Hacked
#11
RE: Hacked
(03-29-2017, 09:34 PM)TGates Wrote: If you have a backup I suggest comparing the online version with the backup and see if any files are different. If files are showing up on your hosting space you did not put there, they may have even hacked the FTP account (worth checking).
What code is inside these new files?

I changed all passwords in Sentora.
Changed FTP accounts (I had only 2).

The file that keeps coming back is guy.php.

I don't think I should post it on the net. I could send you a private link via IM. It's too bad there isn't a place where you can upload code and a company keeps track of all this PHP code. Then it can be parsed in Sentora or something like that.

Not much from Google on the file guy.php or 404.guy.php

I checked permissions. 755 on the folder.
I am using it for a non-profit so this is a hard hit.

tia.

btw

I paid for Wordfence but the issue is it can't run the scan without this error.

Warning: tempnam(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/sentora/hostdata/account/public_html/doman_org:/var/sentora/temp/) in /var/sentora/hostdata/account/public_html/domain_org/wp-
I have no idea on this.

The free version of Wordfence also does the scan and I got the same error.
#12
RE: Hacked
The open_basedir can be disabled as mentioned in a previous post. That will allow you to run the script. Just remember to enable it again after running it.
Yes, please zip up the guy.php and 404.guy.php files and link me to them in a PM. I am curious to see what they do.

As I mentioned, your best bet is to back up your current site and DB and maybe do a fresh install, because they obviously have found or added a vulnerability to your WP install.
-TGates - Project Council

SEARCH the Forums or read the DOCUMENTATION before posting!
Support Sentora and Donate: HERE

Find my support or modules useful? Donate to TGates HERE
Developers and code testers needed!
Contact TGates for more information
#13
RE: Hacked
(03-31-2017, 06:55 AM)TGates Wrote: The open_basedir can be disabled as mentioned in a previous post. That will allow you to run the script. Just remember to enable it again after running it.

Okay, I am more confused. Disable or enable the option? Anyway, I tried both. Didn't work.
#14
RE: Hacked
You have to wait at least 5 minutes for the changes to take effect. You can verify the changes by checking the httpd-vhosts.conf for the domain and see if the open_basedir directive is removed from the vhost.

If it is removed but still not working, restart apache and try again.
-TGates - Project Council
Thanks given by: Qtech
#15
RE: Hacked
(04-01-2017, 02:12 AM)TGates Wrote: You have to wait at least 5 minutes for the changes to take effect. You can verify the changes by checking the httpd-vhosts.conf for the domain and see if the open_basedir directive is removed from the vhost.

If it is removed but still not working, restart apache and try again.

Okay, that worked. Any issue in keeping that off for an extended period of time?
#16
RE: Hacked
open_basedir is what locks the users down to their hosting folders. If disabled, it becomes possible for a user (or hacker) to cross over to other folders on the server. If you trust the code and it is 100% safe, it should not matter how long.
-TGates - Project Council
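The check described in posts #14 and #16, as an added example that is not part of the original thread or Sentora's own code: it reads a vhosts file and reports, per virtual host, whether an open_basedir restriction is still set, so a host left open after a scan is easy to spot. The sample vhosts, the function names and the `php_admin_value`/`php_value` directive form are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report which vhosts still carry a PHP open_basedir limit.

# audit_open_basedir FILE
# One line per <VirtualHost> block: "<ServerName> RESTRICTED <paths>"
# when an open_basedir directive is present, "<ServerName> OPEN" when not.
# Assumes paths contain no spaces.
audit_open_basedir() {
    awk '
        /^[ \t]*#/ { next }    # a commented-out directive does not count
        tolower($1) ~ /^<virtualhost/ { in_vh = 1; name = "(no ServerName)"; val = ""; next }
        in_vh && tolower($1) == "servername" { name = $2; next }
        in_vh && tolower($1) ~ /^php_(admin_)?value$/ && tolower($2) == "open_basedir" {
            val = $3; gsub(/"/, "", val); next
        }
        tolower($1) ~ /^<\/virtualhost/ {
            if (in_vh && val != "") printf "%s RESTRICTED %s\n", name, val
            else if (in_vh)         printf "%s OPEN\n", name
            in_vh = 0
        }
    ' "$1"
}

# Constructed sample (not from a real server): the first vhost keeps the
# restriction, the second has had it removed, the third has it commented out.
write_sample() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
ServerName domain.org
DocumentRoot "/var/sentora/hostdata/account/public_html/domain_org"
php_admin_value open_basedir "/var/sentora/hostdata/account/public_html/domain_org:/var/sentora/temp/"
</VirtualHost>
<VirtualHost *:80>
ServerName other.example
DocumentRoot "/var/sentora/hostdata/account/public_html/other_example"
</VirtualHost>
<VirtualHost *:80>
ServerName third.example
# php_admin_value open_basedir "/var/sentora/hostdata/account/public_html/third_example"
</VirtualHost>
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_open_basedir "$sample"
rm -f "$sample"
```

To use it on a server, call `audit_open_basedir` with the path to your own httpd-vhosts.conf; any line ending in OPEN is a site whose PHP code is not confined to its hosting folder.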
#17
RE: Hacked
I found this security article on implementing security in .htaccess; maybe helpful to someone.
https://secure.rivalhost.com/knowledgeba...hacks.html
Don't know if these security filters are already included in Sentora.
#18
RE: Hacked
Looks like some useful directives in there. Will have to check it out.
-TGates - Project Council