4

Possible Duplicate:
My server's been hacked EMERGENCY

My user account on a shared hosting server got hacked and overwrote every PHP with this at the bottom....

eval(gzuncompress(base64_decode( etc etc

Luckily I think I know the script that was vulnerable and I have a backup that is free from all bad files. So, I want to rsync it and replace the bad stuff, will this work?

rsync -rltpqz --delete username@remotehost.com:dir /users/home/username/

Will "-rltpqz --delete" delete all the local files and replace them with remote versions?

Are there any other steps to follow?

Community
  • 1
firefusion
  • 303
  • 2
  • 3
  • 8
  • This is clearly not a duplicate of that question - this one is quite specific, whereas the other one was a plain "what should I do?" – dunxd Nov 17 '11 at 12:20
  • FWIW, this 'virus' attempts connections to 91.196.216.64. – jftuga Nov 17 '11 at 12:21
  • Possible dupe. – tombull89 Nov 17 '11 at 12:23
  • 2
    'My account got hacked' - What account? On What? Are you talking about a web host or a server on your network? The general rule of thumb when a system is compromised is to wipe, reinstall, restore from known good backup. – Bryan Nov 17 '11 at 12:25
  • 1
    So how do you know that they haven't opened other backdoors? Your mistake is that this SHOULD be a dupe of the generic question. – JamesRyan Nov 17 '11 at 12:30
  • 1
    Wow - people start putting questions into other people's mouths and then closing on the basis of a duplicate of that? Way too much of this going on here these days. So if firefusion had just asked "how do I restore from rsync" without hanging a story about hacking around it, would this have been closed? – dunxd Nov 17 '11 at 12:33
  • @dunxd Questions do get closed here too quickly in my opinion and I don't for one minute think it would have been closed if there was no mention of a compromise. The rsync part of the question could have been answered, but we wouldn't have done @firefusion any favours if we ignore the compromise part of the question. I was hoping the @firefusion might have responded to my comment with "it's the logon to a shared hosting server", in which case we could give some appropriate advice. Closing the question maybe was harsh, but adding more detail (or putting less detail) might just have saved it. – Bryan Nov 17 '11 at 12:46
  • 2
    I notice the question has now been modified, and I believe this question should now be reopened, as the correct answer to the famous 'duplicate' question doesn't apply now. – Bryan Nov 17 '11 at 12:50
  • 1
    It got closed after the question had been edited. People clearly will vote to close a question just because someone else voted to close it. Not good for the site or the community. – dunxd Nov 17 '11 at 12:56
  • It clearly should be reopened. It's ABSOLUTELLY have nothing to do with that duplicate - here USER account hacked. There's absolutelly no evidence that hack could propagate to hosting itself - hosting provided MUST have adequate protection in place to prevent malicious users from hacking into the hosting and into other user accounts. Here only one account compromised, on the "duplicate" the question was about the whole system comprimised. – Sandman4 Nov 17 '11 at 13:20
  • 1
    firefusion - my answer here is that if you delete/overwrite every file on your account, and check that there's no anything nasty in your SQL database, you are fine. Even better would be notifying your hosting provider and asking them to wipe and recreate your account. – Sandman4 Nov 17 '11 at 13:25

0 Answers0