Will pay for help solving issue ASAP

Status
Not open for further replies.
Some more info:

/var/log/dpkg.log:2010-05-26 20:05:35 install libssh2-1 <none> 0.18-1
r.daskevicius: /var/log/dpkg.log:2010-05-26 20:05:35 status half-installed libssh2-1 0.18-1
r.daskevicius: /var/log/dpkg.log:2010-05-26 20:05:35 status unpacked libssh2-1 0.18-1
/var/log/dpkg.log:2010-05-26 20:05:35 status unpacked libssh2-1 0.18-1
/var/log/dpkg.log:2010-05-26 20:05:39 configure libssh2-1 0.18-1 0.18-1

r.daskevicius: this is normal?
 
Off topic: Do you also own megaleech.eu?

On topic: Looks like your script might have some kind of backdoor and a hacker got access to your SQL. Contact the script maker?
 
OK, my suggestion is that you enable it (see that it's useful :D) and then get back to us as soon as you see some results.
 
Simple 2 possibilities:

1. Your system is compromised, system from where you access your server!
2. Your server is compromised, backdoored or just shelled.

Solution for 1: Take a backup (of individual files and folders), format and reinstall your OS, and then access your server. Don't break your head in solving it.

Solution for 2: nmap -PN on your server and check for any bind shells! Disable functions like fsockopen, system (leeching should work with them disabled) in php.ini. Look out for files like "shbd" or anything that sounds weird in your 777 folders, including /tmp/.

Simple?
 
If it is SQLi that you suspect, then add this line to your .htaccess:
php_flag magic_quotes_gpc on
Relying on this feature is discouraged; however, if the claimed "hacker" is one of those scripties who knows only about SQLi, x=x auth bypass, LFI, RFI, etc., then it will keep him at bay :)
 
We didn't manage to work out how the stealing was done, but after changing the rapidleech script from rapidleech plus from zecel.com to the original, upgraded one, the problem is gone. So it seems that rapidleech+ from zecel.com has serious backdoors or something like this.
 
It's prolly the script's fault, some vulnerability.

Which script are you using, btw?

Either way, premium link generators are always exposed to those kinds of things. Most of the time, a simple HTTP debugger and some base64 decoder is more than enough to leech the acc's data.
 
albertoberto, you're right. The problem was solved yesterday, and the reason: the insert_location() function (download system), which reveals premium cookies and base64-encoded auth strings to end user(s) with a simple HTTP debugger.
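An audit check for the leak described in the last post, as an added example that is not part of the thread or of the rapidleech code: it flags query parameters of a client-visible URL whose values base64-decode to credentials or a cookie string. The host, the parameter names (`auth`, `cookie`) and the sample values are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample: a URL of the kind a download script might send to the
# browser. Host, parameter names and values are hypothetical.
SAMPLE_URL = "http://leech.example/index.php?" + urlencode({
    "filename": "file.rar",
    "auth": base64.b64encode(b"user:s3cret").decode(),
    "cookie": base64.b64encode(b"session=abc123; user=demo").decode(),
})

def decode_b64_text(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns an unescaped '+' into a space
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad padding or non-ASCII bytes
        return None
    return text if text.isprintable() else None

def classify(text):
    """Name the kind of secret the decoded text looks like, or None."""
    if re.fullmatch(r"[^:\s]+:\S+", text):
        return "basic-auth credentials"  # user:password
    if re.fullmatch(r"[\w.-]+=[^;]*(;\s*[\w.-]+=[^;]*)*;?", text):
        return "cookie string"           # name=value; name=value
    return None

def find_leaks(url):
    """Return (parameter, kind) for each query value that decodes to a secret.

    Only the parameter name and kind are reported, so the audit output does
    not become a second copy of the credentials.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        text = decode_b64_text(value)
        kind = classify(text) if text else None
        if kind:
            findings.append((name, kind))
    return findings

if __name__ == "__main__":
    for name, kind in find_leaks(SAMPLE_URL):
        print(f"parameter {name!r} exposes {kind} to the client")
```

Any hit means the secret is readable by whoever receives the URL, since base64 is an encoding and not encryption; the fix is to keep the account cookie and auth string server-side and hand the client only an opaque reference.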
 