Having issues with hackers
by marinefiend, 09-15-2006
I am having an issue with a hacker dumping files in my forum root

I keep finding these
core.4967
core.21142
core.24723
core.16640
core.32086
core.24428
core.15133

and among another bunch every day

Running 3.6, and have .htaccess in all directories now.

It is driving me nuts as these guys are f ing up my server.

Got any ideas?


Comments
#2
09-15-2006, 09:22 PM
Wired1

is it a shared server?

talk to hosting company / server admins, see if they're having issues on their end

#3
09-15-2006, 09:24 PM
KW802

What are in the files?

#4
09-15-2006, 09:38 PM
Wired1

and what size are the files?

#5
09-15-2006, 09:51 PM
VietPirates

What's your kernel version?

#6
09-15-2006, 10:49 PM
DementedMindz

What makes you think it's hackers? Are you on HostDime?

#7
09-16-2006, 03:06 PM
Ziki

If it were real hackers, your site would be dead right now. Even I can do that.

#8
09-17-2006, 02:13 AM
marinefiend

Quote: Originally Posted by KW802: "What are in the files?"

Ok so the files are so large I cannot copy the info.

38572 k in total each, and they are the same size each, all done by the same person from what I can imagine.

I just want to find out who and fix it so they cannot do this anymore. What a waste of my time.



Here is a blurb from the file and as you can see it is all junk. I find when I scroll down lower it has a key logger script in the program. My question is how do I shut this crap down without losing my board?

core.8711
File Type: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'php'


#9
09-19-2006, 01:57 PM
jason|xoxide

I doubt that you are being hacked. Those are probably core dumps from an unstable process.

What is the result of running 'ulimit -c'?

#10
09-19-2006, 06:58 PM
DementedMindz

They are core dumps. Are you on HostDime or a VPS?
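
Added example (not part of the thread and not any poster's code): a way to confirm that a `core.NNNN` file is a crash dump, as the replies above conclude, by parsing the ELF header and the `NT_PRPSINFO` note that `file` reads to report "from 'php'". It handles only the 32-bit little-endian layout reported in the thread; `core_origin` and `sample_core` are hypothetical names, and the sample bytes and command line are constructed.

```python
import struct

ET_CORE, PT_NOTE, NT_PRPSINFO = 4, 4, 3   # ELF constants from <elf.h>

def core_origin(data):
    """Return (pr_fname, pr_psargs) for an ELF32 LSB core dump, else None."""
    # Magic, EI_CLASS=1 (32-bit), EI_DATA=1 (little-endian), full 52-byte header
    if len(data) < 52 or data[:6] != b"\x7fELF\x01\x01":
        return None
    try:
        (e_type,) = struct.unpack_from("<H", data, 16)
        if e_type != ET_CORE:   # an executable or shared object, not a crash dump
            return None
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        for i in range(e_phnum):
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(
                "<5I", data, e_phoff + i * e_phentsize)
            if p_type != PT_NOTE:
                continue
            pos, end = p_offset, min(p_offset + p_filesz, len(data))
            while pos + 12 <= end:   # each note: namesz, descsz, type, name, desc
                namesz, descsz, n_type = struct.unpack_from("<3I", data, pos)
                name = data[pos + 12:pos + 12 + namesz]
                desc = pos + 12 + ((namesz + 3) & ~3)
                # i386 elf_prpsinfo is 124 bytes: pr_fname at 28, pr_psargs at 44
                if name == b"CORE\0" and n_type == NT_PRPSINFO and descsz >= 124:
                    fname = data[desc + 28:desc + 44].split(b"\0")[0]
                    psargs = data[desc + 44:desc + 124].split(b"\0")[0]
                    return fname.decode("latin-1"), psargs.decode("latin-1").strip()
                pos = desc + ((descsz + 3) & ~3)
    except struct.error:   # truncated or malformed header: do not guess
        return None
    return None

def sample_core(fname=b"php", psargs=b"/usr/bin/php example.php "):
    """Constructed minimal ELF32 core with one PT_NOTE (not the poster's file)."""
    desc = bytes(28) + fname.ljust(16, b"\0") + psargs.ljust(80, b"\0")
    note = struct.pack("<3I", 5, len(desc), NT_PRPSINFO) + b"CORE\0\0\0\0" + desc
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", ET_CORE, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_NOTE, 52 + 32, 0, 0, len(note), 0, 0, 0)
    return ehdr + phdr + note

if __name__ == "__main__":
    print(core_origin(sample_core()))
```

A file that returns `None` here is not a 32-bit core dump and deserves a closer look; one that returns a process name and command line points at the crashing program rather than at an uploaded file.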