Comments
@n1kko The phishing page will be removed within 48 hours. I've contacted the host, and they will take care of this.
Guy who hacked before most likely back doored your site as well. Better to start fresh from db backup.
OK, found this in my public_html directory: http://pastebin.com/fNtDdYgD. It was all eval code, but I decoded it; please take a look. I have no clue what this has been doing.
From my brief read it makes a shell for the attacker to exploit your system as they see fit. This may be wrong. I just took a quick look at the code.
Nm, it's a whole toolkit.
1500 lines to make trouble to someone. This is so lame.
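A triage heuristic for the pattern reported earlier in this thread (a PHP file in public_html whose body is eval of encoded code), as an added example that is not part of the original thread and is not how maldet or ClamAV work. The patterns, the 200-character threshold, the file names and the sample files are all assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumed heuristics (not maldet or ClamAV signatures): eval() fed directly by a
# decoder call, and a very long quoted base64-looking string.
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
EVAL_CHAIN = re.compile(r"\beval\s*\(\s*@?" + DECODERS + r"\s*\(", re.I)
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}

def score_php(text):
    """Return the reasons a PHP source looks like an eval-wrapped payload."""
    reasons = []
    if EVAL_CHAIN.search(text):
        reasons.append("eval-of-decoder")
    if LONG_BLOB.search(text):
        reasons.append("long-encoded-string")
    return reasons

def scan_tree(root):
    """Walk root and map each flagged PHP file (relative path) to its reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it, do not abort the scan
        reasons = score_php(text)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    # Constructed docroot: one benign file that decodes input, one eval wrapper.
    blob = base64.b64encode(b'echo "constructed sample"; ' * 20).decode()
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text(
            "<?php $n = base64_decode($c); echo htmlspecialchars($n);")
        (site / "cache").mkdir()
        (site / "cache" / "x.php").write_text(
            f"<?php eval(gzinflate(base64_decode('{blob}')));")
        return scan_tree(site)

if __name__ == "__main__":
    print(demo())
```

A hit is a prompt for manual review of that file, not proof of compromise, and a clean result does not show the site is clean.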
Ha! And a Kloxo link in your sig...
BTW, cPanel is opensource, though not free in either sense.
cPanel is open-source?
I've never seen an encoded script in it. Not open in the traditional sense but you can read the code all you want
Do you happen to have any Warez themes/scripts/plugins in your system? I've seen them causing such results...
Opened the Pastebin and Avast didn't likey...
Maybe not all of it is encoded, but 'crucial' code is possibly encoded.
I had the same problem last December.
Kloxo-MR not the same?
Nothing is encoded in any of the Kloxo-MR code.
If I remember correctly, Kloxo-MR is a modified version of Kloxo with quite a huge chunk of code from it. Kloxo has certain sections encoded.
Nothing has been encoded (with ionCube) in Kloxo since version 6.1.0, whereas Kloxo-MR is based on 6.1.12.
Haven't checked the latest
Well, I think I'm all sorted now. I got in touch with Licencepal, where I purchased my cPanel licence. They have been a great help and installed rfxn and clamav, then scanned all sites for me. The only things that showed up were some files to do with nginx, but I'm guessing that's normal. All passwords changed, so will see how things go.
Licencepal also checked my cPanel for any issues. Big thanks to them.
I haven't looked file-by-file but I don't think any of cPanel is encoded.
More importantly, it has a much better security record than swiss cheese Kloxo. Some well-known VPS providers even specifically forbid Kloxo in their AUP.
@raindog308,
Yes for Kloxo but mostly no for Kloxo-MR.
Why licensepal and not your host?
I wanted to check my WHM/cPanel had not been compromised. If you purchase a cPanel licence from Licencepal you have to go to them and not cPanel. They offered to scan and check everything for me, which was very good of them.
I see, anyway good to know you got things sorted out.
These hackers are real pests.
I have just scanned with maldet and this is a bit of the report
There should be nothing in tmp. Make a backup of your data and delete and rebuild your server. It is compromised.
My /tmp directory has a few sess_ files and a few folders like this: cpanel.TMP.work.HSctjfVKZb7F_7Um
I have found this: http://forums.cpanel.net/f185/hackcheck-possible-root-compromise-detected-222681.html I will give this a try and rebuild tmp.
Not quite sure, but does cPanel have such a file format?
I have never seen these sort of files on cPanel