hosting problem / website compromised

[eddie21leeds]

hi there. i have a site running on cheapo shared hosting with host department.com and i have been having a few security issues. it started off with javascript viruses turning up in my source code which were easy enough to weed out. i can only presume that there is a weakness somwhere within the many accounts that must be on the same server. i make regular backups and its not a complicated site so i just accepted that "you get what you pay for". now however a directory full of html pages, each in thier own directory has turned up at the root of my website. there's no scripts in there its just a load of html.

 

example of one page (viewed from browser) (out of about 200)

madonna vs abba remix

abba express no kingsville oh

addis abba hotels

blue abba

abba startkabel nl

abba singles the first ten years

abba slipping through

abba and mastey hair products

easy guitar tab abba

addis abba or addis ababa

jeff smith abba

abba waiting

abba haw do you do

lay all your love abba

abba mother know

abba mania torrent

word study abba

abba thank music

abba pure natural hair care

file abba mp3

hotel abba fonseca salamonica spain

abba lichtenstein

 

it goes on...

at the bottom theres a big block of text...

 

Baby. Post N74608: ana kreisler957, 22:23 Top Site: lifeexperiencedegrees.net; indiaabundance.com; onsmartpages.com; erbc-sc.org; psilinks.net. Post N35601: Morgan Fairchild968, 21:55 Places to visit: "El Arish", "Condado de Castilnovo", "Marlin", "Lake Luzerne-Hadley", "Kaiserslautern". Post N60573: bobbi baird437, 11:28 Best Film: Audiotrack, Deja Vu, From The Dark Past, Jerusalem, Something To Believe In. Post N21487: Tatiana Brown214, 20:16 My Projects: "bigcity.bz", "saltonseamovie.warnerbros.com", "hoelk.aminus3.com", "urbansalvage.com.au", "byourstuffnow.com". Post N50420: gretchen mol959, 7:41 My Friends: Masloveckas Mason, Goodheard Aandaleeb, Hasseth Mamduh, Kalousooski Tomlin, Demmouth Hyatt. Post N63608: wendy lyon105, 24:57 Favourite Song: Quadrille, Unterwegs, Pena, Mixed Up Mess Of A Heart, Fling of mine. Post N51608: Star E916, 8:47 Top Site: medarex.com;

 

my problem is that i can't seem to shift any of it. ive tried root access on my server and dreamweaver from my p.c. , ive tried changing permissions and everything...

 

a) what is it?!

b) how do i get rid??

 

thanks.

[neogranas]

What exactly do you have running on your website, is it a CMS that uses PHP and has an open upload script? Do you allow PHP uploads, or are you using something else? I've worked for a shared webhost before, and 99% of the time a site was "hacked" it was a script kiddy exploiting a PHP upload script on the server.

[eddie21leeds]

its a shared server with php and all the rest. the site itself is just html with a contact form hosted off site, there are a few other domains but theres so scripts at all in the whole account.

[eddie21leeds]

sorry for the double post. pc issues!!   

[mpiekarski]

Hi,

 

* I am assuming that this is a linux server? If so, you can try to `cd` into the directory where you see all those html files.  Then run the following command:

 

lsattr -R 2>/dev/null | egrep -v '\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-|^$'

 

Please paste the output from the above command back to me.

 

* Are all of these files .html files within their own directory?  Is each named something like index.html?

 

* When you say it is a shared account... Do you mean it is shared as in you are on a server with a single account and a bunch of other strangers?  Or do you mean it is a Virtualized server on shared hardware

 

If it is the former, try running the following after you `cd` to the directory as I requested above and run the following command:

 

find . -type f -ls | egrep -vs "`id -un`"

 

If you get any output from that command, then the files are owned by a user other than yours.  As such, you probably will not be able to modify those files.

 

Once I have more information from you, I can likely further assist you.

[eddie21leeds]

it is an account on a shared server with strangers. the only access i have to the files is through the file browser software.

 

you'll have to excuse me im a beginner. when you 'cd' in do you mean with the terminal window?

[mpiekarski]

Yes,

 

  I was suggesting with a terminal / ssh connection.  If it is plesk or cPanel, I believe both of those software titles include a browser-based terminal.  Honestly, the downside to accounts like that is security.  Since the world of security is ever-changing, there is always someone looking to find a new way to compromise someone else's site. 

 

  If you are unable to connect using the terminal, or if this is overly complicated for you, it may be in your best interest to forward this thread to the support at your hosting company.  I am assuming your user does not own those files or they are marked immutable, both of which would prevent you editing / deleting them.

[eddie21leeds]

it's cPanel - htprotect to be exact... ill look into it!

in the cpanel window it says  httpd:httpd next to the files and folders in question whereas next to all my files it just has my username...

[mpiekarski]

That would mean that likely, those files were created by apache, provided it is running as the httpd user and group.  If it is running as that user and group, then it would create the files as that user and group as well.  It may be necessary to have your hosting provider remove these