Browsing articles tagged with "hacking" - Admins Goodies
Jan 10, 2013
tom

Server hacked: How do I fix, diagnosis and prevent? [closed]

Possible Duplicate: How do I deal with a compromised server? WP Site (up to date with version & plug-ins) Cheap budget host Inserted on all of my pages inside the tags is the following code: Fast Cash Advance Fast Cash Advance if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';} How do I remove this? What steps can I take to prevent this from occurring again? How can I identify the susceptible area? Thanks. Asked by Christopher […]

Dec 2, 2012
tom

Is my webserver being abused for banking fraud?

For a few weeks now I've been getting a lot of 403 errors from Apache in my log files that seem to be related to a bank fraud scheme. The relevant log entries look like this (the IP 1.2.3.4 is one I made up; I did not modify the rest of each line): www.bradesco.com.br:80 / 1.2.3.4 - - [01/Dec/2012:07:20:32 +0100] "GET / HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11" www.bb.com.br:80 […]

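The log lines in this post show requests whose Host header names a bank that this server does not host, answered with 403 because no virtual host matched. The clients sending them have had their name resolution tampered with (hosts file, home-router DNS or a poisoned resolver) so that the bank's name maps to this server's address. What the admin needs from the logs is the list of spoofed names and the client addresses behind them. The script below is an added example written for this page, not code from the original post. It assumes Apache's stock vhost_combined format with %v replaced by %V (with UseCanonicalName Off, %V logs the client-supplied Host header; with plain %v you would only ever see your own ServerName in this field), an assumed list of hostnames the server legitimately serves, and constructed sample lines modelled on the ones quoted above.

```python
import re
from collections import defaultdict

# Assumed LogFormat (Apache vhost_combined with %V so the requested hostname is logged):
#   "%V:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<req>[^"]*)"\s+(?P<status>\d{3})\s+\S+\s+'
    r'"(?P<ref>[^"]*)"\s+"(?P<ua>[^"]*)"$'
)

# Hostnames this server is actually configured to serve (assumption for the example).
SERVED_HOSTS = {"www.example.com", "example.com"}

# Constructed sample lines modelled on the entries quoted in the post.
SAMPLE_LOG = """\
www.bradesco.com.br:80 1.2.3.4 - - [01/Dec/2012:07:20:32 +0100] "GET / HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
www.bb.com.br:80 1.2.3.4 - - [01/Dec/2012:07:20:35 +0100] "GET /favicon.ico HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
www.example.com:80 5.6.7.8 - - [01/Dec/2012:07:21:00 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.26.0"
www.bradesco.com.br:80 9.9.9.9 - - [01/Dec/2012:07:22:10 +0100] "GET /login HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else rec["req"]
    return rec


def foreign_host_report(log_text, served_hosts=SERVED_HOSTS):
    """Group requests whose Host header is not one of ours.

    Returns {hostname: {"requests": n, "clients": {ip, ...},
                        "statuses": {code, ...}, "paths": {path, ...}}}.
    The client set is the list of machines whose DNS/hosts resolution points
    the bank's name at this server; the status set shows whether anything
    here actually answered for that name (403 = nothing did).
    """
    report = defaultdict(lambda: {"requests": 0, "clients": set(),
                                  "statuses": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].lower()
        if host in served_hosts:
            continue
        entry = report[host]
        entry["requests"] += 1
        entry["clients"].add(rec["ip"])
        entry["statuses"].add(rec["status"])
        entry["paths"].add(rec["path"])
    return dict(report)


if __name__ == "__main__":
    for host, entry in sorted(foreign_host_report(SAMPLE_LOG).items()):
        print(f"{host}: {entry['requests']} requests from {len(entry['clients'])} clients, "
              f"statuses {sorted(entry['statuses'])}, paths {sorted(entry['paths'])}")
```

Run it against the real log with the real served-host list; any hostname that appears in the report with only 403s is a name the server never answered for. Make sure the default (first) virtual host serves nothing but a 403 or an empty page, so a client arriving with a spoofed Host header can never be shown content, and keep the client addresses for reporting to their network operators or to the bank's incident-response contact.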
Jun 10, 2012
tom

My WordPress site is being hacked by modifying the .htaccess [closed]

Possible Duplicate: My server's been hacked EMERGENCY I'm going crazy right now and I don't know what to do. I did a Google search about those hackers who use .htaccess to redirect my site to their site to gain traffic, and now I've been getting this problem since yesterday and I don't know what I should do… I also did a search and found some people having the same problem, and the suggestion was to […]

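The two WordPress posts above describe the same kind of compromise seen from two angles: a hidden block of spam links stuffed into every page (the hideMe element, made invisible by injected JavaScript so that only search engines see the links) and an .htaccess rewrite that sends visitors arriving from search engines to the attacker's site. Both leave recognisable traces in the document root. The script below is an added example written for this page, not code from either post. It walks a directory tree and flags the indicators those symptoms imply: conditional rewrites keyed on the referer or user agent, rewrites to an absolute external URL, the hide-an-element JavaScript trick, script tags loading from an external host, and eval() wrapped around a decoder. The indicator list, the scanned extensions and the sample tree it builds in a temporary directory are all assumptions made for the example.

```python
import os
import re
import tempfile

# Indicator patterns. These are assumptions drawn from the symptoms described in the
# posts above (hidden spam block, referer-conditional .htaccess redirect), not an
# exhaustive signature set.
HTACCESS_RULES = [
    ("conditional-redirect",
     re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}.*(google|bing|yahoo|msn)", re.I)),
    ("external-redirect",
     re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I)),
]
CONTENT_RULES = [
    ("hidden-element",
     re.compile(r"getElementById\([^)]*\)\.style\.(visibility\s*=\s*['\"]hidden|display\s*=\s*['\"]none)", re.I)),
    ("external-script",
     re.compile(r"<script[^>]+src=['\"]https?://", re.I)),
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13|strrev)\s*\(", re.I)),
]
SCAN_EXT = {".php", ".html", ".htm", ".js", ".inc"}

# Constructed sample tree: one infected template, one hijacking .htaccess,
# one dropped file in uploads/, one clean page.
SAMPLE_FILES = {
    "index.php": (
        "<?php get_header(); ?>\n"
        "<div id=\"hideMe\"><a href=\"http://example.net/loans\">Fast Cash Advance</a></div>\n"
        "<script>if(document.getElementById('hideMe') != null){"
        "document.getElementById('hideMe').style.visibility = 'hidden';"
        "document.getElementById('hideMe').style.display = 'none';}</script>\n"
    ),
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} .*google.* [OR]\n"
        "RewriteCond %{HTTP_REFERER} .*bing.*\n"
        "RewriteRule ^(.*)$ http://example.org/go.php?$1 [R=301,L]\n"
    ),
    "wp-content/uploads/x.php": "<?php eval(base64_decode('aGVsbG8=')); ?>\n",
    "about.html": "<html><body><p>About us</p></body></html>\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_tree(root):
    """Walk root and return a list of (relative path, indicator name, line number)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root)
            if fname == ".htaccess":
                rules = HTACCESS_RULES
            elif os.path.splitext(fname)[1].lower() in SCAN_EXT:
                rules = CONTENT_RULES
            else:
                continue
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for name, pattern in rules:
                        if pattern.search(line):
                            findings.append((rel, name, lineno))
    return findings


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, name, lineno in sorted(scan_tree(demo_root)):
        print(f"{rel}:{lineno}: {name}")
```

A hit tells you where the payload is, not how it got there. Pair the scan with a modification-time sweep (find /path/to/docroot -type f -mtime -7) and a diff against a clean copy of the same WordPress and plugin versions, since attackers commonly reset timestamps; then look in the access log around the earliest modified file for the upload or exploit request, which is the "susceptible area" the first post asks about. Cleaning the files without closing that entry point just buys a day or two.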
May 25, 2012
tom

PHP eval(gzinflate(base64_decode(..))) hack – how to prevent it from occurring again?

We recently had a website hacked, where some PHP code was injected into the index.php file that looked something like: eval(gzinflate(base64_decode('s127ezsS/…bA236UA1'))); The code was causing another PHP file (cnfg.php) to be included, which was causing some pharmaceutical-related spam to be displayed (but only visible to Googlebot et al.). This looks like the pharma hack for WordPress, except we're not running said software. The code has since been removed, but I'd like to prevent such […]

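The eval(gzinflate(base64_decode('...'))) wrapper in this post is just an encoding, and the first thing to do with it is decode it offline, never run it under PHP. The decoded layer tells you which files were dropped (cnfg.php here), how the cloaking works (the post says the spam was only shown to Googlebot, so expect a user-agent check) and gives you strings to grep the rest of the server for. The decoder below is an added example written for this page, not code from the post. It mirrors the PHP functions by name: gzinflate is raw DEFLATE (zlib with a negative window size), gzuncompress is zlib-wrapped, gzdecode is gzip-wrapped, plus base64_decode, str_rot13 and strrev. It peels nested eval() layers until none is left. The two-layer sample it builds, and the include('cnfg.php') stand-in payload, are constructed for the example; the truncated literal in the post is not decodable from the excerpt.

```python
import base64
import codecs
import re
import zlib


def php_gzdeflate(data):
    """Equivalent of PHP gzdeflate(): raw DEFLATE with no zlib/gzip header.
    Used here only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Python equivalents of the PHP decoders commonly chained under eval().
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),                 # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                   # zlib-wrapped
    "gzdecode": lambda b: zlib.decompress(b, 16 + zlib.MAX_WBITS),  # gzip-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( f1( f2( ... 'literal' ) ) );  -- captures the call chain and the quoted payload.
EVAL_RE = re.compile(
    rb"eval\s*\(\s*(?P<chain>(?:\w+\s*\(\s*)+)(?P<q>['\"])(?P<payload>.*?)(?P=q)\s*\)+\s*;?",
    re.S,
)


def unwrap(source, max_layers=20):
    """Peel nested eval(decoder(...)) layers from PHP source bytes.

    Returns (final code, layers) where layers lists, per layer, the decoder
    names in the order they were applied (innermost call first).
    Raises ValueError on a decoder this example does not know.
    """
    layers = []
    code = source
    for _ in range(max_layers):
        m = EVAL_RE.search(code)
        if m is None:
            break
        names = [n.decode() for n in re.findall(rb"\w+", m.group("chain"))][::-1]
        data = m.group("payload")
        for name in names:
            if name not in DECODERS:
                raise ValueError(f"unsupported decoder in chain: {name}")
            data = DECODERS[name](data)
        layers.append(names)
        code = data
    return code, layers


# Constructed sample: a stand-in payload wrapped twice the way the post describes.
INNER = b"include('cnfg.php');"
LAYER1 = b"eval(gzinflate(base64_decode('" + base64.b64encode(php_gzdeflate(INNER)) + b"')));"
SAMPLE = (b"<?php\neval(gzinflate(base64_decode('"
          + base64.b64encode(php_gzdeflate(LAYER1)) + b"')));\n?>")


if __name__ == "__main__":
    plain, layers = unwrap(SAMPLE)
    print("layers:", layers)
    print("decoded:", plain.decode("latin-1"))
```

Once you have the plaintext, grep the document root for the decoder chain itself (grep -rl 'eval(gzinflate(base64_decode' /path/to/docroot) and for the file names it references, and check the modification time of index.php against the access log to find the request that wrote it. For prevention the point is the one the post is circling: the web server's user must not be able to write to the application's code directories, and every component with a known upload or include bug has to be patched, because the injected line is only the last step of whatever got the attacker write access.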
May 10, 2012
tom

Logwatch httpd – hacks and probes

Sometimes in my daily logwatch report, I notice that there is a section under httpd for “attempts to use known hacks…” and another section about how many sites probed the server. I have a few questions about these sections: Is apache or logwatch the one picking up and reporting on the known hacks? Which program actually knows that it is a known hack? Is there a certain location or reference point that one of these […]

May 9, 2012
tom

Is there a way to log who uploads or changes a specific file? (CentOS)

There is a file that keeps getting infected with this code. I can't figure out why. So I want to log who uploads or changes the file. Is there a way to log who uploads or changes a specific file? PS: There is no FTP login. We only use SSH and Plesk. Asked by nahha Yes, there is. The audit subsystem has some pretty neat accounting features. Running the following command will audit changes to the […]

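The answer above points at the Linux audit subsystem, and the excerpt is cut off before the command. The standard form is a file watch keyed by a name you choose, for example auditctl -w /var/www/vhosts/example.com/httpdocs/index.php -p wa -k webfile (the path is an assumption for this example; -p wa records writes and attribute changes), queried afterwards with ausearch -k webfile -i. Rules added with auditctl do not survive a reboot, so put the same line in the audit rules file as well (/etc/audit/audit.rules on CentOS 5 and 6, a file under /etc/audit/rules.d/ on later releases). The useful part is reading what comes back: each event is a SYSCALL record plus CWD and PATH records sharing one serial, and the field that answers "who" is auid, the login uid that survives su and sudo. An auid of 4294967295 means the process never came from a login session at all, which for a process named httpd means the file was written through the web application (an upload bug or a web shell), not by anyone's SSH account. The parser below is an added example written for this page, not code from the post or from the audit tools; it works on raw audit.log lines, and the two events in the sample (one write by httpd with no login session, one by root via vim after a login as uid 1000) are constructed for the example.

```python
import re

UNSET_AUID = 4294967295  # kernel's "no login session" value (-1 as unsigned 32-bit)

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample in raw /var/log/audit/audit.log format: one write by the web
# server without a login session, one by root in a shell after logging in as uid 1000.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1336543210.123:4711): arch=c000003e syscall=2 success=yes exit=4 a0=1b2f010 a1=241 a2=1b6 a3=0 items=2 ppid=2100 pid=2145 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="webfile"
type=CWD msg=audit(1336543210.123:4711):  cwd="/var/www/vhosts/example.com/httpdocs"
type=PATH msg=audit(1336543210.123:4711): item=0 name="/var/www/vhosts/example.com/httpdocs/" inode=12345 dev=fd:00 mode=040755 ouid=10001 ogid=505 rdev=00:00
type=PATH msg=audit(1336543210.123:4711): item=1 name="/var/www/vhosts/example.com/httpdocs/index.php" inode=12399 dev=fd:00 mode=0100644 ouid=10001 ogid=505 rdev=00:00
type=SYSCALL msg=audit(1336550000.500:4790): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2a1c a1=241 a2=1a4 a3=0 items=2 ppid=3000 pid=3010 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="vim" exe="/usr/bin/vim" key="webfile"
type=CWD msg=audit(1336550000.500:4790):  cwd="/root"
type=PATH msg=audit(1336550000.500:4790): item=0 name="/var/www/vhosts/example.com/httpdocs/" inode=12345 dev=fd:00 mode=040755 ouid=10001 ogid=505 rdev=00:00
type=PATH msg=audit(1336550000.500:4790): item=1 name="/var/www/vhosts/example.com/httpdocs/index.php" inode=12399 dev=fd:00 mode=0100644 ouid=10001 ogid=505 rdev=00:00
"""


def parse_records(text):
    """Group raw audit records by serial; returns events ordered by serial."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue
        ev = events.setdefault(m.group("serial"), {
            "serial": int(m.group("serial")), "time": float(m.group("time")), "paths": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        rtype = m.group("type")
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
    return [events[k] for k in sorted(events, key=int)]


def summarize(event, key="webfile"):
    """Reduce one event to the fields that answer 'who changed the file'."""
    sc = event.get("syscall", {})
    if sc.get("key") != key:
        return None
    files = [p for p in event["paths"] if p and not p.endswith("/")]
    return {
        "serial": event["serial"], "time": event["time"],
        "auid": int(sc["auid"]), "uid": int(sc["uid"]), "euid": int(sc["euid"]),
        "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
        "exe": sc.get("exe"), "comm": sc.get("comm"), "tty": sc.get("tty"),
        "file": files[-1] if files else None,
    }


def who_changed(text, key="webfile"):
    """All summarized events for the given audit key, oldest first."""
    return [s for s in (summarize(e, key) for e in parse_records(text)) if s]


def attribution(summary):
    """Plain-language reading of a summary: login session or web-application path."""
    if summary["auid"] == UNSET_AUID:
        return (f"no login session: written by {summary['exe']} running as uid "
                f"{summary['uid']} (web application path, not a shell user)")
    return (f"login uid {summary['auid']} (tty {summary['tty']}) via {summary['exe']} "
            f"running as uid {summary['uid']}")


if __name__ == "__main__":
    for s in who_changed(SAMPLE_AUDIT_LOG):
        print(f"{s['time']:.3f} {s['file']}: {attribution(s)}")
```

In the first sample event the writer is httpd with no login uid, so the next place to look is the access log at that timestamp for the request that carried the write (a POST to an upload handler or to a file that should not exist). In the second it is a real login (uid 1000, then root) in an interactive shell, which means that account's SSH credentials or the box itself are compromised. Plesk's own services show up with their own exe and uid, so the same field distinguishes a change made through the control panel from one made by the web server.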
Apr 21, 2012
tom

Apache server under attack

I have a CentOS 5.8 server with Apache 2.2.3 with 20 websites on it. In the last few weeks the server was inaccessible several times (too many database connections and lots of CPU usage). I had to restart the server to get ssh/ftp/http access again. When I checked the httpd log files of the server I see 10,000 'access attempts' every day coming via yourthumbnails.com. Here is an example from the access log: 98.224.147.78 - - [19/Apr/2012:14:20:06 […]

Mar 12, 2012
tom

Auth log error : Is it a Hack?

I was just going through the auth.log file and I found the following error. Can anybody tell me whether it is a hack or just a log of Bugzilla, which I installed, throwing an error? Mar 12 06:50:10 bigbugz02 su[13762]: Successful su for www-data by root Mar 12 06:50:10 bigbugz02 su[13762]: + ??? root:www-data Mar 12 06:50:10 bigbugz02 su[13762]: pam_unix(su:session): session opened for user www-data by (uid=0) Mar 12 06:50:12 bigbugz02 su[13762]: pam_unix(su:session): session closed for user www-data Asked […]

Feb 22, 2012
tom

Backdoor and zmeu process on a Linux system [closed]

Possible Duplicate: My server's been hacked EMERGENCY First some background info. The server we're talking about is running CentOS 5.6, SSH on port 22 which can be accessed over the Internet (bad, we know), Apache on port 8080 which can be accessed over the Internet, and MySQL, which can't be accessed over the Internet. A few days ago this test server was hacked, due to a really simple password (yep, you'll find it all over the […]

Jan 20, 2012
tom

Ubuntu 10.10 sshd contains "YOU WANNA SMOKE A SPLIFF" and pot leaf ASCII art. Does this mean I've been hacked?

My sshd binary on an Ubuntu 10.10 machine contains the following ASCII artwork: ng: %.100sToo many lines in environment file %sUser %.100s not allowed because %s exists YOU WANNA . SMOKE M A SPLIFF ? dM ROLL ME MMr %d TIMES 4MMML . MMMMM. xf . MMMMM .MM- Mh.. MMMMMM .MMMM .MMM. .MMMMML. MMMMMh )MMMh. MMMMMM MMMMMMM 3MMMMx. MMMMMMf xnMMMMMM '*MMMMM MMMMMM. nMMMMMMP *MMMMMx MMMMM .MMMMMMM= *MMMMMh MMMMM JMMMMMMP MMMMMM 3MMMM. dMMMMMM . MMMMMM MMMM […]
