So, I've been hacked. What do I do next?

So, I was about to create a thread to post some of my favorite wallpapers, which means going to my public download directory, which has an uploader script:

http://kimrari.com/public/

When I noticed the "Hacked By DarkBlooD"

Now, I'm not sure how long it has been like this because I only noticed it when I was about to upload a file to host online.

The good thing is this is the only thing I noticed. Nothing is damaged/deleted, so I am wondering if he only got access because of a vulnerability in the Uploader Script or if he rooted the box. I think it's unlikely because this account (though it has shell access) is not the root account.

Are there any files I should search for on the server?

And googling, I found another site that was compromised as well:

http://www.foto-akce.wz.cz/

It looks like this may have taken place last night. From shell, the modified date is yesterday:

-rw-r--r-- 1 nobody nobody 407 Oct 3 04:24 index.php

and from this website, it seems like this DarkBlood went on a rampage yesterday:

http://www.zone-h.org/en/defacements...cer=DarkBlooD/

I searched for my domain but it wasn't among the list.

Thanks for any help and suggestions.

 

 

 

 
