Jump to content

hosting problem / website compromised


Recommended Posts

hi there. i have a site running on cheapo shared hosting with host department.com and i have been having a few security issues. it started off with javascript viruses turning up in my source code which were easy enough to weed out. i can only presume that there is a weakness somwhere within the many accounts that must be on the same server. i make regular backups and its not a complicated site so i just accepted that "you get what you pay for". now however a directory full of html pages, each in thier own directory has turned up at the root of my website. there's no scripts in there its just a load of html.

 

example of one page (viewed from browser) (out of about 200)

madonna vs abba remix

abba express no kingsville oh

addis abba hotels

blue abba

abba startkabel nl

abba singles the first ten years

abba slipping through

abba and mastey hair products

easy guitar tab abba

addis abba or addis ababa

jeff smith abba

abba waiting

abba haw do you do

lay all your love abba

abba mother know

abba mania torrent

word study abba

abba thank music

abba pure natural hair care

file abba mp3

hotel abba fonseca salamonica spain

abba lichtenstein

 

it goes on...

at the bottom theres a big block of text...

 

Baby. Post N74608: ana kreisler957, 22:23 Top Site: lifeexperiencedegrees.net; indiaabundance.com; onsmartpages.com; erbc-sc.org; psilinks.net. Post N35601: Morgan Fairchild968, 21:55 Places to visit: "El Arish", "Condado de Castilnovo", "Marlin", "Lake Luzerne-Hadley", "Kaiserslautern". Post N60573: bobbi baird437, 11:28 Best Film: Audiotrack, Deja Vu, From The Dark Past, Jerusalem, Something To Believe In. Post N21487: Tatiana Brown214, 20:16 My Projects: "bigcity.bz", "saltonseamovie.warnerbros.com", "hoelk.aminus3.com", "urbansalvage.com.au", "byourstuffnow.com". Post N50420: gretchen mol959, 7:41 My Friends: Masloveckas Mason, Goodheard Aandaleeb, Hasseth Mamduh, Kalousooski Tomlin, Demmouth Hyatt. Post N63608: wendy lyon105, 24:57 Favourite Song: Quadrille, Unterwegs, Pena, Mixed Up Mess Of A Heart, Fling of mine. Post N51608: Star E916, 8:47 Top Site: medarex.com;

 

my problem is that i can't seem to shift any of it. ive tried root access on my server and dreamweaver from my p.c. , ive tried changing permissions and everything...

 

a) what is it?!

b) how do i get rid??

 

thanks.

Link to comment
Share on other sites

What exactly do you have running on your website, is it a CMS that uses PHP and has an open upload script? Do you allow PHP uploads, or are you using something else? I've worked for a shared webhost before, and 99% of the time a site was "hacked" it was a script kiddy exploiting a PHP upload script on the server.

Link to comment
Share on other sites

Hi,

 

* I am assuming that this is a linux server? If so, you can try to `cd` into the directory where you see all those html files.  Then run the following command:

 

lsattr -R 2>/dev/null | egrep -v '\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-|^$'

 

Please paste the output from the above command back to me.

 

* Are all of these files .html files within their own directory?  Is each named something like index.html?

 

* When you say it is a shared account... Do you mean it is shared as in you are on a server with a single account and a bunch of other strangers?  Or do you mean it is a Virtualized server on shared hardware

 

If it is the former, try running the following after you `cd` to the directory as I requested above and run the following command:

 

find . -type f -ls | egrep -vs "`id -un`"

 

If you get any output from that command, then the files are owned by a user other than yours.  As such, you probably will not be able to modify those files.

 

Once I have more information from you, I can likely further assist you.

Link to comment
Share on other sites

Yes,

 

  I was suggesting with a terminal / ssh connection.  If it is plesk or cPanel, I believe both of those software titles include a browser-based terminal.  Honestly, the downside to accounts like that is security.  Since the world of security is ever-changing, there is always someone looking to find a new way to compromise someone else's site. 

 

  If you are unable to connect using the terminal, or if this is overly complicated for you, it may be in your best interest to forward this thread to the support at your hosting company.  I am assuming your user does not own those files or they are marked immutable, both of which would prevent you editing / deleting them.

Link to comment
Share on other sites

That would mean that likely, those files were created by apache, provided it is running as the httpd user and group.  If it is running as that user and group, then it would create the files as that user and group as well.  It may be necessary to have your hosting provider remove these

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.