So I’m pretty sure I’ve been hacked in some manner but I’m too much of a noob to know how it happened or how to stop it. It came to my attention because the bandwidth on my VPS has been way over quota by 2x and from what I can tell it seems like it came from a hack located at this site, which itself seems to have been hacked to hold that file.
http://alisonmcleastudio.com/jpg/wpa.bwe
That may need to be hidden so others don’t use it or something.
Here are the results of the error log located at /var/log/httpd/errorlog, which is line after line after line of this type of stuff:
--2013-12-09 10:13:02-- http://alisonmcleastudio.com/jpg/wap.bwe
Resolving alisonmcleastudio.com... 50.63.101.1
Connecting to alisonmcleastudio.com|50.63.101.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40802 (40K)
Saving to: `wap.bwe'
0K .......... .......... .......... ......... 100% 17.4M=0.002s
2013-12-09 10:13:02 (17.4 MB/s) - `wap.bwe' saved [40802/40802]
[Mon Dec 09 10:13:39 2013] [warn] mod_fcgid: process 5739 graceful kill fail, sending SIGKILL
rm: cannot remove `*alisonmcle*': No such file or directory
--2013-12-09 10:15:42-- http://alisonmcleastudio.com/jpg/wpa.bwe
Resolving alisonmcleastudio.com... 50.63.101.1
Connecting to alisonmcleastudio.com|50.63.101.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40803 (40K)
Saving to: `wpa.bwe'
0K .......... .......... .......... ......... 100% 5.87M=0.007s
2013-12-09 10:15:42 (5.87 MB/s) - `wpa.bwe' saved [40803/40803]
--2013-12-09 10:15:42-- http://alisonmcleastudio.com/jpg/wap.bwe
Resolving alisonmcleastudio.com... 50.63.101.1
Connecting to alisonmcleastudio.com|50.63.101.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40802 (40K)
Saving to: `wap.bwe'
0K .......... .......... .......... ......... 100% 12.1M=0.003s
2013-12-09 10:15:42 (12.1 MB/s) - `wap.bwe' saved [40802/40802]
[Mon Dec 09 10:16:19 2013] [warn] mod_fcgid: process 5743 graceful kill fail, sending SIGKILL
rm: cannot remove `*alisonmcle*': No such file or directory
--2013-12-09 10:18:51-- http://alisonmcleastudio.com/jpg/wpa.bwe
Resolving alisonmcleastudio.com... 50.63.101.1
Connecting to alisonmcleastudio.com|50.63.101.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40803 (40K)
Saving to: `wpa.bwe'
0K .......... .......... .......... ......... 100% 16.7M=0.002s
2013-12-09 10:18:51 (16.7 MB/s) - `wpa.bwe' saved [40803/40803]
--2013-12-09 10:18:51-- http://alisonmcleastudio.com/jpg/wap.bwe
Resolving alisonmcleastudio.com... 50.63.101.1
Connecting to alisonmcleastudio.com|50.63.101.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 40802 (40K)
Saving to: `wap.bwe'
0K .......... .......... .......... ......... 100% 18.0M=0.002s
2013-12-09 10:18:51 (18.0 MB/s) - `wap.bwe' saved [40802/40802]
Does anyone know exactly what this hack is doing, and how can I stop it?
Thanks
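Added example, not part of the original post: wget writes its transcript to stderr, and the stderr of CGI/FastCGI processes ends up in Apache's error log, so entries like the ones above come from a process running under the web server. The code below summarises such entries; the function name `triage` and the condensed sample log are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the post's log lines, with wget's resolve/connect/progress lines dropped.
SAMPLE_LOG = """\
--2013-12-09 10:13:02-- http://alisonmcleastudio.com/jpg/wap.bwe
2013-12-09 10:13:02 (17.4 MB/s) - `wap.bwe' saved [40802/40802]
[Mon Dec 09 10:13:39 2013] [warn] mod_fcgid: process 5739 graceful kill fail, sending SIGKILL
rm: cannot remove `*alisonmcle*': No such file or directory
--2013-12-09 10:15:42-- http://alisonmcleastudio.com/jpg/wpa.bwe
2013-12-09 10:15:42 (5.87 MB/s) - `wpa.bwe' saved [40803/40803]
--2013-12-09 10:15:42-- http://alisonmcleastudio.com/jpg/wap.bwe
2013-12-09 10:15:42 (12.1 MB/s) - `wap.bwe' saved [40802/40802]
[Mon Dec 09 10:16:19 2013] [warn] mod_fcgid: process 5743 graceful kill fail, sending SIGKILL
rm: cannot remove `*alisonmcle*': No such file or directory
--2013-12-09 10:18:51-- http://alisonmcleastudio.com/jpg/wpa.bwe
2013-12-09 10:18:51 (16.7 MB/s) - `wpa.bwe' saved [40803/40803]
--2013-12-09 10:18:51-- http://alisonmcleastudio.com/jpg/wap.bwe
2013-12-09 10:18:51 (18.0 MB/s) - `wap.bwe' saved [40802/40802]
"""

# wget's per-download header, its "saved" line, and mod_fcgid's forced-kill warning.
WGET_START = re.compile(r"^--(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)--\s+(\S+)", re.M)
WGET_SAVED = re.compile(r"saved \[(\d+)/\d+\]")
FCGID_KILL = re.compile(r"mod_fcgid: process (\d+) graceful kill fail")

def triage(log_text):
    """Summarise wget transcripts that leaked into an Apache error log."""
    fetches = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), url)
               for ts, url in WGET_START.findall(log_text)]
    runs = sorted({ts for ts, _ in fetches})  # fetches in the same second count as one run
    return {
        "per_url": Counter(url for _, url in fetches),
        "run_gaps_s": [int((b - a).total_seconds()) for a, b in zip(runs, runs[1:])],
        "bytes_saved": sum(int(n) for n in WGET_SAVED.findall(log_text)),
        "killed_pids": FCGID_KILL.findall(log_text),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The run times and killed process ids it reports can be lined up with the access log for the same minutes to find which script on the site was being requested when each download started.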