Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: Agent86 on July 02, 2008, 04:41:37 PM

Title: secure log anon
Post by: Agent86 on July 02, 2008, 04:41:37 PM
Hi

I'm concerned about something.
One of my users has a site on his ibay, and for some reason the index file keeps getting changed or corrupted.

I'm thinking it got hacked or something.
The index file he is using is a flash and java template, so no php stuff should be in there, however an index file gets written and I see stuff in the index file like php and smarty 2.14 php etc.
I did a google search and smarty is some sort of template engine thing. I know he is not using that to build his website.

Here are some things in the logs I'm concerned about:

Jul  1 09:56:16 auction proftpd[14560]: auction.foolishlys.com (66.249.72.49[66.249.72.49]) - ANON cyber86erxspaces: Login successful.

Google is telling me some stuff here that I don't understand:
http://www.robtex.com/ip/66.249.72.49.html

Another entry here:
Jun  9 05:51:24 auction proftpd[5593]: auction.foolishlys.com (66.249.65.130[66.249.65.130]) - ANON cyber86erspaces: Login successful.

I used the ibay name as an example, cyber86erspaces is not the real ibay name, just fyi.

Anyhow, what other logs should I check to see if it's been hacked? And how to tell when the index.html file was changed, uploaded, then changed, etc.?
Is there a log for checking the individual file status? Or something?

Please advise thanks

Next question is how to stop this if it's been hacked ?
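
For the first post's question about which logins line up with the change to index.html, here is an added example (not written by any poster in this thread) that parses anonymous proftpd logins in the format quoted above and lists those shortly before a given file-modification time. The year argument, the one-hour window, the third sample line and the sample modification time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first two lines follow the entries quoted in the
# post; the third (a named-user login from a documentation IP) is made up.
SAMPLE_LOG = """\
Jun  9 05:51:24 auction proftpd[5593]: auction.foolishlys.com (66.249.65.130[66.249.65.130]) - ANON cyber86erspaces: Login successful.
Jul  1 09:56:16 auction proftpd[14560]: auction.foolishlys.com (66.249.72.49[66.249.72.49]) - ANON cyber86erxspaces: Login successful.
Jul  1 10:02:03 auction proftpd[14571]: auction.foolishlys.com (192.0.2.10[192.0.2.10]) - USER alice: Login successful.
"""

# Matches only the ANON form of the login line shown in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\) - ANON (?P<name>[^:]+): Login successful\."
)


def parse_anon_logins(text, year):
    """Return (when, ip, name) for each anonymous FTP login line.

    Syslog timestamps carry no year, so the caller supplies it (assumption).
    """
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((when, m["ip"], m["name"].strip()))
    return out


def logins_before(logins, changed_at, window=timedelta(hours=1)):
    """Anonymous logins that happened within `window` before the file changed."""
    return [l for l in logins if timedelta(0) <= changed_at - l[0] <= window]


if __name__ == "__main__":
    logins = parse_anon_logins(SAMPLE_LOG, 2008)
    # On a live system: datetime.fromtimestamp(os.path.getmtime(path_to_index))
    changed_at = datetime(2008, 7, 1, 10, 5, 0)  # constructed modification time
    for when, ip, name in logins_before(logins, changed_at):
        print(when, ip, name)
```

A login inside the window is a lead to follow up, not proof of a write: the log line records only a successful login, and a file's modification time can be reset by whoever wrote it.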



Title: Re: secure log anon
Post by: william_syd on July 02, 2008, 05:05:37 PM

Anonymous login is possible to foolishlys.com.

It's Google's spider/crawler checking you out.

Title: Re: secure log anon
Post by: byte on July 03, 2008, 10:30:32 AM
Please advise thanks

Don't report potential security issues here - Contact security [at] contribs [dot] org

Title: Re: secure log anon
Post by: Stefano on July 03, 2008, 10:50:15 AM
Next question is how to stop this if it's been hacked ?

if you think your server has been hacked:
- disconnect it from wan
- backup your data
- (optional) create an image of your installation with dd or other tools
- reinstall sme
- restore your data and don't give wan access to i-bays
- pay attention to what you install (contribs, web applications, your or third party php/web pages)
- if everything is ok, restore wan access

my 2c

Ciao
Stefano

Title: Re: secure log anon
Post by: Agent86 on July 03, 2008, 12:49:36 PM
Anonymous login is possible to foolishlys.com.

It's Google's spider/crawler checking you out.

What does anonymous login actually mean? Does the anonymous user have write access or just read access?

Thanks to all for the replies and advice.