Question:
Hello! I wanted to log into my Drupal website (which is hosted with you) as an administrator, and could not. Then I went through cPanel into phpMyAdmin to look at the site database. In the users table, in place of my profile there had suddenly appeared another one, attached to my email, called "EMAIL". For it I set the hash of a known password, and logged in with the new password through this profile. Question: could you tell me how this could have happened with you? Now I have 3 unknown administrator profiles on the site :(
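A check for the situation described in this question, added here as an example and not part of the original thread: it lists every account holding the administrator role and flags the ones that are unexpected (not in a known list, created after a cut-off, never used, or sharing an e-mail address with another account, which is exactly what the customer saw). It assumes the Drupal 7 core schema (users, role, users_roles, with the role named "administrator"); the rows are constructed, and SQLite stands in for the site's MySQL database so the script runs offline. The SELECT itself runs unchanged in phpMyAdmin.

```python
"""Audit a Drupal 7 users table for unexpected administrator accounts (example code)."""
import sqlite3
from collections import defaultdict

# Constructed rows modelled on the Drupal 7 core tables (users, role, users_roles).
# Drupal 7 installs rid 3 as "administrator". Names, addresses and timestamps are
# made up for this example; the password hashes are abbreviated placeholders.
SCHEMA = """
CREATE TABLE users (
    uid INTEGER PRIMARY KEY, name TEXT, pass TEXT, mail TEXT,
    created INTEGER, access INTEGER, login INTEGER, status INTEGER);
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER, PRIMARY KEY (uid, rid));
"""
SAMPLE_ROWS = {
    "role": [(1, "anonymous user"), (2, "authenticated user"), (3, "administrator")],
    "users": [
        (0, "", "", "", 0, 0, 0, 0),  # Drupal's anonymous placeholder row
        (1, "siteowner", "$S$D...", "owner@example.org", 1400000000, 1446100000, 1446100000, 1),
        (2, "editor", "$S$D...", "editor@example.org", 1410000000, 1445900000, 1445900000, 1),
        (57, "admin2", "$S$D...", "owner@example.org", 1446200000, 1446210000, 1446210000, 1),
        (58, "support", "$S$D...", "drop@example.net", 1446200100, 0, 0, 1),
    ],
    "users_roles": [(1, 3), (2, 2), (57, 3), (58, 3)],
}

# Every account that holds the administrator role, oldest first.
ADMINS_SQL = """
SELECT u.uid, u.name, u.mail, u.created, u.access
FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r ON r.rid = ur.rid
WHERE r.name = 'administrator'
ORDER BY u.created, u.uid
"""


def load_sample(conn):
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role VALUES (?, ?)", SAMPLE_ROWS["role"])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS["users"])
    conn.executemany("INSERT INTO users_roles VALUES (?, ?)", SAMPLE_ROWS["users_roles"])


def audit_admins(conn, known_admins, since_ts):
    """Return administrator accounts with a reason to look at them.

    A legitimate account is reported too when its e-mail address has been
    reused by another account, since that is a sign the address was hijacked.
    """
    mail_owners = defaultdict(list)
    for uid, mail in conn.execute("SELECT uid, mail FROM users WHERE mail <> ''"):
        mail_owners[mail.lower()].append(uid)

    findings = []
    for uid, name, mail, created, access in conn.execute(ADMINS_SQL):
        reasons = []
        if name not in known_admins:
            reasons.append("not in the known admin list")
        if created >= since_ts:
            reasons.append("created at or after the cut-off")
        others = [o for o in mail_owners.get((mail or "").lower(), []) if o != uid]
        if others:
            reasons.append("shares e-mail with uid(s) %s" % ", ".join(map(str, others)))
        if access == 0:
            reasons.append("never accessed the site")
        if reasons:
            findings.append({"uid": uid, "name": name, "mail": mail, "reasons": reasons})
    return findings


def run_sample(known_admins=("siteowner",), since_ts=1446000000):
    """Run the audit against the constructed rows; the cut-off is an assumed date."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return audit_admins(conn, set(known_admins), since_ts)


if __name__ == "__main__":
    for f in run_sample():
        print("uid %(uid)s %(name)r <%(mail)s>: %(reasons)s" % f)
```

On the sample data the audit reports the owner's own account (its address is reused by uid 57), the duplicate admin2, and the never-used support account, while the editor with only the authenticated role is not listed. Against a live database, run the SELECT in phpMyAdmin or point the script at the site's credentials from settings.php, and treat any account you did not create as hostile until the rest of the compromise is understood.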
Answer:
Hello. Yesterday we sent you information about the spam; did you receive it?

Time: Fri Oct 30 21:51:02 2015 +0300
Type: LOCALRELAY, Local Account - vpi
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:
2015-10-30 21:47:32 1ZsEi4-000bof-Rl <= EMAIL U=vpi P=local S=867 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000bp1-08 <= EMAIL U=vpi P=local S=857 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000bpO-4e <= EMAIL U=vpi P=local S=865 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000bpt-BI <= EMAIL U=vpi P=local S=905 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000bqM-GC <= EMAIL U=vpi P=local S=849 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000bql-Kk <= EMAIL U=vpi P=local S=877 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000br8-OI <= EMAIL U=vpi P=local S=865 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:33 1ZsEi5-000brT-TP <= EMAIL U=vpi P=local S=907 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:34 1ZsEi6-000brv-10 <= EMAIL U=vpi P=local S=859 T="Hot Local Girls Online" for EMAIL
2015-10-30 21:47:34 1ZsEi6-000bsH-5T <= EMAIL U=vpi P=local S=869 T="Hot Local Girls Online" for EMAIL

Time: Fri Oct 30 21:50:27 2015 +0300
Path: `/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms`
Count: 301 emails sent

Sample of the first 10 emails:
2015-10-30 21:41:51 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:53 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:53 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL
2015-10-30 21:41:53 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t-i EMAIL

Possible scripts: check and change the settings. The site has been hacked.
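Reading a report like the one above by hand works for ten lines, not for 300. The script below is an added example written for this page, not something the hosting provider or cPanel supplies: it parses both line formats quoted in the report, counts sendmail invocations per working directory, joins the two logs on recipient address so each subject line can be tied to the directory it was sent from, and flags directories that sit below a web root but are not the document root itself (a site's own mail is sent from its docroot, where the front controller lives; a mailer dropped into a library or plugin folder runs from that folder), or that exceed a burst threshold. The sample lines are constructed to mirror the report, with placeholder addresses where the report shows EMAIL and the sendmail arguments written as `-t -i`; the web-root name public_html and the threshold of 50 are assumptions.

```python
"""Find the web directory a spam mailer ran from, using cPanel/Exim report lines (example code)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the two formats the hosting report quotes: the script
# invocation log ("cwd=... args: /usr/sbin/sendmail ...") and the Exim mainlog
# arrival line ("<="). Addresses are placeholders; paths follow the report.
SAMPLE_LOG = """\
2015-10-30 21:41:51 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t -i r1@example.net
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t -i r2@example.net
2015-10-30 21:41:52 cwd=/home/vpi/public_html/sites/all/libraries/ckeditor/plugins/forms 4 args: /usr/sbin/sendmail -t -i r3@example.net
2015-10-30 21:45:10 cwd=/home/vpi/public_html 4 args: /usr/sbin/sendmail -t -i orders@example.org
2015-10-30 21:47:32 1ZsEi4-000bof-Rl <= vpi@example.com U=vpi P=local S=867 T="Hot Local Girls Online" for r1@example.net
2015-10-30 21:47:33 1ZsEi5-000bp1-08 <= vpi@example.com U=vpi P=local S=857 T="Hot Local Girls Online" for r2@example.net
2015-10-30 21:47:33 1ZsEi5-000bpO-4e <= vpi@example.com U=vpi P=local S=865 T="Hot Local Girls Online" for r3@example.net
2015-10-30 21:49:00 1ZsEi7-000bt0-Qq <= vpi@example.com U=vpi P=local S=1204 T="Your order" for orders@example.org
"""

CWD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$"
)
MAINLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"U=(?P<user>\S+) P=(?P<proto>\S+) S=(?P<size>\d+)"
    r'(?: T="(?P<subject>[^"]*)")? for (?P<rcpts>.*)$'
)


def parse_lines(text):
    """Split report text into script-invocation events and message-arrival events."""
    cwd_events, mail_events = [], []
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            args = m.group("args").split()
            cwd_events.append({
                "ts": m.group("ts"),
                "cwd": m.group("cwd"),
                "binary": args[0] if args else "",
                "rcpts": [a for a in args[1:] if "@" in a],
            })
            continue
        m = MAINLOG_RE.match(line)
        if m:
            mail_events.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "proto": m.group("proto"),
                "subject": m.group("subject") or "(no subject)",
                "rcpts": [r for r in m.group("rcpts").split() if "@" in r],
            })
    return cwd_events, mail_events


def depth_below_web_root(cwd, web_roots):
    """0 if cwd is a web root itself, N if it is N levels below one, None if not under any."""
    parts = cwd.strip("/").split("/")
    for i, part in enumerate(parts):
        if part in web_roots:
            return len(parts) - i - 1
    return None


def analyse(text, web_roots=("public_html",), burst_threshold=50):
    cwd_events, mail_events = parse_lines(text)
    by_cwd = Counter(e["cwd"] for e in cwd_events)

    # Join the two logs on recipient: the invocation log gives the directory,
    # the mainlog gives the subject that was actually queued for that recipient.
    rcpt_to_cwd = {r: e["cwd"] for e in cwd_events for r in e["rcpts"]}
    by_subject = Counter()
    subject_to_cwds = defaultdict(set)
    for e in mail_events:
        if e["proto"] != "local":  # only mail injected by local processes, not SMTP
            continue
        by_subject[e["subject"]] += 1
        for r in e["rcpts"]:
            if r in rcpt_to_cwd:
                subject_to_cwds[e["subject"]].add(rcpt_to_cwd[r])

    # sendmail called from below the docroot, or in a burst, points at a mailer script.
    suspicious = []
    for cwd, n in by_cwd.items():
        depth = depth_below_web_root(cwd, web_roots)
        if depth is not None and (depth > 0 or n >= burst_threshold):
            suspicious.append(cwd)

    return {
        "by_cwd": dict(by_cwd),
        "by_subject": dict(by_subject),
        "subject_to_cwds": {s: sorted(c) for s, c in subject_to_cwds.items()},
        "suspicious_cwds": sorted(suspicious),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for cwd in report["suspicious_cwds"]:
        print("inspect: %s (%d sendmail calls)" % (cwd, report["by_cwd"][cwd]))
    for subject, cwds in report["subject_to_cwds"].items():
        print("subject %r injected from %s" % (subject, ", ".join(cwds)))
```

On the sample the only flagged directory is the ckeditor/plugins/forms path, and the "Hot Local Girls Online" messages are tied to it, while the single order mail sent from the docroot is left alone. In a real clean-up the flagged directory is where to look for the dropped PHP file (and its modification time gives a lower bound on when the account was compromised), which is the question the customer asks next.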
Question:
Received, but without really understanding what it says. I deleted all the other profiles and changed its name and password. What else can be done? And you still have not said how long ago it could have been hacked and how the hell this happened.
Answer:
The spam was sent yesterday. When the hack itself happened is not known. Look, here is the malware on your site:
/home/vpi/russia-tomorrow.ru/includes/class.php: {HEX}base64.inject.unclassed.7.UNOFFICIAL FOUND
/home/vpi/public_html/alihackercr7.php: {HEX}php.cmdshell.unclassed.359.UNOFFICIAL FOUND
/home/vpi/public_html/includes/class.php: {HEX}base64.inject.unclassed.7.UNOFFICIAL FOUND
/home/vpi/abavis.ru/includes/class.php: {HEX}base64.inject.unclassed.7.UNOFFICIAL FOUND
Question:
I have never run into this. How do I check? And what should I do with the viruses?
Answer:
The viruses that the antivirus found have been removed. If you do not know what to do, there are two options: reinstall the website from scratch, or turn to competent specialists. We can recommend https://www.revisium.com
Question:
And if nothing is done, what could happen? In principle, I constantly make backups of all the sites.
Answer:
It may end up as a broken website and an account ban for sending spam or hosting phishing pages. Leaving it to chance is in no case acceptable.
Question:
1. I have a copy of the database and of the public_html folder (the main website, zakon63.ru, is there). Do I understand correctly that I need to clear the public_html directory from the File Manager, delete the site database, then upload the old version of the folder to public_html and restore the database?
2. I have two new websites, posted recently. As I understand it, the infection affects a specific site rather than the whole directory?
Answer:
If the sites are on the same account, then the attacker can get access to them too, i.e. the probability is very high. Check everything you need to.
Question:
Well, then I will study the material on this issue. Thank you.
Question:
And tell me, how do I change the password to my account on the hosting?
Answer:
Hello. To change the password in cPanel, you need to log in to it and go through Change Password. To change the password of the billing system, use the Profile. Please set complex passwords with numbers and upper-case letters.
Question:
The fact of the matter is that I use long passwords like *H@E891`j9@, and all passwords except for billing and cPanel are stored in double-encrypted files on my computer.
Question:
And one more thing: I have a static IP. Can you make login to the sites as administrator, and to cPanel, possible only from my IP?
Answer:
Did we say that passwords like *H@E891`j9@ cannot be used?
Question:
Please read carefully: I am USING complex passwords. And please answer the question about the IP.
Answer:
Where did we say anything at all about passwords? What difference does it make what password you use if the database password is written in plaintext in the configuration file, and the hack could have been done through a vulnerability in the engine? Besides, we have closed off brute-forcing of admin panels, so bots are essentially out of the question. No, it is impossible to set a private IP for access to the panel; this functionality is not provided in the panel. And this, again, does not protect a website if it
Question:
Thanks, I will sort the issue out!
Answer:
OK