richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Jan 03, 2005 7:20 pm Post subject: *Security Warning*
I believe my computer has been hacked! I don't know how but I am warning everyone!! I found a PHP script called "php1.php" in my htdocs folder along with an executable file called "Open.exe"! I opened this file and found it very disturbing, people could view and change all of my files! (so far I have only found my tutorials page deleted, but it would be possible for them to delete my whole site)! The name of the program/script is "PhpSpy Ver 2005" and is mainly in Chinese. I have password protected this file for the moment because I want to undergo more of an investigation into this script. If Aprelium would like to take a closer look at this file, please contact me and I will provide you with the password.
If ANYONE can provide more information on this matter, could you please post it here or email me!!
Please Please help me with this one....I need it!!
_________________
Please SEARCH the forums BEFORE asking questions!
Axis
Joined: 29 Sep 2003 Posts: 336
Posted: Mon Jan 03, 2005 8:07 pm Post subject:
Hello richardyork,
What version of phpBB are you using? Anything before 2.0.11 is *very* vulnerable to a new exploit.
Could that be it?
Regards,
Axis
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Jan 03, 2005 8:12 pm Post subject:
No, this doesn't have anything to do with phpBB but I know where you are coming from. Thank you for your reply!
This seems to give the hacker the ability to delete and even modify any file on your hard disk!! For example, I was checking it out just now and as it is mainly Chinese I accidentally deleted my tutorials page! This is a very serious issue and I urge all members to check their htdocs for the files mentioned in my first post!
Please, any more help from anyone would be much appreciated!
Thank You!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Jan 03, 2005 8:37 pm Post subject:
How do you know it has nothing to do with your phpBB forum? The fact that you actually ran a random file you found in your htdocs folder boggles the mind. What if it had been set up to simply wipe everything on your HD when loaded?
I tried to check what version you're running but although your site is up your forum is down... Is that intentional?
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Jan 03, 2005 8:43 pm Post subject:
Yes it is intentional! I have viewed the source of the PHP document then viewed it in Internet Explorer. That is how I know what it does. As for the "Open.exe", I haven't and wouldn't touch that! Anonymoose, if you would like to check it out I will give you the password, just PM me!
Thank You!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Jan 03, 2005 9:10 pm Post subject:
I'll certainly take a look at it. Can you confirm exactly what PHP and phpBB versions you were running prior to the file appearing?
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Jan 03, 2005 9:30 pm Post subject:
PHP 4.3.10 and phpBB 2.0.8 but I am currently updating!
Anonymoose, are you on MSN?
Thank You
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Jan 03, 2005 9:40 pm Post subject:
Nope, but you can PM me any details you wish, just zip the files up and stick them on your server somewhere. I am 99% certain that you'll find the problem has come from your phpBB board. Although the initial Santy worm * was fairly harmless, there are a huge number of variants now circulating attempting to drop various files for remote access to the server.
* http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html
admin (Site Admin)
Joined: 03 Mar 2002 Posts: 1295
Posted: Mon Jan 03, 2005 10:41 pm Post subject: Re: *Security Warning*
This can also be caused by the security issues that were discovered in PHP <= 4.3.9 which allow a variety of remote control hacks and code injection.
We have found a reference to PhpSpy 2005 on http://www.4ngel.net/project/phpspy.htm . This is in Chinese but it seems that it corresponds to what you describe in your post.
Is there a native Chinese speaker here to translate the description of PhpSpy?
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Mon Jan 03, 2005 10:42 pm Post subject:
After unpacking and analysing the file that Richard had, it doesn't seem to be that open.exe...
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Jan 03, 2005 11:04 pm Post subject:
I don't know what is going on but it has certainly got me worried!! How can I find out what has been infected etc and what can I do to stop this from happening again? :-(
Thank You All!
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Jan 03, 2005 11:31 pm Post subject:
Going to bed now and running a virus scan overnight. I'll be online all day tomorrow. See Ya!
Thanks For Everyone's Help!
P.S. Keep me informed if you find something useful!
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Tue Jan 04, 2005 3:58 pm Post subject:
Has anyone else got any ideas on this matter as I am getting very worried about my online security! Is there a program that I can use to scan my computer's ports etc?
Thank You!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Tue Jan 04, 2005 5:45 pm Post subject:
Get a decent firewall that shows in a concise way which ports are open and what programs are listening, or use ActivePorts.
The only virus scanner that detected a problem with Open.exe (of the 10 it was tested against) was Kaspersky, so I'd recommend getting hold of a trial version of that for a start and scanning your system again.
However, once you have allowed yourself to be compromised like this, there is no real way you can trust your system without a reinstall. There are plenty of pieces of backdoor software that have a legitimate use and so are not detected by virus scanners, and plenty of ways to hide files on your system if you have full control as this hacker had.
It's up to you: you can either do a full rescan with Kaspersky and check your ports manually with ActivePorts with no guarantees that all malware has been found, or reinstall a clean copy of Windows and be completely sure your system is no longer a threat.
As I said to you in PM, now would also be a very good time to change *all* your passwords, not just for Abyss but for any online services, email accounts etc etc. You have no easy way of detecting exactly what has been compromised.
To avoid it in future? Keep up-to-date versions of all the software you are running installed and keep an eye on their websites for any critical security alerts. There is no way in the current climate that you could run the versions of PHP and phpBB you were running and expect to remain secure.
senshi
Joined: 05 Nov 2003 Posts: 385 Location: UK
Posted: Thu Jan 06, 2005 5:07 pm Post subject:
Anonymoose wrote:
> ...of the 10 it was tested against...

Which 10 was that?
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Thu Jan 06, 2005 7:53 pm Post subject:
The multiple engine scan service provided by Virustotal.com:
* ClamAV (ClamWin)
* Computer Associates (Iris, Vet)
* Doctor Web, Ltd. (DrWeb)
* Eset Software (NOD32)
* FRISK Software (F-Prot)
* H+BEDV (AntiVir)
* Kaspersky Lab (AVP)
* Norman (Norman Antivirus)
* Panda Software (Panda Platinum)
* Softwin (BitDefender)
* Sybari (Antigen)
* Symantec (Norton Antivirus)
I would have expected NOD32 and F-Prot to pick something up myself, but with the file being a telnet server, it is most likely classed as non-malware by those engines...
ScrappyDog
Joined: 30 Dec 2004 Posts: 13 Location: Canada
Posted: Sat Jan 15, 2005 7:10 pm Post subject: Hacker Attack
I also think I had an attack on my server. It was about 4:30am, and my computer started to play the error mp3s that go with the Windows error messages that pop up with the red Xs. There were about a dozen of them by the time I got out of bed to figure it out. I turned off my modem and went back to bed, but unfortunately, I wasn't thinking and closed the error windows without reading them carefully. I did an ad-ware and virus scan, but nothing showed up, and there were no weird or unexplained files that I could find in htdocs.
I don't think it's happened since, but I don't really know for sure. Any ideas?
Thanks!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Sat Jan 15, 2005 7:16 pm Post subject:
Do you run any other server software on your PC? e.g. mailserver/ftp/dc hub
Have you checked the Abyss access log for any odd looking requests on or around 4:30am?
Are you using a router and/or software firewall?
k1ll3rdr4g0n
Joined: 04 Jul 2004 Posts: 609
Posted: Sat Jan 15, 2005 7:17 pm Post subject:
Hmm...well either I must be the luckiest person here or no one wants to hack my server, 'cause I have it on 24/7 with every port forwarded through the router. I even enabled WAN requests. O.o? I think I'm going to cry, I feel so unworthy to hack :(.
ScrappyDog
Joined: 30 Dec 2004 Posts: 13 Location: Canada
Posted: Sat Jan 15, 2005 8:03 pm Post subject:
Anonymoose wrote:
> Do you run any other server software on your PC? e.g. mailserver/ftp/dc hub
> Have you checked the Abyss access log for any odd looking requests on or around 4:30am?
> Are you using a router and/or software firewall?

I'm also running ArgoSoft Email Server. I use a D-Link router, and Win XP pack 2 firewall.
No, I hadn't thought of checking the log, but I will keep that in mind in case it happens again. I don't really know how to read the log. It's obvious that some are requests to see my webpages, and some are stuff I've done, and some are also my email server serving up its pages. I don't think I'd know what a hack or attempted hack would look like in the log.
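Since the question of what an attempted hack looks like in the access log is left open above, here is an added example (not code from the thread, from Aprelium or from Abyss) that reads NCSA common/combined-format log lines, restricts them to a time window such as the 4:30am one ScrappyDog mentions, and flags the two request patterns this thread discusses: a phpBB viewtopic.php request whose highlight parameter carries a quote character (the pre-2.0.11 hole the Santy worm used) and a request for a PHP script the owner never installed (such as the dropped php1.php). It assumes the Abyss log is in that Apache-style format; KNOWN_SCRIPTS and the sample log lines are constructed for the example.

```python
import re

# NCSA common/combined access-log line (assumption: the Abyss log uses this
# Apache-style format). Captures client IP, HH:MM, request URL and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^:]+:(?P<hhmm>\d\d:\d\d):\d\d [^\]]*\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Hypothetical list of the PHP scripts the site owner installed; any other
# .php request is worth a look (e.g. the dropped php1.php from the thread).
KNOWN_SCRIPTS = {"/index.php", "/forum/index.php", "/forum/viewtopic.php"}
# A quote character (plain, encoded or double-encoded) in viewtopic.php's
# 'highlight' parameter: the phpBB < 2.0.11 hole the Santy worm used.
HIGHLIGHT_QUOTE = re.compile(r"highlight=[^&]*(%2527|%27|')", re.I)

def parse_line(line):
    """Return the fields of one log line, or None if it is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def why_suspicious(entry):
    """Return a short reason if the request matches a pattern from the thread."""
    path, _, query = entry["url"].partition("?")
    if path.endswith("/viewtopic.php") and HIGHLIGHT_QUOTE.search(query):
        return "phpBB highlight injection attempt"
    if path.lower().endswith(".php") and path not in KNOWN_SCRIPTS:
        return "request for a PHP script not installed by the site owner"
    return None

def review_log(lines, start="00:00", end="23:59"):
    """Flag suspicious requests whose time of day (HH:MM) falls in [start, end]."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or not (start <= e["hhmm"] <= end):
            continue
        reason = why_suspicious(e)
        if reason:
            hits.append((e["hhmm"], e["ip"], e["url"], reason))
    return hits

# Constructed sample log lines: two normal visits and two requests matching
# the patterns discussed in the thread, around the 4:30am window.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2005:04:28:03 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.77 - - [15/Jan/2005:04:31:10 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 200 3021
192.0.2.77 - - [15/Jan/2005:04:31:15 +0000] "GET /php1.php HTTP/1.1" 200 1888
198.51.100.5 - - [15/Jan/2005:09:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 4020
""".splitlines()
```

Calling review_log(SAMPLE_LOG, "04:00", "05:00") returns the two flagged requests from 192.0.2.77, while the ordinary page views are left alone.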
senshi
Joined: 05 Nov 2003 Posts: 385 Location: UK
Posted: Sat Jan 15, 2005 9:50 pm Post subject:
Yes, DC HUB is a security issue.
I had no end of issues with people intentionally trying to gain access, the number of times I found my system was bombarded and the firewall was recording hits at the HUB port and also multiple hits were recorded in the router as the software firewall ran at the router.
Also mail servers are always being abused, plenty of spammers want to spam mail people from open proxies, always run your SMTP & POP server with authentication and preferably through a recognised ISP. I have used Argosoft mail server and it's pretty good and uncomplicated unlike some I have tried.
You are relying on the Windows XP firewall, no wonder you're being or have been hacked, that won't stop owt for toffee. Kill it off completely and install a 3rd party firewall like ZoneAlarm, which actually represents the least trouble setting up, if you take a little time to poke about and understand what you're doing.
If your router has the machine in the DMZ then take it out of the DMZ and start forwarding ports and generally sit down and configure your router; if that has some firewall capabilities then invoke them.
You can do a lot security wise and you really should try AVG6 or AVG7 from www.grisoft.com as it is a very good anti-virus scanner and removal tool with a good track record. It has saved me a few times from web sites trying to take advantage of exploits in browsers. You could have picked this up by simply browsing...
Run some scanning software like...
Ad-aware from www.lavasoft.de and grab the Adaware SE
Spywareblaster from www.javacoolsoftware.com
Spybot Search & Destroy from www.safer-networking.org
and they will clear your system. They all have proven track records and do not put any spyware on your system as some spyware removal tool competitors claim; they do however clear out a lot of nasty stuff, especially after being run for the first time, so be in for a shocker. My first time cleared out opened my eyes.
TRUSTAbyss
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Sun Jan 16, 2005 2:45 am Post subject:
Can this exploit only happen when someone uploads the file to you? If that is the case, you can always get an upload program that restricts file types :/