someone puted a file on my server !!

[raspi-owner]

hi, i have recently got a random php file: "testproxy.php" on my server..how can someone hack into my folder and put it there,please help !!

[RaTTuS]

1) remove port forwarding on your router
2) shut down the RPI
3) download a new version of raspbian and put it on a new SDcard
4) add a new user and disable the user pi
5) create a new version on your RPi server machine
6) recover any files off your old sdcard not exectuables
.

did you leave the rpi open to the internet with user pi / default password?

[raspi-owner]

1) remove port forwarding on your router
2) shut down the RPI
3) download a new version of raspbian and put it on a new SDcard
4) add a new user and disable the user pi
5) create a new version on your RPi server machine
6) recover any files off your old sdcard not exectuables
.

did you leave the rpi open to the internet with user pi / default password?

no i have changed the default username and password, but i dont know how the hacker was able to get there with firewall and fail2ban open ??
by the way, i deleted that file that conatined some info about my usename and something else that didn't show up correctly

[Martin Frezman]

Isn't it more likely that there is no problem here at all?

Modern software tends to create all kinds of temporary files, with sometimes somewhat suspicious names, all the time. We've come to accept it. They can't possibly document all the various files and temporary files that they create. You just have to live with it.

[raspi-owner]

Isn't it more likely that there is no problem here at all?

Modern software tends to create all kinds of temporary files, with sometimes somewhat suspicious names, all the time. We've come to accept it. They can't possibly document all the various files and temporary files that they create. You just have to live with it.

in the log of fail2ban it show the ip of the hacker that puted the file,so i dont think that it's from the software.

[DougieLawson]

Have you somehow disabled

Code: Select all

[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s

in fail2ban, because that jail should catch tests for non-existent php scripts and block the remote user?

Are you running fail2ban 0.9.6-2 or an earlier version?

testproxy.php has been a hack attempt for about four years or more.
https://www.google.co.uk/search?q=testproxy.php

[Martin Frezman]

in the log of fail2ban it show the ip of the hacker

I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?

[raspi-owner]

Have you somehow disabled

Code: Select all

[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s

in fail2ban, because that jail should catch tests for non-existent php scripts and block the remote user?

Are you running fail2ban 0.9.6-2 or an earlier version?

testproxy.php has been a hack attempt for about four years or more.
https://www.google.co.uk/search?q=testproxy.php

i have fail2ban 0.9.2 and i have only changed the section about ssh.

[DougieLawson]

if you're running a public webserver on port 80 you need to activate the fail2ban jails for Apache2/Lighty/Nginx depending which on runs your webserver.

Activating just ssh is not good enough.

[raspi-owner]

in the log of fail2ban it show the ip of the hacker

I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?

didn't understand what you mean (sorry) can you explain ??

[raspi-owner]

do you recommand me to restart everything from zero because i checked for apache no script and it seem working ??

[RaTTuS]

did you leave the rpi open to the internet with user pi / default password?

[raspi-owner]

did you leave the rpi open to the internet with user pi / default password?

no,not at all.. i created a new username with a new password and deleted the pi user plus i have found that this guy have had the same problem as me : https://www.digitalocean.com/community/ ... le-to-stat

[ShiftPlusOne]

Was it a strong password? I think it's important to figure out what happened here.

Edit: Also, what was installed on the SD card? Were you running wordpress with some plugins, for example?

[raspi-owner]

Was it a strong password? I think it's important to figure out what happened here.

yep it was and i have wordpress (in another folder) with some plugins

[raspi-owner]

is it because fail2ban start ssh and apache no script jails only ??

[drgeoff]

in the log of fail2ban it show the ip of the hacker

I don't see that in any of the OP's posts (i.e., you are the first to post it).

Have you been in PM with OP (so you know things about the case that are not in the thread) ?

@Martin Frezman

Go back to sleep. The person who wrote "in the log of fail2ban .." is the OP!

[raspi-owner]

after some research i found that it's not a big deal and that hacker is runnig some kind of proxy server that search for other servers to put in that kind of file,so i guess i must make mine more secure to prevent similar hacks.