WebProWorld - Web Programming Discussion Forum
Working with an API? Developing a plugin? Writing a Mod or script for your favorite blog, Web 2.0 site or Forum? Welcome.
Victim of hackers

#1  05-17-2004, 05:40 AM  Dave Hawley (Australia)

According to my host, at about the same time each day, someone is somehow hacking my site and able to use it to send out bulk emails (Spam). This is causing the server to crash and because of this my host has taken my site down.

I have been told that it may be due to some script I have on one of my many Web pages. However, they have no idea what.

Is there anyone that could suggest a likely cause (e.g. script type etc.) of this? Or better still, what I, or my host, could do to stop this?

I'm getting desperate!
#2  05-17-2004, 10:07 AM  cyanide (Toronto, Canada)

What kind of scripts do you have running?
A mailing list, perhaps?

Hmmm, keep getting in??? That worries me, and I might even suggest that it's not just your problem, but quite possibly your host's.
If they haven't tightened up the ship and secured the box, then you're wide open.

During this time, did you change your password at all?
Who's your host?

If you wanna keep some of this private, you can PM me.
#3  05-17-2004, 10:52 AM  HardCoded

The usual culprit is Formmail, but I've never seen it crash a server. Question: are you the only website on your host? If not, why are they picking on you, if they "have no idea what"?
#4  05-17-2004, 11:32 AM  paulhiles (UK)

I've seen sites go down from attacks on the mail script. As Hardcoded mentioned, the usual culprit is a formmail script, whether it's the CGI/Perl version or its ASP counterpart.

The would-be attackers see the formmail script as a vehicle for spamming multiple email addresses (via your site). If the script is supplied by your web host then they should be using the latest version of the mailer script. I know there are well-documented vulnerabilities in older versions.

I would ask your host for more details. How can you be expected to solve a problem if you're not given full details, i.e. script name, description of error, etc.?
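A worked illustration of the abuse paulhiles describes, as an added example that is not the formmail code from the thread or from any host. The first builder copies form fields straight into mail header lines, the pattern the old CGI/PHP formmail scripts used, so a submitter can end the From: line with CR LF and append a Bcc: list of their own. The second rejects line breaks in every header field, checks address syntax, and only mails an allow-listed recipient. SITE_OWNER, the field names and the two sample submissions are assumptions constructed for the demo.

```python
"""
Formmail-style mail header injection: vulnerable builder beside a hardened one.
Added example; it models the bug class, not any specific formmail script.
"""
import re

SITE_OWNER = "owner@example.com"          # assumed fixed destination address
# Loose address syntax; what matters is that it excludes whitespace and CR/LF.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_message_vulnerable(fields):
    """Old formmail pattern: form fields copied straight into header lines.

    'recipient' chooses the destination and 'email' lands in From:, so a
    submitter who puts CR LF in either field appends headers of their own
    (a Bcc: list of targets) and the form becomes a spam relay.
    """
    headers = [
        f"To: {fields.get('recipient', SITE_OWNER)}",
        f"From: {fields.get('email', '')}",
        f"Subject: {fields.get('subject', 'Web form')}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + fields.get("message", "")


class FormMailError(ValueError):
    """Raised when a submission fails the hardened checks."""


def _header_value(name, value):
    """Reject any header value that could terminate the header line."""
    if "\r" in value or "\n" in value or "\0" in value:
        raise FormMailError(f"{name}: line break in header field")
    return value


def injected_fields(fields):
    """Names of fields carrying CR/LF, useful when logging a rejected post."""
    return sorted(k for k, v in fields.items() if "\r" in v or "\n" in v)


def build_message_safe(fields, allowed_recipients=(SITE_OWNER,)):
    """Hardened builder: recipient from an allow-list, no line breaks in any
    header, strict address syntax, and the visitor's address only in
    Reply-To so From: stays a fixed local address."""
    recipient = fields.get("recipient", SITE_OWNER)
    if recipient not in allowed_recipients:
        raise FormMailError("recipient not in allow-list")
    sender = _header_value("email", fields.get("email", ""))
    if not ADDR_RE.fullmatch(sender):
        raise FormMailError("email: malformed address")
    subject = _header_value("subject", fields.get("subject", "Web form"))
    headers = [
        f"To: {recipient}",
        f"From: {SITE_OWNER}",
        f"Reply-To: {sender}",
        f"Subject: {subject}",
    ]
    # The body may contain anything; the blank line separating it from the
    # headers is emitted here, never taken from user input.
    return "\r\n".join(headers) + "\r\n\r\n" + fields.get("message", "")


def is_rejected(fields):
    """True when the hardened builder refuses the submission."""
    try:
        build_message_safe(fields)
    except FormMailError:
        return True
    return False


# Constructed submissions for the demo (not real traffic from the thread).
GOOD = {"recipient": SITE_OWNER, "email": "alice@example.org",
        "subject": "Question", "message": "How do I sum a column?"}
ATTACK = {"recipient": SITE_OWNER,
          "email": "spam@example.net\r\nBcc: t1@example.net, t2@example.net",
          "subject": "hi", "message": "buy now"}

if __name__ == "__main__":
    print(build_message_vulnerable(ATTACK))   # the injected Bcc: line survives
    print(injected_fields(ATTACK), is_rejected(ATTACK))
```

Run it directly to see the injected Bcc: line come out of the vulnerable builder as a real header while the hardened builder refuses the same submission. The same two checks, a fixed recipient list and a CR/LF filter on every header field, belong in any script that hands mail to sendmail, whatever language it is written in.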
#5  05-18-2004, 12:25 AM  Dave Hawley (Australia)

Hi Guys

I really appreciate the replies, thanks.

My host is http://www.albasupport.com and I buy my hosting via a 'middle man' based in the same state as us, Western Australia.

Here is the 'guts' of it so far:

Description from the tech at albasupport.com:

Quote:
As I have said, the issue with ozgrid was caused by multiple issues.

XMB was causing high loads on the server, and spam was coming from the account in huge volumes, as you can see from the processes listed above.

As I have said right from the start, it's hard to identify the particular file that is the culprit (as we don't run phpsuexec on the server).

The spam is being sent through as user ozgrid via sendmail.
Now sendmail can be accessed by either php or cgi, or a formmail script.
We have ruled out the formmail script and now I am reviewing all files in the account.
The XMB forum has been taken offline some 3 days ago and the sendmail issue still persists at the same time each day.

As you can guess, I really know nothing about this stuff and would like to get some independent thoughts.

Thanks for any input.
#6  05-18-2004, 10:22 AM  HardCoded

Dave, show us these 'processes'. I still find it hard to believe that a host like that would give you a server all to yourself, or if not, that they would pick on you before actually knowing what was happening.

Also, XMB is your business (I don't know, I'm assuming), and it's down and the problem persists? Tell them to get it the f^% back up. Their process of elimination method of diagnostics hasn't eliminated anything.
#7  05-18-2004, 10:29 PM  Dave Hawley (Australia)

Hi Hardcoded

RE: Dave, show us these 'processes'.

I wish I could, they were never in the email.

They say (not sure how) that it is definitely my site, no idea how they claim that. I will be insisting on answers today though.

Yesterday I did some digging and posted a Q to PHP Freaks. Here is the post:

Hi All

Apologies if I have the wrong forum for my post.

I have a site at Ozgrid.com which is hosted with albasupport.com. On Friday of last week my site was hacked and my sendmail domain was used to send out spam....BIG time! To prevent this from happening, my site is being made "Temporarily unavailable" on a frequent basis. My host blames me and states that I must have some script somewhere on my site that is opening a 'backdoor'.

Here is a copy of what I was sent:

Quote:
As I have said right from the start, it's hard to identify the particular file that is the culprit (as we don't run phpsuexec on the server).

The spam is being sent through as user ozgrid via sendmail.
Now sendmail can be accessed by either php or cgi, or a formmail script.
We have ruled out the formmail script and now I am reviewing all files in the account.

BTW, they still have no idea what the problem is and trying to get info from them is like pulling teeth.

When I spoke with them last, via phone, I asked why they did not have phpsuexec on the server, to which he replied "that was a stuff-up on our part when we set up the new server", which I'm on. He quickly corrected himself and said "Well, not a stuff-up but an over-sight".

Now, I know very little about these sorts of security issues so I looked into this "phpsuexec" (On this site) and it seems to indicate that having this installed on my server would have probably prevented this issue. Would I be correct in saying this?

I appreciate any thoughts and comments on this.
#8  05-19-2004, 01:08 AM  steve0 (Austin, TX)

This may be an oversimplified view, but:
Check and see if you are serving as an open relay.
Since it's the same time every day, is there a cron job running?

If you are on *nix, take a look at /var/logs/maillog, secure, cron, messages
as well as your sendmail.* files.

If you are running a web log analyzer, look for a page with heavy access.

(just a few ideas)
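Putting steve0's checks together, as an added example that is not code from the thread or from the host: it parses constructed sendmail `from=` envelope lines, finds the hour in which locally submitted mail (relay=user@localhost, the way a script on the box piping into sendmail shows up) peaks, lists the scripts that were POSTed to in that same hour from an Apache combined-format access log, and shows which crontab entries fire at that hour. The log lines, the hostname `thebruce`, the paths and the crontab are made up for the demo; real lines vary with the sendmail version and the Apache LogFormat, so the two regexes are assumptions to adjust against your own logs.

```python
"""
Correlating a daily spam burst in the sendmail log with the web script hit
at the same hour, plus the cron check.  Added example with constructed log
lines; nothing here is real data from the thread.
"""
import re
from collections import Counter, defaultdict

# Apache combined log line, parsed up to the status code (assumed LogFormat).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2})/(?P<mon>\w{3})/\d{4}:(?P<hour>\d{2})'
    r':\d{2}:\d{2} [^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# sendmail envelope line for a locally submitted message (relay=user@localhost);
# inbound SMTP lines carry relay=host [ip] instead and are ignored.
MAILLOG_RE = re.compile(
    r'^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sendmail\[\d+\]: '
    r'\S+: from=(?P<sender>[^,]+), .*nrcpts=(?P<nrcpts>\d+),.*relay=\S+@localhost'
)

# Constructed sample logs: one day, a burst of POSTs and 50-recipient
# messages around 03:00, ordinary traffic the rest of the day.
ACCESS_LOG = """\
203.0.113.5 - - [17/May/2004:02:58:03 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [17/May/2004:03:01:10 +0800] "POST /chat/post.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [17/May/2004:03:01:11 +0800] "POST /chat/post.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [17/May/2004:03:01:12 +0800] "POST /chat/post.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.5 - - [17/May/2004:03:02:40 +0800] "POST /chat/post.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [17/May/2004:03:03:01 +0800] "POST /chat/post.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.44 - - [17/May/2004:03:05:22 +0800] "POST /contact/formmail.php HTTP/1.1" 200 410 "-" "Mozilla/4.0"
192.0.2.44 - - [17/May/2004:14:10:09 +0800] "POST /contact/formmail.php HTTP/1.1" 200 410 "-" "Mozilla/4.0"
203.0.113.9 - - [17/May/2004:14:12:30 +0800] "GET /forum/index.php HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
"""
MAILLOG = """\
May 17 02:59:30 thebruce sendmail[4410]: i4GIxUZ4004410: from=ozgrid, size=640, class=0, nrcpts=1, msgid=<a@ozgrid.example>, relay=ozgrid@localhost
May 17 03:01:12 thebruce sendmail[4521]: i4GJ1CZ4004521: from=ozgrid, size=2048, class=0, nrcpts=50, msgid=<b@ozgrid.example>, relay=ozgrid@localhost
May 17 03:01:13 thebruce sendmail[4522]: i4GJ1DZ4004522: from=ozgrid, size=2048, class=0, nrcpts=50, msgid=<c@ozgrid.example>, relay=ozgrid@localhost
May 17 03:03:02 thebruce sendmail[4530]: i4GJ32Z4004530: from=ozgrid, size=2048, class=0, nrcpts=50, msgid=<d@ozgrid.example>, relay=ozgrid@localhost
May 17 03:04:18 thebruce sendmail[4540]: i4GJ4IZ4004540: from=<spam@example.net>, size=2048, class=0, nrcpts=50, msgid=<e@example.net>, relay=ozgrid@localhost
May 17 14:10:10 thebruce sendmail[6101]: i4H6AAZ4006101: from=ozgrid, size=700, class=0, nrcpts=1, msgid=<f@ozgrid.example>, relay=ozgrid@localhost
May 17 14:30:00 thebruce sendmail[6300]: i4H6U0Z4006300: from=<bob@example.org>, size=900, class=0, nrcpts=1, msgid=<g@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.20]
"""
CRONTAB = """\
# m h dom mon dow command
15 3 * * * /usr/bin/php /home/ozgrid/public_html/chat/cleanup.php
0 6 * * * /home/ozgrid/backup.sh
"""


def hourly_local_recipients(maillog):
    """Total recipients per 'Mon DD HH' for mail submitted locally."""
    volume = Counter()
    for line in maillog.splitlines():
        m = MAILLOG_RE.match(line)
        if m:
            volume[f"{m['mon']} {int(m['day']):02d} {m['hour']}"] += int(m["nrcpts"])
    return volume


def posts_by_hour(access_log):
    """POST counts per script path, keyed by the same 'Mon DD HH' string."""
    hits = defaultdict(Counter)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST":
            hits[f"{m['mon']} {m['day']} {m['hour']}"][m["path"]] += 1
    return hits


def suspect_scripts(access_log, maillog, top=3):
    """The peak mail hour and the scripts POSTed to most during it."""
    volume = hourly_local_recipients(maillog)
    if not volume:
        return None, []
    peak_hour = volume.most_common(1)[0][0]
    return peak_hour, posts_by_hour(access_log)[peak_hour].most_common(top)


def cron_entries_at_hour(crontab, hour):
    """Commands in a crontab whose hour field is '*' or matches the peak hour
    (simple hour values only; ranges and lists are not expanded)."""
    found = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[1] in ("*", str(int(hour))):
            found.append(parts[5])
    return found


if __name__ == "__main__":
    hour, scripts = suspect_scripts(ACCESS_LOG, MAILLOG)
    print("peak local-mail hour:", hour, "scripts:", scripts)
    print("cron at that hour:", cron_entries_at_hour(CRONTAB, hour.split()[-1]))
```

The peak hour is keyed on the envelope `from=` lines rather than the per-recipient `to=` lines so that one 50-recipient message counts as 50; a burst of local submissions with a large nrcpts is the shape to look for, and the POST counts in the same hour point at the script to pull.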
#9  05-19-2004, 03:55 AM  Dave Hawley (Australia)

Thanks Stevo, and others.

Looks like the problem has been found. Here is the last email I sent to tech support at albasupport.com:

Quote:
He has informed me that 2 folders are likely to blame. One being "chat" and the other being "excelhelp". I thank you very much for discovering this.

Both of these folders can be deleted. In fact, after speaking with Angus on the phone yesterday, I went into my FTP to delete all superfluous folders and files. The 2 mentioned above, however, I'm not able to open to delete the files within. When I try, I get the message "550 can't change directory to excelhelp: Permission denied". Hopefully, you will be able to do so?

The "excelhelp" was set up by cPanel on 18/03/2004 using phpBB. I was going to use this in place of XMB at the time, but then realised I could not easily use the same database. Anyway, if the "excelhelp" is the culprit it might be worth looking into so this cannot happen to someone else.

At the end of the day I will be putting all this down to experience, but would like an answer to one question. phpsuexec was/is not running on the server (TheBruce). I have been told that, had this been running on the server, it is *possible* the suspect folders could have been identified before the attacks began. For this reason I would like to know if phpsuexec is going to be installed on TheBruce?

Sent about 4 hrs ago and to date, no reply.
#10  06-18-2004, 04:26 PM  Adamwlad (Boston, MA)

Hi, I know it's too late to tell you to read this article, but for others, read this article:

http://www.sitepoint.com/article/sab...coping-joe-job

-Adam