Having issues with hackers
 

I am having an issue with a hacker dupming files in my forum root

I keep finding these
core.4967
core.21142
core.24723
core.16640
core.32086
core.24428
core.15133

and among another bunch every day

Running 3.6, and have .htaccess in all directories now.

It is driving me nuts as these guys are f ing up my server.

Got any ideas?

is it a shared server?

talk to hosting company / server admins, see if they're having issues on their end

What are in the files?

and what size are the files?

What's your kernel version?

what makes you think its hackers? Are you on hostdime?

If it were real hackes,your site would be dead right now.Even I can do that

Ok so the files are so large I cannot copy the info.

38572 k in total each, and they are the same size each, all done by the same person from what I can imagine.

I just want to find out who and fix it so they cannot dp this anymore. What a waste of my time.



Here is a blurb from the file and as you can see it is all junk, I find when I scroll down lower it has a key logger script in the program. My question is how do I shut this crap down without loosing my board?

core.8711
File Type: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'php'

--------------------------------------------------------------------------------
ELF



44 k? ?
@
P 
@?&?

@?(
PP+?
P@,
`?2?
` 5
pP<?
p?< 
??Mp
?@P@@
ЀPPP

``P 

?kPP
p
p? 
p
??
?
?ŀ 
?
p?@@
?
0?P
?
?배
p0? 
???@
?????
 ?
?
0?0
0?4??
?9?F?F
?N@ B? 
?N?B@@
0OPB?
0O B
@O B?
@O?B
PO?gB
PO?jB00
?O?jB@ 
?O xB


P@yB00
?P [CP

?Pp\C
?P?\C
?P?\CP
?PoC
?PoC00 
Q@oC 
0Q?oC 
0Q oC 
PQ?oC
PQ?qC 
pQ0rC?
pQ sC
?QPsC?
?Q0tC 
QPtC 
?Q ?C?
?Q??C 
?Q??C 
R??C0
R ?C
R??Cp
R?C
R0?C?

R?C
0R0?C`
0R??C
@R??C 
@R??CPP
?R0?C``
?R??C@
?R??Cpp
`S??C0 
`S??C
pS??C?

pS??C 
?S??Cp
?S`?C
S??C0
S??C
?S@?CP
?S??C 
?S??Cpp
@V@?C?
@V ?C 
`Vp?CP
`V??CPP
?V0?C0
?V`?C0
0

?W0KD

?WPLD 
XpLD 
X?yD 
X?yD
0X ?D
0X ?D
@XP?D0
@X??D 
`X??D0

`X??D
pX`??
pX`????
Y`??


Zx?ZxxxP?tdH?ZH$$?
CORE"?M{{04 MF"""?oC4???{{3
?'[Cs ???{
|CORER%~&~"?M{{php/usr/bin/php cron.php ?CORE??????tx????????ށ??~N; ??+???G&+??????#Y?Q????̐?̘?̘?̀\B??\B? 8?2?
""????????????T??T??0??"????`????? ????"???`8??????{????????{????????
+N+?@? ?@?? ???G??(i??
 O??
+N+?n+?KG^?0??????@?8 %~%~%~%~&~&~&~&~?x???N??????????????????????????? = =?????????7?7@@??????????????????? ?
phpec???h??߷?5f??`?&-?(??3 ?
93s?,??{??????8n?n??@@?????6???j??S?4??4? ?
+N+?
+N+?
+N+ޘ???????????CORE????d4?  T? %~ %~ &~&~???lCORE ?
93s?,??{????8n?n??@+?FLINUX ?
93s?,??{??????8n?n??@?????E??ẺE??E???u??|$ ?U??}?D$?
?t$? ?D$?u??|$?L$ ?4$?P?????~ ?U?f?z
t4?E??E??}?
v??????8?M?9?E?;E?t?$???? ??Eă?l[^_]??zf?????u??r
‰U??T$?4$???????xt?M??|I?M????t?? ??????????????<$?U??T$?Y?????xB?4?4$?????M?9
t< ??u+?V?$????Hu???4$??????M??|0?}??u??2????E ??????3????|$?M?U ?u??EȉL$?T$ ?t$?$?#?????x?E?
?E?u ?0???????????8Zu??E??????}?"????????????????U??V S?[??R???????p??@??????Ћ???u?[^??U??S?[??#P????Y[??gethostby*.getanswer: asked for "%s", got "%s"??
0123456789abcdefgethostby*.getanswer: asked for "%s %s %s", got type "%s"%u.%u.%u.%u.in-addr.arpa%02hhx0.%u.%u.%u.in-addr.arpa0.0.%u.%u.in-addr.arpa0.0.0.%u.in-addr.arpa/lib/ld-linux.so.2????????
6
EO ? ?1T?T ? ?_???8???o ???o???o? ???o???o6???o@??C??C W_CO??m??[C?;cCPUcC?S?C`?C>?^C0S?CnxjC??? ?E?C?6jC??BcC0L?Cp5jC.>?WcC^n??C?? ?x`?^: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-2)libnss_dns-2.3.4.so.debugD+??.symtab.strtab.shstrtab.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_d.g nu.version_r.rel.dyn.rel.plt.init.text.fini.rodata .interp.eh_frame.ctors.dtors.jcr.dynamic.got.got.p lt.data.bss.comment.gnu_debuglink4
4
)

I doubt that you are being hacked. Those are probably core dumps from an unstable process.

What is the result of running 'ulimit -c'?

They are core dumps. Are you on host dime or a vps?