Webserver hacked and sites spammed

I’ve had some fun with admin today trying to stop the evil bastard hackers from putting files on my server and spamming other sites in my name 🙁

Carlo Posted On: 26 Feb 2007 12:31 PM
I am unable to delete folder and files via ftp and Cpanel. This is the folder:

/nostatus.com/wp-content/uploads/2007/02/delete-me/

It was actually created by another (unauthorised) user because I (being a dumbass) had CHMOD’d the folder to 777. Doh.

Can you delete it for me, apparently whoever wrote the files there didn’t use my username/group and I tried to CHOWN it back to me.

Thanks!

Adam Posted On: 26 Feb 2007 12:59 PM
Hello,

We are unable to find /nostatus.com/wp-content/uploads/2007/02/delete-me/ from your account.

Please see the directory listing:

[email protected] [/home/domain-removed/public_html/nostatus.com/wp-content/uploads]# ls -al
total 8
drwxrwxrwx 2 xxx xxx 4096 Oct 16 02:37 ./
drwxr-xr-x 5 xxx xxx 4096 Oct 16 02:37 ../

————
Regards,
Adam

Carlo Posted On: 26 Feb 2007 01:08 PM
* I can see the following in my FTP browser (see attachment): /nostatus.com/wp-content/uploads/2007/02/delete-me/

* And also: /nostatus.com/wp-content/uploads/2007/02/free/

* I get the following when trying to delete a whole directory and contents:

[11:02:09] RMD delete-me
[11:02:10] 550 Can’t remove directory: Directory not empty
[11:02:10] CWD /nostatus.com/wp-content/uploads/2007/02/delete-me
[11:02:10] 250 OK. Current directory is /nostatus.com/wp-content/uploads/2007/02/delete-me
[11:02:10] PWD
[11:02:10] 257 “/nostatus.com/wp-content/uploads/2007/02/delete-me” is your current location
[11:02:10] PASV
[11:02:10] MLSD
[11:02:10] 150 Accepted data connection
[11:02:10] 226-Options: -a -l
[11:02:10] 226 26 matches total
[11:02:10] 2966 bytes transferred. (46.7 KB/s) (62 ms)
[11:02:10] DELE poker-1.html
[11:02:10] 550 Could not delete poker-1.html: Permission denied
[11:02:10] CWD /nostatus.com/wp-content/uploads/2007/02
[11:02:10] 250 OK. Current directory is /nostatus.com/wp-content/uploads/2007/02
[11:02:10] PWD
[11:02:10] 257 “/nostatus.com/wp-content/uploads/2007/02” is your current location
[11:02:10] PASV
[11:02:10] MLSD
[11:02:10] 150 Accepted data connection
[11:02:10] 226-Options: -a -l
[11:02:10] 226 37 matches total
[11:02:10] 4723 bytes transferred. (36.8 KB/s) (125 ms)

Attachments ftp-screenshot.gif (42.82 KB)

Thomas Posted On: 26 Feb 2007 01:19 PM
Carlo,

Please can you specify the domain/user you are referring to? We are looking at the user “techpop”.

-Thomas

Carlo Posted On: 26 Feb 2007 01:22 PM
Doh! My bad.

The domain is nostatus.com 🙂

Thomas Posted On: 26 Feb 2007 01:36 PM
Carlo,

The permissions on all the folders are changed to your user and you will now be able to delete the files at your wish.

-Thomas

Carlo Posted On: 26 Feb 2007 01:40 PM
Thanks Thomas, I appreciate it. I hate these btards putting files on my server. My bad for leaving directories open for writing. I’m sweeping through the directories and changing directories that are set to 777 to 755.

Having directory browsing switched off will help somewhat too I imagine, now they can’t trawl through so easily and find vulnerable directories so easily.

I hope this is over now!
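
The sweep described in the last message (finding directories left at 777 and resetting them to 755), together with a check for files owned by a different account, as an added shell example that is not part of the original ticket. The function names and the web root path you pass in are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original ticket. Function names are hypothetical.

# Directories with the "other" write bit set (e.g. 777): any local account
# on a shared host can create files in them.
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print
}

# Entries not owned by the expected account (user name or numeric uid).
# Files and folders dropped by another user show up here.
find_foreign_owned() {
    find "$1" -xdev ! -user "$2" -print
}

# Remove group/other write from world-writable directories (777 -> 755) and
# print each directory changed. Ownership is left alone: taking back
# foreign-owned files needs chown by root, so that part stays with the host.
tighten_dirs() {
    find "$1" -xdev -type d -perm -0002 -exec chmod go-w {} \; -print
}

# Print both kinds of finding; return 0 when the tree is clean, 1 otherwise.
audit_webroot() {
    audit_ww=$(find_world_writable_dirs "$1")
    audit_fo=$(find_foreign_owned "$1" "$2")
    if [ -n "$audit_ww" ]; then
        printf '%s\n' "$audit_ww" | sed 's/^/world-writable directory: /'
    fi
    if [ -n "$audit_fo" ]; then
        printf '%s\n' "$audit_fo" | sed 's/^/not owned by expected user: /'
    fi
    [ -z "$audit_ww" ] && [ -z "$audit_fo" ]
}
```

Run `audit_webroot` against the web root with your account name first, review the list, then run `tighten_dirs` on the same path.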
