hi folks
i encountered a real problem. one of my sites has been deactivated by my hoster since it had been used to send phishing mails; so i checked, and really, there was a file in a subdirectory named "re.php". what is curious about this is that this file was in a sub-sub-directory named "..". now the questions:
how can a ".."-directory be created since there is always one existing already?
how did this file (re.php) get there?
what can i do to avoid this once and for all?
i’d be grateful for any clues asap.
phen

hi jim,
as you understood right, there was a "re.php"-file in a subdirectory; to be exact:
domain_name/php/func/../re.php
looking further i saw within a wiki i had installed another subdir, something like "www.paypal…………." with many subdirs and sub-subdirs (and this very paypal stuff was the reason for deactivation of the site, as the support told me on the phone).
in panic, the first thing i did was to delete all this stuff (stupid me). i should have downloaded it first, but now it's done.
your hint with the logfiles is quite good though. i’ll check this out and let you know.
the only question is: how did they manage to do so? i must admit, this scares the sh… out of me, since many internet players use the site daily.
meanwhile the site has been reactivated, but i'm wondering what to do to avoid such things happening again. any clues?
I'm not sure how this happens, but I'm guessing some type of SQL injection. Are you using a CMS package (site software you didn't program)? Perhaps they have an update you might have missed?
The software you are using is key, but most important are the log files which will tell you how the hacker got in and you can then go from there.
Best regards,
Jim.
Hello Phen,
It’s always a bummer when your site gets hacked. Whenever this has happened to me, it was with a software package I didn’t create, such as a CMS system like WordPress, etc.
I'm guessing the report said that the file re.php was located in the .. directory and that the report was run from the outside (outside of your network / server), correct?
However, if you search your server for re.php, I'll bet you'll find it in your root directory or a close sub-directory. Have you searched for this file yet?
Without seeing the file (re.php) and understanding what CMS system you are running on the server, I can’t even begin to guess how it happened. The log files usually tell all!
Look at everyone that has hit re.php in your log files, look at the first occurrence of this, then search your log files for the IP address. That should help you track the creation of the file and more.
I hope that helps!
Best regards,
Jim.
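As an added example (not part of the thread), here is the log review Jim suggests, run against constructed Apache combined-format lines: find the first request for re.php, then pull every request made by that same IP. The addresses, paths, dates and user agents in the sample are all made up.

```python
import re
from datetime import datetime
# Constructed sample of Apache combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:08:01:12 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2010:02:14:03 +0100] "GET /shop/admin/index.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2010:02:15:02 +0100] "GET /php/re.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2010:09:30:55 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Mar/2010:11:02:17 +0100] "POST /php/re.php?to=x HTTP/1.1" 200 17 "-" "curl/7.19"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it is not combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["file"] = rec["path"].split("?", 1)[0]  # drop query string for matching
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def first_hit(records, filename):
    """Earliest request for the given file name, e.g. 're.php', in any directory."""
    hits = [r for r in records if r["file"].endswith("/" + filename)]
    return min(hits, key=lambda r: r["ts"]) if hits else None

def requests_from(records, ip):
    """Every request by one IP in time order: the trail before and after the hit."""
    return sorted((r for r in records if r["ip"] == ip), key=lambda r: r["ts"])

def trace(text, filename):
    """Return (first request for filename, all requests by that IP)."""
    records = parse_log(text)
    first = first_hit(records, filename)
    return (first, requests_from(records, first["ip"])) if first else (None, [])

if __name__ == "__main__":
    first, trail = trace(SAMPLE_LOG, "re.php")
    print("first hit:", first["ip"], first["ts"].isoformat(), first["path"])
    for r in trail:
        print(r["ts"].isoformat(), r["method"], r["path"], r["status"], r["agent"])
```

The requests the first-hit IP made just before re.php appeared are where to look for how the file got there; a real log is read with `open(path).read()` in place of the sample.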
hi jim,
thx again for your quick reply.
1. no! i'm not using anything i didn't program myself (the only exception is the template engine, but this won't do anything, that's for sure, since i have the sources)
2. this template engine does not check for updates at all!
after i deleted all suspicious files (domain and sub-domains are clean) the address 156.1.13.254 kept on trying to activate the re.php file. any clues?
kindest regards
All I can suggest is to review your logs for that IP address and re.php to see who created the file and / or who has been accessing it.
BTW – What did RE.PHP contain?
Regards,
Jim.
hi jim,
as i said above, i deleted the file right away without downloading it first (stupid me).
i'm checking every day if it appears again, so i could rewrite it, redirecting this very visitor to a site full of unknown viruses!
i'll let you know if i have news.
hi jim,
after reading the appropriate logfile i found out that the attack took place on the 12th of this month. who it finally was is not as important as the fact that it was possible.
my site is secure, that's for sure. but you should know that the website is actually split into 3 sub-domains (mainly). but there is one tiny little thing i totally forgot: having installed a shop via the freeware OsCommerce in a fourth sub-domain. not having enough time, i didn't configure it to the end, and so it was standing there waiting for over a year.
A Turkish guy belonging to a website calling themselves "the 5 best hackers in the world" found a back door in this very software and announced on their website that the site had been hacked and how. this way anyone was able to exploit whatever they felt like, such as sending spam and phishing mails, which they did.
so who it was that sent these mails is not as important as the one who felt obliged to appear as the greatest, just by "hacking" something which was open to anyone anyway. sick a…hole!
since revenge is a dish best served cold, you can be sure that these guys will not be around anymore in the short term. he who laughs last laughs best.