 
Posts: 2558
Joined: Thu Apr 12, 2007 6:55 pm
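The timestamp comparison trobbins recommends, written out as a small POSIX shell script. This is an added example and not code from anyone in the thread: it builds a throwaway directory that mirrors the situation described (the folder names faczw and tatsk come from the thread; the timestamps, the dotfile set and the directory layout are assumed), then lists which dotfiles were modified after the unknown folder appeared and prints a timeline of the whole directory, oldest first.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the modification times of
# shell dotfiles in a web account's home directory with the unknown folders
# found there, to see which appeared later. Folder names "faczw" and "tatsk"
# are from the thread; every timestamp and path below is constructed.

# Build a throwaway directory so the script runs offline: two unknown folders
# and a few dotfiles, with mtimes set explicitly (touch -t CCYYMMDDhhmm is POSIX).
make_sample_dir() {
    dir=$(mktemp -d)
    mkdir "$dir/faczw" "$dir/tatsk"
    touch -t 201003220900 "$dir/faczw" "$dir/tatsk"            # unknown folders, Mar 22 09:00
    touch -t 201003210800 "$dir/.bash_logout"                  # pre-existing dotfile, Mar 21
    touch -t 201003230700 "$dir/.bash_profile" "$dir/.bashrc"  # appeared later, Mar 23
    printf '%s\n' "$dir"
}

# Print the names of dotfiles directly inside $1 that were modified after the
# reference path $2 (for instance the unknown folder), one per line, sorted.
# "." and ".." are excluded so the directory never lists itself.
dotfiles_newer_than() {
    find "$1" -maxdepth 1 -name '.*' ! -name '.' ! -name '..' -newer "$2" \
        -exec basename {} \; | sort
}

# Human-readable timeline of everything in $1 (dotfiles included), oldest
# first, so the dotfiles can be read against the unknown folders at a glance.
timeline() {
    ls -latr "$1"
}

# Stand-alone usage on the constructed directory: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    echo "Timeline of $d:"
    timeline "$d"
    echo "Dotfiles modified after faczw appeared:"
    dotfiles_newer_than "$d" "$d/faczw"
    rm -rf "$d"
fi
```

On a real account, point dotfiles_newer_than at the account's home directory and at one of the unknown folders; a dotfile listed there postdates the intrusion and is worth raising with the hosting provider, while one that is absent from the list was already on the server before the folders appeared.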

