Author Topic: My site is on your list, i need some help with the mess i found.  (Read 12603 times)

0 Members and 1 Guest are viewing this topic.

June 11, 2008, 10:52:07 pm
Read 12603 times


  • Newbie

  • Offline
  • *

  • 1

My server got hacked towards the end of May, they left a file behind, along with some programs that they were piggying on my server.

My host originally switched off and suspended, as the server tried spamming, they had setup a spoof email account, and IRC channel, sourceguardian and ioncube.

I have alot of .txt files that i cannot make sense from, could i post here for comments? I think they are relaying or something, as my site is linked to a named txt file in a lot of peoples logs.

Apart from being confused in how they hacked my site, (Across multiple domains) and spending the best part of a week cleaning the server, I would like to learn from this.

Any help appreciated?

June 12, 2008, 03:55:18 am
Reply #1


  • Guest
I have alot of .txt files that i cannot make sense from,could i post here for comments?

Sure you can,an important note though...since the forums here are in public view,
most probably you don't want to disclose that many details/info,
as you never know who might be reading the forums around...

Not a php guru myself - what I see though in the list,
is that a remote file inclusion took place (arab.txt is a widely used/spread malware script).
Meaning that,except obviously from patching the webserver software to the latest version etc.,
you should also audit the php code for order for such an incident to not happen again.
There are a few guys around way more experienced in that area,
that can give you way more detailed explanations/instructions...
hopefully they're willing to give more help than I can do.  :)

June 12, 2008, 06:44:50 am
Reply #2


  • Guest
Apart from being confused in how they hacked my site, (Across multiple domains)...
...If by that you mean what an RFI is/how it works,
googling for "php remote file inclusion tutorial",will give you all the answers you need...

One more thing - forgot mentioning it previously...
that since the site has been 'cleaned' up now,it will obviously be removed from the list.
If possible though,do consider submitting any malware executables/scripts that you found,
at services like,VirusTotal etc...

June 12, 2008, 12:29:03 pm
Reply #3


  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
Hi GHands

Just seen your post.

Iam admin on a server support forum, if your intrested your welcome to join the forum and we will help you clean your server.

The forum is closed to the public, and we would open a room for you that can only be accessed by yourself, and our server support staff.

If you wish to proceed please send me a PM here, together with the username that you intend to use (we keep the forum locked down from prying eyes, so i will need to know the name you would be registering with).
Malware analysised using clarified analyzer to record and document how malware behaves in a networking environment