Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Found several shells in my website's FTP.
#11
/home/uzi/public_html/inc/3rdparty/diff/Diff/Engine/shell.php
<< That is part of the mybb package.
#12
(2012-05-09, 10:41 PM)danesxd Wrote:
(2012-05-09, 10:39 PM)Alternate Wrote:
(2012-05-09, 10:32 PM)danesxd Wrote:
(2012-05-09, 10:25 PM)Alternate Wrote:
(2012-05-09, 10:22 PM)danesxd Wrote: HI i member you

Pretty certain you defaced my old forum. How mature...?

to be honest it wad a very inmature thing to do i feal bad about it it was a good forum but i started to get into hack forums and for some reason i wanted to deface something and make myself look cool but i realize now it was a mistake you probably wont believe me or forgive me but its the truth.

Wait.. are you talking about my old forum or this one...?

Also, if you're talking about the old one, why would you randomly decide to log into your MyBB account to view this thread?
you old one and cause i was looking for some plugins to mess around with but i saw this and thought i should check it out and i rememberd who you was.

Sorry.. but at the moment I can't clarify you to be trustworthy, considering it's a coincidence that you manage to find this thread on the same day my forum is at risk of being exploited. I can barely trust anyone at the moment.
#13
(2012-05-09, 10:34 PM)pavemen Wrote:
(2012-05-09, 10:21 PM)Solidus Wrote: Let's be smart here.
"/home/uzi/public_html/uploads/awards/shell.php.jpg"
"/home/uzi/public_html/uploads/ficons/shell.php.jpg"


Almost certainly those plugins are to blame. Although it is possible that is was something else, and those directories were chosen because they can be written to.

the plugins are likely NOT to blame, but that is where the hacker or malicious script decided to install the shell code.

You're right, just noticed these are Labrocca's plugins, so it's not likely at all.
[Image: hdoE.png]
m1ne.net - coming soon
#14
once you get it all cleaned up and are comfortable with the current file set try installing my Advanced File Verification plugin to set a new baseline and then you can monitor from there
Lost interest, sold my sites, will browse here once in a while. It's been fun.
#15
These got installed there only because they were writable folders. This was likely an exploit from your host or other script....RFI imho.

Are you on shared host? And do you run other scripts?
#16
He is using Hostgator shared. OP have me cpanel access, all of /inc folder is gone and continues to be removed when re-uploaded. I've told him to contact Hostgator support who can access the folder via ssh, maybe there's something hidden in there.
[Image: hdoE.png]
m1ne.net - coming soon
#17
(2012-05-09, 11:18 PM)Solidus Wrote: He is using Hostgator shared. OP have me cpanel access, all of /inc folder is gone and continues to be removed when re-uploaded. I've told him to contact Hostgator support who can access the folder via ssh, maybe there's something hidden in there.

Hi there Labrocca. Solidus basically provided you with a thorough reply to your question.

Also, I would like to add, I was on HostGator Live Chat and the guy said that he checked and there wasn't any hidden files.

I'm just not too sure why I see these files being added through checking the access log, but they don't appear in "inc".

Nothing is uploading to "inc" either, which I find strange. Thanks for all the assistance guys, I'm going offline but I'll be back online tomorrow afternoon to sort this out.
#18
(2012-05-09, 10:45 PM)Alternate Wrote:
(2012-05-09, 10:41 PM)danesxd Wrote:
(2012-05-09, 10:39 PM)Alternate Wrote:
(2012-05-09, 10:32 PM)danesxd Wrote:
(2012-05-09, 10:25 PM)Alternate Wrote: Pretty certain you defaced my old forum. How mature...?

to be honest it wad a very inmature thing to do i feal bad about it it was a good forum but i started to get into hack forums and for some reason i wanted to deface something and make myself look cool but i realize now it was a mistake you probably wont believe me or forgive me but its the truth.

Wait.. are you talking about my old forum or this one...?

Also, if you're talking about the old one, why would you randomly decide to log into your MyBB account to view this thread?
you old one and cause i was looking for some plugins to mess around with but i saw this and thought i should check it out and i rememberd who you was.

Sorry.. but at the moment I can't clarify you to be trustworthy, considering it's a coincidence that you manage to find this thread on the same day my forum is at risk of being exploited. I can barely trust anyone at the moment.

understood i am not looking forgivenes just simply letting you know i don't mean harm to you.

and i dont have anything to do with this new issue just saying.
#19
Never mind. I have now had this issue resolved. Someone had edited my File Attributes on my FTP account so me (Owner) couldn't 'Read' files inside "/inc" but the 'Public' group could Read, Write and Execute commands. I had a brief discussion my hosting providers Live Support Chat and he regained my permissions for my account and I was able to view everything as normal.

I appreciate all the help that everyone's provided me with over the past 48 hours. Thank you!


Forum Jump:


Users browsing this thread: 1 Guest(s)