May 23rd, 2006, 3:37 PM   #1, posted by macdocuk
site abuse problem

Hi, I'm trying unsuccessfully to resolve a problem with one account that was suspended by Surpass as "it contained malicious scripts".

Now, I logged in via File manager for the troubled account and found this (attachment), but cannot delete anything and am asking Surpass to delete it.

Whoever hacked into this account is still uploading files that cannot be deleted by me, only root I guess.

Is anyone listening or reading the ticket regarding this problem???

Ticket ID: RIA-232112

Regards
Attached Files
File Type: pdf Picture 1.pdf (19.2 KB, 24 views)

May 23rd, 2006, 3:46 PM   #2, posted by miakeru
It sounds like one of your scripts was hacked, not the server. There's a HUGE difference between you running insecure scripts that get exploited and the entire server being hacked, and it's really not beneficial to anyone to post threads with titles like this one. It's just going to lead to mass-confusion and possibly panic for those that don't understand what's going on.

With the IRC bouncers that are in your directory, it sounds like a classic exploitation of an insecure script. You running phpBB by chance? That's famous for attacks like this.

How is the abuse department not listening? Just because they haven't responded yet? That hardly means they're ignoring you.

May 23rd, 2006, 3:59 PM   #3, posted by macdocuk
Quote:
Originally Posted by miakeru
It sounds like one of your scripts was hacked, not the server. There's a HUGE difference between you running insecure scripts that get exploited and the entire server being hacked, and it's really not beneficial to anyone to post threads with titles like this one. It's just going to lead to mass-confusion and possibly panic for those that don't understand what's going on.

With the IRC bouncers that are in your directory, it sounds like a classic exploitation of an insecure script. You running phpBB by chance? That's famous for attacks like this.

How is the abuse department not listening? Just because they haven't responded yet? That hardly means they're ignoring you.

Except for "server hacked", I panic a bit of course, the rest is true - no response to my replies... ticket priority is set to "low" which is a bit unfair, it is very "high" to me as I have clients paying for advertising on this website. How can an "abuse" ticket be low priority?

Back to the problem, seems simple to fix, why wait?

One of the directories had 777 permissions by mistake, now someone is uploading bad stuff to it, I tried to fix it myself but it won't allow me to delete them via File manager in cPanel.

It's not phpBB, it's phpBazar and the directory with 777 perm. is for uploading images, I don't even allow uploading by users but permiss. are wrong.

Sorry for the panic, but this definitely needs some attention.

May 23rd, 2006, 7:36 PM   #4, posted by Kayla (Surpass Staff)
All tickets are set to low by default. It doesn't mean that they will be answered last, it's just the default setting. It's something that we do not look at when viewing tickets, it's just a setting the ticket system has.

We sometimes read tickets that have priority set to high first, but we do not place favor on any ticket really, we have a policy that tickets are answered according to the time of the last reply. So please do not worry about that.

I am checking this ticket now to see what has been done so far. I edited the title of this thread, so as miakeru mentioned, no one will panic who is on this server. These issues are related only to your site.

As stated in your ticket, your program was disabled due to this:
http://secunia.com/advisories/20198/
I know you said you have used it for years and had no problems, but this security advisory explains why your site was hacked.

When you install 3rd party programs on your site it is very important to sign up for updates to make sure that you are notified by the creator when there are exploits and security problems so you can upgrade/patch your program.

The last reply you received was at 05:09 PM. Please let me know if for some reason you did not receive it.

Nothing too major, so I feel the phpBazaar install is the primary vector by which this account was compromised. I would recommend disabling this script asap to prevent any further problems.

I have also scoured the directories for any files which were owned by the user 'nobody' and removed them if they appeared to be malicious. I did not need to delete the entire images directory, but there were some items which need to be removed.

In the meantime I have unsuspended the account.

Do you have any more questions on this issue?
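The two checks this thread turns on (a directory left at 777, and files owned by the user 'nobody'), written out as a shell audit. This is an added example, not part of any post above and not Surpass's own tooling; the function names and the `/home/USER/public_html` path are assumptions, and `nobody` is the owner named in the staff reply.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a cPanel-style docroot such as
# /home/USER/public_html, where USER is a placeholder for the account name.

# List directories that any local user can write to (mode o+w, e.g. 777).
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print 2>/dev/null | sort
}

# List regular files owned by OWNER (a user name or a numeric uid).
# Where PHP runs as the web server user, files written through a script are
# owned by that user rather than by the account, which makes them stand out.
files_owned_by() {
    find "$1" -xdev -type f -user "$2" -print 2>/dev/null | sort
}

# Drop the world-write bit from every directory under ROOT, leaving the
# owner and group bits untouched (777 becomes 775). Files are not modified.
remove_world_write() {
    find "$1" -xdev -type d -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Report only when a docroot is passed on the command line:
#   sh audit.sh /home/USER/public_html [owner]
if [ -n "${1:-}" ]; then
    echo "World-writable directories:"
    world_writable_dirs "$1"
    echo "Files owned by ${2:-nobody}:"
    files_owned_by "$1" "${2:-nobody}"
fi
```

Review the listed files before deleting anything; removing files owned by another user generally needs the host's help, as it did here.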