HELP My site is being used for this -- What is it?

Cantaloupe
Forum Newbie
Posts: 3
Joined: Thu Aug 14, 2008 4:34 pm

Post by Cantaloupe »

Hello,

For the second time in 2 months someone is accessing my bandwidth. The first time I moved to a better host, added a robot.txt, blocked the problematic IP range, and disabled links to the db. It is basically a shell site now. However, my bandwidth was gobbled up again a few days ago. This time I found a file:

/*******************************************/
/* FaTaLisTiCz_Fx Fx29Sh v1 06.2008 */
/* Re-coded and modified By FaTaLisTiCz_Fx */
/* #CyBeRz@irc.allnetwork.org */
/*******************************************/

that was visited 445 times (this is a dull site with an average of 2.43 visitors/day).

What is it? What does it do? What can I do?

I'd appreciate any help. It is too big to post it here but I will email it to anyone who wants to see it.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: HELP My site is being used for this -- What is it?

Post by ghurtado »

Looks like you got hacked. Here's a copy of the exploit:

http://64.233.167.104/search?q=cache:d0 ... =firefox-a

Someone figured out how to upload this file to your site, and then used it to execute shell commands. I would recommend starting afresh. Do you use a version of PHP that could have well-known vulnerabilities?
Geteburg
Forum Commoner
Posts: 25
Joined: Tue Aug 12, 2008 1:57 pm

Re: HELP My site is being used for this -- What is it?

Post by Geteburg »

Did you check your logs also? You could probably see how he got in by looking at logs. Firewall is active? No PHP scripts running?

ghurtado, that link made my anti-virus go ALERT, ALERT... while I had my headset on at full volume. I almost crapped my pants because of it. :lol:
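Added example, not part of any post in this thread: one way to act on the advice above about checking the logs, by finding the first request to the planted file and the successful POSTs that came before it. The log format (Apache/Nginx combined), the file path `/gallery/files/fx.php`, the upload script name and the addresses are constructed placeholders, not values from this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/Nginx "combined"/"common" access-log line (assumed log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log; paths and addresses are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2008:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.23 - - [10/Aug/2008:04:40:10 +0000] "GET /gallery/upload.php HTTP/1.1" 200 900
198.51.100.23 - - [10/Aug/2008:04:40:55 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312
198.51.100.23 - - [10/Aug/2008:04:41:20 +0000] "GET /gallery/files/fx.php HTTP/1.1" 200 48211
198.51.100.23 - - [10/Aug/2008:04:42:02 +0000] "POST /gallery/files/fx.php?x=1 HTTP/1.1" 200 6120
192.0.2.44 - - [11/Aug/2008:09:00:00 +0000] "GET /gallery/files/fx.php HTTP/1.1" 200 48211
203.0.113.7 - - [11/Aug/2008:10:00:00 +0000] "POST /contact.php HTTP/1.1" 200 150
""".splitlines()

def parse(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without query
    return rec

def trace_shell(lines, shell_path):
    """Summarise hits on the planted file and what preceded the first one."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    hits = [r for r in recs if r["path"] == shell_path]
    if not hits:
        return None
    first = hits[0]
    # Successful POSTs to other scripts before the first hit are the
    # likeliest upload route (a heuristic; FTP or panel logs may also matter).
    earlier = [(r["ip"], r["path"]) for r in recs
               if r["ts"] <= first["ts"] and r["method"] == "POST"
               and r["status"].startswith("2") and r["path"] != shell_path]
    return {"hits": len(hits),
            "clients": Counter(r["ip"] for r in hits),
            "first_seen": first["ts"],
            "upload_candidates": earlier}

if __name__ == "__main__":
    print(trace_shell(SAMPLE_LOG, "/gallery/files/fx.php"))
```

The script named in `upload_candidates` is the one to review or disable first; preserve the raw logs before cleaning up so the timeline can still be reconstructed.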
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: HELP My site is being used for this -- What is it?

Post by ghurtado »

Well, it is an exploit, so I guess your antivirus kinda works :)

To be clear, there is no danger from viewing the link, since your browser can't really execute PHP code itself.

On a side note, I would hate any antivirus software that literally yells at me when it needs attention. Wouldn't simply blocking the page be enough?
Geteburg
Forum Commoner
Posts: 25
Joined: Tue Aug 12, 2008 1:57 pm

Re: HELP My site is being used for this -- What is it?

Post by Geteburg »

It does, it blocks the connection to it :) But when it does that and shows the Alert window, it also screams ALERT, ALERT,... Of course you can disable that, but hey :D
Cantaloupe
Forum Newbie
Posts: 3
Joined: Thu Aug 14, 2008 4:34 pm

Re: HELP My site is being used for this -- What is it?

Post by Cantaloupe »

The PHP version is 5.25

While searching the stats for the accessed files I found files that had NOTHING to do with me. There was a file which seemed to be a chat log. The language was Southeast Asian and some other things led me to conclude that the attack was from Indonesia. However, I found a file which seems to be a video of highly illegal activity (Yes, that. OMG). It seems as if my site was hacked to distribute it.

I've told my host that I believe that they need to contact the authorities.

Thank you for your help.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: HELP My site is being used for this -- What is it?

Post by ghurtado »

Proceed with a lot of caution. If the video is "illegal" enough, you may want to seek the advice of a lawyer before going to the police.
Cantaloupe
Forum Newbie
Posts: 3
Joined: Thu Aug 14, 2008 4:34 pm

Re: HELP My site is being used for this -- What is it?

Post by Cantaloupe »

Thank you. The host is telling me to delete it as they don't allow that type of content. -- Get rid of it and forget about it. However, I feel that someone needs to report it as I'm scared of any problems that might arise later.
ghurtado
Forum Contributor
Posts: 334
Joined: Wed Jul 23, 2008 12:19 pm

Re: HELP My site is being used for this -- What is it?

Post by ghurtado »

I would definitely delete it ASAP, since illegal content on a host you are responsible for can be a huge liability.