This Saturday I found some suspicious activity on our server. We monitor a lot of suspicious activity on the server every day, but this time we found something special: files injected into our server root directory. The story had just begun. I immediately contacted our host and instructed them to deny all incoming connections to our cPanel, WHM, FTP and SFTP.
Sunday morning I started scanning all files with Admin Tools Pro and found lots of c99 shell scripts injected here and there. I then immediately ran the server scanner and, in the meantime, started deleting every c99 shell script found by Admin Tools, took a backup of our documentation site, forum and affiliate software, and deleted every file from the server so we could examine each and every file of these sites and upload them again.
Steps we've taken to save our site
I'm documenting the steps we've taken to save our sites so others can benefit from them.
- We disabled these functions on our system: 'exec, shell_exec, system, passthru, myshellexec, popen'.
- Blocked all incoming access to cPanel, FTP and SFTP so no one can access the site, including access via the cPanel proxy.
- Examined all files using Admin Tools Pro and replaced or deleted suspicious files.
- Backed up all child sites (docs, forums, affiliates and demo) to examine on a local PC, and deleted them from the server.
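Two of the steps above, scanning the web root for c99 shells and disabling the process-execution functions in PHP, can be checked with a small script. The following is an added example written for this post; it is not Admin Tools Pro code or anything from our own tooling. The indicator patterns, the list of PHP built-ins, the constructed sample web root and the sample php.ini fragment are all assumptions made for illustration. One caveat worth knowing: `myshellexec` is not a PHP built-in but a helper function that the c99 shell defines inside its own source, so listing it in `disable_functions` has no effect; the audit below flags such names for review.

```python
"""Post-compromise triage helpers (added example, not the site's own tooling)."""
import os
import re
import tempfile

# Signatures characteristic of c99-family web shells and of generic obfuscated
# droppers. Constructed for this example; extend them for your own web root.
WEBSHELL_INDICATORS = {
    "c99_banner": re.compile(r"c99shell", re.IGNORECASE),
    "c99_helper": re.compile(r"\bmyshellexec\s*\("),
    "eval_base64": re.compile(r"\beval\s*\(\s*base64_decode\s*\("),
    "exec_of_request": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"
    ),
}
SCANNED_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return the sorted names of every indicator that matches the file's contents."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in WEBSHELL_INDICATORS.items() if rx.search(text))


def scan_webroot(root):
    """Walk a web root and report (relative path, indicators) for suspicious PHP files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(SCANNED_EXTENSIONS):
                continue
            full = os.path.join(dirpath, filename)
            found = scan_file(full)
            if found:
                hits.append((os.path.relpath(full, root), found))
    return sorted(hits)


# PHP built-ins that spawn processes; these are the names worth listing in
# disable_functions. Assumed list for this example, not exhaustive.
PHP_EXEC_BUILTINS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open", "pcntl_exec"}


def audit_disable_functions(ini_text, required=PHP_EXEC_BUILTINS):
    """Parse the php.ini `disable_functions` line and report gaps.

    `missing` are required built-ins that are not disabled; `unrecognised` are
    listed names that are not in PHP_EXEC_BUILTINS (for example a helper name
    defined inside a shell script itself, which disable_functions cannot block).
    """
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        if line.lower().startswith("disable_functions"):
            _key, _sep, value = line.partition("=")
            disabled |= {f.strip() for f in value.strip().strip('"').split(",") if f.strip()}
    return {
        "disabled": disabled,
        "missing": set(required) - disabled,
        "unrecognised": disabled - PHP_EXEC_BUILTINS,
    }


def build_sample_webroot():
    """Create a constructed web root: one clean file and one planted file carrying c99 indicators."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    # Constructed sample with c99 indicator strings only; it is not a working shell.
    with open(os.path.join(root, "images", "c99.php"), "w") as fh:
        fh.write("<?php /* c99shell banner */ function myshellexec($c) { return ''; } ?>\n")
    return root


# Constructed php.ini fragment mirroring the function list from the post.
SAMPLE_INI = """; constructed php.ini fragment
disable_functions = exec, shell_exec, system, passthru, myshellexec, popen
"""

if __name__ == "__main__":
    root = build_sample_webroot()
    for path, found in scan_webroot(root):
        print(f"{path}: {', '.join(found)}")
    print(audit_disable_functions(SAMPLE_INI))
```

Run against a real web root, the scanner only points at files worth a manual look; a hit on `eval_base64` or `exec_of_request` in a file that ships with a template or extension is still worth reviewing, since injected code is often appended to legitimate files rather than dropped as a new one. The php.ini audit reports that `proc_open` and `pcntl_exec` are not disabled by the list above and that `myshellexec` is not a PHP built-in.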
We do not store any sensitive data such as credit card numbers or payment details on our server. All data is protected and safe.
As I mentioned earlier, our forum and documentation site are down and we are only providing ticket support to our customers. We really appreciate your patience and support. I want to assure you that we are working hard to fix all sites and glitches on our main site. We are almost done checking all the files individually and manually, as you can see from the picture above.
Here is our priority list for bringing the sites up:
We'll update this post to keep you up to date with our recent activities.
Update-5: We restored our forum, and phpBB has been updated to the latest version.
Update-4: We bought the Amazon SES service to deliver our email, so you will never see an email go to the spam box!
Update-3: The demo site is UP and running with 2012 templates only. We've migrated to a new server and are working hard to restore all our template demos. The extension demo is also down.
Update-2: The documentation site is UP and running on a new, more powerful server.
Update-1: We opened some PayPal IP addresses to connect to our server, so the automatic subscription creation process is back to normal for PayPal payments.