  1.     
    #1
    Banned

    Seems someone hacked my vps

    Today I received an abuse letter from the DC, and they forwarded it to me.

    On 2010-12-18, someone uploaded multiple ZeuS trojan files to your network:

    http://update.shuwhyyu.com/update/hh...ffepfkpkzz.exe
    http://ns1.syegyege.com/8d6srxzq5kef37b9b49b9fh64jqj

    IP: 91.215.159.108


    We're kindly requesting that you remove these malware files, or that you
    null route 91.215.159.108.


    Googling for either "update.shuwhyyu.com" or "ns1.syegyege.com" shows
    only references to malware.

    Additional evidence can be found here:
    https://zeustracker.abuse.ch/monitor...e.shuwhyyu.com
    https://zeustracker.abuse.ch/monitor...1.syegyege.com


    Thank you for your help,

    -Konrads
    PhishLabs Security Operations
    Now how can I find out where the trojan file is located?

  3.     
    #2
    loki
    What panel do you use? You don't have a virus scanner?

  •     
    #3
    Banned
    I guess I don't have any virus scanner.

    PS: at the moment I'm downloading all files to my computer, then I will scan them using my antivirus.
    One question: is it possible someone uploaded the trojan to a root folder, e.g. /var/, and abuse.ch tracked it?

  •     
    #4
    loki
    It could be anywhere. Check for shells, AND change your password ASAP.

    You can install ClamAV; you just have to configure it manually.

  •     
    #5
    Banned
    I sent you a PM.

  •     
    #6
    Banned
    Found it. A folder called upldate was uploaded. I have removed it, but I don't understand how he uploaded that folder. Is there any way I can check the FTP log IPs?

    PS: there was a bigdump script uploaded. Is it possible he could upload it through the bigdump script?

    One file, named 9ZEBnkSVbNZPBKGtB.ip, contains this code:
    PHP Code: 
    <?php
    $ip = $_SERVER['REMOTE_ADDR'];
    echo $ip;
    ?>
    Another file, .htaccess, contains this:
    Code: 
    Addtype application/x-httpd-php4 .ip
    Addtype application/x-httpd-php5 .ip
    
    <IfModule mod_php4.c>
    AddHandler server-parsed .ip
    AddHandler application/x-httpd-php4 .ip
    </IfModule>
    
    <IfModule mod_php5.c>
    AddHandler server-parsed .ip
    AddHandler application/x-httpd-php .ip
    </IfModule>
    There are another 2 files: hh3g44bg6d39stffepfkpkzz.exe and a .bin file.

    On that site only WP and phpBB3 scripts are running. I'm just wondering how he uploaded that folder.
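
A cleanup check for the artifacts described in post #6, added here as an example and not part of the original thread: it walks a web root, flags any .htaccess that maps an unexpected extension (such as .ip) to a PHP or server-parsed handler, then lists files with that extension and .exe/.bin files under it. The function names, reason labels and the "expected" extension list are assumptions made for this example.

```python
import os
import re

# Extensions normally handled as PHP/SSI; any other extension mapped there is suspicious.
EXPECTED_EXTS = {".php", ".phtml", ".php4", ".php5", ".shtml"}
# Binary payload types like those found in the dropped folder in the thread.
PAYLOAD_EXTS = {".exe", ".bin"}
# AddType/AddHandler <type-or-handler> <ext> [<ext> ...]; directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(?:AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def remapped_extensions(htaccess_text):
    """Return unexpected extensions that this .htaccess text maps to PHP or SSI."""
    found = set()
    for line in htaccess_text.splitlines():
        m = DIRECTIVE.match(line)  # comment lines start with '#' and never match
        if not m:
            continue
        target = m.group(1).lower()
        if "php" not in target and target != "server-parsed":
            continue
        for ext in m.group(2).split():
            ext = "." + ext.lower().lstrip(".")
            if ext not in EXPECTED_EXTS:
                found.add(ext)
    return found


def scan_docroot(docroot):
    """Walk docroot top-down and return sorted (reason, path) findings."""
    docroot = os.path.normpath(docroot)
    active = {}  # directory -> remapped extensions in effect there (inherited by subdirs)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        remapped = set(active.get(os.path.dirname(dirpath), ()))
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                local = remapped_extensions(fh.read())
            if local:
                findings.append(("htaccess-remap " + ",".join(sorted(local)), path))
            remapped |= local
        active[dirpath] = remapped
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in remapped:
                findings.append(("remapped-script", os.path.join(dirpath, name)))
            elif ext in PAYLOAD_EXTS:
                findings.append(("binary-in-webroot", os.path.join(dirpath, name)))
    return sorted(findings)
```

Run it as `scan_docroot("/path/to/docroot")` with the account's real web root; each finding's file modification time can then be compared against the FTP and web access logs.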

  •     
    #7
    Banned
    @Djlatino all my sites are running fine; I still do not notice any damage to my sites. I have checked my cPanel IP log and everything is fine.
