Help find hole

**JohnM** · 08-31-2009, 09:18 AM

Had a look at that script. If this was in my server I would have cleaned up everything, with new db, db user etc. It writes to db does it not ?

**JohnM** · 08-31-2009, 09:23 AM

Sems to be a r57shell hack, if that makes sense to anyone.

**Rarst** · 08-31-2009, 10:02 AM

Originally Posted by JohnM

Had a look at that script. If this was in my server I would have cleaned up everything, with new db, db user etc. It writes to db does it not ?

I've searched through db, no inserts or whatever in sight. I guess there are functions in backdoor for that but they weren't used. Changed passwords and such anyway.

Will also compare two daily db dumps before and after hack to be sure.

Sems to be a r57shell hack, if that makes sense to anyone.

Not to me. :)

**Otto** · 08-31-2009, 10:55 AM

The r57shell is just the payload, not the hack itself. There's a lot of different scripts like these, which basically give full access to the system. The hack just drops one of them there.

**Rarst** · 09-01-2009, 12:02 PM

Ok, just got an alert on repeat attempt.

Goes exactly same:
- enters through same service looking for sites on same server;
- loads home page;
- goes to login, somehow gets redirected to admin;
- hits IP block and is sent to 404 (eat that bastard).

So hole is still there somewhere. :((( If I hadn't hardened access I would be now screwed twice.

Any idea how can I log details of login attempt to see how the hell he does that?

**Rarst** · 09-01-2009, 12:35 PM

Update - my blog's database is gone. Shit. Now I am really mad.

**JohnM** · 09-01-2009, 01:10 PM

If your host has 10% hacked sites, its time to move. Its a hackers party in there.

http://www.google.com/safebrowsing/d...?site=AS:30475

http://wehostwebsites.com/ doesnt impress me either.

**Rarst** · 09-01-2009, 01:31 PM

Originally Posted by JohnM

If your host has 10% hacked sites, its time to move. Its a hackers party in there.

http://www.google.com/safebrowsing/d...?site=AS:30475

http://wehostwebsites.com/ doesnt impress me either.

Previous host started clean but now up to some infected sites as well in Google safebrowsing... Can move back there, still have paid time. At elast I didn't get hacked twice in a row there.

What is second URL? Not either of my hosts.

**Jeffro** · 09-01-2009, 01:43 PM

I imagine WPWebhost was notified of the second hack attempt with the database deletion? What are they saying on their end? Or are they acting like there is no problem?

**Rarst** · 09-01-2009, 01:52 PM

Originally Posted by Jeffro

I imagine WPWebhost was notified of the second hack attempt with the database deletion? What are they saying on their end? Or are they acting like there is no problem?

I sent details to guy-possibly-from-security-department, no reply at moment.

By now I could settle for information that I personally did something retarded and left it wide open. I just want freaking hole found and fixed.

Thread: Help find hole

LinkBack

Thread Tools

Display

LinkBacks (?)

Blog (briefly) hacked | Rarst.net

Posting Permissions