[HELP! HACKED!] k1r4 v. Rajoul_Mok (Emp3ror) using PHP Backdoor C99Shell-A

[b]Rajoul_Mok was here[/b]

A few days ago my server was hacked by a PHP Backdoor Trojan that was put on my server using the Joomla component exposé (picture upload component). Using this backdoor the hacker(s) put some of their tools on my site allowing them to do whatever they like:

- index.php for sending spam.
- max.php for TOTAL server control (open/edit files (even my PHP files with mysql login codes in them), send kernel attacks, delete everything and many more...). An example of this file can be found by Googling "Rajoul_Mok": http://5pc.com/~willboar/c100.php . Many, many other sites have also been hacked just like me.

Also, there is a file named install.php, which he probably used to get in.

Removing his tools is impossible:

[15:59:08] DELE index.php.yourwww.aerljgselutgsluegulser
[15:59:08] 550 index.php.yourwww.aerljgselutgsluegulser: Permission denied

This is how the max.php tool looks:

[URL=http://img243.imageshack.us/my.php?image=maxiz5.png]image[/URL]

And this is how the spam index.php looks:

[URL=http://img57.imageshack.us/my.php?image=indexpz1.png]image[/URL]

They can do ANYTHING with max.php. They can edit files with a built-in editor:

[URL=http://img57.imageshack.us/my.php?image=editoriv0.png]image[/URL]

They can CHMOD all my files:

[URL=http://img243.imageshack.us/my.php?image=chmodji6.png]image[/URL]

They have all kinds of functionality to make the hacking easier:

[URL=http://img243.imageshack.us/my.php?image=functiessx6.png]image[/URL]

And they can help your server to its death:

[URL=http://img220.imageshack.us/my.php?image=takeoveray9.png]image[/URL]

And there is a lot more!

[b]Tracking these Hackers[/b]

The email address in the application is k1r4@gmail.com, but it's phony. Two other email addresses that are real are h3lpm3allahu@gmail.com (the support address for this application) and spyn3t@gmail.com (another hacker that also uses this app). I want to know how to trace these people. The website they use for updating their application automatically is http://emp3ror.com (for this app: http://emp3ror.com/k1r4) but these links appear to be dead...

I tried to check out where the images are coming from that max.php has in it, but these images are somehow generated with some kind of PHP code; there is no source link for them. Refer to the attachment at the end of this post for the source code of both files.

Please help me do something against these hacker(s) and let's all work together to find them! Thank you for your time.

Laurens
laurens8019@gmail.com

[b]Attachment[/b]

[url=http://rapidshare.de/files/41054912/serverhack.rar.html]2 PHP files in a RAR[/url]
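
A triage check for the situation described in the post above, added here as an example and not part of the original post or its attachment: it walks a web root and flags PHP files that carry strings quoted in the post, sit in a directory that also holds images, or are not owned by the site account. The function name, the suffix lists, the image-directory heuristic and the ownership explanation for the 550 error are assumptions.

```python
import os
import sys
from pathlib import Path

# Strings quoted in the post above (shell name, handles, update host).
MARKERS = (b"c99shell", b"rajoul_mok", b"k1r4", b"emp3ror.com")
SCRIPT_EXT = {".php", ".php3", ".php5", ".phtml"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def triage(webroot, owner_uid, max_bytes=1 << 20):
    """Map relative path -> reasons for PHP files that deserve a manual look."""
    webroot = Path(webroot)
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        # A directory holding images is treated as an upload directory (assumption).
        image_dir = any(Path(f).suffix.lower() in IMAGE_EXT for f in files)
        for name in sorted(files):
            path = Path(dirpath) / name
            # Check every suffix so "index.php.yourwww.x" is still seen as PHP.
            if path.is_symlink() or not SCRIPT_EXT & {s.lower() for s in path.suffixes}:
                continue
            reasons = []
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes).lower()
                reasons += [f"marker:{m.decode()}" for m in MARKERS if m in head]
            except OSError:
                reasons.append("unreadable")
            # Assumption: files created through the web server belong to its
            # account, not to the FTP user, which would explain the 550 on DELE.
            if path.lstat().st_uid != owner_uid:
                reasons.append("foreign-owner")
            if image_dir:
                reasons.append("script-in-image-dir")
            if reasons:
                findings[path.relative_to(webroot).as_posix()] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python triage.py /path/to/webroot <uid of the site/FTP account>
    for rel, why in sorted(triage(sys.argv[1], int(sys.argv[2])).items()):
        print(f"{rel}: {', '.join(why)}")
```

A hit is a reason to inspect the file by hand, not proof of compromise; short markers such as "k1r4" can match unrelated content.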
