eddie21leeds Posted January 26, 2009

hi there. i have a site running on cheapo shared hosting with host department.com and i have been having a few security issues. it started off with javascript viruses turning up in my source code which were easy enough to weed out. i can only presume that there is a weakness somewhere within the many accounts that must be on the same server. i make regular backups and it's not a complicated site so i just accepted that "you get what you pay for".

now however a directory full of html pages, each in their own directory, has turned up at the root of my website. there's no scripts in there, it's just a load of html.

example of one page (viewed from browser) (out of about 200):

madonna vs abba remix abba express no kingsville oh addis abba hotels blue abba abba startkabel nl abba singles the first ten years abba slipping through abba and mastey hair products easy guitar tab abba addis abba or addis ababa jeff smith abba abba waiting abba haw do you do lay all your love abba abba mother know abba mania torrent word study abba abba thank music abba pure natural hair care file abba mp3 hotel abba fonseca salamonica spain abba lichtenstein

it goes on... at the bottom there's a big block of text...

Baby. Post N74608: ana kreisler957, 22:23 Top Site: lifeexperiencedegrees.net; indiaabundance.com; onsmartpages.com; erbc-sc.org; psilinks.net. Post N35601: Morgan Fairchild968, 21:55 Places to visit: "El Arish", "Condado de Castilnovo", "Marlin", "Lake Luzerne-Hadley", "Kaiserslautern". Post N60573: bobbi baird437, 11:28 Best Film: Audiotrack, Deja Vu, From The Dark Past, Jerusalem, Something To Believe In. Post N21487: Tatiana Brown214, 20:16 My Projects: "bigcity.bz", "saltonseamovie.warnerbros.com", "hoelk.aminus3.com", "urbansalvage.com.au", "byourstuffnow.com". Post N50420: gretchen mol959, 7:41 My Friends: Masloveckas Mason, Goodheard Aandaleeb, Hasseth Mamduh, Kalousooski Tomlin, Demmouth Hyatt. Post N63608: wendy lyon105, 24:57 Favourite Song: Quadrille, Unterwegs, Pena, Mixed Up Mess Of A Heart, Fling of mine. Post N51608: Star E916, 8:47 Top Site: medarex.com;

my problem is that i can't seem to shift any of it. i've tried root access on my server and dreamweaver from my p.c., i've tried changing permissions and everything...

a) what is it?!
b) how do i get rid??

thanks.
neogranas Posted January 26, 2009

What exactly do you have running on your website, is it a CMS that uses PHP and has an open upload script? Do you allow PHP uploads, or are you using something else? I've worked for a shared webhost before, and 99% of the time a site was "hacked" it was a script kiddy exploiting a PHP upload script on the server.
eddie21leeds Posted January 26, 2009 (Author)

it's a shared server with php and all the rest. the site itself is just html with a contact form hosted off site, there are a few other domains but there's no scripts at all in the whole account.
eddie21leeds Posted January 26, 2009 (Author)

sorry for the double post. pc issues!!
mpiekarski Posted January 29, 2009

Hi,

* I am assuming that this is a linux server? If so, you can try to `cd` into the directory where you see all those html files. Then run the following command:

```
lsattr -R 2>/dev/null | egrep -v '\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-|^$'
```

Please paste the output from the above command back to me.

* Are all of these files .html files within their own directory? Is each named something like index.html?

* When you say it is a shared account... Do you mean it is shared as in you are on a server with a single account and a bunch of other strangers? Or do you mean it is a Virtualized server on shared hardware? If it is the former, try running the following after you `cd` to the directory as I requested above and run the following command:

```
find . -type f -ls | egrep -vs "`id -un`"
```

If you get any output from that command, then the files are owned by a user other than yours. As such, you probably will not be able to modify those files.

Once I have more information from you, I can likely further assist you.
eddie21leeds Posted January 29, 2009 (Author)

it is an account on a shared server with strangers. the only access i have to the files is through the file browser software. you'll have to excuse me, i'm a beginner. when you 'cd' in do you mean with the terminal window?
mpiekarski Posted January 29, 2009

Yes, I was suggesting with a terminal / ssh connection. If it is Plesk or cPanel, I believe both of those software titles include a browser-based terminal.

Honestly, the downside to accounts like that is security. Since the world of security is ever-changing, there is always someone looking to find a new way to compromise someone else's site.

If you are unable to connect using the terminal, or if this is overly complicated for you, it may be in your best interest to forward this thread to the support at your hosting company. I am assuming your user does not own those files or they are marked immutable, both of which would prevent you editing / deleting them.
eddie21leeds Posted January 29, 2009 (Author)

it's cPanel - htprotect to be exact... i'll look into it! in the cpanel window it says httpd:httpd next to the files and folders in question whereas next to all my files it just has my username...
mpiekarski Posted January 29, 2009

That would mean that likely, those files were created by apache, provided it is running as the httpd user and group. If it is running as that user and group, then it would create the files as that user and group as well. It may be necessary to have your hosting provider remove these.
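
The two checks discussed in the thread (files owned by someone other than you, such as httpd:httpd, and files marked immutable) can be scripted as below. This is an added example, not part of any post above; the function names and the sample `lsattr` output are constructed for illustration, and GNU `find` and a POSIX `awk` are assumed.

```shell
#!/bin/sh
# Added example: ownership and attribute triage for a shared-hosting web root.

# Print "owner:group path" for everything under DIR not owned by the current
# user. Comparing the uid avoids the false negatives of grepping `ls` output
# for a username that may also appear inside a path.
foreign_owned() {
    find "$1" ! -uid "$(id -u)" -printf '%u:%g %p\n' 2>/dev/null
}

# Read `lsattr -R` output on stdin and print entries whose attribute field
# contains i (immutable) or a (append-only). Matching on the field contents
# works however many attribute columns the installed lsattr prints, and
# directory header lines ("./dir:") and blank lines are skipped.
flagged_attrs() {
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ {
             flags = $1; sub(/^[^ ]+ +/, ""); print flags, $0 }'
}

# Run both checks against a real directory, e.g. `triage ~/public_html`.
triage() {
    echo "== not owned by $(id -un) =="
    foreign_owned "$1"
    echo "== immutable / append-only =="
    lsattr -R "$1" 2>/dev/null | flagged_attrs
}

# Constructed sample of `lsattr -R` output, so the parser can be tried offline.
sample_lsattr() {
    cat <<'EOF'
-------------e-- ./index.html
----i--------e-- ./abba mania/index.html

./abba mania:
-----a-------e-- ./spam.log
-------------e-- ./ia-notes.txt
EOF
}

sample_lsattr | flagged_attrs
```

Any line printed by `foreign_owned` is a file your account cannot delete or chmod, and any line printed by `flagged_attrs` needs `chattr` run by root before removal; in both cases the output is what to hand to the hosting provider's support.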