HELP My site is being used for this -- What is it?
-
Cantaloupe
- Forum Newbie
- Posts: 3
- Joined: Thu Aug 14, 2008 4:34 pm
HELP My site is being used for this -- What is it?
Hello,
For the second time in 2 months someone is accessing my bandwidth. The first time I moved to a better host, added a robot.txt, blocked the problematic IP range, and disabled links to the db. It is basically a shell site now. However my bandwidth was gobbled up again a few days ago. This time I found a file
/*******************************************/
/* FaTaLisTiCz_Fx Fx29Sh v1 06.2008 */
/* Re-coded and modified By FaTaLisTiCz_Fx */
/* #CyBeRz@irc.allnetwork.org */
/*******************************************/
that was visited 445 times (this is a dull site with an average of 2.43 visitors/day).
What is it? What does it do? What can I do?
I'd appreciate any help. It is too big to post it here but I will email it to anyone who wants to see it.
Re: HELP My site is being used for this -- What is it?
Looks like you got hacked. Here's a copy of the exploit:
http://64.233.167.104/search?q=cache:d0 ... =firefox-a
Someone figured out how to upload this file to your site, and then used it to execute shell commands. I would recommend starting afresh. Do you use a version of PHP that could have well known vulnerabilities?
Re: HELP My site is being used for this -- What is it?
Did you check your logs also? You could probably see how he got in by looking at logs. Firewall is active? No PHP scripts running?
ghurtado, that link made my anti-virus go ALERT, ALERT... while having my headset on, full volume. Almost crapped my pants 'cause of it.
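The log check suggested in this reply, as an added example that is not part of the original thread: it counts requests to the uploaded file in an access log and lists the successful POSTs its first visitor made beforehand. The combined log format, the paths and the IP addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format is assumed; adjust for your host.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse(lines):
    """Return parsed requests in time order, skipping malformed lines."""
    rows = []
    for line in lines:
        m = LINE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
            row["path"] = row["path"].split("?", 1)[0]  # drop query string
            rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])

def triage(lines, shell_path):
    """Summarise hits on shell_path and what its first visitor did before."""
    rows = parse(lines)
    hits = [r for r in rows if r["path"] == shell_path]
    if not hits:
        return None
    first = hits[0]
    # Earlier successful POSTs by the same client hint at the upload vector.
    leads = [(r["ts"], r["path"]) for r in rows
             if r["ip"] == first["ip"] and r["ts"] < first["ts"]
             and r["method"] == "POST" and r["status"].startswith("2")]
    return {"hits": len(hits), "first_seen": first["ts"],
            "first_ip": first["ip"], "upload_candidates": leads,
            "clients": Counter(r["ip"] for r in hits)}

# Constructed sample lines (hypothetical paths, documentation IP ranges).
TAIL = ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
SAMPLE = [
    '198.51.100.7 - - [10/Aug/2008:09:12:01 +0000] "GET /index.php' + TAIL,
    '203.0.113.45 - - [11/Aug/2008:02:14:31 +0000] "POST /gallery/upload.php' + TAIL,
    '203.0.113.45 - - [11/Aug/2008:02:15:02 +0000] "GET /gallery/files/fx.php' + TAIL,
    '203.0.113.45 - - [11/Aug/2008:02:15:40 +0000] "POST /gallery/files/fx.php?p=2' + TAIL,
    '192.0.2.99 - - [12/Aug/2008:18:40:11 +0000] "GET /gallery/files/fx.php' + TAIL,
]

if __name__ == "__main__":
    print(triage(SAMPLE, "/gallery/files/fx.php"))
```

An empty `upload_candidates` list does not clear the site: the upload may have come from another address or outside HTTP, so widen the search to every request before `first_seen`.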
Re: HELP My site is being used for this -- What is it?
Well, it is an exploit, so I guess your antivirus kinda works 
To be clear, there is no danger from viewing the link, since your browser can't really execute PHP code itself.
On a sidenote, I would hate any antivirus software that literally yells at me when it needs attention. Wouldn't simply blocking the page be enough?
Re: HELP My site is being used for this -- What is it?
It does, it blocks the connection to it.
But when it does that and shows the alert window, it also screams ALERT, ALERT... Of course you can disable that, but hey
-
Cantaloupe
- Forum Newbie
- Posts: 3
- Joined: Thu Aug 14, 2008 4:34 pm
Re: HELP My site is being used for this -- What is it?
The PHP version is 5.25
While searching the stats for the accessed files I found files that had NOTHING to do with me. There was a file which seemed to be a chat log. The language was Southeast Asian and some other things led me to conclude that the attack was from Indonesia. However, I found a file which seems to be a video of highly illegal activity (Yes, that. OMG). It seems as if my site was hacked to distribute it.
I've told my host that I believe that they need to contact the authorities.
Thank you for your help.
Re: HELP My site is being used for this -- What is it?
Proceed with a lot of caution. If the video is "illegal" enough, you may want to seek the advice of a lawyer before going to the police.
-
Cantaloupe
- Forum Newbie
- Posts: 3
- Joined: Thu Aug 14, 2008 4:34 pm
Re: HELP My site is being used for this -- What is it?
Thank you. The host is telling me to delete it as they don't allow that type of content. -- Get rid of it and forget about it. However, I feel that someone needs to report it as I'm scared of any problems that might arise later.
Re: HELP My site is being used for this -- What is it?
I would definitely delete it ASAP since illegal content in a host you are responsible for can be a huge liability.