Possible Duplicate: My server’s been hacked EMERGENCY

The hosting company supplied an email to its client, and the client wanted some help from me. The message states:
Any items listed here which are folders named with 5 to 7 random letters are likely FTP account hacks
Checking for known bad files
/home2/1/public_html/images/sm6ay7.php
/home2/1/public_html/images/sm5ak0.php
Checking for known spam scripts
/home2/1/public_html/images/sm6ay7.php
/home2/1/public_html/images/sm5ak0.php
/home2/1/public_html/images/rssok4.php
These files are suspicious and should be looked at before deleting
The redirects in these files may not be legitimate. Often the actual file name will give you an idea if it is legit or not.
If any .htaccess files are listed here, they need to be cleaned.
TimThumb fixes
Thumbs DB fixes
Completed
------------------------ Trackback ------------------------
These results are likely valid files that have had code added to them so they should be cleaned rather than removed:
------------------------ .htaccess ------------------------
------------------------ General ------------------------
Started at: Sun Jul 15 15:55:04 MDT 2012
/home2/1/public_html/images/sm6ay7.php
/home2/1/public_html/images/sm5ak0.php
/home2/1/public_html/images/rssok4.php
Completed at: Sun Jul 15 15:55:05 MDT 2012
------------------------ Phish ------------------------
Started at: Sun Jul 15 15:55:05 MDT 2012
Completed at: Sun Jul 15 15:55:05 MDT 2012
------------------------ Base64 ------------------------
The code looks like this in the files mentioned above. What these lines of code do I cannot say; I am not a programmer either. Since the files are located in the image folder, that seems suspicious. I have looked into it, but I am not sure if I have WP as the CMS.
I do have access to the control panel of the website. I tried SSH but was not able to connect; maybe there are some configurations in the control panel that I need to deal with. The main problem is the spam in it; for SSH I will manage some way by looking at the config files. The .htaccess configuration settings:
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthUserFile /home/1/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/1/public_html/_vti_pvt/service.grp
I am new to this, so some help would be appreciated about identification and rules of thumb, if any, for debugging this.
Answer
The file you provided is definitely a remotely triggered mail-bot. I quickly formatted it, and it assembles an email and sends it using mail(). I didn’t look into the details of how it works, but the general idea is pretty obvious. Interestingly, it showed a syntax error for me, so it might never have worked.
You need to clean the server. I would recommend you do a backup and then delete all the files and install whatever CMS they use from scratch. You can probably safely keep the database; it may have become corrupted, but there should at least be no code executed from there. You also need to restore the image folder. If there are only a few files, restore those that are actually an image (just try opening them). Obviously don’t restore any scripts (ending in .php, .pl, .py, .sh, …) or executables (no ending, .exe, .cmd, .bat, …). Be sure to change any passwords and make sure those are good.
You also need to read up on security with the particular software they use. The hole is probably still there, and it needs to be fixed before any attempt at getting rid of viruses has a chance of success.
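The answer's advice for the image folder (keep only files that really are images, never restore scripts or executables) can be turned into a small triage script. The following is an added example, not code from the question or the answer: it classifies every file in a folder by extension and by its leading magic bytes, flags images that also carry a PHP open tag (a script hidden behind an image header), and marks names that look like the random five-to-seven-character names in the hosting report. The folder contents it builds are constructed sample data, and the random-name pattern is a heuristic assumed from the three filenames in the report, not a rule from the page.

```python
import re
import tempfile
from pathlib import Path

# Extensions the answer says never to restore from an uploads/images folder.
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".pl", ".py", ".sh", ".cgi"}
# "no ending" (empty suffix) counts as an executable, as in the answer.
EXECUTABLE_EXTS = {"", ".exe", ".cmd", ".bat"}

# Leading bytes of common image formats; checked against the file content,
# not the extension, because a renamed script keeps a misleading name.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# A PHP open tag anywhere in an "image" means it is not safe to restore.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Heuristic assumed from the report's sm6ay7 / sm5ak0 / rssok4 names:
# 5-7 lowercase characters mixing letters and digits. Only a hint, not a verdict.
RANDOM_NAME = re.compile(r"^(?=.*[0-9])(?=.*[a-z])[a-z0-9]{5,7}$")


def image_type(head: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def classify_file(path: Path) -> str:
    """Verdict for one file: image, script, executable, polyglot or unknown."""
    ext = path.suffix.lower()
    if ext in SCRIPT_EXTS:
        return "script"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    data = path.read_bytes()  # whole file, so an appended tag is not missed
    if image_type(data[:8]) is None:
        return "unknown"
    if PHP_TAG.search(data):
        return "polyglot"  # valid image header followed by PHP code
    return "image"


def triage(directory: Path) -> dict:
    """Group every file under the folder by verdict and note random-looking names."""
    report = {k: [] for k in ("image", "script", "executable", "polyglot", "unknown", "random_name")}
    for path in sorted(directory.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(directory))
        report[classify_file(path)].append(rel)
        if RANDOM_NAME.match(path.stem):
            report["random_name"].append(rel)
    return report


def build_sample_folder() -> Path:
    """Constructed sample folder; the file names mirror the report but the contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="images_"))
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # Placeholder script body; stands in for the mail-bot file from the report.
    (root / "sm6ay7.php").write_bytes(b"<?php /* constructed placeholder */ echo 1; ?>")
    # Real GIF header with PHP appended: opens as an image, still a script to the server.
    (root / "header.gif").write_bytes(b"GIF89a" + b"\x00" * 16 + b"<?php echo 1; ?>")
    (root / "notes.txt").write_bytes(b"plain text")
    return root


if __name__ == "__main__":
    for verdict, files in triage(build_sample_folder()).items():
        print(f"{verdict:12s} {files}")
```

Only the "image" group is a candidate for restoring; "polyglot" files look fine in an image viewer, which is why the check reads the bytes rather than relying on opening the file. Anything in "unknown" or "random_name" deserves a manual look before it goes back on the server.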
Attribution
Source: Link, Question Author: tough, Answer Author: Delphinator