raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

someone put a file on my server !!

Thu Sep 28, 2017 1:53 pm

Hi, I have recently got a random PHP file, "testproxy.php", on my server. How can someone hack into my folder and put it there? Please help!!

RaTTuS
Posts: 10484
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:00 pm

1) remove port forwarding on your router
2) shut down the RPI
3) download a new version of raspbian and put it on a new SDcard
4) add a new user and disable the user pi
5) create a new version on your RPi server machine
6) recover any files off your old sdcard, not executables

did you leave the rpi open to the internet with user pi / default password?
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:05 pm

RaTTuS wrote:
Thu Sep 28, 2017 2:00 pm
1) remove port forwarding on your router
2) shut down the RPI
3) download a new version of raspbian and put it on a new SDcard
4) add a new user and disable the user pi
5) create a new version on your RPi server machine
6) recover any files off your old sdcard, not executables

did you leave the rpi open to the internet with user pi / default password?
No, I have changed the default username and password, but I don't know how the hacker was able to get there with firewall and fail2ban open??
By the way, I deleted that file that contained some info about my username and something else that didn't show up correctly.

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:09 pm

Isn't it more likely that there is no problem here at all?

Modern software tends to create all kinds of temporary files, with sometimes somewhat suspicious names, all the time. We've come to accept it. They can't possibly document all the various files and temporary files that they create. You just have to live with it.
If this post appears in the wrong forums category, my apologies.

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:11 pm

Martin Frezman wrote:
Thu Sep 28, 2017 2:09 pm
Isn't it more likely that there is no problem here at all?

Modern software tends to create all kinds of temporary files, with sometimes somewhat suspicious names, all the time. We've come to accept it. They can't possibly document all the various files and temporary files that they create. You just have to live with it.
In the log of fail2ban it shows the IP of the hacker that put the file, so I don't think that it's from the software.

DougieLawson
Posts: 36308
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:13 pm

Have you somehow disabled

[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s

in fail2ban, because that jail should catch tests for non-existent php scripts and block the remote user?

Are you running fail2ban 0.9.6-2 or an earlier version?

testproxy.php has been a hack attempt for about four years or more.
https://www.google.co.uk/search?q=testproxy.php
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:15 pm

In the log of fail2ban it shows the IP of the hacker
I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:19 pm

DougieLawson wrote:
Thu Sep 28, 2017 2:13 pm
Have you somehow disabled

[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s

in fail2ban, because that jail should catch tests for non-existent php scripts and block the remote user?

Are you running fail2ban 0.9.6-2 or an earlier version?

testproxy.php has been a hack attempt for about four years or more.
https://www.google.co.uk/search?q=testproxy.php
I have fail2ban 0.9.2 and I have only changed the section about ssh.

DougieLawson
Posts: 36308
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:20 pm

If you're running a public webserver on port 80 you need to activate the fail2ban jails for Apache2/Lighty/Nginx depending on which one runs your webserver.

Activating just ssh is not good enough.

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:23 pm

Martin Frezman wrote:
Thu Sep 28, 2017 2:15 pm
In the log of fail2ban it shows the IP of the hacker
I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?
Didn't understand what you mean (sorry), can you explain??

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:29 pm

Do you recommend that I restart everything from zero, because I checked for apache no script and it seems to be working??

RaTTuS
Posts: 10484
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: someone put a file on my server !!

Thu Sep 28, 2017 2:52 pm

did you leave the rpi open to the internet with user pi / default password?

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 3:05 pm

RaTTuS wrote:
Thu Sep 28, 2017 2:52 pm
did you leave the rpi open to the internet with user pi / default password?
No, not at all. I created a new username with a new password and deleted the pi user. Plus I have found that this guy has had the same problem as me: https://www.digitalocean.com/community/ ... le-to-stat

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6027
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: someone put a file on my server !!

Thu Sep 28, 2017 3:22 pm

Was it a strong password? I think it's important to figure out what happened here.

Edit: Also, what was installed on the SD card? Were you running wordpress with some plugins, for example?

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 3:23 pm

ShiftPlusOne wrote:
Thu Sep 28, 2017 3:22 pm
Was it a strong password? I think it's important to figure out what happened here.
Yep, it was, and I have WordPress (in another folder) with some plugins.
Last edited by raspi-owner on Thu Sep 28, 2017 3:27 pm, edited 1 time in total.

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 3:25 pm

Is it because fail2ban starts ssh and apache no script jails only??

drgeoff
Posts: 9885
Joined: Wed Jan 25, 2012 6:39 pm

Re: someone put a file on my server !!

Thu Sep 28, 2017 4:10 pm

Martin Frezman wrote:
Thu Sep 28, 2017 2:15 pm
In the log of fail2ban it shows the IP of the hacker
I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?
@Martin Frezman

Go back to sleep. The person who wrote "in the log of fail2ban .." is the OP!

raspi-owner
Posts: 60
Joined: Sun Aug 20, 2017 11:35 pm

Re: someone put a file on my server !!

Fri Sep 29, 2017 6:33 pm

After some research I found that it's not a big deal and that the hacker is running some kind of proxy server that searches for other servers to put that kind of file in, so I guess I must make mine more secure to prevent similar hacks.
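
Added example (not part of any post in this thread): one way to check from the Apache access log whether requests for testproxy.php were only scanner probes answered with 404, the "tests for non-existent php scripts" mentioned above, or whether the server actually served such a file. The combined log format, the constructed sample lines and the `triage` function name are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2017:13:41:02 +0100] "GET /testproxy.php HTTP/1.1" 404 501 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2017:13:41:03 +0100] "GET /wp-login.php HTTP/1.1" 200 2412 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Sep/2017:13:52:40 +0100] "GET http://example.com/testproxy.php HTTP/1.1" 404 501 "-" "-"
198.51.100.23 - - [28/Sep/2017:13:52:41 +0100] "GET /testproxy.php?x=1 HTTP/1.1" 200 87 "-" "-"
192.0.2.10 - - [28/Sep/2017:14:01:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""


def triage(log_text, script_name="testproxy.php"):
    """Group requests for script_name by client IP and classify each client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Drop the query string; proxy scanners may send an absolute URL.
        path = m.group("target").split("?", 1)[0]
        if path.rsplit("/", 1)[-1] == script_name:
            hits[m.group("ip")].append(int(m.group("status")))
    report = {}
    for ip, statuses in hits.items():
        # 2xx means the server had such a file and ran it; 404 is only a probe.
        served = any(200 <= s < 300 for s in statuses)
        report[ip] = {"requests": len(statuses),
                      "verdict": "file-served" if served else "probe-only"}
    return report


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(ip, info)
```

A "file-served" verdict means the file really existed under the web root at that time, which calls for the rebuild steps listed earlier in the thread; "probe-only" clients are the ones an Apache jail in fail2ban is meant to block.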
