Comments on: Help needed – War to hackers

By: Emanuele Feronato - italian geek and PROgrammer

Emanuele Feronato - italian geek and PROgrammer — Wed, 05 May 2010 16:59:37 +0000

[...] you should know if you are an old time reader, this blog has been hacked several times with malicious script [...]

By: Jafar

Jafar — Mon, 11 Jan 2010 06:34:24 +0000

Try using N-Stalker to search for threats. It’ s really a good program :)

By: Badim

Badim — Wed, 16 Dec 2009 21:01:28 +0000

oh man, i get same attack few weeks ago.
what you HAVE to ad – as Vadersapien said:
purge your http directory, upload latest installation of WP and connect them to your MySQL tables. Or restore backup BEFORE(you have to be 100% sure) your http was modified.

how this attacks works:
you lost your password to TrojanX, TrojanX sent all ftp info to special serverY, and leaved php file for case if you will change pass. Server Y each day each time trying to Do same Script for each access that it has, if access is not working, it will try PhP file, if not – attacks will probably stops.

this all process is auto-matic. so it have to be not personal stuff, just some hazkers doing what they can to get extra $ =(

By: Mike Duguid

Mike Duguid — Tue, 15 Dec 2009 13:36:00 +0000

If you’re sure it’s not via ftp scan your http access logs and correlation of those with file modification times is the next step.

By: Vadersapien

Vadersapien — Mon, 14 Dec 2009 21:32:45 +0000

If you never get to find it, I think the best thing to do would be delete everything on the server(maybe keep MySQL tables), and restore from a backup…although that PHP file might have existed when you hosted the site on the other server, explaining why the attacks carried over between servers…

By: Emanuele Feronato

Emanuele Feronato — Mon, 14 Dec 2009 14:41:22 +0000

I changed the FTP password and never used the FTP since then, but attacks continue.

I think there is a unsanitized PHP executing scripts… but I can’t find it…

By: sandro

sandro — Sun, 13 Dec 2009 22:55:16 +0000

try this

http://www.evilsocket.net/764/wp-sentinel-pubblicato.html

By: Mike Duguid

Mike Duguid — Sat, 12 Dec 2009 21:24:30 +0000

Andrea, he’s running on a hostgator host – he cannot make changes to the overall server config that would make any difference, and it’d be unlikely that a shared server with 1000′s of people on it has been rooted. I’d take the hostgator advice with a pinch of salt, it’s a standard canned reply, the tier of support staff you will deal with at large companies like this haven’t the knowledge or time to really get to the bottom of the cause.

By: Mike Duguid

Mike Duguid — Sat, 12 Dec 2009 21:19:50 +0000

I’ve seen a similar issue where a PC was infected with a gumblar variant (up to date AV didn’t recognise!) which sniffed ftp details. The outgoing data also bypassed a firewall by attaching to an svchost instance. So don’t be too sure a quick scan will give you an ‘all clear’ for this route of vulnerability. The way to -know- and not -guess- how the attack is happening is to check server logs against modification time of infected files and correlate users/ips/access at that time. Once you -know- how the attack happened you can sort it rather than stumbling from one ineffective solution to another. I’ll reiterate again – don’t use shared hosting (shared hosting is a complete waste of time for professional use – can’t modify firewall rules e.g lock ftp to your own, often can’t get access to ftp logs, change apache/ftp users permission, no sftp or ssh etc etc).

By: Andrea

Andrea — Sat, 12 Dec 2009 10:26:31 +0000

I check your server, there are too many open ports, including a port running a service unknown