Topic awaiting preservation: Help Deleting a File $Pages that link to <a href="https://ozoneasylum.com/backlink?for=29488" title="Pages that link to Topic awaiting preservation: Help Deleting a File" rel="nofollow" >Topic awaiting preservation: Help Deleting a File\$

Author	Thread
SleepingWolf Paranoid (IV) Inmate From: Insane since: Jul 2006	posted 08-31-2007 20:34 Not sure if this the right forum, sorry. I had two of my site's CMS PhP apps hacked yesterday, I cleaned up the mess and I'm in the process of upgrading those apps. The hack left two index.html files in photo folders. The files can't do anything - they are not visible and all they contain is an iframe - but I would still like to delete them - I can't. I can rename the parent folder, but I can't delete it or delete those particular files. The permission is set to read or write. If I try to change the permissions to anything else on these files I'm denied access. Does anyone know of a generic script that can allow me change the access and delete this crap. I asked my Webhost but they are as useless as tits on a nun. Nature & Travel Photography Visit the Sleeping Wolves
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 09-01-2007 02:22 quote: If I try to change the permissions to anything else on these files I'm denied access. you are denied access to your own files? That's not good. I would certainly be in touch with your host to have them take care of the problem. But judging from what you said in your other thread, you are not going to have much luck there. I would really grab all you could and get out of the host that you have. I am not aware of any script that you could run that would delete anything. If you are logging in to your account and you can't change the permissions, there's something very wrong. Do you have something like phpMyAdmin installed? You could possibly look there at the database's and see if there are any users that you don't recognize, change the password and try that. Later, C:\
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 09-01-2007 12:29 try to delete them vai php - I suspect they were created via php which ran as a differnt user than your ftp account. so drop this into the folder with the file and see if it helps: code: <?php unlink("index.html"); ?> so long, ->Tyberius Prime
SleepingWolf Paranoid (IV) Inmate From: Insane since: Jul 2006	posted 09-01-2007 17:58 quote: CPrompt said: quote:If I try to change the permissions to anything else on these files I'm denied access.you are denied access to your own files? That's not good. I would certainly be in touch with your host to have them take care of the problem. But judging from what you said in your other thread, you are not going to have much luck there.I would really grab all you could and get out of the host that you have.I am not aware of any script that you could run that would delete anything. If you are logging in to your account and you can't change the permissions, there's something very wrong.Do you have something like phpMyAdmin installed? You could possibly look there at the database's and see if there are any users that you don't recognize, change the password and try that.Later,C:\ CPrompt: I'm the only user. I can CHMOD, not a problem, but the exploit ran a script changing the permissions. Even CMS apps like Gallery will do that. To uninstall Gallery completely in the past I had to google for a script to allow me to delete certain files! As for my webhost, I've come to the sad conclusion that the concept of service no longer exists, not just for webhosts, but in general. I just know if I change hosts it will go from mediocre to worse. TP: Thanks I will try your script. I only worked from FTP at this point, I didn't even think to see if there would be a difference using the Plesk Control Panel. I'll try that first, the script next. Thanks to both of you. Guys, I need to understand how this code was inserted - I'm totally convinced that this was a bot (the same lines of code were entered multiple times, only the apps that were not upgraded were affected etc.). What I need to know is what can I do at the server level or by customizing the php templates to keep this from happening again. The good news is that I don't run community CMS with the exception of my forums (which are dead) - so even if i had to remove all user access (i.e. remove the ability to add comments) I would be willing to. I've looked at some of the security forums but didn't see too many sharp knives in the drawers. Need to think like a hacker. Nature & Travel Photography Visit the Sleeping Wolves (Edited by SleepingWolf on 09-01-2007 17:59)
SleepingWolf Paranoid (IV) Inmate From: Insane since: Jul 2006	posted 09-01-2007 18:22 Refused permission from Plesk, could not transfer Tao's php script (permission refused) - tried vainly to run it with a path change from the root..no dice. Going back to Plesk helped me understand what's going on. There many image folders contained in one parent folder called albums. All the folders show my name as the user, but two show Apache as the user. Both these folders were created using the Windows XP Web Publishing Wizard - this requires a Coppermine script to change the permissions. The part I don't understand is why can i rename this folder, or delete any of the files except the hacker introduced index.html? Nature & Travel Photography Visit the Sleeping Wolves

Topic awaiting preservation: Help Deleting a File\$

Author

Thread

SleepingWolf
Paranoid (IV) Inmate

From:
Insane since: Jul 2006

posted 08-31-2007 20:34

Not sure if this the right forum, sorry.

