Site has been hacked: Perl Processes being executed **Will pay for help** - Joomla! Forum - community, help and support


Guys,

Our site, hosted on Rochen, has been exploited and is down until I can find the script or process causing problems. Rochen wants me to locate and address the issue problem don't know for.

They have told me to make sure scripts are up to date, and components are up to date as well.

I'm running Joomla 1.0.13 & the component I have installed is VirtueMart, running 1.0.13a.

Here's the deal. I'm willing to pay me through unexperienced in area, need knowledge me through this. We must have our site online, and it must be secure from hackers, or at least as secure as possible. I need to find out what is causing this right now. Here is the latest from Rochen:

There under account has been exploited. Malicious Perl processes are being executed under the tailgate user. Files were uploaded to the server's /tmp folder.

The following files were uploaded to the /tmp folder.

root@westminster [/tmp/.log]# ls -al
total 1892
drwxr-xr-x 12 tailgate tailgate 4096 nov 7 10:52 ./
drwxrwxrwt 6 root root 352256 jan 25 13:33 ../
-rwxr-xr-x 1 tailgate tailgate 4712 jan 15 2006 bind.conf*
-rwxr-xr-x 1 tailgate tailgate 50 feb 12 2006 bnc*
-rwxr-xr-x 1 tailgate tailgate 5943 jun 5 2006 bounc*
-rwxr-xr-x 1 tailgate tailgate 83 jun 5 2006 cok*
-rwxr-xr-x 1 tailgate tailgate 247 jan 8 2006 config*
-rwxr-xr-x 1 tailgate tailgate 929 jan 8 2006 config.h*
drwxr-xr-x 5 tailgate tailgate 4096 feb 11 2006 doc/
-rwxr-xr-x 1 tailgate tailgate 76 feb 11 2006 dssl*
drwxr-xr-x 3 tailgate tailgate 4096 feb 11 2006 filesys/
-rwxr-xr-x 1 tailgate tailgate 344 jan 8 2006 [censored]*
-rwxr-xr-x 1 tailgate tailgate 17262 oct 29 2005 guard*
drwxr-xr-x 5 tailgate tailgate 4096 feb 11 2006 help/
-rwxr-xr-x 1 tailgate tailgate 21534 apr 10 2004 hideme*
-rwxr-xr-x 1 tailgate tailgate 0 feb 11 2006 index.htm*
-rwxr-xr-x 1 tailgate tailgate 1163288 jan 5 2006 jancok*
-rwxr-xr-x 1 tailgate tailgate 3091 nov 6 13:03 jancok.conf*
-rwxr-xr-x 1 tailgate tailgate 886 jun 5 2006 jancok.pl*
drwxr-xr-x 2 tailgate tailgate 4096 feb 11 2006 lang/
drwxr-xr-x 2 tailgate tailgate 4096 feb 11 2006 language/
drwxr-xr-x 2 tailgate tailgate 4096 feb 11 2006 log/
drwxr-xr-x 2 tailgate tailgate 4096 feb 11 2006 logs/
-rwxr-xr-x 1 tailgate tailgate 202544 nov 8 2002 mail*
drwxr-xr-x 2 tailgate tailgate 4096 feb 11 2006 motd/
-rwxr-xr-x 1 tailgate tailgate 1088 jan 6 2006 nadya*
-rwxr-xr-x 1 tailgate tailgate 92 jun 5 2006 ps*
-rwxr-xr-x 1 tailgate tailgate 9551 jun 5 2006 pscan*
-rwxr-xr-x 1 tailgate tailgate 404 jan 5 2006 run*
drwxr-xr-x 2 tailgate tailgate 4096 nov 6 12:59 scripts/
-rwxr-xr-x 1 tailgate tailgate 3947 jun 5 2006 shell.php*
-rwxr-xr-x 1 tailgate tailgate 20013 apr 10 2004 t3394*
-rwxr-xr-x 1 tailgate tailgate 1034 jan 7 2006 tcl*
-rwxr-xr-x 1 tailgate tailgate 1063 feb 11 2006 telnt*
drwxr-xr-x 2 tailgate tailgate 4096 feb 11 2006 text/

Can you please audit the account again and ensure there are no out-of-date scripts? It may be that a script has been exploited for which no update is available yet. I advise you to check the support forums of the components you use in case others have reported the problem.


You can contact me at info@kpeg.com, can arrange payment & discuss how to go about this, can trust, has knowledge of because given access account.


Thanks again,

Nathan Schwenke
info@kpeg.com

Please review the following FAQs ASAP; you will find a wealth of information on related issues.

  Security & Performance FAQ

It is not recommended to leave sites publicly available and exploited; they serve to promote the offender's ego and kudos, and potentially expose the rest of the server to attack.

The above-mentioned FAQ provides more than enough information to assist in further securing sites.

Particular entries of note, to pay attention to, are:

  Joomla! Administrator's Security Checklist

  Help! Site's been compromised. What?

  Vulnerable Extension List


Other useful posts and tools:

  Joomla! Tools Suite
  How can I check Joomla! installation's overall security and health?

  What Joomla! have file permissions?

  How to find exploits using *nix shell?

  Potential exploit checking script

  Auto-change admin password script


Alternatively, I'm pretty confident that if you asked your host for assistance they would help; Rochen in particular tend to be extremely user-friendly in these sort of situations.




