I was hacked?

alexandreweb123407

New Member
YetiShare User
Dec 31, 2013
37
0
0
Today when accessing users' files, I could see two files in odd minimum, and the code is something to capture data from my server. Did it steal some information?

The IP of the hack: 82.102.215.191
The files: am.php
http://pastebin.com/U0KUjGKP

SheLL1.PhP.txt
http://pastebin.com/NZeFpvA8

Look :

Adan, make sure that this code can't capture something. It is important to be cautious in
 

alexandreweb123407

http://malwarecode.blogspot.com.br/2013/02/filesman-backdoor-script.html

When attempting to access the putty, I'm not getting! I will have to format the server

 

ollie

Member
YetiShare User
Apr 25, 2013
75
5
8
United Kingdom
Yeah, they are shells; they can access everything on the server through that. Are you running any other sites on the server?
 

alexandreweb123407

My only. But he was sent by Filehosting script. And I do not know how they managed to run and change the root password
 

ysmods

New Member
Jan 29, 2013
860
1
0
UK
www.ysmods.com
Please do not accuse the FHS of being at fault unless you have 100% definitive proof to back up your accusations.

If the shell scripts had been uploaded via the script, the file extensions would have been removed, the name changed to an MD5 string (e.g. 435ed7e9f07f740abf511a62c00eef6e) and placed in a folder within the /files/ directory.

It's more likely that you had a semi-insecure password either in root/ftp/account where they gained access and uploaded the script.
Also, if you do not have a software firewall such as CSF, then they could have easily brute-forced the passwords.
 

alexandreweb123407

When did someone accuse Ysmods? Told that the script was sent by fhscript, try sending the same by CPANEL, and the file is excluded.
 

pilot830

New Member
YetiShare User
Jan 22, 2014
242
1
0
What would be great is if he didn't reformat and allowed someone to investigate to verify that it wasn't yetishare software that was exploited. I don't believe that to be the case, but if he's going to erase everything then we'll never know.

Can you post the IP to your site? Could portscan it and see what else you're running. Bet you're running something that allowed you to be hacked.
 

pilot830

Based on your previous posts, I believe you were hacked via cpanel, one of the many services you may have been running.
 

alexandreweb123407

Formatted by webpainel, I could not access ssh or ftp.
No problem, I'll be installing again, and doing some tests.
 

dfdssfsfd3806

Member
YetiShare User
Apr 4, 2014
271
0
16
never any hacking yet I have friends in the hack and that they have broken teeth on the site was scanned with backtrack

know that a lot of servers on the net its test different combination can also be your hosting provider that is done is stolen long ago to access another site I had her in a Russian host
 

ysmods

alexandreweb123407 said:
When did someone accuse Ysmods? Told that the script was sent by fhscript, try sending the same by CPANEL, and the file is excluded.
But he was sent by Filehosting script.
Right there.

As you cannot prove that the files were uploaded by the yetishare script, do not say they were. You are only scaremongering and making false claims.

Like I said before, if the files were uploaded by the yetishare script, the file extension would have been removed and filename changed. As this was not the case, you were obviously hacked a different way, that has nothing to do with the script.
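
The storage convention ysmods describes in both posts above can be turned into a quick triage check on a files directory. This is an added example, not part of the thread and not YetiShare code. The naming rule is taken from ysmods' description only, and `audit_upload_dir`, `demo`, the PHP tag list and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Rule as ysmods states it in the thread (assumption, not checked against
# YetiShare's source): stored uploads have no extension and an MD5 hex name.
MD5_NAME = re.compile(r"^[0-9a-f]{32}$")
# Constructed marker list: opening tags of server-side PHP source.
PHP_TAGS = (b"<?php", b"<?=")


def audit_upload_dir(files_root):
    """Return sorted (relative_path, reasons) for entries worth reviewing."""
    findings = []
    for dirpath, _dirs, names in os.walk(files_root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, files_root).replace(os.sep, "/")
            reasons = []
            if not MD5_NAME.match(name):
                reasons.append("name is not a 32-char MD5 hex string")
            if "/" not in rel:
                reasons.append("not inside a subfolder of the files directory")
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if any(tag in head for tag in PHP_TAGS):
                reasons.append("PHP opening tag in the first 4 KiB")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Audit a constructed tree: one normal upload, one renamed PHP file,
    and one file dropped outside the convention (inert placeholder bodies)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "1"))
        samples = {
            "1/435ed7e9f07f740abf511a62c00eef6e": b"\x89PNG constructed upload",
            "1/0cc175b9c0f1b6a831c399e269772661": b"<?php /* constructed */ ?>",
            "am.php": b"<?php /* constructed placeholder */ ?>",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

A file that breaks the naming rule did not arrive through the upload path as ysmods describes it, so its timestamps are the ones to correlate with FTP, SSH and control-panel logs before the server is wiped.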