
How to delete hidden directory???

Posted by Joomla, 09-11-2008, 06:20 PM
I got this after doing locate "...":

/home/xxx/public_html/demo/smf/avatars/.. /.../.log/.crond
/home/xxx/public_html/smf/.. /...
/home/xxx/public_html/smf/.. /.../.log
/home/xxx/public_html/smf/.. /.../.log/.crond
/home/xxx/public_html/smf/...

How can I delete it? Thanks.

Posted by Joomla, 09-11-2008, 06:37 PM
I just did "rm -R .*". Anyway, how can I go to those hidden dirs so I can check what's in the .crond file?

Posted by Joomla, 09-11-2008, 06:40 PM
It's OK, I got it...

-rw-rw-rw- 1 xxx xxx 394 Oct 19 2005 angry.gif
drwxrwxrwx 7 xxx xxx 4096 Dec 27 2005 ../
drwxr-xr-x 3 xxx xxx 4096 Nov 3 2007 ..\ \ /
drwxrwxrwx 3 xxx xxx 4096 Nov 3 2007 ./
root@localhost [/home/xxx/public_html/demo/smf/Themes/CoolMetalSMF1/CoolMetalSMF1/images/post]# cd ..\ \ /
root@localhost [/home/xxx/public_html/demo/smf/Themes/CoolMetalSMF1/CoolMetalSMF1/images/post/.. ]# ls
./ ../ .../
root@localhost [/home/xxx/public_html/demo/smf/Themes/CoolMetalSMF1/CoolMetalSMF1/images/post/.. ]# cd .../
root@localhost [/home/xxx/public_html/demo/smf/Themes/CoolMetalSMF1/CoolMetalSMF1/images/post/.. /...]#

Posted by Jonathan Kinney, 09-11-2008, 06:46 PM
Looks like something fishy has been going on, perhaps a PHP or CGI/Perl exploit. To remove those, you can just use the names of the directories, or you can use a recursive rm command if you don't need the parent directory. One thing that makes figuring out what to type easier is the "Tab" key: type the part of the directory or file name you know, then hit Tab to complete it (or at least as much of it as it can), and hit Tab again to list the possibilities. Or you can manually include the spaces and such using the escape character \ in front of things like a space, so that it will treat the space as part of the file or directory name. For example, a simple way to remove the first thing you mention would be the following command:

rm -rf /home/xxx/public_html/demo/smf/avatars/..\ /

One thing to note about using the * wildcard in commands like rm is that it will never select a directory or file that starts with a period. This is for your safety; you can run into some scary situations if it did not act this way.

Posted by Joomla, 09-11-2008, 06:58 PM
I think it's some CGI/Perl exploit. I'm trying to figure out how this is happening so I can stop it. I've been looking at my logs. Do you have any idea how to stop this?

Posted by Joomla, 09-11-2008, 07:01 PM
Wow!! I just found this... Someone was able to put these files!

Posted by Jonathan Kinney, 09-11-2008, 07:19 PM
The first thing to do after you remove the offending applications is to kill the instances of these hacker applications that are probably running right now. Next, just dig through the logs for strange activity. Doing a grep for all POST lines in the access logs can often show issues, especially when there is no referrer listed (assuming you log those normally). There are instances where it does not have to be a POST, though. You may want to grep for all .cgi, .pl, or .php accesses in the logs. Now would also be a good time to make a list of the Perl/CGI and PHP applications you have on your site (or sites, whatever the situation is) and check for updates. You may also want to check for a rootkit. Watch the ownership of the files that were uploaded; that will give a good idea of how they got in too, and pray they are not owned by root, because that would mean the hackers gained root access to your server. If your site or sites have user separation, then the ownership of the files may lead you to the site with exploitable things. If they are owned by the webserver (whatever that runs as: httpd, nobody, or apache), then there is a good chance it is a PHP exploit. Turning safe_mode on would put a halt to most PHP exploits. Just a few more ideas to help you along.
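Added example, not commands from either poster: two small shell helpers that do the triage described in this post and the one above it, locating directories whose names are only dots and spaces under a web root (with the trailing space made visible so they can be removed by their exact names) and pulling referrer-less POSTs to script files out of a combined-format access log. The web root and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added triage helpers for the situation in this thread (not the poster's or
# respondent's own commands). The web root and log lines are constructed.
#
#   find_odd_dirs WEBROOT   list directories whose names consist only of dots
#                           and spaces (such as ".. " and "..."), each line
#                           ending in "$" so a trailing space is visible.
#   suspect_posts < LOG     print "host path" for POST requests to .php/.cgi/.pl
#                           scripts that carry no referrer, reading a
#                           combined-format access log on stdin.

find_odd_dirs() {
    # -regex must match the whole path, so the pattern anchors on the last
    # component. find never yields "." or "..", and -mindepth 1 skips WEBROOT.
    # The awk step appends "$" so ".. " can be told apart from "..".
    find "$1" -mindepth 1 -type d -regex '.*/[. ][. ]*' -print \
      | awk '{ print $0 "$" }'
}

suspect_posts() {
    # Combined log format: $6 is the quoted method, $7 the request path,
    # $11 the quoted referrer ("-" when the client sent none).
    awk '$6 == "\"POST" && $7 ~ /\.(php|cgi|pl)([?]|$)/ && $11 == "\"-\"" {
             print $1, $7
         }'
}

# Constructed sample access-log lines: rows 1 and 3 are scripted POSTs with
# no referrer (the space in ".. " arrives URL-encoded as %20), row 2 is an
# ordinary forum post with a referrer, row 4 is a plain GET.
SAMPLE_LOG='203.0.113.5 - - [11/Sep/2008:18:02:11 -0400] "POST /smf/avatars/..%20/.../x.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Sep/2008:18:03:40 -0400] "POST /smf/index.php?action=post2 HTTP/1.1" 302 0 "http://example.test/smf/" "Mozilla/5.0"
203.0.113.5 - - [11/Sep/2008:18:04:02 -0400] "POST /cgi-bin/cmd.cgi HTTP/1.0" 200 88 "-" "libwww-perl/5.805"
192.0.2.9 - - [11/Sep/2008:18:05:19 -0400] "GET /smf/index.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0"'

# Usage against a real host would be:
#   find_odd_dirs /home/xxx/public_html
#   suspect_posts < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | suspect_posts
```

Once a directory is identified, remove it by the exact name shown (quoting the trailing space, e.g. `rm -rf "/home/xxx/public_html/demo/smf/avatars/.. "`), and check its owner with `ls -ld` first, as the post recommends.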

Posted by Joomla, 09-11-2008, 07:26 PM
Last night I killed a bunch of processes owned by nobody (except HTTPD) when my load avg. shot to 150+. I'm just starting to dig through the logs to find out how this happened. Thanks for the suggestions.

Posted by Joomla, 09-11-2008, 07:30 PM
My dedicated server provider is charging $80/hr just to look into it. I'll try to figure it out first myself.

Posted by Joomla, 09-11-2008, 07:43 PM
Seriously. Do you mean reinstall Centos? Is it easy? And it won't mess up the websites?

Posted by xbox360, 09-11-2008, 08:11 PM
You have to back up all your data first. That is the best way, because your machine could possibly be compromised.
