
Site hacked..

Discussion in 'BlackHat Lounge' started by Porsche, Dec 14, 2012.

  1. Porsche

    Porsche Junior Member

    Today, my hosting company emailed me to inform me that they detected unfamiliar uploads into my server and got detected by SiteSentry.

    Anyone know what that is and what I should do next? The domain URL was blurred out as this site belongs to my client, and the file uploaded was created as /porn.php

    Hacked.jpg
     
  2. t0p3a

    t0p3a Newbie

    That looks like a c99 shell. It's a backdoor where the attacker can do whatever they want with the server, like uploading files, changing passwords, downloading files... like total control of the server, etc.

    You probably should delete all those strange looking files or better re-install the server.

    But then again, there must be a vulnerability in his script somewhere; he could upload that file again.

    Upload forms and such are very vulnerable...

    I guess if he is chrooted to his directory everything should be fine for the rest of the server.
     
    Last edited: Dec 14, 2012
  3. NomenEst

    NomenEst Newbie

    This is why you should disable ALL uploads to your server and use CloudFront instead; the end user will never know.
     
  4. iboga

    iboga Junior Member Premium Member

    First, quickly delete everything, then you have to look for where in the website you have a vulnerability, and after all that, reupload it.
     
  5. MixerDJ

    MixerDJ Regular Member

    This is called a shell. With this PHP file, the hacker can connect to your site at any time. Simply put, this is like your cPanel. The hacker can do almost everything with a shell.

    1) Remove all files or just remove unfamiliar files
    2) Many hackers backdoor your index (then your index.php or any other PHP file can work like cmd)

    Go to cPanel and check all files. (Make sure you tick hidden files on, because if they put a file like this, .hack.php, it will be hidden in cPanel.)

    I hope you understand this. If you need any help regarding this, ask me and I'll help you.
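
Added example, not part of any post in this thread: a small triage script for the checks described above (hidden dot-named PHP files, recently changed files, and PHP files that call functions shells commonly rely on). The function list, the one-day cutoff and the sample tree are assumptions constructed for illustration; the sample files are inert.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed heuristic: PHP functions that shells commonly rely on. Legitimate
# code uses them too, so a hit means "review this file", not "infected".
RISKY_CALL = re.compile(
    rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    rb"base64_decode|gzinflate)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".php5")

def triage(webroot, cutoff):
    """Map relative path -> reasons for every PHP file worth a manual look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = Path(dirpath, name)
            reasons = []
            if name.startswith("."):
                reasons.append("hidden dotfile")
            if path.stat().st_mtime >= cutoff:
                reasons.append("modified since cutoff")
            calls = {m.group(1).decode().lower()
                     for m in RISKY_CALL.finditer(path.read_bytes())}
            if calls:
                reasons.append("calls: " + ", ".join(sorted(calls)))
            if reasons:
                findings[path.relative_to(webroot).as_posix()] = reasons
    return findings

def demo():
    """Build a constructed web root (inert sample files) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": b'<?php echo "hello"; ?>',
            ".hack.php": b'<?php eval(base64_decode("")); ?>',
            "porn.php": b'<?php system(""); ?>',
        }
        for rel, body in samples.items():
            Path(root, rel).write_bytes(body)
        week_ago = time.time() - 7 * 86400
        os.utime(Path(root, "index.php"), (week_ago, week_ago))
        return triage(root, cutoff=time.time() - 86400)

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

A clean result from a scan like this does not prove the site is clean; it only narrows down which files to read first before restoring from a known-good copy.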
     
  6. rugbyjack2005

    rugbyjack2005 Power Member

    Just delete the files and make sure you update your anti-virus. Most things like this come from WordPress sites where the latest and most secure versions aren't installed. It happened to me ages ago and I deleted the files and made my WP site more secure and I haven't had a problem since. Most of the time they are just programs going around trying to find servers so they can run mail servers off them and spam loads of people.