nusuth

wtf. i am getting pretty fucking annoyed. i logged into my site today and was denied cpanel access. i reset the password (it's a brand new hoster and i thought i just forgot my PW) and everything looked ok. i posted to my site and when i checked out the preview i had a blank page with a field to upload a file. i logged in via FTP and found that i had some modified files and extra files such as:

cpanel_cracker.php
nep.php
postleech.sql
postleechorg.sql (about a 500Mb file)
sql.php
symlink_sa.php
xmlrpc.php

they fucked up trying to lock me out and i fixed it easily enough but i am pissed and concerned about it happening again. my cpanel pass is 8 characters with a mix of #'s and punctuation but still got hacked and from looking at the files left over, it looks like that cracker uses brute force. is there a way to do a timeout on my cpanel login or would that not help? any ideas on how to stop this from happening again?
 
You are affected by a keylogger for sure.
Format your PC, make sure your HDDs are empty, install a fresh new OS, and don't download stuff from blackhat related sites.
 
Me too, I faced the same issue! In that connection I contacted the hoster concerning the freak issue, and he replied to my ticket! Pls don't worry, all will be fine!

1) Hack Linux server through SSH.
2) Hack cPanel that’s why it is not opening and showing error message.
 
i don't think it's a keylogger because all my other sites are ok and some of the code for the cpanel_cracker has this:

<?php
$cpanel_port="2082";
$connect_timeout=5;
set_time_limit(0);
$submit=$_REQUEST['submit'];
$users=$_REQUEST['users'];
$pass=$_REQUEST['passwords'];
$target=$_REQUEST['target'];
$cracktype=$_REQUEST['cracktype'];
if($target == ""){
$target = "localhost";
}
$charset=$_REQUEST['charset'];
if($charset=="")
$charset="lowercase";
$max_length=$_REQUEST['max_length'];
if($max_length=="")
$max_length=10;
$min_length=$_REQUEST['min_length'];
if($min_length=="")
$min_length=1;

$charsetall = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9");
$charsetlower = array("a", "b", "c", ....... continues on til
..... <br>
<font style="font-weight:700" size="2" face="Tahoma" color="#008000"><span lang="ar-sa">Timeout delay</span>
<input type="text" name="connect_timeout" style="border: 2px solid #1D1D1D;background: black;color:RED" size=48 value="<?php echo $connect_timeout;?>"></input>
<br>
<input type="checkbox" name="bruteforce" value="true"><font style="font-weight:700" size="2" face="Tahoma" color="#008000"><span lang="ar-sa">Bruteforce</span></input>
<select name="charset" style="border: 2px solid #1D1D1D;background: black;color:RED">
<option value="all">All Letters + Numbers</option>... continues on ever more
i also found the group responsible for this little code

and i found somewhere some mention about hacking from the server shell. so i think it might be server side.
so bottom line is that i need to talk to my hosting company?
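
A defender's sweep of the webroot for the leftovers described in this thread, as an added example that is not part of the original posts or any participant's code. It matches only on the file names listed in the first post and on strings visible in the quoted fragment; the thresholds and the sample files are assumptions constructed for the demonstration, and a name match is only a lead, since xmlrpc.php is also a stock WordPress file.

```python
import re
import tempfile
from pathlib import Path

# File names reported in the thread's first post (a match is a lead, not proof).
REPORTED_NAMES = {"cpanel_cracker.php", "nep.php", "sql.php", "symlink_sa.php",
                  "xmlrpc.php", "postleech.sql", "postleechorg.sql"}
# Strings visible in the code fragment quoted in the thread.
CONTENT_MARKERS = [re.compile(p) for p in (
    rb"\$_REQUEST\[\s*['\"]cracktype['\"]\s*\]",
    rb"\$cpanel_port\s*=",
    rb"set_time_limit\(\s*0\s*\)")]
MIN_MARKERS = 2          # assumption: two or more markers in one file is a hit
MAX_READ = 1024 * 1024   # assumption: inspect only the first 1 MiB per file

def scan_webroot(root):
    """Return {relative_path: [reasons]} for files that deserve a manual look."""
    findings = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        reasons = []
        if path.name.lower() in REPORTED_NAMES:
            reasons.append("name reported in thread")
        if path.suffix.lower() in (".php", ".phtml", ".inc"):
            try:
                with path.open("rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                head = b""   # unreadable: skip content check, keep name check
            hits = sum(1 for rx in CONTENT_MARKERS if rx.search(head))
            if hits >= MIN_MARKERS:
                reasons.append(f"{hits} code markers from quoted fragment")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Scan a constructed webroot (sample files only, no real site data)."""
    samples = {
        "symlink_sa.php": b"<?php /* constructed placeholder */ ?>",
        "img/thumb.php": b"<?php $cpanel_port=\"2082\"; set_time_limit(0); ?>",
        "cron.php": b"<?php set_time_limit(0); run_jobs(); ?>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

The renamed copy (`img/thumb.php`) is caught by content and the single-marker `cron.php` is not, which is why the sweep does not rely on file names alone.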
 
1. Make sure that your PC is 100% clean [install Kaspersky Virus Removal Tool & Malwarebytes free, scan your PC, delete infected files if there are any]
2. Link me to your site.
 
ok, for like the 10th time. my local machine is CLEAN. i do NOT DL warez nor visit 'blackhat' sites.

i do believe there is an issue with my host's server. if you took the time to read some of the code i posted, it's obvious the hackers accessed my site using a brute force program. my biggest question right now is can i have my cpanel login include a captcha code or a 'time out' after X failed logins kind of thing?
 
Yes you can if it's your VPS or it's a dedicated server. If it's shared hosting then that would only be set by your host.
 