someone puted a file on my server !!

Posted: Thu Sep 28, 2017 1:53 pm
by raspi-owner
hi, I have recently got a random php file, "testproxy.php", on my server.. how can someone hack into my folder and put it there? please help !!

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:00 pm
by RaTTuS
1) remove port forwarding on your router
2) shut down the RPI
3) download a new version of raspbian and put it on a new SDcard
4) add a new user and disable the user pi
5) create a new version on your RPi server machine
6) recover any files off your old sdcard, not executables
.

did you leave the rpi open to the internet with user pi / default password?

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:05 pm
by raspi-owner
RaTTuS wrote:
Thu Sep 28, 2017 2:00 pm
1) remove port forwarding on your router
2) shut down the RPI
3) download a new version of raspbian and put it on a new SDcard
4) add a new user and disable the user pi
5) create a new version on your RPi server machine
6) recover any files off your old sdcard, not executables
.

did you leave the rpi open to the internet with user pi / default password?
no, I have changed the default username and password, but I don't know how the hacker was able to get there with firewall and fail2ban open ??
by the way, I deleted that file that contained some info about my username and something else that didn't show up correctly

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:09 pm
by Martin Frezman
Isn't it more likely that there is no problem here at all?

Modern software tends to create all kinds of temporary files, with sometimes somewhat suspicious names, all the time. We've come to accept it. They can't possibly document all the various files and temporary files that they create. You just have to live with it.

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:11 pm
by raspi-owner
Martin Frezman wrote:
Thu Sep 28, 2017 2:09 pm
Isn't it more likely that there is no problem here at all?

Modern software tends to create all kinds of temporary files, with sometimes somewhat suspicious names, all the time. We've come to accept it. They can't possibly document all the various files and temporary files that they create. You just have to live with it.
in the log of fail2ban it shows the IP of the hacker that put the file, so I don't think that it's from the software.

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:13 pm
by DougieLawson
Have you somehow disabled

Code:

[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s

in fail2ban, because that jail should catch tests for non-existent php scripts and block the remote user?

Are you running fail2ban 0.9.6-2 or an earlier version?

testproxy.php has been a hack attempt for about four years or more.
https://www.google.co.uk/search?q=testproxy.php
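
Added example, not part of the post above and not fail2ban's own code: a small triage of an Apache access log that separates failed probes for non-existent PHP scripts (404) from PHP scripts that were actually served but that you did not install (2xx). The log lines, the IP addresses, the `known_scripts` list and the `max_retry` threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (documentation-range IPs).
SAMPLE_LOG = '''\
203.0.113.7 - - [28/Sep/2017:13:40:01 +0100] "GET /testproxy.php HTTP/1.1" 404 501 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2017:13:40:02 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 510 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Sep/2017:13:41:10 +0100] "GET /wordpress/index.php HTTP/1.1" 200 7312 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2017:13:42:30 +0100] "GET http://example.com/testproxy.php HTTP/1.1" 404 501 "-" "Mozilla/5.0"
192.0.2.99 - - [28/Sep/2017:13:50:00 +0100] "GET /uploads/testproxy.php?x=1 HTTP/1.1" 200 88 "-" "curl/7.52"
this line is not a log entry and must be skipped
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(log_text, known_scripts=frozenset(), max_retry=3):
    """Split .php requests into failed probes (404) and unexpected scripts served (2xx)."""
    probes = defaultdict(list)    # client IP -> requested scripts that did not exist
    unexpected = []               # (client IP, path) for served scripts you did not install
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # malformed or non-request line
        path = m["target"].split("?", 1)[0]
        if not path.lower().endswith(".php"):
            continue
        status = int(m["status"])
        if status == 404:
            probes[m["ip"]].append(path)
        elif 200 <= status < 300 and path not in known_scripts:
            unexpected.append((m["ip"], path))
    # max_retry is this example's own threshold, in the spirit of a jail's retry limit.
    would_ban = sorted(ip for ip, hits in probes.items() if len(hits) >= max_retry)
    return dict(probes), unexpected, would_ban

if __name__ == "__main__":
    probes, unexpected, would_ban = triage(SAMPLE_LOG, {"/wordpress/index.php"})
    for ip, hits in probes.items():
        print(f"{ip}: {len(hits)} probe(s) for missing scripts: {hits}")
    print("served but not in known list (inspect on disk):", unexpected)
    print("clients over the probe threshold:", would_ban)
```

A client that only ever gets 404 for `testproxy.php` was scanning; a 2xx for a script outside your known list means the file exists on disk and is worth inspecting.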

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:15 pm
by Martin Frezman
in the log of fail2ban it show the ip of the hacker
I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:19 pm
by raspi-owner
DougieLawson wrote:
Thu Sep 28, 2017 2:13 pm
Have you somehow disabled

Code:

[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s

in fail2ban, because that jail should catch tests for non-existent php scripts and block the remote user?

Are you running fail2ban 0.9.6-2 or an earlier version?

testproxy.php has been a hack attempt for about four years or more.
https://www.google.co.uk/search?q=testproxy.php
I have fail2ban 0.9.2 and I have only changed the section about ssh.

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:20 pm
by DougieLawson
If you're running a public webserver on port 80 you need to activate the fail2ban jails for Apache2/Lighty/Nginx, depending on which one runs your webserver.

Activating just ssh is not good enough.

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:23 pm
by raspi-owner
Martin Frezman wrote:
Thu Sep 28, 2017 2:15 pm
in the log of fail2ban it show the ip of the hacker
I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?
didn't understand what you mean (sorry) can you explain ??

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:29 pm
by raspi-owner
do you recommend that I restart everything from zero, because I checked for apache-noscript and it seems to be working ??

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 2:52 pm
by RaTTuS
did you leave the rpi open to the internet with user pi / default password?

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 3:05 pm
by raspi-owner
RaTTuS wrote:
Thu Sep 28, 2017 2:52 pm
did you leave the rpi open to the internet with user pi / default password?
no, not at all.. I created a new username with a new password and deleted the pi user, plus I have found that this guy has had the same problem as me: https://www.digitalocean.com/community/ ... le-to-stat

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 3:22 pm
by ShiftPlusOne
Was it a strong password? I think it's important to figure out what happened here.

Edit: Also, what was installed on the SD card? Were you running wordpress with some plugins, for example?

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 3:23 pm
by raspi-owner
ShiftPlusOne wrote:
Thu Sep 28, 2017 3:22 pm
Was it a strong password? I think it's important to figure out what happened here.
yep it was, and I have wordpress (in another folder) with some plugins

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 3:25 pm
by raspi-owner
is it because fail2ban starts the ssh and apache-noscript jails only ??

Re: someone puted a file on my server !!

Posted: Thu Sep 28, 2017 4:10 pm
by drgeoff
Martin Frezman wrote:
Thu Sep 28, 2017 2:15 pm
in the log of fail2ban it show the ip of the hacker
I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?
@Martin Frezman

Go back to sleep. The person who wrote "in the log of fail2ban .." is the OP!

Re: someone puted a file on my server !!

Posted: Fri Sep 29, 2017 6:33 pm
by raspi-owner
after some research I found that it's not a big deal and that the hacker is running some kind of proxy server that searches for other servers to put that kind of file in, so I guess I must make mine more secure to prevent similar hacks.