  #1  
Old 15 Sep 2006, 22:13
marinefiend
 
Join Date: Dec 2004
Having issues with hackers

I am having an issue with a hacker dumping files in my forum root

I keep finding these
core.4967
core.21142
core.24723
core.16640
core.32086
core.24428
core.15133

and among another bunch every day

Running 3.6, and have .htaccess in all directories now.

It is driving me nuts as these guys are f ing up my server.

Got any ideas?
  #2  
Old 15 Sep 2006, 23:22
Wired1
 
Join Date: Nov 2003
is it a shared server?

talk to hosting company / server admins, see if they're having issues on their end
__________________
Admin of the Corsair Memory Forum (AKA the House of Help from back in the day)
Admin of Petri's IT Forum / Moderator at webdesignforums.net
  #3  
Old 15 Sep 2006, 23:24
KW802
 
Join Date: Jul 2003
Real name: Kevin
What are in the files?
__________________
Sci-Fi Forum / The Walking Dead & Horror Forum / CinVin

(Sorry, but I am no longer developing for vB; please do not PM. So long, and thanks for all the fish.)
  #4  
Old 15 Sep 2006, 23:38
Wired1
 
Join Date: Nov 2003
and what size are the files?
__________________
Admin of the Corsair Memory Forum (AKA the House of Help from back in the day)
Admin of Petri's IT Forum / Moderator at webdesignforums.net
  #5  
Old 15 Sep 2006, 23:51
VietPirates
 
Join Date: Aug 2006
What's your kernel version?
  #6  
Old 16 Sep 2006, 00:49
DementedMindz
 
Join Date: Jan 2006
What makes you think it's hackers? Are you on hostdime?
  #7  
Old 16 Sep 2006, 17:06
Ziki
 
Join Date: Nov 2005
If it were real hackers, your site would be dead right now. Even I can do that
__________________
My free mods~click here
  #8  
Old 17 Sep 2006, 04:13
marinefiend
 
Join Date: Dec 2004
Originally Posted by KW802
What are in the files?
Ok so the files are so large I cannot copy the info.

38572 k in total each, and they are the same size each, all done by the same person from what I can imagine.

I just want to find out who and fix it so they cannot do this anymore. What a waste of my time.



Here is a blurb from the file and as you can see it is all junk, I find when I scroll down lower it has a key logger script in the program. My question is how do I shut this crap down without losing my board?

core.8711
File Type: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'php'

  #9  
Old 19 Sep 2006, 15:57
jason|xoxide
 
Join Date: Aug 2006
Real name: Jason Litka
I doubt that you are being hacked. Those are probably core dumps from an unstable process.

What is the result of running 'ulimit -c'?
  #10  
Old 19 Sep 2006, 20:58
DementedMindz
 
Join Date: Jan 2006
They are core dumps. Are you on host dime or a vps?
Reply With Quote
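One way to check the core-dump explanation given in the last two replies, as an added example that is not part of any post in this thread: parse a `core.*` file's ELF header, confirm its type is ET_CORE, and read the crashing process name and command line from the NT_PRPSINFO note. The names `triage_core` and `sample_core` are hypothetical, the sample bytes are constructed, and the parser assumes the Linux prpsinfo layout, which ends with `pr_fname[16]` followed by `pr_psargs[80]`.

```python
import struct

ET_CORE, PT_NOTE, NT_PRPSINFO = 4, 4, 3

def triage_core(data):
    """Return {'bits','fname','psargs'} for a little-endian ELF core, else None."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[5] != 1:
        return None
    if struct.unpack_from("<H", data, 16)[0] != ET_CORE:
        return None  # an ELF executable or library, not a crash dump
    is64 = data[4] == 2
    if is64:
        phoff, = struct.unpack_from("<Q", data, 32)
        phentsize, phnum = struct.unpack_from("<HH", data, 54)
    else:
        phoff, = struct.unpack_from("<I", data, 28)
        phentsize, phnum = struct.unpack_from("<HH", data, 42)
    info = {"bits": 64 if is64 else 32, "fname": None, "psargs": None}
    for i in range(phnum):
        ph = phoff + i * phentsize
        if ph + (56 if is64 else 32) > len(data):
            break  # truncated dump
        if is64:
            p_type, _, off, _, _, size = struct.unpack_from("<IIQQQQ", data, ph)
        else:
            p_type, off, _, _, size = struct.unpack_from("<IIIII", data, ph)
        if p_type != PT_NOTE:
            continue
        notes, pos = data[off:off + size], 0
        while pos + 12 <= len(notes):
            namesz, descsz, ntype = struct.unpack_from("<III", notes, pos)
            start = pos + 12 + ((namesz + 3) & ~3)
            desc = notes[start:start + descsz]
            # Assumption: Linux prpsinfo ends with pr_fname[16] + pr_psargs[80].
            if ntype == NT_PRPSINFO and len(desc) >= 96:
                info["fname"] = desc[-96:-80].split(b"\0")[0].decode("latin-1")
                info["psargs"] = desc[-80:].split(b"\0")[0].decode("latin-1").strip()
                return info
            pos = start + ((descsz + 3) & ~3)
    return info

def sample_core():
    """Constructed 32-bit core: ELF header, one PT_NOTE, one NT_PRPSINFO note."""
    desc = bytes(28) + b"php".ljust(16, b"\0") + b"/usr/bin/php example.php ".ljust(80, b"\0")
    note = struct.pack("<III", 5, len(desc), NT_PRPSINFO) + b"CORE\0\0\0\0" + desc
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", ET_CORE, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_NOTE, 84, 0, 0, len(note), 0, 0, 0)
    return ehdr + phdr + note
```

A result naming `php` together with a non-zero `ulimit -c` points to a crashing PHP process writing dumps into its working directory rather than to uploaded files.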