mmk I am running PHP-Nuke (not for much longer I might add) and I kinda got hit back around the 2nd week of Aug. with a simple lil thing.. a missing table in my DB... no biggie, I didn't know if it was a hack or not.. Well.. I fixed it and just today around 5:30 EST I got hacked again.. This time they took out my Nuke tables BIG TIME.. Only lucky me I had a semi recent backup (from the first "hack?" I backed up what was left, all but the whos_online table) which saved me.. but in the process of downloading the whole site onto my HDD I discovered some "odd" files... and it would seem some script kiddie has uploaded files onto my server in the modules directory... The script in question was "PhpShell 2.0". What I want to know is HOW they managed to upload files into that directory!... From that script you can run ANY command as root!!!
I am hoping there is a way to find out when this was done. As I didn't find this until after midnight I can't see the log for yesterday, but I am hoping Lunarpages Tech can, 'cause maybe it will give an IP address to track and report to an ISP.. Anyway... Anyone else had this script used on them? Did you find out how they got it uploaded... (time to change my pass
This crap really nix my drawers....
Any suggestions or comments...
Those files can be uploaded to your website via any sort of "uploader" which you have on your website and is not properly set up, OR: FTP, SSH, telnet, SQL injection ... Since you say they've accessed and modified your DB, it's most likely that SQL has been used.
Have a good read through Google about PHP shell injection and SQL injection.
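
One way to find which files were dropped into a directory such as `modules` and when, as an added example that is not part of the original thread: compare the live tree against a known-good copy (for instance a clean backup) and report timestamps plus any command-execution calls in the files that differ. The function names, the manifest format and the sample files are assumptions made for this illustration.

```python
import hashlib, re, tempfile, time
from pathlib import Path

# PHP functions that hand a string to the operating system; a web shell needs at least one.
EXEC_CALLS = re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(")

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under a known-good copy."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in root.rglob("*") if p.is_file()}

def audit(root, manifest):
    """Return findings for files that are new or changed relative to the manifest."""
    root, findings = Path(root), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if manifest.get(rel) == sha256(p):
            continue  # unchanged since the known-good copy
        st = p.stat()
        findings.append({
            "path": rel,
            "status": "changed" if rel in manifest else "new",
            # mtime can be reset by whoever wrote the file; ctime on Unix is harder to forge
            "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
            "ctime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_ctime)),
            "exec_calls": sorted({m.decode() for m in EXEC_CALLS.findall(p.read_bytes())}),
        })
    return findings

def demo():
    """Constructed sample: a clean modules/ tree, then one file dropped into it."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp, "modules", "News")
        mods.mkdir(parents=True)
        (mods / "index.php").write_text("<?php echo 'news'; ?>")
        manifest = build_manifest(tmp)
        # Constructed stand-in for an uploaded file; inert, never executed here.
        (mods / "dropped.php").write_text("<?php passthru($cmd); ?>")
        return audit(tmp, manifest)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The reported timestamps give the window to search in the web server and FTP logs for the request that wrote the file, and with it the source IP address.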