I had two of my site's CMS PhP apps hacked yesterday, I cleaned up the mess and I'm in the process of upgrading those apps.

The hack left two index.html files in photo folders. The files can't do anything - they are not visible and all they contain is an iframe - but I would still like to delete them - I can't.

I can rename the parent folder, but I can't delete it or delete those particular files. The permission is set to read or write. If I try to change the permissions to anything else on these files I'm denied access.

Does anyone know of a generic script that can allow me change the access and delete this crap. I asked my Webhost but they are as useless as tits on a nun.

Nature & Travel Photography
Visit the Sleeping Wolves

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 09-01-2007 02:22

quote:
If I try to change the permissions to anything else on these files I'm denied access.

you are denied access to your own files? That's not good. I would certainly be in touch with your host to have them take care of the problem. But judging from what you said in your other thread, you are not going to have much luck there.

I would really grab all you could and get out of the host that you have.

I am not aware of any script that you could run that would delete anything. If you are logging in to your account and you can't change the permissions, there's something very wrong.

Do you have something like phpMyAdmin installed? You could possibly look there at the database's and see if there are any users that you don't recognize, change the password and try that.

Later,

C:\

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 09-01-2007 12:29

try to delete them vai php - I suspect they were created via php which ran as a differnt user than your ftp account.

so drop this into the folder with the file and see if it helps:

code:

<?php
unlink("index.html");
?>

so long,

->Tyberius Prime

SleepingWolf
Paranoid (IV) Inmate

From:
Insane since: Jul 2006

posted 09-01-2007 17:58

quote:

CPrompt said:

quote:If I try to change the permissions to anything else on these files I'm denied access.you are denied access to your own files? That's not good. I would certainly be in touch with your host to have them take care of the problem. But judging from what you said in your other thread, you are not going to have much luck there.I would really grab all you could and get out of the host that you have.I am not aware of any script that you could run that would delete anything. If you are logging in to your account and you can't change the permissions, there's something very wrong.Do you have something like phpMyAdmin installed? You could possibly look there at the database's and see if there are any users that you don't recognize, change the password and try that.Later,C:\

CPrompt: I'm the only user. I can CHMOD, not a problem, but the exploit ran a script changing the permissions. Even CMS apps like Gallery will do that. To uninstall Gallery completely in the past I had to google for a script to allow me to delete certain files! As for my webhost, I've come to the sad conclusion that the concept of service no longer exists, not just for webhosts, but in general. I just know if I change hosts it will go from mediocre to worse.

TP: Thanks I will try your script. I only worked from FTP at this point, I didn't even think to see if there would be a difference using the Plesk Control Panel. I'll try that first, the script next.

Thanks to both of you. Guys, I need to understand how this code was inserted - I'm totally convinced that this was a bot (the same lines of code were entered multiple times, only the apps that were not upgraded were affected etc.). What I need to know is what can I do at the server level or by customizing the php templates to keep this from happening again.

The good news is that I don't run community CMS with the exception of my forums (which are dead) - so even if i had to remove all user access (i.e. remove the ability to add comments) I would be willing to.

I've looked at some of the security forums but didn't see too many sharp knives in the drawers. Need to think like a hacker.

Nature & Travel Photography
Visit the Sleeping Wolves

(Edited by SleepingWolf on 09-01-2007 17:59)

SleepingWolf
Paranoid (IV) Inmate

From:
Insane since: Jul 2006

posted 09-01-2007 18:22

Refused permission from Plesk, could not transfer Tao's php script (permission refused) - tried vainly to run it with a path change from the root..no dice.

Going back to Plesk helped me understand what's going on. There many image folders contained in one parent folder called albums. All the folders show my name as the user, but two show Apache as the user. Both these folders were created using the Windows XP Web Publishing Wizard - this requires a Coppermine script to change the permissions. The part I don't understand is why can i rename this folder, or delete any of the files except the hacker introduced index.html?

Nature & Travel Photography
Visit the Sleeping Wolves