Having issues with hackers


marinefiend
09-15-2006, 08:13 PM
I am having an issue with a hacker dumping files in my forum root.

I keep finding these
core.4967
core.21142
core.24723
core.16640
core.32086
core.24428
core.15133

and among another bunch every day

Running 3.6, and have .htaccess in all directories now.

It is driving me nuts as these guys are f ing up my server.

Got any ideas?

Wired1
09-15-2006, 09:22 PM
Is it a shared server?

Talk to the hosting company / server admins, see if they're having issues on their end.

KW802
09-15-2006, 09:24 PM
What are in the files?

Wired1
09-15-2006, 09:38 PM
and what size are the files?

VietPirates
09-15-2006, 09:51 PM
What's your kernel version?

DementedMindz
09-15-2006, 10:49 PM
What makes you think it's hackers? Are you on hostdime?

Ziki
09-16-2006, 03:06 PM
If it were real hackers, your site would be dead right now. Even I can do that.

marinefiend
09-17-2006, 02:13 AM
"What are in the files?"

Ok, so the files are so large I cannot copy the info.

38572 k in total each, and they are the same size each, all done by the same person from what I can imagine.

I just want to find out who and fix it so they cannot do this anymore. What a waste of my time.



Here is a blurb from the file and as you can see it is all junk. I find when I scroll down lower it has a key logger script in the program. My question is how do I shut this crap down without losing my board?

core.8711
File Type: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'php'


jason|xoxide
09-19-2006, 01:57 PM
I doubt that you are being hacked. Those are probably core dumps from an unstable process.

What is the result of running 'ulimit -c'?

DementedMindz
09-19-2006, 06:58 PM
They are core dumps. Are you on host dime or a vps?