Fuckin' hackers shit on my tracking server again

ImagesAndWords

StayblCam.com
Nov 7, 2006
I'm pretty pissed.. Two weeks ago, some asshat hackers thought it would be cool to inject all the "index.php" files of my Prosper202 server with cialis and viagra spam html code. I realized this after a full night's worth of running, and lost a chunk of revenue when all my traffic went nowhere...
I use pretty strong passwords and change them every so often. How these fucks were still able to mess with my files, I dunno. But I got it fixed. Now they're at it again.

Any suggestions as to how I can better protect my servers from file injections? I guess I could play around with renaming all index.php files to something obscure but that might mess up how T202 works.

If I can't (or shouldn't) mess with filenames - how can I better protect my server from shit like this happening?

I'm not a coder, nor am I a server security expert - so I figure I'd ask you guys. :)
 


Use the hosted version of T202 if you can. There are a dozen serious security holes in the locally installed version.




HOWEVER. I suspect that's not what happened here, there's probably another script on your server with a security problem. You'll have to explore to find that though.

Edit: also, disable_functions in php.ini. Install mod_security as an Apache plugin. Change the port ssh runs on. Install a firewall.
 
^^^ what he said

Check all the scripts running on your server. I had something like that happen once and tracked it down to an old version of phpbb that I had on the server.
 
They likely have root access to the server.

This happened to me around this time last year.

I switched hosting companies and never looked back.
 
Remove write permissions from the infected files.

Double-check file and directory permissions. Unless they compromised the server or have actual access to it, there should be no way they should have write access.

If you're on shared hosting, get them poring over the server logs and see if there's anything in there that's questionable. If you're running your own server, start with the web server logs and from there check the system logs.

If you have been running SSH on a standard port (22) then god knows that they will be filled with script kiddie attempts at getting into your system. So the system logs might be pretty useless (not useless, but hard to get any use out of them). I would next check for any new user accounts or accounts that should be disabled that aren't.

You're going to be screwed if you can't find out how they are getting in. If you pore over your logs and still can't find anything that looks like a possible exploit, then I go for the drastic: reinstall everything.
 
Thanks for all the replies and tips so far.

The security guy at the hosting company I talked to last night said this:

Cross-referencing the FTP log (/var/log/messages) I found that files were altered by someone knowing the username and password for the account.

This type of injection activity is commonly associated with the Gumblar malware attacks. I recommend that any computer that was used to access this account be scanned thoroughly for spyware/trojans as this is how FTP passwords are stolen by these attackers.

So it looks like they got in that way. I find that a bit disturbing too, because I've gotten comfortable thinking AVG keeps all that shit blocked and away from my machine. I'll run another full scan again today though.

In addition to that I will try some of the things you guys mentioned as well. And it's time to set up a monitor that checks the files for inconsistencies with a cron.
 
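The cron-driven file monitor the post above talks about, as an added example (not code from the thread, the hosting company or Prosper202): it records a SHA-256 baseline of every .php file under the web root and reports modified, deleted and newly appeared files on each run. WEBROOT, BASELINE and the script name are assumptions, overridable via the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from Prosper202: a minimal
# file-integrity monitor for a PHP web root, meant to run from cron.
# WEBROOT, BASELINE and the script name are assumptions.
WEBROOT="${WEBROOT:-/var/www/prosper202}"
BASELINE="${BASELINE:-/var/lib/integrity/php.sha256}"   # must be an absolute path

# Record a SHA-256 for every .php file under the web root. Run once when the
# site is known clean, and again after every legitimate update.
baseline() {
    mkdir -p "$(dirname "$BASELINE")"
    (cd "$WEBROOT" && find . -type f -name '*.php' -print0 \
        | sort -z | xargs -0 -r sha256sum) > "$BASELINE"
}

# Compare the tree against the baseline. Reports modified or missing files
# (via sha256sum -c) and .php files that did not exist at baseline time.
# Returns 0 when clean, 1 when anything differs, so cron only mails output
# when there is something to look at.
check() {
    status=0
    [ -s "$BASELINE" ] || { echo "no baseline at $BASELINE; run baseline first"; return 1; }
    # --quiet prints only FAILED lines; stderr carries "No such file" for deletions.
    (cd "$WEBROOT" && sha256sum -c --quiet "$BASELINE" 2>&1) || status=1
    newfiles=$( (cd "$WEBROOT" && find . -type f -name '*.php' | sort) \
        | while IFS= read -r f; do
              # Baseline lines look like "<hash>  ./path.php"; match the name part.
              grep -qF "  $f" "$BASELINE" || echo "NEW: $f"
          done )
    if [ -n "$newfiles" ]; then
        printf '%s\n' "$newfiles"
        status=1
    fi
    return "$status"
}

# Assumed crontab entry: */15 * * * * /usr/local/sbin/phpcheck.sh check
case "${1:-}" in
    baseline) baseline ;;
    check)    check ;;
esac
```

Keep the baseline file outside the web root and unwritable by the web server and FTP account, otherwise whoever rewrites index.php can rewrite the hashes too.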
I and many I know use Avira AntiVir for anti-virus. It's free and I haven't ever had a problem, meaning it caught everything in my case. Maybe you could try that - I think you might have to uninstall (or at least deactivate) AVG for it to work though, as with any antivirus app.

Also, scan your system with HouseCall - Trend Micro USA. This is an (also free) online scanner and it is highly recommended by many people on specific security forums. You can google it too if you're suspicious. It seems to be pretty good for finding trojans on your system. I'd let it run overnight and see what it finds.
 
get a Mac
 
Uh-oh. I recommend you reinstall your OS and change your passwords from another computer.

AVG is nice software, but almost any antivirus won't help against a custom-crypted trojan.

Looks like Avira has a better chance to catch this shit right in RAM after decrypting.

P.S. You can easily buy FTP login/password pairs on Russian hacker forums for $0.2 - $50 (depends on Google PR). Or buy full log files for $200-$600 per GB with full keyboard logs, security certificates, etc.
 
You can take the paranoia route:

Never log in from an installed OS. Use a live Linux CD. Use secure FTP.
 
get a Mac

Yeah, that's constructive... :p The false sense of security has left a lot of Mac users open to commonly avoided issues such as phishing and doing something such as sharing your password. :p But at least they don't have to deal with viruses, malware, etc... yet.

Also being on a mac won't prevent an attack against your server, especially if they did so by an exploit in the script's code itself.

But I will say this, just like others have said: don't use FTP. It's insecure; malware/spyware can snoop on the FTP port for your login credentials, providing them to bots globally to get in and do injection attacks. Stick with SSH/SCP.

Once you get hit with an injection attack especially of the above nature, you might as well consider all the passwords you use on that machine to be compromised.
 
A lot of good suggestions. When my main laptop's anti-virus found a trojan, I ended up buying a new netbook, as it was the cheapest way to be virus-free. I did not want to have to re-install anything.

The netbook has nothing installed on it and I use it only for personal/internet banking.

It's expensive - but not as expensive as having bank account numbers, passwords and a shit load of personal information stolen and traded to the highest bidder.

I do the same thing for passwords - change them regularly and make them as long as the site will allow using combinations of numbers, letters (upper & lower case), and symbols. I keep them stored on my PDA which has no WIFI on it so that I don't need to memorize them.
 
A lot of good suggestions. When my main laptop's anti-virus found a trojan, I ended up buying a new netbook, as it was the cheapest way to be virus-free. I did not want to have to re-install anything.

That literally has to be the most fucked up, laziest, and retarded thing I have heard.
 
Yah - might be "the most fucked up, laziest and retarded thing" but $299 was better than trying to rebuild a 250 GB hard drive. Tell me, is that better, or having your ID, bank accounts, medical history, banking information etc., etc., stolen and circulated?

It might be fucked up, but it works.

That PC still reports some type of virus or trojan every time I run a scan on it using the latest and greatest scanners.