-3

Possible Duplicate:
My server's been hacked EMERGENCY

In the log I found that the site was scanned by a hacker for a few hours, but the actual hack was a few minutes, I think.

He somehow found out about all the files I had, even folders and files that are not cached anywhere, e.g. robots.txt, or not even seen through google.com. It's just random file names I created. I am sure he could not know them, so how was he able to find them?

Another trick he pulled: he found the PHP file I used to upload images to the home page slider and he uploaded his file, let's call it "hack.jpg", through it. The funny thing, though, is that "hack.jpg" was a few lines of PHP script that uploads more files. And he was able to run the hack.jpg file as a PHP script without changing the extension to .php. Must be some exploit to the server that he used to do so?

Server is CentOS v5, WHM/Cpanel v12

OkOBX
  • I think you need to post more information. – hookenz Jul 24 '12 at 23:41
  • Are you running a CMS, like Drupal, Wordpress, or Joomla? They often have plugins that are insecure. Even parts of the CMS core itself could have been compromised, if you're not keeping up on the updates. Sounds like you need to patch whatever php plugin you use to upload files, or find something else. – tacotuesday Jul 24 '12 at 23:43
  • You list a variety of security vulnerabilities that you have. So there's no mystery. You got hacked because you had a lot of security vulnerabilities, and the hacker leveraged some of those vulnerabilities to find and exploit other vulnerabilities. – David Schwartz Jul 24 '12 at 23:44

1 Answer

1

There is not enough information in your post to tell you how you got hacked.

I can tell you one of the most common hacks for websites though: [PHP] scripts allowing you to upload something without properly escaping user input.

In case you have not done this yet: the way to recover from this is:

  1. Take the hacked server offline.
  2. If you have spare HW, install a new host (and make sure it is up to date). Then restore from backup.
  3. Analyse the hacked host to discover how you got hacked.

If you do not have spare hardware, keep an image of the hacked server for analysis.

Hennes
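An added example, not part of the original answer: for step 3 (analysing the hacked host), a Python triage script that walks a directory and flags files with an image extension whose content is not an image or that contain a PHP open tag, like the "hack.jpg" described in the question. The function names, sample file names and sample bytes are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading magic bytes for the image types a slider upload form would accept.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Long PHP open tag only: a bare "<?" occurs by chance in binary image data
# and would flood the report with false positives.
PHP_MARKER = b"<?php"

# Constructed sample files (not from the incident): a JPEG header, a PHP
# script named .jpg, and a GIF header with PHP appended after it.
SAMPLES = {
    "slide1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "hack.jpg": b"<?php /* constructed placeholder */ ?>",
    "banner.gif": b"GIF89a" + b"\x00" * 16 + b"<?PHP /* constructed */ ?>",
}

def inspect_upload(path):
    """Return findings for one file that carries an image extension."""
    data = path.read_bytes()
    findings = []
    if not data.startswith(IMAGE_MAGIC[path.suffix.lower()]):
        findings.append("content does not match extension")
    if PHP_MARKER in data.lower():  # the open tag is case-insensitive
        findings.append("contains PHP open tag")
    return findings

def scan_uploads(root):
    """Walk root; map relative path -> findings for suspicious image files."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_MAGIC:
            findings = inspect_upload(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report

def demo():
    """Write SAMPLES into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            (Path(tmp) / name).write_bytes(body)
        return scan_uploads(tmp)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Run `scan_uploads` against a mounted copy of the preserved image rather than the live host. A hit is a lead for manual review, not proof of compromise.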